factory_test_tools: provide more helpful debug messages

We often see key verification errors in the factory process,
but lack detailed information about what is happening.

This CL attempts to add more messages when the verification fails, especially
for dev-signed / recovery-signed issues.

BUG=chrome-os-partner:3374
TEST=./gft_verify_keys.sh /dev/sda2 bios.bin # seeing DEV-SIGNED IMAGE warning
     ./gft_verify_keys.sh /dev/sda4 devbios.bin # seeing DEV ROOTKEY warning
     ./gft_verify_keys.sh /dev/sda2 devbios.bin # seeing DEV-SIGNED, RECOVERY, DEV-ROOTKEY warnings

Change-Id: Ic7e09e15c4a0ad7a908e4d1c114990160e85704d

R=waihong@chromium.org

Review URL: http://codereview.chromium.org/6883039
diff --git a/gft_verify_keys.sh b/gft_verify_keys.sh
index 3bdc5b0..6c6caa0 100755
--- a/gft_verify_keys.sh
+++ b/gft_verify_keys.sh
@@ -9,11 +9,16 @@
 # booting.
 #
 
+alert() {
+  echo "$*" 1>&2
+}
+
 if [ "$#" != "2" ]; then
-  echo "ERROR: Usage: $0 kernel_device main_firmware" 1>&2
+  alert "ERROR: Usage: $0 kernel_device main_firmware"
   exit 1
 fi
 
+DEVKEYS="/usr/share/vboot/devkeys"
 TMPDIR="$(mktemp -d)"
 KERN_DEV="$(readlink -f "$1")"
 FIRMWARE_IMAGE="$(readlink -f "$2")"
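Review bot: The new alert() forwards its message through `echo "$*"`, so a message whose first word is `-n` or `-e` would be swallowed as an echo option instead of printed. Every caller in this diff starts with `ERROR:` or `Command detail:`, so this is a style point rather than a live bug; `printf '%s\n' "$*" 1>&2` prints the text verbatim whatever its first word is. A one-line header such as `# Print a diagnostic message to stderr.` above the function would also help readers of the later hunks.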
@@ -26,8 +31,8 @@
   shift
   eval "$@" >_stdout 2>_stderr || result=$?
   if [ "$result" != 0 ]; then
-    echo "ERROR: Failed to $message" 1>&2
-    echo "Command detail: $@" 1>&2
+    alert "ERROR: Failed to $message"
+    alert "Command detail: $@"
     cat _stdout _stderr 1>&2
     RETURN=1
   fi
@@ -55,9 +60,22 @@
   invoke "dump kernel" dd if="$1" bs=1M count=64 of=hd_kern.blob
   invoke "extract firmware" dump_fmap -x "$2"
   invoke "get keys from firmware" \
-    gbb_utility -g --rootkey rootkey.vbpubk "$GBB"
+    gbb_utility -g --rootkey rootkey.vbpubk \
+                   --recoverykey recoverykey.vbpubk "$GBB"
   invoke "unpack rootkey" \
     vbutil_key --unpack rootkey.vbpubk
+  invoke "unpack recovery key" \
+    vbutil_key --unpack recoverykey.vbpubk
+
+  # check if rootkey is developer key. 130 is the magic number for DEV key
+  local key
+  local rootkey_hash="$(od "rootkey.vbpubk" |
+                        head -130 |
+                        md5sum |
+                        sed 's/ .*$//' 2>/dev/null || true)"
+  if [ "$rootkey_hash" = "a13642246ef93daaf75bd791446fec9b" ]; then
+    alert "ERROR: YOU ARE TRYING TO FINALIZE WITH DEV ROOTKEY."
+  fi
 
   # Verify firmware A/B with root key
   invoke "verify VBLOCK_A with FW_MAIN_A" \
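Review bot: The dev-rootkey check added after `unpack recovery key` only calls alert and leaves RETURN untouched, so a firmware image carrying the developer root key still makes this function return 0 and the caller cannot tell that an `ERROR:` was printed. If the intent is to stop finalization, add `RETURN=1` beside the alert inside the `if`; if it is only advisory, the prefix should say WARNING rather than ERROR. The detection itself hashes the first 130 lines of od's text output rather than the key bytes, so it depends on od's default output format and on the dump being at least that long; comparing the extracted key bytes directly (for example with `cmp` against a developer root key shipped under `$DEVKEYS`, if one is present there) would be less fragile, and the `|| true` on that pipeline only covers the sed stage. The enclosing function starts before this hunk, so the point at which RETURN is initialized is not visible here.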
@@ -83,6 +101,23 @@
         vbutil_kernel --verify $kern --signpubkey $key
     done
   done
+
+  if [ "$RETURN" != "0" ]; then
+    # Error encountered. Let's try if we can provide more information.
+    key="recoverykey.vbpubk"
+    vbutil_kernel --verify "$kern" --signpubkey "$key" >/dev/null 2>&1 &&
+      alert "ERROR: YOU ARE USING A RECOVERY KEY SIGNED IMAGE." ||
+      true
+    for key in recovery_key.vbpubk kernel_subkey.vbpubk; do
+      if [ -f "$DEVKEYS/$key" ]; then
+        vbutil_kernel --verify "$kern" \
+                      --signpubkey "$DEVKEYS/$key" >/dev/null 2>&1 &&
+          alert "ERROR: YOU ARE FINALIZING WITH DEV-SIGNED IMAGE ($key)." ||
+          true
+      fi
+    done
+  fi
+
   return $RETURN
 }