#!/usr/bin/env python
#
# Copyright (C) 2014 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Produces a text file suitable for flashing with "fastboot flash oemvars"
which sets the device's authenticated PK/KEK/DB keys.
Key pairs supplied in the command line are expected to be in .pk8 and .x509.pem
format.
generate_bios_oemvars [options] <output filename>
-D (--db-pair) <key pair>
-K (--kek-pair) <key pair>
-P (--pk-pair) <key pair>
-U (--unlock) <filename>
Generate an additional "unlock" file which clears PK, placing the device in
Setup Mode.
-T (--timestamp) <UNIX timestamp>
Timestamp (seconds since the Epoch) to use for authenticated UEFI Variables.
If --unlock is in use, the unlock file will use this value +1. Defaults
to UNIX system time.
"""
import sys
import tempfile
import os
import time
# Android Release Tools
sys.path.append("build/tools/releasetools")
import common
sys.path.append("device/intel/build/releasetools")
import intel_common
# Per-run settings live on the shared releasetools OPTIONS object; main()'s
# option handler fills them in from the command line.
OPTIONS = common.OPTIONS
OPTIONS.db_pair = OPTIONS.kek_pair = OPTIONS.pk_pair = OPTIONS.unlock = None
OPTIONS.all_keys = set()  # every key pair named with -D/-K/-P, for password lookup
OPTIONS.ts = 0            # 0 means "not given"; main() substitutes the current UNIX time

# EFI variable vendor GUIDs written into the oemvars file.
guid_map = {
    # EFI_GLOBAL_VARIABLE: owns PK and KEK
    "global": "8be4df61-93ca-11d2-aa0d-00e098032b8c",
    # EFI_IMAGE_SECURITY_DATABASE_GUID: owns db
    "image-security": "d719b2cb-3d3a-4596-a3bc-dad00e67656f",
}
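def main(argv):
    """Parse *argv*, build PK/KEK/db authenticated payloads and write the oemvars file(s).

    Args:
        argv: command-line arguments without the program name (see the module
            docstring for the accepted options). Exactly one positional
            argument, the output filename, is required.

    Raises:
        common.ExternalError: when -D, -K or -P is missing, or when the
            --timestamp value is not an integer.
        SystemExit: when the positional argument count is wrong (usage is
            printed first).
    """

    def option_handler(o, a):
        """Record one script-specific option.

        Returns False for options this script does not know, so that
        common.ParseOptions can handle (or reject) them itself.
        """
        if o in ("-D", "--db-pair"):
            OPTIONS.db_pair = a
            OPTIONS.all_keys.add(a)
        elif o in ("-K", "--kek-pair"):
            OPTIONS.kek_pair = a
            OPTIONS.all_keys.add(a)
        elif o in ("-P", "--pk-pair"):
            OPTIONS.pk_pair = a
            OPTIONS.all_keys.add(a)
        elif o in ("-U", "--unlock"):
            OPTIONS.unlock = a
        elif o in ("-T", "--timestamp"):
            # A non-numeric value used to surface as a raw ValueError
            # traceback; report it like the other usage errors instead.
            try:
                OPTIONS.ts = int(a)
            except ValueError:
                raise common.ExternalError(
                    "--timestamp must be an integer UNIX time, got %r" % (a,))
        else:
            return False
        return True

    args = common.ParseOptions(argv, __doc__,
                               extra_opts="D:K:P:U:T:",
                               extra_long_opts=["db-pair=", "kek-pair=",
                                                "pk-pair=", "unlock=", "timestamp="],
                               extra_option_handler=option_handler)

    if len(args) != 1:
        common.Usage(__doc__)
        sys.exit(1)

    if not (OPTIONS.db_pair and OPTIONS.kek_pair and OPTIONS.pk_pair):
        raise common.ExternalError("use of -D, -K, and -P is mandatory")

    # 0 means --timestamp was not given: default to the current UNIX time.
    if not OPTIONS.ts:
        OPTIONS.ts = int(time.time())

    passwords = common.GetKeyPasswords(OPTIONS.all_keys)

    # Each variable is signed by the key UEFI authorizes to update it: PK by
    # itself, KEK by PK, db by KEK.  Argument order, as used here:
    # get_auth_data(timestamp, signing key pair, its password, certificate
    # to enroll, variable GUID, variable name).  OPTIONS.public_key_suffix
    # comes from common.OPTIONS (the module docstring says .x509.pem).
    pk_auth = intel_common.get_auth_data(
        OPTIONS.ts, OPTIONS.pk_pair, passwords[OPTIONS.pk_pair],
        OPTIONS.pk_pair + OPTIONS.public_key_suffix, guid_map["global"], "PK")
    kek_auth = intel_common.get_auth_data(
        OPTIONS.ts, OPTIONS.pk_pair, passwords[OPTIONS.pk_pair],
        OPTIONS.kek_pair + OPTIONS.public_key_suffix, guid_map["global"], "KEK")
    db_auth = intel_common.get_auth_data(
        OPTIONS.ts, OPTIONS.kek_pair, passwords[OPTIONS.kek_pair],
        OPTIONS.db_pair + OPTIONS.public_key_suffix, guid_map["image-security"], "db")

    # 'with' closes the output even if escaped_value() raises (the previous
    # code left the handle open on error).  db and KEK are emitted before PK;
    # keep that order -- NOTE(review): enrolling PK is what ends Setup Mode,
    # so it is presumably intended to be the last variable applied.
    with open(args[0], "wb") as output:
        output.write("# This file generated by generate_bios_oemvar to enroll UEFI Secure Boot keys\n")
        output.write("GUID = %s\n\n" % (guid_map["image-security"]))
        output.write("[ad] db %s\n\n" % intel_common.escaped_value(db_auth))
        output.write("GUID = %s\n\n" % (guid_map["global"]))
        output.write("[ad] KEK %s\n\n" % intel_common.escaped_value(kek_auth))
        output.write("[ad] PK %s\n\n" % intel_common.escaped_value(pk_auth))

    if OPTIONS.unlock:
        # Add 1 to the timestamp so it can always be unlocked; auth variables
        # only apply for monotonically increasing values.  Passing None as the
        # certificate clears PK (see module docstring), so this file on its own
        # returns the device to Setup Mode: it warrants the same storage and
        # distribution controls as the PK private key itself.
        no_pk_auth = intel_common.get_auth_data(
            OPTIONS.ts + 1, OPTIONS.pk_pair, passwords[OPTIONS.pk_pair],
            None, guid_map["global"], "PK")
        with open(OPTIONS.unlock, "wb") as output:
            output.write("# This file generated by generate_bios_oemvars to put device in Setup Mode\n")
            output.write("GUID = %s\n\n" % (guid_map["global"]))
            output.write("[ad] PK %s\n\n" % intel_common.escaped_value(no_pk_auth))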
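# Script entry point.  Usage/config problems are reported as a short
# message and exit status 1 rather than a traceback; anything else still
# propagates.  The 'except ... as' and single-argument print forms are the
# Python 2.6+ spellings that also parse under Python 3.
if __name__ == '__main__':
    try:
        main(sys.argv[1:])
    except common.ExternalError as e:
        print("")
        print(" ERROR: %s" % (e,))
        print("")
        sys.exit(1)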