[coreboot-gerrit] New patch to review for coreboot: util/amdfwtool: Add script to verify signature of PSP firmware file

Kyösti Mälkki (kyosti.malkki@gmail.com) gerrit at coreboot.org
Thu Nov 10 17:39:45 CET 2016 

Kyösti Mälkki (kyosti.malkki at gmail.com) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/17363

-gerrit

commit 7b762b72b41d859b0a8746954d1043c88592e624
Author: Kyösti Mälkki <kyosti.malkki at gmail.com>
Date:   Thu Nov 10 18:35:26 2016 +0200

    util/amdfwtool: Add script to verify signature of PSP firmware file
    
    This checks signature of AMD PSP binary against supplied public keyfile.
    It is now hardcoded for RSA2048 while format could support RSA4096.
    
    Depends on installed pycrypto-2.6 (or later).
    
    Change-Id: I3610235a6ca7989f2e3594ca036b6afce70f5fb0
    Signed-off-by: Kyösti Mälkki <kyosti.malkki at gmail.com>
---
 util/amdfwtool/psp_verify_signature.py | 68 ++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/util/amdfwtool/psp_verify_signature.py b/util/amdfwtool/psp_verify_signature.py
new file mode 100755
index 0000000..e755022
--- /dev/null
+++ b/util/amdfwtool/psp_verify_signature.py
@@ -0,0 +1,68 @@
+#! /usr/bin/python
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+
+import sys
+import base64
+import zlib
+from struct import *
+
+# pycrypto-2.6
+from Crypto.Signature import PKCS1_PSS
+from Crypto.Hash import SHA256
+from Crypto.PublicKey import RSA
+
+if (len(sys.argv) < 3):
+	print "Usage: psp_verify_signature.py pubkey.bin image.bin"
+	exit(2)
+
+keystore = open(str(sys.argv[1]),'rb')
+fh = open(str(sys.argv[2]), 'rb')
+
+keys = keystore.read()
+mod_rev = keys[0x140:0x240]
+# Reverse byte-order of modulus
+modulus = mod_rev[::-1]
+keystore.close()
+
+sbin = fh.read()
+fh.close()
+
+# Convert public key to DER format.
+apn1 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA'
+mid = '\x02\x03'
+exponent = '\x01\x00\x01'
+pubkey_DER = base64.decodestring(apn1) + modulus + mid + exponent
+key = RSA.importKey(pubkey_DER)
+
+
+compressed = ord(sbin[0x48])
+if (compressed == 0x01):
+	print "Deflating zlib compressed image."
+	deflated = zlib.decompress(sbin[0x100:])
+	sbin = deflated
+elif (compressed != 0x0):
+	exit(2)
+
+# Last 256 byte is signature, LSB first
+message = sbin[:-0x100]
+sign_rev = sbin[-0x100:]
+signature = sign_rev[::-1]
+
+h = SHA256.new()
+h.update(message)
+verifier = PKCS1_PSS.new(key)
+if verifier.verify(h, signature):
+	print "The signature is authentic."
+	exit(0)
+else:
+	print "The signature is not authentic."
+	exit(1)

More information about the coreboot-gerrit mailing list