Support verifying the boot signature against the given pubkey.
verify_boot_signature currently verifies the signature in the boot image
(against the certificate embedded in the image).
This CL supports additionally verifying the signature against the given
OEM pubkey (a fixed, tamper-protected key available to the bootloader).
Usage: verify_boot_signature <path-to-boot-image>
verify_boot_signature <path-to-boot-image> <pubkey>
- Locally built boot image is signed with the default key.
$ openssl x509 -pubkey -noout -in build/target/product/security/verity.x509.pem > pubkey.pem
$ verify_boot_signature $OUT/boot.img pubkey.pem; echo $?
Signature is VALID
0
- Signed boot image should be verified with the OEM pubkey.
$ verify_boot_signature boot.img bullhead_pub.pem; echo $?
Signature is VALID
0
- Locally built boot image can be verified with its embedded certificate
but not with the OEM pubkey. This will lead to the YELLOW boot state.
$ verify_boot_signature $OUT/boot.img; echo $?
Signature is VALID
0
$ verify_boot_signature $OUT/boot.img bullhead_pub.pem; echo $?
<...>
1
Bug: 32173582
Test: See above.
Change-Id: I11043eb796ccd128885e7412e65981cbd0183fb2
1 file changed