#!/bin/bash -eux
# Copyright 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
me=${0##*/}
TMP="$me.tmp"
# Work in scratch directory
cd "$OUTDIR"
# some stuff we'll need
DEVKEYS=${SRCDIR}/tests/devkeys
TESTKEYS=${SRCDIR}/tests/testkeys
SIGNER=${SRCDIR}/tests/external_rsa_signer.sh
# Create a copy of an existing keyblock, using the old way
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--flags 7 \
--signprivate ${DEVKEYS}/root_key.vbprivk
# Check it.
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock0 \
--signpubkey ${DEVKEYS}/root_key.vbpubk
# It should be the same as the dev-key firmware keyblock
cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock0
# Now create it the new way
${FUTILITY} sign --debug \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--flags 7 \
--signprivate ${DEVKEYS}/root_key.vbprivk \
--outfile ${TMP}.keyblock1
# It should be the same too.
cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock1
# Create a keyblock without signing it.
# old way
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--flags 14
# new way
${FUTILITY} sign --debug \
--flags 14 \
${DEVKEYS}/firmware_data_key.vbpubk \
${TMP}.keyblock1
cmp ${TMP}.keyblock0 ${TMP}.keyblock1
# Create one using PEM args
# old way
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock2 \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--signprivate_pem ${TESTKEYS}/key_rsa4096.pem \
--pem_algorithm 8 \
--flags 9
# verify it
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock2 \
--signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk
# new way
${FUTILITY} sign --debug \
--pem_signpriv ${TESTKEYS}/key_rsa4096.pem \
--pem_algo 8 \
--flags 9 \
${DEVKEYS}/firmware_data_key.vbpubk \
${TMP}.keyblock3
cmp ${TMP}.keyblock2 ${TMP}.keyblock3
# Try it with an external signer
# old way
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock4 \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--signprivate_pem ${TESTKEYS}/key_rsa4096.pem \
--pem_algorithm 8 \
--flags 19 \
--externalsigner ${SIGNER}
# verify it
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock4 \
--signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk
# new way
${FUTILITY} sign --debug \
--pem_signpriv ${TESTKEYS}/key_rsa4096.pem \
--pem_algo 8 \
--pem_external ${SIGNER} \
--flags 19 \
${DEVKEYS}/firmware_data_key.vbpubk \
${TMP}.keyblock5
cmp ${TMP}.keyblock4 ${TMP}.keyblock5
# cleanup
rm -rf ${TMP}*
exit 0