blob: d225e5654b1fff91c148d0aeb88d34094f124927 (
plain) (
tree)
|
|
#!/bin/bash
# Copyright (C) 2016 Paul Kocialkowski <contact@paulk.fr>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
KEYBLOCK="keyblock"
VBPRIVK="vbprivk"
VBPUBK="vbpubk"
GBB_FLAGS="dev_screen_short_delay load_option_roms enable_alternate_os force_dev_switch_on force_dev_boot_usb disable_fw_rollback_check enter_triggers_tonorm force_dev_boot_legacy faft_key_overide disable_ec_software_sync default_dev_boot_lefacy disable_pd_software_sync disable_lid_shutdown dev_boot_fastboot_full_cap enable_serial"
usage() {
printf "$executable [action] [firmware image] [gbb action|vpd action] [gbb file|gbb flag|vpd file]\n" >&2
printf "\nActions:\n" >&2
printf " sign - Sign firmware image\n" >&2
printf " verify - Verify firmware image\n" >&2
printf " gbb - Google Binary Block\n" >&2
printf "\nGBB actions:\n" >&2
printf " extract - Extract GBB from firmware image to path \n" >&2
printf " replace - Replace GBB from path to firmware image\n" >&2
printf " list - List enabled GBB flags\n" >&2
printf " enable - Enable GBB flag\n" >&2
printf " disable - Disable GBB flag\n" >&2
printf "\nGBB flags:\n" >&2
for flag in $GBB_FLAGS
do
printf " $flag\n" >&2
done
printf "\nVPD actions:\n" >&2
printf " extract - Extract VPD from firmware image to path \n" >&2
printf " replace - Replace VPD from path to firmware image\n" >&2
printf "\nEnvironment variables:\n" >&2
printf " VBOOT_KEYS_PATH - Path to the vboot keys\n" >&2
printf " VBOOT_TOOLS_PATH - Path to vboot tools\n" >&2
}
sign() {
local firmware_image_path=$1
futility sign --signprivate="$VBOOT_KEYS_PATH/firmware_data_key.$VBPRIVK" --keyblock "$VBOOT_KEYS_PATH/firmware.$KEYBLOCK" --kernelkey "$VBOOT_KEYS_PATH/kernel_subkey.$VBPUBK" --infile "$firmware_image_path"
futility gbb_utility -s --recoverykey="$VBOOT_KEYS_PATH/recovery_key.$VBPUBK" --rootkey="$VBOOT_KEYS_PATH/root_key.$VBPUBK" "$firmware_image_path" "$firmware_image_path"
printf "\nSigned firmwares image $firmware_image_path\n"
}
verify() {
local firmware_image_path=$1
futility verify -k "$VBOOT_KEYS_PATH/root_key.$VBPUBK" "$firmware_image_path" || ( printf "\nBad firmware image signature!\n" >&2 && return 1 )
printf "\nVerified firmware image $firmware_image_path\n"
}
gbb() {
local firmware_image_path=$1
local gbb_action=$2
local gbb_file_path=$3
local gbb_flag=$3
local i=0
local flags
local flag
local flag_value
case $gbb_action in
"extract")
if [ -z "$gbb_file_path" ]
then
usage
exit 1
fi
futility dump_fmap -x "$firmware_image_path" "GBB:$gbb_file_path"
printf "\nExtracted GBB from $firmware_image_path to $gbb_file_path\n"
;;
"replace")
if [ -z "$gbb_file_path" ]
then
usage
exit 1
fi
futility load_fmap "$firmware_image_path" "GBB:$gbb_file_path"
printf "\nReplaced GBB from $gbb_file_path to $firmware_image_path\n"
;;
"list")
printf "GBB flags in $firmware_image_path:\n"
flags=$( gbb_flags_get "$firmware_image_path" )
for flag in $GBB_FLAGS
do
flag_value=$(( 1 << $i ))
if (( $flags & $flag_value ))
then
printf " $flag\n"
fi
i=$(( $i + 1 ))
done
;;
"enable")
if [ -z "$gbb_flag" ]
then
usage
exit 1
fi
flags=$( gbb_flags_get "$firmware_image_path" )
flag_value=$( gbb_flag_value "$gbb_flag" )
if [ -z "$flag_value" ]
then
printf "Invalid GBB flag: $gbb_flag\n" >&2
exit 1
fi
flags=$( printf "0x%x\n" $(( $flags | $flag_value )) )
gbb_flags_set "$firmware_image_path" "$flags"
printf "\nEnabled GBB flag $gbb_flag in $firmware_image_path\n"
;;
"disable")
if [ -z "$gbb_flag" ]
then
usage
exit 1
fi
flags=$( gbb_flags_get "$firmware_image_path" )
flag_value=$( gbb_flag_value "$gbb_flag" )
if [ -z "$flag_value" ]
then
printf "Invalid GBB flag: $gbb_flag\n" >&2
exit 1
fi
flags=$( printf "0x%x\n" $(( $flags & ~$flag_value )) )
gbb_flags_set "$firmware_image_path" "$flags"
printf "\nDisabled GBB flag $gbb_flag in $firmware_image_path\n"
;;
*)
usage
exit 1
;;
esac
}
gbb_flags_get() {
local firmware_image_path=$1
futility gbb_utility -g --flags "$firmware_image_path" | sed "s/^[^:]*: //g"
}
gbb_flags_set() {
local firmware_image_path=$1
local gbb_flags=$2
futility gbb_utility -s --flags="$gbb_flags" "$firmware_image_path"
}
gbb_flag_value() {
local gbb_flag=$1
local i=0
for flag in $GBB_FLAGS
do
if [ "$gbb_flag" = "$flag" ]
then
echo $(( 1 << $i ))
return
fi
i=$(( $i + 1 ))
done
}
vpd() {
local firmware_image_path=$1
local vpd_action=$2
local vpd_file_path=$3
case $vpd_action in
"extract")
futility dump_fmap -x "$firmware_image_path" "RO_VPD:$vpd_file_path"
printf "\nExtracted VPD from $firmware_image_path to $vpd_file_path\n"
;;
"replace")
futility load_fmap "$firmware_image_path" "RO_VPD:$vpd_file_path"
printf "\nReplaced VPD from $vpd_file_path to $firmware_image_path\n"
;;
*)
usage
exit 1
;;
esac
}
requirements() {
local requirement
local requirement_path
for requirement in "$@"
do
requirement_path=$( which "$requirement" || true )
if [ -z "$requirement_path" ]
then
printf "Missing requirement: $requirement\n" >&2
exit 1
fi
done
}
setup() {
root=$( realpath "$( dirname "$0" )" )
executable=$( basename "$0" )
if ! [ -z "$VBOOT_TOOLS_PATH" ]
then
PATH="$PATH:$VBOOT_TOOLS_PATH"
fi
if [ -z "$VBOOT_KEYS_PATH" ]
then
if ! [ -z "$VBOOT_TOOLS_PATH" ] && [ -d "$VBOOT_TOOLS_PATH/devkeys" ]
then
VBOOT_KEYS_PATH="$VBOOT_TOOLS_PATH/devkeys"
else
VBOOT_KEYS_PATH="/usr/share/vboot/devkeys"
fi
fi
}
cros_firmware_prepare() {
local action=$1
local firmware_image_path=$2
local gbb_action=$3
local vpd_action=$3
local gbb_file_path_flag=$4
local vpd_file_path=$4
set -e
setup "$@"
if [ -z "$action" ] || [ -z "$firmware_image_path" ]
then
usage
exit 1
fi
case $action in
"sign")
if ! [ -f "$firmware_image_path" ]
then
usage
exit 1
fi
requirements "futility"
sign "$firmware_image_path"
;;
"verify")
requirements "futility"
verify "$firmware_image_path"
;;
"gbb")
requirements "futility"
gbb "$firmware_image_path" "$gbb_action" "$gbb_file_path_flag"
;;
"vpd")
if [ -z "$vpd_file_path" ]
then
usage
exit 1
fi
requirements "futility"
vpd "$firmware_image_path" "$vpd_action" "$vpd_file_path"
;;
*)
usage
exit 1
;;
esac
}
cros_firmware_prepare "$@"
|