
#!/bin/bash
# shellcheck source=../include/dts-environment.sh
source "$DTS_ENV"
# shellcheck source=../include/dts-functions.sh
source "$DTS_FUNCS"
#######################################
# Print usage text for this script to stdout.
# Globals:   none
# Arguments: none
# Outputs:   help text, first line prefixed with the script's basename
#######################################
print_help() {
  local prog
  prog=$(basename "$0")
  cat <<EOF
${prog} [OPTION]...
Script that allows for verification whether firmware binary is signed with correct keys.
Options:
-f|--file <file> Path to firmware file for which to check key hash.
-k|--key-hash <hash> Expected key hash
-v|--verbose Enable trace output
-h|--help Print this help
EOF
}
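#######################################
# Parse command-line options.
# Globals:   rom (written), expected_hash (written)
# Arguments: the script's "$@"
# Outputs:   help text on -h / unknown option / positional argument
# Returns:   0; exits through error_exit on an invalid or missing value,
#            exits 0 after printing help
#######################################
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      -v | --verbose)
        set -x
        shift
        ;;
      -h | --help)
        print_help
        exit 0
        ;;
      -f | --file)
        # A trailing "-f" with no value would otherwise be reported as
        # "File '' doesn't exist"; name the real problem instead.
        if [ -z "$2" ]; then
          error_exit "--file argument cannot be empty"
        fi
        if [ ! -f "$2" ]; then
          error_exit "File '$2' doesn't exist"
        fi
        rom="$2"
        shift 2
        ;;
      -k | --key-hash)
        if [ -z "$2" ]; then
          error_exit "--key-hash argument cannot be empty"
        fi
        expected_hash="$2"
        shift 2
        ;;
      -*)
        print_help
        error_exit "Unknown option $1"
        ;;
      *)
        # Same helper as the unknown-option branch; print_usage is not
        # defined in this file.
        print_help
        error_exit "Script doesn't accept any positional arguments, but got $#"
        ;;
    esac
  done
}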
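expected_hash=
rom="flashdump.bin"
parse_args "$@"

# No hash on the command line: take the platform's expected hash from the
# board configuration (board_config / error_check come from the sourced
# dts-functions).
if [ -z "$expected_hash" ]; then
  board_config
  error_check "Failed to download board configuration."
  if [ -z "$INTEL_BTG_HASH" ]; then
    error_exit "Platform configuration is missing expected key hash.
The most likely reason is that there is no fusing binary for your platform."
  fi
  expected_hash="$INTEL_BTG_HASH"
fi

# Read the flash only when the firmware image is not already on disk.
if [ ! -f "$rom" ]; then
  echo "Reading flash..."
  # $FLASHROM is left unquoted as in the original; presumably it may carry
  # the command plus flags — confirm against dts-environment.sh.
  $FLASHROM -p "$PROGRAMMER_BIOS" --ifd -i bios -i me -i fd -r "${rom}" >>"$FLASHROM_LOG_FILE" 2>>"$ERR_LOG_FILE"
  error_check "Failed to read flash"
fi

echo "Extracting key manifest..."
bg-prov km-export "${rom}" km.bin 2>>"$ERR_LOG_FILE" >&2
error_check "Failed to export key manifest."

# Modulus (hex) from the km-show listing: the "Data" line within 8 lines of
# the "Key And Signature" header, 10th space-separated field, with its first
# 10 characters dropped. An empty result means the listing did not parse;
# hashing the exponent alone would only produce a confusing mismatch.
modulus=$(bg-prov km-show km.bin | grep "Key And Signature" -A 8 | grep Data | cut -d ' ' -f 10 | tail -c +11)
if [ -z "$modulus" ]; then
  error_exit "Failed to parse key modulus from key manifest."
fi
exponent=01000100
# SHA-384 over the raw bytes of modulus||exponent; sha384sum prints lowercase hex.
fw_key_hash="$(echo "$modulus$exponent" | awk '{gsub(/.{2}/,"& ")}1' | xxd -r -p | sha384sum | awk '{print $1}')"

# Exact comparison (case-insensitive on the hex digits). A grep substring /
# regex match would accept a truncated expected hash or a pattern such as
# "." as a successful verification.
if [[ "${fw_key_hash,,}" == "${expected_hash,,}" ]]; then
  echo_green "Firmware is signed with expected key hash:"
  echo_green " ${expected_hash}"
else
  echo_red "Firmware signature doesn't match expected hash:"
  echo_red " Expected: ${expected_hash}"
  echo_red " Signed : ${fw_key_hash}"
  exit 1
fi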