History log of /system/extras/verity/verify_boot_signature.c
Revision Date Author Comments
2a75a61e2aeb241b6bd75e4d3c648f98cfc4d3be 19-Oct-2016 Tao Bao <tbao@google.com> Support verifying the boot signature against the given pubkey.

verify_boot_signature currently verifies the signature in the boot image
(against the certificate embedded in the image).

This CL supports additionally verifying the signature against the given
OEM pubkey (a fixed, tamper-protected key available to the bootloader).

Usage: verify_boot_signature <path-to-boot-image>
verify_boot_signature <path-to-boot-image> <pubkey>

- Locally built boot image is signed with the default key.
$ openssl x509 -pubkey -noout -in build/target/product/security/verity.x509.pem > pubkey.pem
$ verify_boot_signature $OUT/boot.img pubkey.pem; echo $?
Signature is VALID
0

- Signed boot image should be verified with the OEM pubkey.
$ verify_boot_signature boot.img bullhead_pub.pem; echo $?
Signature is VALID
0

- Locally built boot image can be verified with its embedded certificate
but not with the OEM pubkey. This will lead to the YELLOW boot state.
$ verify_boot_signature $OUT/boot.img; echo $?
Signature is VALID
0

$ verify_boot_signature $OUT/boot.img bullhead_pub.pem; echo $?
<...>
1

Bug: 32173582
Test: See above.

Change-Id: I11043eb796ccd128885e7412e65981cbd0183fb2
/system/extras/verity/verify_boot_signature.c
532f28f1bae5cbdbbd28148c8c1d33ed6a996b39 01-Oct-2015 Adam Langley <agl@google.com> system/extras: remove BORINGSSL_201509 support.

The BORINGSSL_201509 define was used to make updating BoringSSL in
external/boringssl less painful. It allowed code to compile with either
the old BoringSSL (which didn't define BORINGSSL_201509) or with the new
(which does).

Now that the new version has landed, this change removes that support.

Change-Id: I19e661419f830459d015bf14e7905af2ec41b735
/system/extras/verity/verify_boot_signature.c
7a688f6e8774920cb8cfc52bf2e3c16976e8ff23 03-Sep-2015 Adam Langley <agl@google.com> Prepare for BoringSSL update.

This change tweaks things as needed so that the code will compile
against both the BoringSSL that's currently in Android and a version
from upstream. The BORINGSSL_201509 define is temporary to allow the
switch to happen without breaking the build and a followup change will
remove it.

In this case, we backed off on removing |ERR_print_errors|, despite it
being a wart in the layering of the code.

Change-Id: I2f2f567cfc37fe2d5a69742302c5a92d289b814f
/system/extras/verity/verify_boot_signature.c
fa5185ea275da334fccafafb5ce21dedfc02e9a2 11-Aug-2015 Elliott Hughes <enh@google.com> Add <endian.h> back and stop building one tool for the Mac.

We can't stop building all this stuff until we clean up the build
system to not require the OTA tools on Mac OS. This code does actually
use htobe64 and so should have included <endian.h>, so put that back.

Change-Id: I2807b4f237d3e26d470652f373f2de85864691c4
/system/extras/verity/verify_boot_signature.c
3adbe0f59610db9d870c62f85119182fa1d662f6 10-Aug-2015 Elliott Hughes <enh@google.com> Another go at fixing the Mac build.

I don't want to have to work out how to disable building OTAs on Macs --
though we should -- but it actually looks like this file didn't need the
problematic header file anyway.

Change-Id: I9d7eff8e72192958b3e880ae48fef194820ce148
/system/extras/verity/verify_boot_signature.c
a83adf6354f3073a1938ffcd6cadd5c357856de5 11-May-2015 Adam Langley <agl@google.com> system/extra: include more of what you use.

This is a reland of aa24bc89b78a5981df7618bdef78b7b49ffad14d which was
reverted in 291e20dab39783c7074191ff2d2de9b86465c10f because it broke
the git_master-gpl builder.

This version of the change uses crypto.h as a proxy for mem.h because
it'll work in both BoringSSL and OpenSSL.

Change-Id: I9e4c9e4d459c2e31f74180b3a3b2ab139ab76e80
/system/extras/verity/verify_boot_signature.c
291e20dab39783c7074191ff2d2de9b86465c10f 10-May-2015 Kenny Root <kroot@google.com> Revert "system/extra: include more of what you use."

This reverts commit aa24bc89b78a5981df7618bdef78b7b49ffad14d.

Change-Id: If55eb0effc582f1cfa329bab8d7504ad4964f67e
/system/extras/verity/verify_boot_signature.c
aa24bc89b78a5981df7618bdef78b7b49ffad14d 28-Apr-2015 Adam Langley <agl@google.com> system/extra: include more of what you use.

Historically, the OpenSSL/BoringSSL headers have been quite sloppy:
including many system headers. Over time, code has grown to depend on
this.

BoringSSL has cleaned things up a bit, but that requires code like this
to include what it uses.

Change-Id: Id456a598151d4c58a73cf05cef46f3db296e1f39
/system/extras/verity/verify_boot_signature.c
e3ec11c2d95cc03be01426d13ea87fc8edb3daad 17-Mar-2015 Adam Langley <agl@google.com> system/extras/verity: BoringSSL fix.

In BoringSSL, the functions that reference BIOs have been moved out of
ERR in order to have some reasonable layering of the code.

A recent addition here referenced ERR_print_errors, which is now
BIO_print_errors in BoringSSL for that reason. Additionally, the
BoringSSL headers don't #include so many standard headers for you so an
explicit #include of errno.h is needed here.

Change-Id: Iebcc353b1354bd85d432deebeb7873aae46b0d2a
/system/extras/verity/verify_boot_signature.c
ac342b944b6bcb4b936e6cbcd9fb8be3e5262cd0 20-Nov-2014 Sami Tolvanen <samitolvanen@google.com> Add a reference C implementation for verifying signatures

Due to OEM requests, add a reference implementation for boot/recovery
image signature verification in C. The tool uses OpenSSL for ASN.1 and
crypto routines.

Bug: 18120110
Change-Id: I9f6c59e0b338b68f35ac1c2c4d83c10d31d70cd9
/system/extras/verity/verify_boot_signature.c