gooftool: Support verifying EC key.

Verify the EC public key to prevent finalizing an EC image that is
not properly signed. A wrong key would cause the system to fail to
boot to the recovery image. Thus, we support verifying the EC key.

The EC public key hash can be retrieved on a device by:
flashrom -p ec -r /tmp/ec.bin; futility show --type rwsig /tmp/ec.bin

TEST=gooftool verify_ec_key --ec_pubkey_hash=...
TEST=run pytest Finalize
BUG=b:66956286

Change-Id: I13de3492fdf08d7e9cf81e532a63b99c15656580
Reviewed-on: https://chromium-review.googlesource.com/778400
Commit-Ready: Yilun Lin <yllin@chromium.org>
Tested-by: Yilun Lin <yllin@chromium.org>
Reviewed-by: Yilun Lin <yllin@chromium.org>
diff --git a/py/gooftool/commands.py b/py/gooftool/commands.py
index 4190608..49ea023 100755
--- a/py/gooftool/commands.py
+++ b/py/gooftool/commands.py
@@ -156,6 +156,16 @@
     '--enforced_release_channels', nargs='*', default=None,
     help='Enforced release image channels.')
 
+_ec_pubkey_path_cmd_arg = CmdArg(
+    '--ec_pubkey_path',
+    default=None,
+    help='Path to public key in vb2 format. Verify EC key with pubkey file.')
+
+_ec_pubkey_hash_cmd_arg = CmdArg(
+    '--ec_pubkey_hash',
+    default=None,
+    help='A string for public key hash. Verify EC key with the given hash.')
+
 _release_rootfs_cmd_arg = CmdArg(
     '--release_rootfs', help='Location of release image rootfs partition.')
 
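Review bot: The help strings for `--ec_pubkey_path` and `--ec_pubkey_hash` do not say how the two options relate: whether they are alternatives, which one wins if both are passed, or what form the hash takes. The value is the reference the EC image is trusted against, so an operator should be able to tell from `--help` exactly what is compared. I would extend the hash help to something like `help='Expected EC public key hash, as printed by "futility show --type rwsig". Alternative to --ec_pubkey_path.'`, adjusted to whatever precedence the verifier (not shown in this diff) implements.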
@@ -261,6 +271,16 @@
     print '\ncomponent verification SUCCESS'
 
 
+@Command(
+    'verify_ec_key',
+    _ec_pubkey_path_cmd_arg,
+    _ec_pubkey_hash_cmd_arg)
+def VerifyECKey(options):
+  """Verify EC key."""
+  return GetGooftool(options).VerifyECKey(
+      options.ec_pubkey_path, options.ec_pubkey_hash)
+
+
 @Command('verify_keys',
          _release_rootfs_cmd_arg,
          _firmware_path_cmd_arg)
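Review bot: `VerifyECKey` forwards `options.ec_pubkey_path` and `options.ec_pubkey_hash` without checking that either was given, and both default to `None`. A bare `gooftool verify_ec_key`, and the unconditional `VerifyECKey(options)` call added to the verify sequence in a later hunk, therefore reach `Gooftool.VerifyECKey(None, None)`. That method is outside this diff; please confirm it fails, or falls back to a trusted reference, rather than returning success with nothing to compare against, since a check that passes by default would not stop a mis-signed EC image from being finalized. The one-line docstring should state that contract, e.g. `"""Verify the EC public key against --ec_pubkey_path or --ec_pubkey_hash; raises if it does not match."""`, worded to match the real behaviour.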
@@ -484,6 +504,8 @@
          _hwid_cmd_arg,
          _rma_mode_cmd_arg,
          _cros_core_cmd_arg,
+         _ec_pubkey_path_cmd_arg,
+         _ec_pubkey_hash_cmd_arg,
          _release_rootfs_cmd_arg,
          _firmware_path_cmd_arg,
          _enforced_release_channels_cmd_arg,
@@ -504,6 +526,7 @@
   VerifyDevSwitch(options)
   VerifyHWID(options)
   VerifySystemTime(options)
+  VerifyECKey(options)
   VerifyKeys(options)
   VerifyRootFs(options)
   VerifyTPM(options)
@@ -670,6 +693,8 @@
          _hwid_cmd_arg,
          _rma_mode_cmd_arg,
          _cros_core_cmd_arg,
+         _ec_pubkey_path_cmd_arg,
+         _ec_pubkey_hash_cmd_arg,
          _release_rootfs_cmd_arg,
          _firmware_path_cmd_arg,
          _enforced_release_channels_cmd_arg,