xref: /OK3568_Linux_fs/tools/linux/Linux_SecurityAVB/avb_user_tool.sh (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1#!/bin/bash
2
3set -e
4
5KEYS=avb_keys
6PRODUCT_ID=0123456789ABCDE
7SCRIPTS=scripts
8OUT=out
9
10usage()
11{
12	echo "$0 [ -n/f/s/d/l/u/h or --su_pswd]"
13	echo "	n	< Product id > #16 bytes"
14	echo "		Generate new AVB keys"
15	echo "	f	< /path/to/secureboot/private/key >"
16	echo "		Config efuse device"
17	echo "		Must generated keys [-n] firstly"
18	echo "	s	Sign file"
19	echo "		[ -b < /path/to/boot.img > ]: Sign boot.img"
20	echo "		[ -r < /path/to/recovery.img > ]: Sign recovery.img"
21	echo "	d	Download permanent_attributes.bin to OTP or RPMB"
22	echo "	l	Lock device"
23	echo "	u	Unlock device"
24	echo "	h	Show this context"
25	echo "	--su_pswd	Set super user password for fastboot"
26}
27
28Generate_keys()
29{
30	# generate config file
31	touch $KEYS/temp.bin
32	echo -n $PRODUCT_ID > $KEYS/product_id.bin
33	# generate test keys
34	openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out $KEYS/testkey_prk.pem
35	openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out $KEYS/testkey_psk.pem
36	openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out $KEYS/testkey_pik.pem
37	openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out $KEYS/testkey_puk.pem
38
39	# generate certificate.bin and metadata
40	python $SCRIPTS/avbtool make_atx_certificate --output=avb_keys/pik_certificate.bin --subject=avb_keys/temp.bin --subject_key=avb_keys/testkey_pik.pem --subject_is_intermediate_authority --subject_key_version 42 --authority_key=avb_keys/testkey_prk.pem
41	python $SCRIPTS/avbtool make_atx_certificate --output=avb_keys/psk_certificate.bin --subject=avb_keys/product_id.bin --subject_key=avb_keys/testkey_psk.pem --subject_key_version 42 --authority_key=avb_keys/testkey_pik.pem
42	python $SCRIPTS/avbtool make_atx_certificate --output=avb_keys/puk_certificate.bin --subject=avb_keys/product_id.bin --subject_key=avb_keys/testkey_puk.pem --usage=com.google.android.things.vboot.unlock --subject_key_version 42 --authority_key=avb_keys/testkey_pik.pem
43	python $SCRIPTS/avbtool make_atx_metadata --output=avb_keys/metadata.bin --intermediate_key_certificate=avb_keys/pik_certificate.bin --product_key_certificate=avb_keys/psk_certificate.bin
44
45	# Generate permanent_attributes.bin
46	python $SCRIPTS/avbtool make_atx_permanent_attributes --output=avb_keys/permanent_attributes.bin --product_id=avb_keys/product_id.bin --root_authority_key=avb_keys/testkey_prk.pem
47	echo "Generate AVB Keys Done!!!"
48}
49
50signed_image()
51{
52	IMAGE=$1
53	echo "Sign ${IMAGE}"
54	SIZE=`ls $OUT/${IMAGE}.img -l | awk '{printf $5}'`
55	echo "image size is ${SIZE}"
56	# At least 68K greater than origin file
57	# Source code (scripts/avbtool)
58	# reserve some memory for (footer + vbmeta struct)
59	# - MAX_VBMETA_SIZE = 64 * 1024
60	# - MAX_FOOTER_SIZE = 4096
61	SIZE=$[(SIZE / 4096 + 18) * 4096]
62	echo "set size to ${SIZE}"
63	python $SCRIPTS/avbtool add_hash_footer --image $OUT/${IMAGE}.img --partition_size ${SIZE} --partition_name ${IMAGE} --key avb_keys/testkey_psk.pem --algorithm SHA512_RSA4096
64	echo "Sign $IMAGE Done"
65}
66
67Sign_file()
68{
69	while [ $# -gt 1 ]
70	do
71		FILE=$2
72		case $1 in
73			-b)
74				cp $2 $OUT/boot.img
75				signed_image boot
76				VBMETA_CMD="${VBMETA_CMD} --include_descriptors_from_image $OUT/boot.img"
77				;;
78			-r)
79				cp $2 $OUT/recovery.img
80				signed_image recovery
81				VBMETA_CMD="${VBMETA_CMD} --include_descriptors_from_image $OUT/recovery.img"
82				;;
83			*)
84				echo "unknown file type"
85				exit -1
86				;;
87		esac
88		shift 2
89	done
90
91	echo "Generate vbmeta.img"
92	python $SCRIPTS/avbtool make_vbmeta_image --public_key_metadata $KEYS/metadata.bin ${VBMETA_CMD} --algorithm SHA256_RSA4096 --rollback_index 0 --key $KEYS/testkey_psk.pem  --output $OUT/vbmeta.img
93	echo "Genrate vbmeta.img Done"
94}
95
96Expect_cmd_fastboot()
97{
98		test -z ${SU_PSWD} && exit -1
99
100/usr/bin/expect << EOF
101		set timeout 2
102		spawn sudo ./${SCRIPTS}/fastboot $1
103		expect {
104			"* password for *" {send "${SU_PSWD}\r"; exp_continue;}
105			"OKAY *" {send "fastboot succeed\r"}
106			"rebooting...*" {send "fastboot succeed\r"}
107			default {send_error "expect_timeout 2\n"; exit 1}
108		}
109		expect eof
110EOF
111}
112
113Make_unlock()
114{
115	python $SCRIPTS/avb-challenge-verify.py raw_unlock_challenge.bin $KEYS/product_id.bin # Generate unlock_challenge.bin
116	python $SCRIPTS/avbtool make_atx_unlock_credential --output=unlock_credential.bin --intermediate_key_certificate=$KEYS/pik_certificate.bin --unlock_key_certificate=$KEYS/puk_certificate.bin --challenge=unlock_challenge.bin --unlock_key=$KEYS/testkey_puk.pem
117}
118
119load_su_pswd()
120{
121	if [ ! -e $SCRIPTS/.su_pswd ]; then
122		echo "Please set super user password with --su_pswd first"
123		exit
124	fi
125
126	SU_PSWD=$(cat $SCRIPTS/.su_pswd)
127}
128
129case $1 in
130	-n)
131		if [ ${#2} != 16 ]; then
132			echo "please input 16 bytes product_id behind -n !"
133			exit
134		fi
135		PRODUCT_ID=$2
136		test -d $KEYS && rm $KEYS -rf
137		mkdir $KEYS
138		Generate_keys
139		;;
140	-f)
141		if [ $# -lt 2 ]; then
142			usage
143			exit -1
144		fi
145
146		openssl dgst -sha256 -out $KEYS/permanent_attributes_cer.bin -sign $2 $KEYS/permanent_attributes.bin
147
148		test -e .setting || touch .setting
149		sed -i "/type=/d" .setting
150		echo "type=efuse" >> .setting
151		;;
152	-s)
153		if [ $# -lt 3 ]; then
154			usage
155			exit
156		fi
157
158		shift 1
159		test -d $OUT || mkdir $OUT
160		Sign_file $@
161		;;
162	--su_pswd)
163		if [ $# -lt 2 ]; then
164			usage
165		fi
166		echo -n "$2" > $SCRIPTS/.su_pswd
167		;;
168	-d)
169		load_su_pswd
170		test -e .setting && source .setting || echo "no .setting"
171		Expect_cmd_fastboot "stage ${KEYS}/permanent_attributes.bin"
172		Expect_cmd_fastboot "oem fuse at-perm-attr"
173		if [ "$type" = "efuse" ]; then
174			Expect_cmd_fastboot "stage ${KEYS}/permanent_attributes_cer.bin"
175			Expect_cmd_fastboot "oem fuse at-rsa-perm-attr"
176		fi
177		;;
178	-l)
179		load_su_pswd
180		Expect_cmd_fastboot "oem at-lock-vboot"
181		Expect_cmd_fastboot "reboot"
182		;;
183	-u)
184		load_su_pswd
185		Expect_cmd_fastboot "oem at-get-vboot-unlock-challenge"
186		Expect_cmd_fastboot "get_staged raw_unlock_challenge.bin"
187		Make_unlock
188		Expect_cmd_fastboot "stage unlock_credential.bin"
189		Expect_cmd_fastboot "oem at-unlock-vboot"
190		rm raw_unlock_challenge.bin -f
191		rm unlock_challenge.bin -f
192		rm unlock_credential.bin -f
193		Expect_cmd_fastboot "reboot"
194		;;
195	*)
196		usage
197		;;
198esac
199