This directory contains a reference implementation for Chrome OS
verified boot in firmware.

----------
Directory Structure
----------

The source is organized into distinct modules -

firmware/

  Contains ONLY the code required by the BIOS to validate the secure boot
  components. There shouldn't be any code in here that signs or generates
  images. BIOS should require ONLY this directory to implement secure boot.
  Refer to firmware/README for further details.

cgpt/

  Utility to read/write/modify GPT partitions. Similar to GNU parted or any
  other GPT tool, but this has support for Chrome OS extensions.

host/

  Miscellaneous functions needed by userland utilities.

futility/

  The "firmware utility" tool, used to create, sign, and validate Chrome OS
  images.

utility/

  Random other utilities, not necessarily related to verified boot as such.

tests/

  User-land tests and benchmarks that test the reference implementation.
  Please have a look at these if you'd like to understand how to use the
  reference implementation.

build/

  The output directory where the generated files will be placed, and where
  tests are run.

scripts/

  Tools and scripts used to generate and use new signing keypairs. These are
  typically used only on a secure machine.

rust/

  Rust bindings for vboot_reference. See rust/README.md for more details.

--------------------
Building and testing
--------------------

The suite can be built on the host or in the chroot environment.

Building on the host could fail if certain packages are not installed. If
there are host environment build problems due to missing .h files, try
researching what packages the files belong to and install the missing packages
before reporting a problem.


The commands are the more-or-less expected ones:

  make
  make runtests
  make install [ DESTDIR=/usr/local ]



----------
Some useful utilities:
----------

futility vbutil_key         Convert a public key into .vbpubk format
futility vbutil_keyblock    Wrap a public key inside a signature and checksum
futility sign               Sign a blob.  Supported operations include:
                            * Create a .vblock with signature info for a
                              firmware image
                            * Re-sign a firmware image
                            * Pack a vmlinuz image, bootloader and config into a
                              kernel partition
futility verify             Verify a blob such as a firmware image or a kernel
                            partition

dumpRSAPublicKey            Dump RSA Public key (from a DER-encoded X509
                            certificate) in a format suitable for use by
                            RSAVerify* functions in crypto/.



----------
Generating a signed firmware image:
----------

* Step 0: Build the tools, install them somewhere.

* Step 1: Generate RSA root and signing keys.

  The root key is always 8192 bits.

    $ openssl genrsa -F4 -out root_key.pem 8192

  The signing key can be between 1024-8192 bits.

    $ openssl genrsa -F4 -out signing_key.pem <1024|2048|4096|8192>

  Note: The -F4 option must be specified to generate RSA keys with a public
  exponent of 65535. RSA keys with 3 as a public exponent (the default)
  won't work.

* Step 2: Generate pre-processed public versions of the above keys using
          dumpRSAPublicKey. This utility expects an x509 certificate as
          input, and emits an intermediate representation for further
          processing.

    $ openssl req -batch -new -x509 -key root_key.pem -out root_key.crt
    $ openssl req -batch -new -x509 -key signing_key.pem -out signing_key.crt
    $ dumpRSAPublicKey root_key.crt > root_key.keyb
    $ dumpRSAPublicKey signing_key.crt > signing_key.keyb

************** TODO: STUFF PAST HERE IS OUT OF DATE ***************

At this point we have all the requisite keys needed to generate a signed
firmware image.
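
What "pre-processed" means for the .keyb files produced in Step 2, as an added example (not code from vboot_reference). The layout is an assumption, not spelled out in this README: a 32-bit word count, n0inv = -1/n mod 2^32, then the modulus and R^2 mod n as little-endian 32-bit words. The function names and the sample modulus are constructed for illustration.

```python
import struct

# CONSTRUCTED 64-bit odd value standing in for an RSA modulus (real keys here
# are 1024-8192 bits); it only has to be odd and a whole number of words.
SAMPLE_N = 0xC0FFEE0123456789

def _words(value, nwords):
    """Split an integer into little-endian 32-bit words."""
    return [(value >> (32 * i)) & 0xFFFFFFFF for i in range(nwords)]

def keyb_from_modulus(n):
    """Build the pre-processed form of modulus n (ASSUMED .keyb layout)."""
    bits = n.bit_length()
    if n % 2 == 0 or bits % 32:
        raise ValueError("modulus must be odd and a whole number of 32-bit words")
    nwords = bits // 32
    n0inv = (-pow(n, -1, 1 << 32)) % (1 << 32)   # -1/n mod 2^32
    rr = pow(1 << bits, 2, n)                    # R^2 mod n with R = 2^bits
    return struct.pack(f"<II{2 * nwords}I", nwords, n0inv,
                       *_words(n, nwords), *_words(rr, nwords))

def parse_keyb(blob):
    """Parse a blob and recompute both Montgomery constants from the modulus."""
    if len(blob) < 8:
        raise ValueError("truncated header")
    nwords, n0inv = struct.unpack_from("<II", blob, 0)
    if nwords == 0 or len(blob) != 8 + 8 * nwords:
        raise ValueError("length does not match word count")
    vals = struct.unpack_from(f"<{2 * nwords}I", blob, 8)
    n = sum(w << (32 * i) for i, w in enumerate(vals[:nwords]))
    rr = sum(w << (32 * i) for i, w in enumerate(vals[nwords:]))
    bits = 32 * nwords
    consistent = (n % 2 == 1 and n.bit_length() == bits
                  and (n * n0inv + 1) % (1 << 32) == 0
                  and rr == pow(1 << bits, 2, n))
    return {"bits": bits, "modulus": n, "consistent": consistent}

if __name__ == "__main__":
    blob = keyb_from_modulus(SAMPLE_N)
    print(parse_keyb(blob))
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])   # flip one bit of R^2 mod n
    print(parse_keyb(tampered)["consistent"])
```

Running the same consistency check on root_key.keyb before it is placed in firmware catches a truncated or corrupted file early.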

.pem   RSA Public/Private Key Pair
.crt   X509 Key Certificate
.keyb  Pre-processed RSA Public Key


* Step 3: Use utility/firmware_utility to generate a signed firmware blob.

$ utility/firmware_utility --generate \
  --root_key root_key.pem \
  --firmware_sign_key signing_key.pem \
  --firmware_sign_key_pub signing_key.keyb \
  --firmware_sign_algorithm <algoid> \
  --firmware_key_version 1 \
  --firmware_version 1 \
  --in <firmware blob file> \
  --out <output file>

Where <algoid> is based on the signature algorithm to use for firmware
signing. The list of <algoid> specifications can be output by running
'utility/firmware_utility' without any arguments.

Note: --firmware_key_version and --firmware_version are part of a signed
      image and are used to prevent rollbacks to older versions. For testing,
      they can just be set to valid values.


* Step 4: Verify that this image verifies.

$ utility/firmware_utility --verify \
  --in <signed firmware image> \
  --root_key_pub root_key.keyb
Verification SUCCESS.


Note: The verification function expects a pointer to the
      pre-processed public root key as input. For testing purposes,
      root_key.keyb can be stored in RW part of the firmware. For the
      final firmware, this will be a fixed public key which cannot be
      changed and must be stored in RO firmware.

----------
Generating a signed kernel image:
----------

The steps for generating a signed kernel image are similar to those for
a firmware image. Since verification is chained (RO firmware verifies
RW firmware, which verifies the kernel), only the keys change. An additional
kernel signing key must be generated. The firmware signing key generated above
is the root key equivalent for signed kernel images.