drinkcat · August 29, 2015 13:59 · tedm · Apr 16, 2014
diff --git a/testsig.sh b/testsig.sh
 verifykernelsig() {
    dev_debug_vboot -c -i "`rootdev -s -d`" | tee /tmp/dev_debug_vboot
    echo "Checking output:"
    cat /tmp/dev_debug_vboot | mawk '
        !/^  / {
            label = ""
        }
        /^Kernel / {
            sub(/:$/, "", $2)
            ( "blkid -o value -s PARTLABEL " $2) | getline label
            # Ignore kernel C, or any kernel whose header is not valid
            if (label == "KERN-C" || $3 != "OK") {
                label = ""
            }
        }
        label && /^  Verify / && $4 ~ /^kern_subkey_[AB].vbpubk:$/ {
            if ($5 == "OK") {
                okkernel[label] = 1
            }
        }
        
        END {
            if (okkernel["KERN-A"] && okkernel["KERN-B"]) {
                print "Both Kernel A or Kernel B are verified."
                exit 0
            } else {
                print "Either Kernel A or Kernel B is not verified."
                exit 1
            }
        }
    '
    return $?
 }

 if verifykernelsig; then
    echo "RESULT: signed_boot can be enabled safely."
 else
    echo "RESULT: signed_boot must be kept disabled."
 fi
diff --git a/z_output_daisy_signed b/z_output_daisy_signed
 sudo sh -e testsig.sh 
 Saving verbose log as /tmp/debug_vboot_vK2xkrKGi/noisy.log
 Extracting BIOS components...
 Pulling root and recovery keys from GBB...
 Verify firmware A with root key: OK
  TPM=0x00010003, this=0x00010003
 Verify firmware B with root key: OK
  TPM=0x00010003, this=0x00010003
 Examining kernels...
 Kernel /dev/mmcblk0p2: OK
  Verify /dev/mmcblk0p2 with kern_subkey_A.vbpubk: OK
    TPM=0x00030001 this=0x00030001
  Verify /dev/mmcblk0p2 with kern_subkey_B.vbpubk: OK
    TPM=0x00030001 this=0x00030001
  Verify /dev/mmcblk0p2 with recoverykey.vbpubk: FAILED
 Kernel /dev/mmcblk0p4: OK
  Verify /dev/mmcblk0p4 with kern_subkey_A.vbpubk: OK
    TPM=0x00030001 this=0x00030001
  Verify /dev/mmcblk0p4 with kern_subkey_B.vbpubk: OK
    TPM=0x00030001 this=0x00030001
  Verify /dev/mmcblk0p4 with recoverykey.vbpubk: FAILED
 Kernel /dev/mmcblk0p6: FAILED
 Checking output:
 Both Kernel A or Kernel B are verified.
 RESULT: signed_boot can be enabled safely.
diff --git a/z_output_signed_peppy.txt b/z_output_signed_peppy.txt
 Output on a signed peppy:
 sudo sh -e testsig.sh
 Saving verbose log as /tmp/debug_vboot_Hvv8qTy2F/noisy.log
 Extracting BIOS components...
 Pulling root and recovery keys from GBB...
 Verify firmware A with root key: OK
  TPM=0x00010002, this=0x00010002
 Verify firmware B with root key: OK
  TPM=0x00010002, this=0x00010002
 Examining kernels...
 Kernel /dev/sda2: OK
  Verify /dev/sda2 with kern_subkey_A.vbpubk: OK
    TPM=0x00020001 this=0x00020001
  Verify /dev/sda2 with kern_subkey_B.vbpubk: OK
    TPM=0x00020001 this=0x00020001
  Verify /dev/sda2 with recoverykey.vbpubk: FAILED
 Kernel /dev/sda4: OK
  Verify /dev/sda4 with kern_subkey_A.vbpubk: OK
    TPM=0x00020001 this=0x00020001
  Verify /dev/sda4 with kern_subkey_B.vbpubk: OK
    TPM=0x00020001 this=0x00020001
  Verify /dev/sda4 with recoverykey.vbpubk: FAILED
 Kernel /dev/sda6: FAILED
 Checking output:
 Both Kernel A or Kernel B are verified.
 RESULT: signed_boot can be enabled safely.
diff --git a/z_output_unsigned_qemu.txt b/z_output_unsigned_qemu.txt
 Output on a non-signed QEMU (no firmware, so no keys are extracted):
 sudo sh -e testsig.sh 
 Saving verbose log as /tmp/debug_vboot_GFsNM1db4/noisy.log
 Extracting BIOS components...
  ...individually...
 Checking output:
 Either Kernel A or Kernel B is not verified.
 RESULT: signed_boot must be kept disabled.
	verifykernelsig() {
	dev_debug_vboot -c -i "`rootdev -s -d`" \| tee /tmp/dev_debug_vboot
	echo "Checking output:"
	cat /tmp/dev_debug_vboot \| mawk '
	!/^ / {
	label = ""
	}
	/^Kernel / {
	sub(/:$/, "", $2)
	( "blkid -o value -s PARTLABEL " $2) \| getline label
	# Ignore kernel C, or any kernel whose header is not valid
	if (label == "KERN-C" \|\| $3 != "OK") {
	label = ""
	}
	}
	label && /^ Verify / && $4 ~ /^kern_subkey_[AB].vbpubk:$/ {
	if ($5 == "OK") {
	okkernel[label] = 1
	}
	}

	END {
	if (okkernel["KERN-A"] && okkernel["KERN-B"]) {
	print "Both Kernel A or Kernel B are verified."
	exit 0
	} else {
	print "Either Kernel A or Kernel B is not verified."
	exit 1
	}
	}
	'
	return $?
	}

	if verifykernelsig; then
	echo "RESULT: signed_boot can be enabled safely."
	else
	echo "RESULT: signed_boot must be kept disabled."
	fi
	sudo sh -e testsig.sh
	Saving verbose log as /tmp/debug_vboot_vK2xkrKGi/noisy.log
	Extracting BIOS components...
	Pulling root and recovery keys from GBB...
	Verify firmware A with root key: OK
	TPM=0x00010003, this=0x00010003
	Verify firmware B with root key: OK
	TPM=0x00010003, this=0x00010003
	Examining kernels...
	Kernel /dev/mmcblk0p2: OK
	Verify /dev/mmcblk0p2 with kern_subkey_A.vbpubk: OK
	TPM=0x00030001 this=0x00030001
	Verify /dev/mmcblk0p2 with kern_subkey_B.vbpubk: OK
	TPM=0x00030001 this=0x00030001
	Verify /dev/mmcblk0p2 with recoverykey.vbpubk: FAILED
	Kernel /dev/mmcblk0p4: OK
	Verify /dev/mmcblk0p4 with kern_subkey_A.vbpubk: OK
	TPM=0x00030001 this=0x00030001
	Verify /dev/mmcblk0p4 with kern_subkey_B.vbpubk: OK
	TPM=0x00030001 this=0x00030001
	Verify /dev/mmcblk0p4 with recoverykey.vbpubk: FAILED
	Kernel /dev/mmcblk0p6: FAILED
	Checking output:
	Both Kernel A or Kernel B are verified.
	RESULT: signed_boot can be enabled safely.
	Output on a signed peppy:
	sudo sh -e testsig.sh
	Saving verbose log as /tmp/debug_vboot_Hvv8qTy2F/noisy.log
	Extracting BIOS components...
	Pulling root and recovery keys from GBB...
	Verify firmware A with root key: OK
	TPM=0x00010002, this=0x00010002
	Verify firmware B with root key: OK
	TPM=0x00010002, this=0x00010002
	Examining kernels...
	Kernel /dev/sda2: OK
	Verify /dev/sda2 with kern_subkey_A.vbpubk: OK
	TPM=0x00020001 this=0x00020001
	Verify /dev/sda2 with kern_subkey_B.vbpubk: OK
	TPM=0x00020001 this=0x00020001
	Verify /dev/sda2 with recoverykey.vbpubk: FAILED
	Kernel /dev/sda4: OK
	Verify /dev/sda4 with kern_subkey_A.vbpubk: OK
	TPM=0x00020001 this=0x00020001
	Verify /dev/sda4 with kern_subkey_B.vbpubk: OK
	TPM=0x00020001 this=0x00020001
	Verify /dev/sda4 with recoverykey.vbpubk: FAILED
	Kernel /dev/sda6: FAILED
	Checking output:
	Both Kernel A or Kernel B are verified.
	RESULT: signed_boot can be enabled safely.
	Output on a non-signed QEMU (no firmware, so no keys are extracted):
	sudo sh -e testsig.sh
	Saving verbose log as /tmp/debug_vboot_GFsNM1db4/noisy.log
	Extracting BIOS components...
	...individually...
	Checking output:
	Either Kernel A or Kernel B is not verified.
	RESULT: signed_boot must be kept disabled.