Skip to content

Fuse key verification #140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
m-iwanicki wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Fuse key verification #140

m-iwanicki wants to merge 6 commits into from

Conversation

@m-iwanicki
Copy link
Contributor

@m-iwanicki m-iwanicki commented Dec 18, 2025
edited by SergiiDmytruk
Loading

Manual usage of btg_key_validator. Error paths on QEMU:

  • Hash not defined in dts-configs

    image

  • Failed to read flash:

    Reading flash...
Failed to read flash : (1)

  • Failed to export key manifest:

    Extracting key manifest...
Failed to export key manifest. : (1)

  • Hashes don't match:

    image

Happy path:

image

Usage:

btg_key_validator [OPTION]...

Script that allows for verification whether firmware binary is signed with correct keys.
Options:
  -f|--file <file>          Path to firmware file for which to check key hash.
  -k|--key-hash <hash>      Expected key hash
  -v|--verbose              Enable trace output
  -h|--help                 Print this help

Fuse workflow on QEMU (emulated NovaCustom) with correctly signed binary:

image

Fuse workflow on QEMU (emulated NovaCustom) with update binary signed with wrong key:

image

ref: zhs-397

@m-iwanicki m-iwanicki force-pushed the fuse-key-verification branch 5 times, most recently from 4a286a7 to a22ed0b Compare December 18, 2025 16:32
@m-iwanicki m-iwanicki marked this pull request as ready for review December 18, 2025 16:44
@m-iwanicki m-iwanicki self-assigned this Dec 18, 2025
3mkusiak
3mkusiak requested changes Dec 22, 2025
View reviewed changes
Copy link
Contributor

@3mkusiak 3mkusiak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two nitpicks, LGTM otherwise.

I still need to test it on qemu.

@m-iwanicki m-iwanicki force-pushed the fuse-key-verification branch from a42c68e to 32fcecd Compare December 22, 2025 08:57
3mkusiak
3mkusiak approved these changes Dec 22, 2025
View reviewed changes
Copy link
Contributor

@3mkusiak 3mkusiak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, verified in qemu.

Not merging since there are more reviewers assigned.

SergiiDmytruk
SergiiDmytruk approved these changes Dec 22, 2025
View reviewed changes
Copy link
Member

@SergiiDmytruk SergiiDmytruk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bash doesn't allow using '-' in function names

It does, even in POSIX-compliance mode (bash --posix). Maybe you got the error from a fake bash of busybox or something. man bash:

When in posix mode, fname must be a valid shell name and may not be the name of one of the POSIX
special builtins. In default mode, a function name can be any unquoted shell word that does not contain $.

@m-iwanicki
dts-boot & dts-profile: move path exports to dts-profile
8d136d2 
That way there won't be duplication which we might forgot to update.
Before this change, sourcing "$DTS_ENV" in shell connected to via ssh
wasn't possible as "$DTS_HAL" was empty, which resulted in ssh session
ending.

Signed-off-by: Michał Iwanicki <michal.iwanicki@3mdeb.com>
@m-iwanicki
dts-profile: set ERR_LOG_FILE to '/dev/null'
84a9a50 
This is to allow using some functions in source `$DTS_FUNCTIONS`
without entering dts-boot first e.g. board_config.

Signed-off-by: Michał Iwanicki <michal.iwanicki@3mdeb.com>
@m-iwanicki
btg_key_validator: Parse arguments, add error checks
359fb05 
* Add argument parsing
* allow passing expected key hash and firmware file to check.
* Add error checks
* Download expected key hash from dts-configs repository instead of
  hardcoding

Signed-off-by: Michał Iwanicki <michal.iwanicki@3mdeb.com>
@m-iwanicki
dasharo-deploy: fuse_workflow: add btg signature verification
ac591c3 
Signed-off-by: Michał Iwanicki <michal.iwanicki@3mdeb.com>
@m-iwanicki
common-mock-func: add cap_upd_tool_mock, it shouldn't print anything
6eadecd 
Signed-off-by: Michał Iwanicki <michal.iwanicki@3mdeb.com>
@m-iwanicki
dasharo-deploy & btg_key_validator: reword error messages
db6ad78 
Signed-off-by: Michał Iwanicki <michal.iwanicki@3mdeb.com>
@m-iwanicki m-iwanicki force-pushed the fuse-key-verification branch from 443fc82 to db6ad78 Compare December 22, 2025 15:28
@m-iwanicki
Copy link
Contributor Author

m-iwanicki commented Dec 22, 2025

@SergiiDmytruk you are right, I checked again and got no error this time. Reverted. Not sure where I got this error from. I can reproduce it by entering sh and then trying to define function with - in the name so probably related to that.
I removed this commit. Thanks for noticing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SergiiDmytruk SergiiDmytruk SergiiDmytruk approved these changes

@3mkusiak 3mkusiak 3mkusiak approved these changes

@DaniilKl DaniilKl Awaiting requested review from DaniilKl

Assignees

@m-iwanicki m-iwanicki

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@m-iwanicki @SergiiDmytruk @3mkusiak