#!/bin/bash
# Copyright 2018 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# The helpers this script relies on (error, warn, die, make_temp_dir) and
# $PROG are not defined here; they are expected to come from common.sh next to
# this script.
. "$(dirname "$0")/common.sh"

# Abort on the first unhandled failing command.  The sbverify calls in main()
# decide explicitly whether a failure is fatal (die) or only a warning (warn).
set -e
#######################################
# Print the usage text on stdout and exit.
# Globals:   PROG (read) - script name shown in the usage line
# Arguments: optional error message; when given it is reported via error()
#            and the exit status is 1, otherwise the script exits 0
#######################################
usage() {
  cat <<EOF
Usage: $PROG /path/to/target/dir /path/to/esp/dir /path/to/uefi/keys/dir

Verify signatures of UEFI binaries in the target directory.
EOF
  # No message means a plain help request, not a usage error.
  if (( $# == 0 )); then
    exit 0
  fi
  error "$*"
  exit 1
}
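#######################################
# Verify the Secure Boot signatures of the UEFI binaries in a target directory.
#
# Every bootloader under <target>/efi/boot/*.efi must verify with sbverify
# against BOTH the db certificate from the UEFI keys dir and the db
# certificate installed in the ESP (EFI/Google/GSetup/db/db.der); a failure
# there is fatal.  The syslinux kernels (<target>/syslinux/vmlinuz.?) and
# <target>/vmlinuz are checked against the same two certificates but only
# produce a warning on failure.
# Globals:   none
# Arguments:
#   $1 - target directory containing efi/boot, syslinux and vmlinuz
#   $2 - ESP directory containing EFI/Google/GSetup
#   $3 - UEFI keys directory containing db/db.pem
# Outputs:   sbverify output; warnings via warn()
# Returns:   exits non-zero (via usage/die) on bad arguments, missing
#            sbverify, missing PK/DB cert, a failed PEM conversion, or a
#            bootloader signature that does not verify
#######################################
main() {
  local target_dir="$1"
  local esp_dir="$2"
  local key_dir="$3"

  if [[ $# -ne 3 ]]; then
    usage "command takes exactly 3 args"
  fi

  if ! type -P sbverify &>/dev/null; then
    die "Cannot verify UEFI signatures (sbverify not found)."
  fi

  local bootloader_dir="${target_dir}/efi/boot"
  local syslinux_dir="${target_dir}/syslinux"
  local kernel_dir="${target_dir}"
  local gsetup_dir="${esp_dir}/EFI/Google/GSetup"

  # The PK only has to be present; verification below uses the db cert.
  if [[ ! -f "${gsetup_dir}/pk/pk.der" ]]; then
    die "No PK cert"
  fi

  local db_cert_der="${gsetup_dir}/db/db.der"
  if [[ ! -f "${db_cert_der}" ]]; then
    die "No DB cert"
  fi

  local cert="${key_dir}/db/db.pem"

  # Keep the declaration separate from the substitution: 'local x=$(cmd)'
  # masks the exit status of cmd, so a failing make_temp_dir would go
  # unnoticed and gsetup_cert would end up at "/cert.pem".
  local working_dir
  working_dir="$(make_temp_dir)" || die "Cannot create temporary directory."
  local gsetup_cert="${working_dir}/cert.pem"
  # The ESP ships the db cert as DER; sbverify --cert takes PEM.
  openssl x509 -in "${db_cert_der}" -inform DER \
      -out "${gsetup_cert}" -outform PEM ||
      die "Cannot convert ${db_cert_der} to PEM."

  local efi_file
  local efi_count=0
  for efi_file in "${bootloader_dir}"/*.efi; do
    # Without nullglob an unmatched pattern is returned literally; skip it.
    if [[ ! -f "${efi_file}" ]]; then
      continue
    fi
    efi_count=$((efi_count + 1))
    sbverify --cert "${cert}" "${efi_file}" ||
        die "Verification failed. file:${efi_file} cert:${cert}"
    sbverify --cert "${gsetup_cert}" "${efi_file}" ||
        die "Verification failed. file:${efi_file} cert:${gsetup_cert}"
  done
  # An empty bootloader directory would otherwise pass with nothing checked;
  # make that visible without changing the exit status.
  if [[ ${efi_count} -eq 0 ]]; then
    warn "No UEFI bootloaders found in ${bootloader_dir}; nothing verified."
  fi

  local syslinux_kernel_file
  for syslinux_kernel_file in "${syslinux_dir}"/vmlinuz.?; do
    if [[ ! -f "${syslinux_kernel_file}" ]]; then
      continue
    fi
    sbverify --cert "${cert}" "${syslinux_kernel_file}" ||
        warn "Verification failed. file:${syslinux_kernel_file} cert:${cert}"
    sbverify --cert "${gsetup_cert}" "${syslinux_kernel_file}" ||
        warn "Verification failed. file:${syslinux_kernel_file}" \
            "cert:${gsetup_cert}"
  done

  # Resolve symlinks so sbverify operates on the real file.  When readlink
  # fails (a path component is missing) kernel_file stays empty and the -f
  # test below skips the check, as before; do not let set -e abort here.
  local kernel_file
  kernel_file="$(readlink -f "${kernel_dir}/vmlinuz")" || kernel_file=""
  if [[ -f "${kernel_file}" ]]; then
    sbverify --cert "${cert}" "${kernel_file}" ||
        warn "Verification failed: file:${kernel_file} cert:${cert}"
    sbverify --cert "${gsetup_cert}" "${kernel_file}" ||
        warn "Verification failed: file:${kernel_file} cert:${gsetup_cert}"
  fi
}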
# Entry point: forward all arguments unchanged to main().
main "$@"