gooftool: Verify fingerprint signer
This patch adds a gooftool sub-command 'verify_fp_key' to verify the
running fingerprint firmware is signed with the same key used to sign
the fingerprint firmware binary in the release rootfs partition.
This new verification will be executed as part of GRT (Google Required
Test).
BUG=b:144699517
TEST=run `gooftool verify_fp_key` on dratini board
Change-Id: Id01cb0e8438dc0052ae4c9015a56b446d7dc68ea
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory/+/2343945
Reviewed-by: Yong Hong <yhong@chromium.org>
Tested-by: Philip Chen <philipchen@chromium.org>
Commit-Queue: Philip Chen <philipchen@chromium.org>
diff --git a/py/gooftool/commands.py b/py/gooftool/commands.py
index 8fee09e..3e7986c 100755
--- a/py/gooftool/commands.py
+++ b/py/gooftool/commands.py
@@ -279,6 +279,12 @@
options.ec_pubkey_path, options.ec_pubkey_hash)
+@Command('verify_fp_key')
+def VerifyFpKey(options):
+ """Verify fingerprint firmware key."""
+ return GetGooftool(options).VerifyFpKey()
+
+
@Command('verify_keys',
_release_rootfs_cmd_arg,
_firmware_path_cmd_arg)
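Review bot: The docstring on `VerifyFpKey` (`"""Verify fingerprint firmware key."""`) does not say what is compared with what, so someone running the sub-command cannot tell what a failure means. I would expand it along the lines of `"""Verify the running fingerprint firmware is signed with the same key as the fingerprint firmware in the release rootfs."""`, which is what the commit description states. Unlike the `HasFpmcu()` guard added in the second hunk, the standalone sub-command calls `GetGooftool(options).VerifyFpKey()` unconditionally. How that behaves on a device with no fingerprint MCU is not visible in this diff and deserves a sentence in the docstring.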
@@ -586,6 +592,8 @@
VerifySystemTime(options)
if options.has_ec_pubkey:
VerifyECKey(options)
+ if HasFpmcu():
+ VerifyFpKey(options)
VerifyKeys(options)
VerifyRootFs(options)
VerifyTPM(options)
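Review bot: The new check in this hunk fails open: when `HasFpmcu()` returns false, `VerifyFpKey(options)` is skipped without any trace, so a detection error would look the same as a device that legitimately has no fingerprint MCU. `HasFpmcu` is defined outside this diff, so how it decides is not visible here. If it relies on a runtime probe, consider recording the skip, e.g. `else: logging.info('No FPMCU detected, skipping fingerprint key verification.')` (assuming `logging` is already imported in commands.py), so the verification output shows the check did not run. The enclosing function begins and ends outside the hunk.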