From f690622aeb686789e82d5d9dbc347ed7b017f6ae Mon Sep 17 00:00:00 2001 From: Tim Gover Date: Tue, 27 Sep 2022 19:30:52 +0100 Subject: [PATCH] rpi-eeprom-digest: Add an option to verify RSA signed files. --- tools/rpi-eeprom-digest | 63 ++++++++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 44 insertions(+), 19 deletions(-) diff --git a/tools/rpi-eeprom-digest b/tools/rpi-eeprom-digest index 58b4843..48d339a 100755 --- a/tools/rpi-eeprom-digest +++ b/tools/rpi-eeprom-digest @@ -57,18 +57,50 @@ The bootloader only verifies RSA signatures in signed boot mode Examples: # Generate RSA signature for the EEPROM config file. -rpi-eeprom-digest -k key.pem -i bootconf.txt -o bootconf.sig +rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig # Generate the normal sha256 hash to guard against file-system corruption rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig rpi-eeprom-digest -i vl805.bin -o vl805.sig +# To verify the signature of an existing .sig file using the public key. +# N.B The key file must be the PUBLIC key in PEM format. +rpi-eeprom-digest -k public.pem -i pieeprom.bin -v pieeprom.sig + EOF exit 0 } +writeSig() { + TMP_DIR=$(mktemp -d) + SIG_TMP="${TMP_DIR}/tmp.sig" + sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}" + + # Include the update-timestamp + echo "ts: $(date -u +%s)" >> "${OUTPUT}" + + if [ -n "${KEY}" ]; then + [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found" + "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}" + echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}" + fi +} + +verifySig() { + TMP_DIR=$(mktemp -d) + sig_file="${1}" + [ -f "${sig_file}" ] || die "Signature file ${sig_file} not found" + sig_hex="$(grep rsa2048 "${sig_file}" | cut -f 2 -d ' ')" + echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin" + + [ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}" + sha256=$(sha256sum "${IMAGE}" | awk '{print $1}') + "${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified" +} + OUTPUT="" -while getopts i:k:ho: option; do +VERIFY=0 +while getopts i:k:ho:v: option; do case "${option}" in i) IMAGE="${OPTARG}" ;; @@ -76,6 +108,9 @@ while getopts i:k:ho: option; do ;; o) OUTPUT="${OPTARG}" ;; + v) SIGNATURE="${OPTARG}" + VERIFY=1 + ;; h) usage ;; *) echo "Unknown argument \"${option}\"" @@ -84,25 +119,15 @@ while getopts i:k:ho: option; do esac done -[ -n "${IMAGE}" ] || usage -[ -n "${OUTPUT}" ] || usage - trap cleanup EXIT - checkDependencies +[ -n "${IMAGE}" ] || usage [ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found" - -TMP_DIR=$(mktemp -d) -SIG_TMP="${TMP_DIR}/tmp.sig" -sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}" - -# Include the update-timestamp -echo "ts: $(date -u +%s)" >> "${OUTPUT}" - -if [ -n "${KEY}" ]; then - [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found" - - "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}" - echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}" +if [ "${VERIFY}" = 1 ]; then + verifySig "${SIGNATURE}" +else + [ -n "${OUTPUT}" ] || usage + writeSig fi + -- libgit2 0.21.4