futility: return the correct size of kernel blob within partition

When modifying a kernel partition in-place, make sure we only sign enough bytes to cover the kernel blob, not the entire partition. Also added a test for that case. BUG=chromium:418647 BRANCH=none TEST=make runtests Signed-off-by: Bill Richardson <wfrichar@chromium.org> Change-Id: Id89ff3845fe5178ee13f431d99868821fcad3248 Reviewed-on: https://chromium-review.googlesource.com/233038 Reviewed-by: Randall Spangler <rspangler@chromium.org>
2026-01-11 02:15:14 +00:00 · 2014-10-06 10:33:12 -07:00
parent bd2eb59ded
commit 64ef69c48d
2 changed files with 160 additions and 43 deletions
--- a/futility/vb1_helper.c
+++ b/futility/vb1_helper.c
@@ -321,7 +321,7 @@ uint8_t *UnpackKPart(uint8_t *kpart_data, uint64_t kpart_size,

 	Debug("kernel blob is at offset 0x%" PRIx64 "\n", now);
 	g_kernel_blob_data = kpart_data + now;
-	g_kernel_blob_size = kpart_size - now;
+	g_kernel_blob_size = preamble->body_signature.data_size;

 	/* Sanity check */
 	if (g_kernel_blob_size < preamble->body_signature.data_size)
--- a/tests/futility/test_sign_kernel.sh
+++ b/tests/futility/test_sign_kernel.sh
@@ -15,14 +15,15 @@ echo "hi there" > ${TMP}.config.txt
 echo "hello boys" > ${TMP}.config2.txt
 dd if=/dev/urandom bs=512 count=1 of=${TMP}.bootloader.bin
 dd if=/dev/urandom bs=512 count=1 of=${TMP}.bootloader2.bin
+dd if=/dev/urandom bs=1M count=16 of=${TMP}.kern_partition

 # default padding
-padding=65536
+padding=49152

 try_arch () {
  local arch=$1

-  echo -n "${arch}.a " 1>&3
+  echo -n "${arch}: 1 " 1>&3

  # pack it up the old way
  ${FUTILITY} vbutil_kernel --debug \
@@ -34,17 +35,16 @@ try_arch () {
    --bootloader ${TMP}.bootloader.bin \
    --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
    --arch ${arch} \
+    --pad ${padding} \
    --kloadaddr 0x11000

  # verify the old way
  ${FUTILITY} vbutil_kernel --verify ${TMP}.blob1.${arch} \
-    --signpubkey ${DEVKEYS}/recovery_key.vbpubk
-  ${FUTILITY} vbutil_kernel2 --verify ${TMP}.blob1.${arch} \
-    --signpubkey ${DEVKEYS}/recovery_key.vbpubk --debug
+    --pad ${padding} \
+    --signpubkey ${DEVKEYS}/recovery_key.vbpubk > ${TMP}.verify1

  # pack it up the new way
-  ${FUTILITY} vbutil_kernel2 --debug \
-    --pack ${TMP}.blob2.${arch} \
+  ${FUTILITY} sign --debug \
    --keyblock ${DEVKEYS}/recovery_kernel.keyblock \
    --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \
    --version 1 \
@@ -52,44 +52,80 @@ try_arch () {
    --bootloader ${TMP}.bootloader.bin \
    --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
    --arch ${arch} \
-    --kloadaddr 0x11000
+    --pad ${padding} \
+    --kloadaddr 0x11000 \
+    --outfile ${TMP}.blob2.${arch}
+
+  ${FUTILITY} vbutil_kernel --verify ${TMP}.blob2.${arch} \
+    --pad ${padding} \
+    --signpubkey ${DEVKEYS}/recovery_key.vbpubk > ${TMP}.verify2

  # they should be identical
  cmp ${TMP}.blob1.${arch} ${TMP}.blob2.${arch}
+  diff ${TMP}.verify1 ${TMP}.verify2
+
+  echo -n "2 " 1>&3

  # repack it the old way
-  ${FUTILITY} vbutil_kernel \
+  ${FUTILITY} vbutil_kernel --debug \
    --repack ${TMP}.blob3.${arch} \
    --oldblob ${TMP}.blob1.${arch} \
    --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
    --keyblock ${DEVKEYS}/kernel.keyblock \
    --version 2 \
+    --pad ${padding} \
    --config ${TMP}.config2.txt \
    --bootloader ${TMP}.bootloader2.bin

  # verify the old way
  ${FUTILITY} vbutil_kernel --verify ${TMP}.blob3.${arch} \
-    --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk
-  ${FUTILITY} vbutil_kernel2 --verify ${TMP}.blob3.${arch} \
-    --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk
+    --pad ${padding} \
+    --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify3

  # repack it the new way
-  ${FUTILITY} vbutil_kernel2 \
-    --repack ${TMP}.blob4.${arch} \
-    --oldblob ${TMP}.blob2.${arch} \
+  ${FUTILITY} sign --debug \
    --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
    --keyblock ${DEVKEYS}/kernel.keyblock \
    --version 2 \
+    --pad ${padding} \
    --config ${TMP}.config2.txt \
-    --bootloader ${TMP}.bootloader2.bin
+    --bootloader ${TMP}.bootloader2.bin \
+    ${TMP}.blob2.${arch} \
+    ${TMP}.blob4.${arch}
+
+  ${FUTILITY} vbutil_kernel --verify ${TMP}.blob4.${arch} \
+    --pad ${padding} \
+    --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify4

  # they should be identical
  cmp ${TMP}.blob3.${arch} ${TMP}.blob4.${arch}
+  diff ${TMP}.verify3 ${TMP}.verify4
+
+  echo -n "3 " 1>&3
+
+  # repack it the new way, in-place
+  cp ${TMP}.blob2.${arch} ${TMP}.blob5.${arch}
+  ${FUTILITY} sign --debug \
+    --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
+    --keyblock ${DEVKEYS}/kernel.keyblock \
+    --version 2 \
+    --pad ${padding} \
+    --config ${TMP}.config2.txt \
+    --bootloader ${TMP}.bootloader2.bin \
+    ${TMP}.blob5.${arch}
+
+  ${FUTILITY} vbutil_kernel --verify ${TMP}.blob5.${arch} \
+    --pad ${padding} \
+    --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify5
+
+  # they should be identical
+  cmp ${TMP}.blob3.${arch} ${TMP}.blob5.${arch}
+  diff ${TMP}.verify3 ${TMP}.verify5

  # and now just the vblocks...
-  echo -n "${arch}.v " 1>&3
+  echo -n "4 " 1>&3

-  dd bs=${padding} count=1 if=${TMP}.blob1.${arch} of=${TMP}.blob1.${arch}.vb0
+  # pack the old way
  ${FUTILITY} vbutil_kernel \
    --pack ${TMP}.blob1.${arch}.vb1 \
    --vblockonly \
@@ -100,13 +136,15 @@ try_arch () {
    --bootloader ${TMP}.bootloader.bin \
    --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
    --arch ${arch} \
+    --pad ${padding} \
    --kloadaddr 0x11000
+
+  # compare this new vblock with the one from the full pack
+  dd bs=${padding} count=1 if=${TMP}.blob1.${arch} of=${TMP}.blob1.${arch}.vb0
  cmp ${TMP}.blob1.${arch}.vb0 ${TMP}.blob1.${arch}.vb1

-  dd bs=${padding} count=1 if=${TMP}.blob2.${arch} of=${TMP}.blob2.${arch}.vb0
-  ${FUTILITY} vbutil_kernel2 \
-    --pack ${TMP}.blob2.${arch}.vb1 \
-    --vblockonly \
+  # pack the new way
+  ${FUTILITY} sign --debug \
    --keyblock ${DEVKEYS}/recovery_kernel.keyblock \
    --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \
    --version 1 \
@@ -114,10 +152,18 @@ try_arch () {
    --bootloader ${TMP}.bootloader.bin \
    --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
    --arch ${arch} \
-    --kloadaddr 0x11000
+    --pad ${padding} \
+    --kloadaddr 0x11000 \
+    --vblockonly \
+    ${TMP}.blob2.${arch}.vb1
+
+  # compare this new vblock with the one from the full pack
+  dd bs=${padding} count=1 if=${TMP}.blob2.${arch} of=${TMP}.blob2.${arch}.vb0
  cmp ${TMP}.blob2.${arch}.vb0 ${TMP}.blob2.${arch}.vb1

-  dd bs=${padding} count=1 if=${TMP}.blob3.${arch} of=${TMP}.blob3.${arch}.vb0
+  echo -n "5 " 1>&3
+
+  # now repack the old way, again emitting just the vblock
  ${FUTILITY} vbutil_kernel \
    --repack ${TMP}.blob3.${arch}.vb1 \
    --vblockonly \
@@ -125,39 +171,110 @@ try_arch () {
    --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
    --keyblock ${DEVKEYS}/kernel.keyblock \
    --version 2 \
+    --pad ${padding} \
    --config ${TMP}.config2.txt \
    --bootloader ${TMP}.bootloader2.bin
+
+  # compare the full repacked vblock with the new repacked vblock
+  dd bs=${padding} count=1 if=${TMP}.blob3.${arch} of=${TMP}.blob3.${arch}.vb0
  cmp ${TMP}.blob3.${arch}.vb0 ${TMP}.blob3.${arch}.vb1

-  dd bs=${padding} count=1 if=${TMP}.blob4.${arch} of=${TMP}.blob4.${arch}.vb0
-  ${FUTILITY} vbutil_kernel2 \
-    --repack ${TMP}.blob4.${arch}.vb1 \
-    --vblockonly \
-    --oldblob ${TMP}.blob2.${arch} \
+  # extract just the kernel blob
+  dd bs=${padding} skip=1 if=${TMP}.blob3.${arch} of=${TMP}.blob3.${arch}.kb0
+  # and verify it using the new vblock (no way to do that with vbutil_kernel)
+  ${FUTILITY} verify --debug \
+    --pad ${padding} \
+    --publickey ${DEVKEYS}/kernel_subkey.vbpubk \
+    --fv ${TMP}.blob3.${arch}.kb0 \
+    ${TMP}.blob3.${arch}.vb1 > ${TMP}.verify3v
+
+  # repack the new way
+  ${FUTILITY} sign --debug \
    --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
    --keyblock ${DEVKEYS}/kernel.keyblock \
    --version 2 \
    --config ${TMP}.config2.txt \
-    --bootloader ${TMP}.bootloader2.bin
+    --bootloader ${TMP}.bootloader2.bin \
+    --pad ${padding} \
+    --vblockonly \
+    ${TMP}.blob2.${arch} \
+    ${TMP}.blob4.${arch}.vb1 \
+
+  # compare the full repacked vblock with the new repacked vblock
+  dd bs=${padding} count=1 if=${TMP}.blob4.${arch} of=${TMP}.blob4.${arch}.vb0
  cmp ${TMP}.blob4.${arch}.vb0 ${TMP}.blob4.${arch}.vb1

+  # extract just the kernel blob
+  dd bs=${padding} skip=1 if=${TMP}.blob4.${arch} of=${TMP}.blob4.${arch}.kb0
+  # and verify it using the new vblock (no way to do that with vbutil_kernel)
+  ${FUTILITY} verify --debug \
+    --pad ${padding} \
+    --publickey ${DEVKEYS}/kernel_subkey.vbpubk \
+    --fv ${TMP}.blob4.${arch}.kb0 \
+    ${TMP}.blob4.${arch}.vb1 > ${TMP}.verify4v
+
+
+  echo -n "6 " 1>&3
+
+  # Now lets repack some kernel partitions, not just blobs.
+  cp ${TMP}.kern_partition ${TMP}.part1.${arch}
+  dd if=${TMP}.blob1.${arch} of=${TMP}.part1.${arch} conv=notrunc
+
+  # Make sure the partitions verify
+  ${FUTILITY} vbutil_kernel --verify ${TMP}.part1.${arch} \
+    --pad ${padding} \
+    --signpubkey ${DEVKEYS}/recovery_key.vbpubk > ${TMP}.verify6
+
+  # The partition should verify the same way as the blob
+  diff ${TMP}.verify1 ${TMP}.verify6
+
+  # repack it the old way
+  ${FUTILITY} vbutil_kernel --debug \
+    --repack ${TMP}.part6.${arch} \
+    --oldblob ${TMP}.part1.${arch} \
+    --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
+    --keyblock ${DEVKEYS}/kernel.keyblock \
+    --version 2 \
+    --pad ${padding} \
+    --config ${TMP}.config2.txt \
+    --bootloader ${TMP}.bootloader2.bin
+
+  # verify the old way
+  ${FUTILITY} vbutil_kernel --verify ${TMP}.part6.${arch} \
+    --pad ${padding} \
+    --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify6.old
+
+  # this "partition" should actually be the same as the old-way blob
+  cmp ${TMP}.blob3.${arch} ${TMP}.part6.${arch}
+
+  # repack it the new way, in-place
+  cp ${TMP}.part1.${arch} ${TMP}.part6.${arch}.new1
+  ${FUTILITY} sign --debug \
+    --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
+    --keyblock ${DEVKEYS}/kernel.keyblock \
+    --version 2 \
+    --pad ${padding} \
+    --config ${TMP}.config2.txt \
+    --bootloader ${TMP}.bootloader2.bin \
+    ${TMP}.part6.${arch}.new1
+
+  ${FUTILITY} vbutil_kernel --verify ${TMP}.part6.${arch}.new1 \
+    --pad ${padding} \
+    --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify6.new1
+
+  # The verification should be indentical
+  diff ${TMP}.verify6.old ${TMP}.verify6.new1
+  # But the content should only match up to the size of the kernel blob, since
+  # we're modifying an entire partition in-place.
+  blobsize=$(stat -c '%s' ${TMP}.part6.${arch})
+  cmp -n ${blobsize} ${TMP}.part6.${arch} ${TMP}.part6.${arch}.new1
+  # The rest of the partition should be unchanged.
+  cmp -i ${blobsize} ${TMP}.part1.${arch} ${TMP}.part6.${arch}.new1

  # Note: We specifically do not test repacking with a different --kloadaddr,
  # because the old way has a bug and does not update params->cmd_line_ptr to
  # point at the new on-disk location. Apparently (and not surprisingly), no
  # one has ever done that.
-
-#HEY  # pack it up the new way
-#HEY  ${FUTILITY} sign --debug \
-#HEY    --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
-#HEY    --config ${TMP}.config.txt \
-#HEY    --bootloader ${TMP}.bootloader.bin \
-#HEY    --arch ${arch} \
-#HEY    --keyblock ${DEVKEYS}/recovery_kernel.keyblock \
-#HEY    --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \
-#HEY    --version 1 \
-#HEY    --outfile ${TMP}.blob2.${arch}
-
 }

 try_arch amd64