Google Git
Sign in
qemu / skiboot / refs/tags/v6.0.24 / . / libstb / print-container.c
blob: 17aea12b11b41eb6e87a7839070176e13d7e4fac [file] [log] [blame]
/* Copyright 2017 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <config.h>
#include <alloca.h>
#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
#include <limits.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/ecdsa.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslv.h>
#include <openssl/ossl_typ.h>
#include <openssl/sha.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <unistd.h>
#include "ccan/endian/endian.h"
#include "ccan/short_types/short_types.h"
#include "container-utils.h"
#include "container.h"
#define PASSED 1
#define FAILED 0
#define UNATTEMPTED -1
char *progname;
bool print_stats;
bool verbose, debug;
int wrap = 100;
ecc_key_t ECDSA_KEY_NULL;
typedef struct keyprops {
char index;
const char *name;
const ecc_key_t *key;
const ecc_signature_t *sig;
} Keyprops;
static void usage(int status);
static bool getPayloadHash(int fdin, unsigned char *md);
static bool getVerificationHash(char *input, unsigned char *md, int len);
static bool verify_signature(const char *moniker, const unsigned char *dgst,
int dgst_len, const ecc_signature_t sig_raw, const ecc_key_t key_raw);
static void print_bytes(char *lead, uint8_t *buffer, size_t buflen)
{
unsigned int i;
unsigned int width;
unsigned int leadbytes = strlen(lead);
leadbytes = leadbytes > 30 ? 30 : leadbytes;
width = (wrap - leadbytes) / 2;
width = (width < 1) ? INT_MAX : width;
fprintf(stdout, "%s", lead);
for (i = 1; i < buflen + 1; i++) {
fprintf(stdout, "%02x", buffer[i - 1]);
if (((i % width) == 0) && (i < buflen))
fprintf(stdout, "\n%*c", leadbytes, ' ');
}
fprintf(stdout, "\n");
}
bool stb_is_container(const void *buf, size_t size)
{
ROM_container_raw *c;
c = (ROM_container_raw*) buf;
if (!buf || size < SECURE_BOOT_HEADERS_SIZE)
return false;
if (be32_to_cpu(c->magic_number) != ROM_MAGIC_NUMBER)
return false;
return true;
}
int parse_stb_container(const void* data, size_t len,
struct parsed_stb_container *c)
{
const size_t prefix_data_min_size = 3 * (EC_COORDBYTES * 2);
c->buf = data;
c->bufsz = len;
c->c = data;
c->ph = data += sizeof(ROM_container_raw);
c->pd = data += sizeof(ROM_prefix_header_raw)
+ (c->ph->ecid_count * ECID_SIZE);
c->sh = data += prefix_data_min_size
+ c->ph->sw_key_count * (EC_COORDBYTES * 2);
c->ssig = data += sizeof(ROM_sw_header_raw) + c->sh->ecid_count * ECID_SIZE;
return 0;
}
static void display_version_raw(const ROM_version_raw v)
{
printf("ver_alg:\n");
printf(" version: %04x\n", be16_to_cpu(v.version));
printf(" hash_alg: %02x (%s)\n", v.hash_alg,
(v.hash_alg == 1) ? "SHA512" : "UNKNOWN");
printf(" sig_alg: %02x (%s)\n", v.sig_alg,
(v.sig_alg == 1) ? "SHA512/ECDSA-521" : "UNKNOWN");
}
static void display_container_stats(const struct parsed_stb_container *c)
{
unsigned int size, offset;
printf("Container stats:\n");
size = (uint8_t*) c->ph - (uint8_t *) c->c;
offset = (uint8_t*) c->c - (uint8_t *) c->buf;
printf(" HW header size = %4u (%#06x) at offset %4u (%#06x)\n",
size, size, offset, offset);
size = (uint8_t*) c->pd - (uint8_t *) c->ph;
offset = (uint8_t*) c->ph - (uint8_t *) c->buf;
printf(" Prefix header size = %4u (%#06x) at offset %4u (%#06x)\n",
size, size, offset, offset);
size = (uint8_t*) c->sh - (uint8_t *) c->pd;
offset = (uint8_t*) c->pd - (uint8_t *) c->buf;
printf(" Prefix data size = %4u (%#06x) at offset %4u (%#06x)\n",
size, size, offset, offset);
size = (uint8_t*) c->ssig - (uint8_t *) c->sh;
offset = (uint8_t*) c->sh - (uint8_t *) c->buf;
printf(" SW header size = %4u (%#06x) at offset %4u (%#06x)\n",
size, size, offset, offset);
size = sizeof(ecc_key_t) * c->ph->sw_key_count;
offset = (uint8_t*) c->ssig - (uint8_t *) c->buf;
printf(" SW signature size = %4u (%#06x) at offset %4u (%#06x)\n",
size, size, offset, offset);
printf(" TOTAL HEADER SIZE = %4lu (%#0lx)\n", c->bufsz, c->bufsz);
printf(" PAYLOAD SIZE = %4lu (%#0lx)\n",
be64_to_cpu(c->sh->payload_size), be64_to_cpu(c->sh->payload_size));
printf(" TOTAL CONTAINER SIZE = %4lu (%#0lx)\n",
be64_to_cpu(c->c->container_size),
be64_to_cpu(c->c->container_size));
printf("\n");
}
static void display_container(struct parsed_stb_container c)
{
unsigned char md[SHA512_DIGEST_LENGTH];
void *p;
printf("Container:\n");
printf("magic: 0x%04x\n", be32_to_cpu(c.c->magic_number));
printf("version: 0x%02x\n", be16_to_cpu(c.c->version));
printf("container_size: 0x%08lx (%lu)\n", be64_to_cpu(c.c->container_size),
be64_to_cpu(c.c->container_size));
printf("target_hrmor: 0x%08lx\n", be64_to_cpu(c.c->target_hrmor));
printf("stack_pointer: 0x%08lx\n", be64_to_cpu(c.c->stack_pointer));
print_bytes((char *) "hw_pkey_a: ", (uint8_t *) c.c->hw_pkey_a,
sizeof(c.c->hw_pkey_a));
print_bytes((char *) "hw_pkey_b: ", (uint8_t *) c.c->hw_pkey_b,
sizeof(c.c->hw_pkey_b));
print_bytes((char *) "hw_pkey_c: ", (uint8_t *) c.c->hw_pkey_c,
sizeof(c.c->hw_pkey_c));
p = SHA512(c.c->hw_pkey_a, sizeof(ecc_key_t) * 3, md);
if (!p)
die(EX_SOFTWARE, "%s", "Cannot get SHA512");
printf("HW keys hash (calculated):\n");
print_bytes((char *) " ", (uint8_t *) md, sizeof(md));
printf("\n");
printf("Prefix Header:\n");
display_version_raw(c.ph->ver_alg);
printf("code_start_offset: %08lx\n", be64_to_cpu(c.ph->code_start_offset));
printf("reserved: %08lx\n", be64_to_cpu(c.ph->reserved));
printf("flags: %08x\n", be32_to_cpu(c.ph->flags));
printf("sw_key_count: %02x\n", c.ph->sw_key_count);
printf("payload_size: %08lx\n", be64_to_cpu(c.ph->payload_size));
print_bytes((char *) "payload_hash: ", (uint8_t *) c.ph->payload_hash,
sizeof(c.ph->payload_hash));
printf("ecid_count: %02x\n", c.ph->ecid_count);
for (int i = 0; i < c.ph->ecid_count; i++) {
printf("ecid: ");
print_bytes((char *) "ecid: ",
(uint8_t *) c.ph->ecid[i].ecid, sizeof(c.ph->ecid[i].ecid));
printf("\n");
}
printf("\n");
printf("Prefix Data:\n");
print_bytes((char *) "hw_sig_a: ", (uint8_t *) c.pd->hw_sig_a, sizeof(c.pd->hw_sig_a));
print_bytes((char *) "hw_sig_b: ", (uint8_t *) c.pd->hw_sig_b, sizeof(c.pd->hw_sig_b));
print_bytes((char *) "hw_sig_c: ", (uint8_t *) c.pd->hw_sig_c, sizeof(c.pd->hw_sig_c));
if (c.ph->sw_key_count >=1)
print_bytes((char *) "sw_pkey_p: ", (uint8_t *) c.pd->sw_pkey_p, sizeof(c.pd->sw_pkey_p));
if (c.ph->sw_key_count >=2)
print_bytes((char *) "sw_pkey_q: ", (uint8_t *) c.pd->sw_pkey_q, sizeof(c.pd->sw_pkey_q));
if (c.ph->sw_key_count >=3)
print_bytes((char *) "sw_pkey_r: ", (uint8_t *) c.pd->sw_pkey_r, sizeof(c.pd->sw_pkey_r));
printf("\n");
printf("Software Header:\n");
display_version_raw(c.sh->ver_alg);
printf("code_start_offset: %08lx\n", be64_to_cpu(c.sh->code_start_offset));
printf("reserved: %08lx\n", be64_to_cpu(c.sh->reserved));
printf("reserved (ASCII): %.8s\n", (char *) &(c.sh->reserved));
printf("flags: %08x\n", be32_to_cpu(c.sh->flags));
printf("reserved_0: %02x\n", c.sh->reserved_0);
printf("payload_size: %08lx (%lu)\n", be64_to_cpu(c.sh->payload_size),
be64_to_cpu(c.sh->payload_size));
print_bytes((char *) "payload_hash: ", (uint8_t *) c.sh->payload_hash,
sizeof(c.sh->payload_hash));
printf("ecid_count: %02x\n", c.sh->ecid_count);
for (int i = 0; i < c.sh->ecid_count; i++) {
printf("ecid: ");
print_bytes((char *) "ecid: ",
(uint8_t *) c.sh->ecid[i].ecid, sizeof(c.sh->ecid[i].ecid));
printf("\n");
}
printf("\n");
printf("Software Signatures:\n");
print_bytes((char *) "sw_sig_p: ", (uint8_t *) c.ssig->sw_sig_p,
sizeof(c.ssig->sw_sig_p));
print_bytes((char *) "sw_sig_q: ", (uint8_t *) c.ssig->sw_sig_q,
sizeof(c.ssig->sw_sig_q));
print_bytes((char *) "sw_sig_r: ", (uint8_t *) c.ssig->sw_sig_r,
sizeof(c.ssig->sw_sig_r));
printf("\n");
if (print_stats)
display_container_stats(&c);
}
static bool validate_container(struct parsed_stb_container c, int fdin)
{
static int n;
static int status = true;
Keyprops *k;
Keyprops hwKeylist[] = {
{ 'a', "HW_key_A", &(c.c->hw_pkey_a), &(c.pd->hw_sig_a) },
{ 'b', "HW_key_B", &(c.c->hw_pkey_b), &(c.pd->hw_sig_b) },
{ 'c', "HW_key_C", &(c.c->hw_pkey_c), &(c.pd->hw_sig_c) },
{ 0, NULL, NULL, NULL },
};
Keyprops swKeylist[] = {
{ 'p', "SW_key_P", &(c.pd->sw_pkey_p), &(c.ssig->sw_sig_p) },
{ 'q', "SW_key_Q", &(c.pd->sw_pkey_q), &(c.ssig->sw_sig_q) },
{ 'r', "SW_key_R", &(c.pd->sw_pkey_r), &(c.ssig->sw_sig_r) },
{ 0, NULL, NULL, NULL },
};
void *md = alloca(SHA512_DIGEST_LENGTH);
void *p;
// Get Prefix header hash.
p = SHA512((uint8_t *) c.ph, sizeof(ROM_prefix_header_raw), md);
if (!p)
die(EX_SOFTWARE, "%s", "Cannot get SHA512");
if (verbose) print_bytes((char *) "PR header hash = ", (uint8_t *) md,
SHA512_DIGEST_LENGTH);
// Verify HW key sigs.
for (k = hwKeylist; k->index; k++) {
if (memcmp(k->key, &ECDSA_KEY_NULL, sizeof(ecc_key_t)))
status = verify_signature(k->name, md, SHA512_DIGEST_LENGTH,
*(k->sig), *(k->key)) && status;
else
if (verbose) printf("%s is NULL, skipping signature check.\n", k->name);
}
if (verbose) printf("\n");
// Get SW header hash.
p = SHA512((uint8_t *) c.sh, sizeof(ROM_sw_header_raw), md);
if (!p)
die(EX_SOFTWARE, "%s", "Cannot get SHA512");
if (verbose) print_bytes((char *) "SW header hash = ", (uint8_t *) md,
SHA512_DIGEST_LENGTH);
// Verify SW key sigs.
for (k = swKeylist, n = 1; k->index && n <= c.ph->sw_key_count; k++, n++) {
if (memcmp(k->key, &ECDSA_KEY_NULL, sizeof(ecc_key_t)))
status = verify_signature(k->name, md, SHA512_DIGEST_LENGTH,
*(k->sig), *(k->key)) && status;
else
if (verbose) printf("%s is NULL, skipping\n", k->name);
}
if (verbose) printf("\n");
// Verify Payload hash.
status = getPayloadHash(fdin, md) && status;
if (verbose) print_bytes((char *) "Payload hash = ", (uint8_t *) md,
SHA512_DIGEST_LENGTH);
if (memcmp((uint8_t *) c.sh->payload_hash, md, SHA512_DIGEST_LENGTH)) {
if (verbose)
printf("Payload hash does not agree with value in SW header: MISMATCH\n");
status = false;
} else {
if (verbose)
printf("Payload hash agrees with value in SW header: VERIFIED ./\n");
status = status && true;
}
if (verbose) printf("\n");
// Verify SW keys hash.
p = SHA512(c.pd->sw_pkey_p, sizeof(ecc_key_t) * c.ph->sw_key_count, md);
if (!p)
die(EX_SOFTWARE, "%s", "Cannot get SHA512");
if (verbose) print_bytes((char *) "SW keys hash = ", (uint8_t *) md,
SHA512_DIGEST_LENGTH);
if (memcmp((uint8_t *) c.ph->payload_hash, md, SHA512_DIGEST_LENGTH)) {
if (verbose)
printf("SW keys hash does not agree with value in Prefix header: MISMATCH\n");
status = false;
} else {
if (verbose)
printf("SW keys hash agrees with value in Prefix header: VERIFIED ./\n");
status = status && true;
}
if (verbose) printf("\n");
return status;
}
static bool verify_container(struct parsed_stb_container c, char * verify)
{
static int status = false;
void *md = alloca(SHA512_DIGEST_LENGTH);
void *p;
void *md_verify;
p = SHA512(c.c->hw_pkey_a, sizeof(ecc_key_t) * 3, md);
if (!p)
die(EX_SOFTWARE, "%s", "Cannot get SHA512");
if (verbose) print_bytes((char *) "HW keys hash = ", (uint8_t *) md,
SHA512_DIGEST_LENGTH);
md_verify = alloca(SHA512_DIGEST_LENGTH);
getVerificationHash(verify, md_verify, SHA512_DIGEST_LENGTH);
if (memcmp((uint8_t *) md_verify, md, SHA512_DIGEST_LENGTH )) {
if (verbose)
printf("HW keys hash does not agree with provided value: MISMATCH\n");
} else {
if (verbose)
printf("HW keys hash agrees with provided value: VERIFIED ./\n");
status = true;
}
if (verbose) printf("\n");
return status;
}
static bool verify_signature(const char *moniker, const unsigned char *dgst,
int dgst_len, const ecc_signature_t sig_raw, const ecc_key_t key_raw)
{
int r;
bool status = false;
BIGNUM *r_bn, *s_bn;
ECDSA_SIG* ecdsa_sig;
EC_KEY *ec_key;
const EC_GROUP *ec_group;
unsigned char *buffer;
BIGNUM *key_bn;
EC_POINT *ec_point;
// Convert the raw sig to a structure that can be handled by openssl.
debug_print((char *) "Raw sig = ", (uint8_t *) sig_raw,
sizeof(ecc_signature_t));
r_bn = BN_new();
s_bn = BN_new();
BN_bin2bn((const unsigned char*) &sig_raw[0], 66, r_bn);
BN_bin2bn((const unsigned char*) &sig_raw[66], 66, s_bn);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
ecdsa_sig = ECDSA_SIG_new();
ECDSA_SIG_set0(ecdsa_sig, r_bn, s_bn);
#else
ecdsa_sig = malloc(sizeof(ECDSA_SIG));
ecdsa_sig->r = r_bn;
ecdsa_sig->s = s_bn;
#endif
// Convert the raw key to a structure that can be handled by openssl.
debug_print((char *) "Raw key = ", (uint8_t *) key_raw,
sizeof(ecc_key_t));
ec_key = EC_KEY_new();
if (!ec_key)
die(EX_SOFTWARE, "%s", "Cannot EC_KEY_new");
ec_group = EC_GROUP_new_by_curve_name(NID_secp521r1);
if (!ec_group)
die(EX_SOFTWARE, "%s", "Cannot EC_GROUP_new_by_curve_name");
r = EC_KEY_set_group(ec_key, ec_group);
if (r == 0)
die(EX_SOFTWARE, "%s", "Cannot EC_KEY_set_group");
// Add prefix 0x04, for uncompressed key.
buffer = alloca(sizeof(ecc_key_t) + 1);
*buffer = 0x04;
memcpy(buffer + 1, key_raw, sizeof(ecc_key_t));
key_bn = BN_new();
BN_bin2bn((const unsigned char*) buffer, EC_COORDBYTES * 2 + 1, key_bn);
ec_point = EC_POINT_bn2point(ec_group, key_bn, NULL, NULL);
if (!ec_point)
die(EX_SOFTWARE, "%s", "Cannot EC_POINT_bn2point");
r = EC_KEY_set_public_key(ec_key, (const EC_POINT*) ec_point);
if (r == 0)
die(EX_SOFTWARE, "%s", "Cannot EC_KEY_set_public_key");
// Verify the signature.
r = ECDSA_do_verify(dgst, dgst_len, ecdsa_sig, ec_key);
if (r == 1) {
if (verbose) printf("%s signature is good: VERIFIED ./\n", moniker);
status = true;
} else if (r == 0) {
if (verbose) printf("%s signature FAILED to verify.\n", moniker);
status = false;
} else {
die(EX_SOFTWARE, "%s", "Cannot ECDSA_do_verify");
}
BN_free(r_bn);
BN_free(s_bn);
BN_free(key_bn);
EC_KEY_free(ec_key);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
ECDSA_SIG_free(ecdsa_sig);
#else
free(ecdsa_sig);
#endif
return status;
}
static bool getPayloadHash(int fdin, unsigned char *md)
{
struct stat payload_st;
void *payload;
int r;
void *p;
r = fstat(fdin, &payload_st);
if (r != 0)
die(EX_NOINPUT, "Cannot stat payload file at descriptor: %d (%s)", fdin,
strerror(errno));
payload = mmap(NULL, payload_st.st_size - SECURE_BOOT_HEADERS_SIZE,
PROT_READ, MAP_PRIVATE, fdin, SECURE_BOOT_HEADERS_SIZE);
if (!payload)
die(EX_OSERR, "Cannot mmap file at descriptor: %d (%s)", fdin,
strerror(errno));
p = SHA512(payload, payload_st.st_size - SECURE_BOOT_HEADERS_SIZE, md);
if (!p)
die(EX_SOFTWARE, "%s", "Cannot get SHA512");
return true;
}
static bool getVerificationHash(char *input, unsigned char *md, int len)
{
char buf[len * 2 + 1 + 2]; // allow trailing \n and leading "0x"
char *p;
struct stat s;
int r;
if (isValidHex(input, len)) {
p = input;
} else {
int fdin = open(input, O_RDONLY);
if (fdin <= 0)
die(EX_NOINPUT, "%s",
"Verify requested but no valid hash or hash file provided");
r = fstat(fdin, &s);
if (r != 0)
die(EX_NOINPUT, "Cannot stat hash file: %s (%s)", input,
strerror(errno));
if ((size_t) s.st_size > (sizeof(buf)))
die(EX_DATAERR,
"Verify hash file \"%s\" invalid size: expected a %d byte hexadecimal value",
input, len);
r = read(fdin, buf, s.st_size);
if (r <= 0)
die(EX_NOINPUT, "Cannot read hash file: %s (%s)", input,
strerror(errno));
p = (char *) buf;
for (unsigned int i = 0; i < sizeof(buf); i++) // strip newline char
if (buf[i] == '\n')
buf[i] = '\0';
close(fdin);
}
// Convert hexascii to binary.
if (isValidHex(p, len)) {
if (!strncmp(p, "0x", 2)) // skip leading "0x"
p += 2;
for (int count = 0; count < len; count++) {
sscanf(p, "%2hhx", &md[count]);
p += 2;
}
} else
die(EX_DATAERR,
"Verify hash file \"%s\" invalid data: expected a %d byte hexadecimal value",
input, len);
return true;
}
__attribute__((__noreturn__)) static void usage (int status)
{
if (status != 0) {
fprintf(stderr, "Try '%s --help' for more information.\n", progname);
}
else {
printf("Usage: %s [options]\n", progname);
printf(
"\n"
"Options:\n"
" -h, --help display this message and exit\n"
" -v, --verbose show verbose output\n"
" -d, --debug show additional debug output\n"
" -w, --wrap column at which to wrap long output (wrap=0 => unlimited)\n"
" -s, --stats additionally print container stats\n"
" -I, --imagefile containerized image to display (input)\n"
" --validate perform all checks to ensure is container valid for secure boot\n"
" --verify value, or filename containing value, of the HW Keys hash to\n"
" verify the container against. must be valid 64 byte hexascii.\n"
"\n");
};
exit(status);
}
static struct option const opts[] = {
{ "help", no_argument, 0, 'h' },
{ "verbose", no_argument, 0, 'v' },
{ "debug", no_argument, 0, 'd' },
{ "wrap", required_argument, 0, 'w' },
{ "stats", no_argument, 0, 's' },
{ "imagefile", required_argument, 0, 'I' },
{ "validate", no_argument, 0, 128 },
{ "verify", required_argument, 0, 129 },
{ "no-print", no_argument, 0, 130 },
{ "print", no_argument, 0, 131 },
{ NULL, 0, NULL, 0 }
};
static struct {
char *imagefn;
bool validate;
char *verify;
bool print_container;
} params;
int main(int argc, char* argv[])
{
int indexptr;
int r;
struct stat st;
void *container;
struct parsed_stb_container c;
int container_status = EX_OK;
int validate_status = UNATTEMPTED;
int verify_status = UNATTEMPTED;
int fdin;
params.print_container = true;
progname = strrchr(argv[0], '/');
if (progname != NULL)
++progname;
else
progname = argv[0];
while (1) {
int opt;
opt = getopt_long(argc, argv, "hvdw:sI:", opts, &indexptr);
if (opt == -1)
break;
switch (opt) {
case 'h':
case '?':
usage(EX_OK);
break;
case 'v':
verbose = true;
break;
case 'd':
debug = true;
break;
case 'w':
wrap = atoi(optarg);
wrap = (wrap < 2) ? INT_MAX : wrap;
break;
case 's':
print_stats = true;
break;
case 'I':
params.imagefn = optarg;
break;
case 128:
params.validate = true;
break;
case 129:
params.verify = optarg;
break;
case 130:
params.print_container = false;
break;
case 131:
params.print_container = true;
break;
default:
usage(EX_USAGE);
}
}
fdin = open(params.imagefn, O_RDONLY);
if (fdin <= 0)
die(EX_NOINPUT, "Cannot open container file: %s (%s)", params.imagefn,
strerror(errno));
r = fstat(fdin, &st);
if (r != 0)
die(EX_NOINPUT, "Cannot stat container file: %s (%s)", params.imagefn,
strerror(errno));
container = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fdin, 0);
if (!container)
die(EX_OSERR, "Cannot mmap file: %s (%s)", params.imagefn,
strerror(errno));
if (!stb_is_container(container, SECURE_BOOT_HEADERS_SIZE))
die(EX_DATAERR, "%s", "Not a container, missing magic number");
if (parse_stb_container(container, SECURE_BOOT_HEADERS_SIZE, &c) != 0)
die(EX_DATAERR, "%s", "Failed to parse container");
if (params.print_container)
display_container(c);
if (params.validate)
validate_status = validate_container(c, fdin);
if (params.verify)
verify_status = verify_container(c, params.verify);
if ((validate_status != UNATTEMPTED) || (verify_status != UNATTEMPTED)) {
printf("Container validity check %s. Container verification check %s.\n\n",
(validate_status == UNATTEMPTED) ?
"not attempted" :
((validate_status == PASSED) ? "PASSED" : "FAILED"),
(verify_status == UNATTEMPTED) ?
"not attempted" :
((verify_status == PASSED) ? "PASSED" : "FAILED"));
if ((validate_status == FAILED) || (verify_status == FAILED))
container_status = 1;
}
close(fdin);
return container_status;
}