Home Explore Help
Sign In
coolsoul
/
u-boot
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: eda1dfafb3
Branches Tags
u-boot
/
test
/
vboot
/
vboot_test.sh

vboot_test.sh 3.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151 
  1. #!/bin/bash
    2. 

  2. #
    3. 

  3. # Copyright (c) 2013, Google Inc.
    4. 

  4. #
    5. 

  5. # Simple Verified Boot Test Script
    6. 

  6. #
    7. 

  7. # SPDX-License-Identifier:	GPL-2.0+
    8. 

  8. 

  9. set -e
    10. 

  10. 

  11. # Run U-Boot and report the result
    12. 

  12. # Args:
    13. 

  13. #	$1:	Test message
    14. 

  14. run_uboot() {
    15. 

  15. 	echo -n "Test Verified Boot Run: $1: "
    16. 

  16. 	${uboot} -d sandbox-u-boot.dtb >${tmp} -c '
    17. 

  17. sb load hostfs - 100 test.fit;
    18. 

  18. fdt addr 100;
    19. 

  19. bootm 100;
    20. 

  20. reset'
    21. 

  21. 	if ! grep -q "$2" ${tmp}; then
    22. 

  22. 		echo
    23. 

  23. 		echo "Verified boot key check failed, output follows:"
    24. 

  24. 		cat ${tmp}
    25. 

  25. 		false
    26. 

  26. 	else
    27. 

  27. 		echo "OK"
    28. 

  28. 	fi
    29. 

  29. }
    30. 

  30. 

  31. echo "Simple Verified Boot Test"
    32. 

  32. echo "========================="
    33. 

  33. echo
    34. 

  34. echo "Please see doc/uImage.FIT/verified-boot.txt for more information"
    35. 

  35. echo
    36. 

  36. 

  37. err=0
    38. 

  38. tmp=/tmp/vboot_test.$$
    39. 

  39. 

  40. dir=$(dirname $0)
    41. 

  41. 

  42. if [ -z ${O} ]; then
    43. 

  43. 	O=.
    44. 

  44. fi
    45. 

  45. O=$(readlink -f ${O})
    46. 

  46. 

  47. dtc="-I dts -O dtb -p 2000"
    48. 

  48. uboot="${O}/u-boot"
    49. 

  49. mkimage="${O}/tools/mkimage"
    50. 

  50. fit_check_sign="${O}/tools/fit_check_sign"
    51. 

  51. keys="${dir}/dev-keys"
    52. 

  52. echo ${mkimage} -D "${dtc}"
    53. 

  53. 

  54. echo "Build keys"
    55. 

  55. mkdir -p ${keys}
    56. 

  56. 

  57. PUBLIC_EXPONENT=${1}
    58. 

  58. 

  59. if [ -z "${PUBLIC_EXPONENT}" ]; then
    60. 

  60. 	PUBLIC_EXPONENT=65537
    61. 

  61. fi
    62. 

  62. 

  63. # Create an RSA key pair
    64. 

  64. openssl genpkey -algorithm RSA -out ${keys}/dev.key \
    65. 

  65.     -pkeyopt rsa_keygen_bits:2048 \
    66. 

  66.     -pkeyopt rsa_keygen_pubexp:${PUBLIC_EXPONENT} 2>/dev/null
    67. 

  67. 

  68. # Create a certificate containing the public key
    69. 

  69. openssl req -batch -new -x509 -key ${keys}/dev.key -out ${keys}/dev.crt
    70. 

  70. 

  71. pushd ${dir} >/dev/null
    72. 

  72. 

  73. function do_test {
    74. 

  74. 	echo do $sha test
    75. 

  75. 	# Compile our device tree files for kernel and U-Boot
    76. 

  76. 	dtc -p 0x1000 sandbox-kernel.dts -O dtb -o sandbox-kernel.dtb
    77. 

  77. 	dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb
    78. 

  78. 

  79. 	# Create a number kernel image with zeroes
    80. 

  80. 	head -c 5000 /dev/zero >test-kernel.bin
    81. 

  81. 

  82. 	# Build the FIT, but don't sign anything yet
    83. 

  83. 	echo Build FIT with signed images
    84. 

  84. 	${mkimage} -D "${dtc}" -f sign-images-$sha.its test.fit >${tmp}
    85. 

  85. 

  86. 	run_uboot "unsigned signatures:" "dev-"
    87. 

  87. 

  88. 	# Sign images with our dev keys
    89. 

  89. 	echo Sign images
    90. 

  90. 	${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb \
    91. 

  91. 		-r test.fit >${tmp}
    92. 

  92. 

  93. 	run_uboot "signed images" "dev+"
    94. 

  94. 

  95. 

  96. 	# Create a fresh .dtb without the public keys
    97. 

  97. 	dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb
    98. 

  98. 

  99. 	echo Build FIT with signed configuration
    100. 

  100. 	${mkimage} -D "${dtc}" -f sign-configs-$sha.its test.fit >${tmp}
    101. 

  101. 

  102. 	run_uboot "unsigned config" $sha"+ OK"
    103. 

  103. 

  104. 	# Sign images with our dev keys
    105. 

  105. 	echo Sign images
    106. 

  106. 	${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb \
    107. 

  107. 		-r test.fit >${tmp}
    108. 

  108. 

  109. 	run_uboot "signed config" "dev+"
    110. 

  110. 

  111. 	echo check signed config on the host
    112. 

  112. 	if ! ${fit_check_sign} -f test.fit -k sandbox-u-boot.dtb >${tmp}; then
    113. 

  113. 		echo
    114. 

  114. 		echo "Verified boot key check on host failed, output follows:"
    115. 

  115. 		cat ${tmp}
    116. 

  116. 		false
    117. 

  117. 	else
    118. 

  118. 		if ! grep -q "dev+" ${tmp}; then
    119. 

  119. 			echo
    120. 

  120. 			echo "Verified boot key check failed, output follows:"
    121. 

  121. 			cat ${tmp}
    122. 

  122. 			false
    123. 

  123. 		else
    124. 

  124. 			echo "OK"
    125. 

  125. 		fi
    126. 

  126. 	fi
    127. 

  127. 

  128. 	run_uboot "signed config" "dev+"
    129. 

  129. 

  130. 	# Increment the first byte of the signature, which should cause failure
    131. 

  131. 	sig=$(fdtget -t bx test.fit /configurations/conf@1/signature@1 value)
    132. 

  132. 	newbyte=$(printf %x $((0x${sig:0:2} + 1)))
    133. 

  133. 	sig="${newbyte} ${sig:2}"
    134. 

  134. 	fdtput -t bx test.fit /configurations/conf@1/signature@1 value ${sig}
    135. 

  135. 

  136. 	run_uboot "signed config with bad hash" "Bad Data Hash"
    137. 

  137. }
    138. 

  138. 

  139. sha=sha1
    140. 

  140. do_test
    141. 

  141. sha=sha256
    142. 

  142. do_test
    143. 

  143. 

  144. popd >/dev/null
    145. 

  145. 

  146. echo
    147. 

  147. if ${ok}; then
    148. 

  148. 	echo "Test passed"
    149. 

  149. else
    150. 

  150. 	echo "Test failed"
    151. 

  151. fi
    152.