mirror of
https://github.com/Telecominfraproject/OpenCellular.git
synced 2025-11-24 02:05:01 +00:00
bd52fc793a
The kernel_config is now stored as a 4K binary block instead of the kconfig_options structure that was being used before. Since the verified boot code doesn't care what kernel config options are (other than the length of the kernel image and for verifying them before the rest of kernel), it is ok to keep them as a blackbox. This CL also changes the verified boot kernel layout - VBlock Data followed by Kernel Config followed by the Kernel Image. This will allow them to be stored separately, or as a concatenated block (for easy memory mapping during kernel load). This should ease the process of generating a layout for verified boot kernel images which is also compatible with legacy BIOSes that don't support this mechanism. Finally, there is also a new firmware API function to determine the size of a kernel verified boot block, given a pointer to its beginning (for determining the offset to the kernel config and data). Review URL: http://codereview.chromium.org/1732022
141 lines
4.8 KiB
C
141 lines
4.8 KiB
C
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
* found in the LICENSE file.
|
|
*
|
|
* Tests for kernel image library.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
|
|
#include "cryptolib.h"
|
|
#include "file_keys.h"
|
|
#include "kernel_image.h"
|
|
#include "test_common.h"
|
|
#include "utility.h"
|
|
|
|
/* Normal Kernel Blob Verification Tests. */
|
|
void VerifyKernelTest(uint8_t* kernel_blob, uint8_t* firmware_key_blob) {
|
|
TEST_EQ(VerifyKernel(firmware_key_blob, kernel_blob, DEV_MODE_ENABLED),
|
|
VERIFY_KERNEL_SUCCESS,
|
|
"Normal Kernel Blob Verification (Dev Mode)");
|
|
|
|
TEST_EQ(VerifyKernel(firmware_key_blob, kernel_blob, DEV_MODE_DISABLED),
|
|
VERIFY_KERNEL_SUCCESS,
|
|
"Normal Kernel Blob Verification (Trusted)");
|
|
}
|
|
|
|
|
|
/* Normal KernelImage Verification Tests. */
|
|
void VerifyKernelImageTest(KernelImage* image,
|
|
RSAPublicKey* firmware_key) {
|
|
TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_ENABLED),
|
|
VERIFY_KERNEL_SUCCESS,
|
|
"Normal KernelImage Verification (Dev Mode)");
|
|
TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_DISABLED),
|
|
VERIFY_KERNEL_SUCCESS,
|
|
"Normal KernelImage Verification (Trusted)");
|
|
}
|
|
|
|
/* Tampered KernelImage Verification Tests. */
|
|
void VerifyKernelImageTamperTest(KernelImage* image,
|
|
RSAPublicKey* firmware_key) {
|
|
image->kernel_config[0] ^= 0xFF;
|
|
TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_ENABLED),
|
|
VERIFY_KERNEL_CONFIG_SIGNATURE_FAILED,
|
|
"KernelImage Config Tamper Verification (Dev Mode)");
|
|
TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_DISABLED),
|
|
VERIFY_KERNEL_CONFIG_SIGNATURE_FAILED,
|
|
"KernelImage Config Tamper Verification (Trusted)");
|
|
image->kernel_config[0] ^= 0xFF;
|
|
|
|
image->kernel_data[0] = 'T';
|
|
TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_ENABLED),
|
|
VERIFY_KERNEL_SIGNATURE_FAILED,
|
|
"KernelImage Tamper Verification (Dev Mode)");
|
|
TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_DISABLED),
|
|
VERIFY_KERNEL_SIGNATURE_FAILED,
|
|
"KernelImage Tamper Verification (Trusted)");
|
|
image->kernel_data[0] = 'K';
|
|
|
|
image->kernel_key_signature[0] = 0xFF;
|
|
image->kernel_key_signature[1] = 0x00;
|
|
TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_ENABLED),
|
|
VERIFY_KERNEL_SUCCESS,
|
|
"KernelImage Key Signature Tamper Verification (Dev Mode)");
|
|
TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_DISABLED),
|
|
VERIFY_KERNEL_KEY_SIGNATURE_FAILED,
|
|
"KernelImage Key Signature Tamper Verification (Trusted)");
|
|
}
|
|
|
|
int main(int argc, char* argv[]) {
|
|
uint64_t len;
|
|
const char* firmware_key_file = NULL;
|
|
const char* kernel_key_file = NULL;
|
|
uint8_t* kernel_sign_key_buf = NULL;
|
|
uint8_t* firmware_key_blob = NULL;
|
|
uint8_t* kernel_blob = NULL;
|
|
uint64_t kernel_blob_len = 0;
|
|
KernelImage* image = NULL;
|
|
RSAPublicKey* firmware_key = NULL;
|
|
int error_code = 0;
|
|
|
|
if(argc != 7) {
|
|
fprintf(stderr, "Usage: %s <firmware signing algorithm> " /* argv[1] */
|
|
"<kernel signing algorithm> " /* argv[2] */
|
|
"<firmware key> " /* argv[3] */
|
|
"<processed firmware pubkey> " /* argv[4] */
|
|
"<kernel signing key> " /* argv[5] */
|
|
"<processed kernel signing key>\n", /* argv[6] */
|
|
argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
/* Read verification keys and create a test image. */
|
|
firmware_key = RSAPublicKeyFromFile(argv[4]);
|
|
firmware_key_blob = BufferFromFile(argv[4], &len);
|
|
kernel_sign_key_buf = BufferFromFile(argv[6], &len);
|
|
firmware_key_file = argv[3];
|
|
kernel_key_file = argv[5];
|
|
|
|
if (!firmware_key || !kernel_sign_key_buf || !kernel_sign_key_buf) {
|
|
error_code = 1;
|
|
goto failure;
|
|
}
|
|
|
|
image = GenerateTestKernelImage(atoi(argv[1]),
|
|
atoi(argv[2]),
|
|
kernel_sign_key_buf,
|
|
1, /* Kernel Key Version */
|
|
1, /* Kernel Version */
|
|
1000, /* Kernel Size */
|
|
firmware_key_file,
|
|
kernel_key_file,
|
|
'K');
|
|
if (!image) {
|
|
error_code = 1;
|
|
goto failure;
|
|
}
|
|
|
|
kernel_blob = GetKernelBlob(image, &kernel_blob_len);
|
|
|
|
/* Test Kernel blob verify operations. */
|
|
VerifyKernelTest(kernel_blob, firmware_key_blob);
|
|
|
|
/* Test KernelImage verify operations. */
|
|
VerifyKernelImageTest(image, firmware_key);
|
|
VerifyKernelImageTamperTest(image, firmware_key);
|
|
|
|
if (!gTestSuccess)
|
|
error_code = 255;
|
|
|
|
failure:
|
|
Free(kernel_blob);
|
|
KernelImageFree(image);
|
|
Free(kernel_sign_key_buf);
|
|
Free(firmware_key_blob);
|
|
RSAPublicKeyFree(firmware_key);
|
|
|
|
return error_code;
|
|
}
|