{"id":19094599,"url":"https://github.com/coreboot/vboot","last_synced_at":"2025-04-06T22:09:36.860Z","repository":{"id":31552266,"uuid":"35116931","full_name":"coreboot/vboot","owner":"coreboot","description":"mirror of https://chromium.googlesource.com/chromiumos/platform/vboot_reference","archived":false,"fork":false,"pushed_at":"2024-10-21T20:19:56.000Z","size":81503,"stargazers_count":33,"open_issues_count":0,"forks_count":23,"subscribers_count":12,"default_branch":"main","last_synced_at":"2024-10-21T23:41:21.337Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/coreboot.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-05-05T18:30:40.000Z","updated_at":"2024-10-21T20:20:00.000Z","dependencies_parsed_at":"2024-10-25T18:34:10.285Z","dependency_job_id":null,"html_url":"https://github.com/coreboot/vboot","commit_stats":{"total_commits":3218,"total_committers":250,"mean_commits":12.872,"dds":0.877252952144189,"last_synced_commit":"f5dcda11682c6f3ad267b73673946d425bb70fd9"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coreboot%2Fvboot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coreboot%2Fvboot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coreboot%2Fvboot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coreboot%2Fvboot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/coreboot","download_url":"https://codeload.github.com/coreboot/vboot/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247557767,"owners_count":20958047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T03:30:22.728Z","updated_at":"2025-04-06T22:09:36.829Z","avatar_url":"https://github.com/coreboot.png","language":"C","readme":"This directory contains a reference implementation for Chrome OS\nverified boot in firmware.\n\n----------\nDirectory Structure\n----------\n\nThe source is organized into distinct modules -\n\nfirmware/\n\n  Contains ONLY the code required by the BIOS to validate the secure boot\n  components. There shouldn't be any code in here that signs or generates\n  images. BIOS should require ONLY this directory to implement secure boot.\n  Refer to firmware/README for futher details.\n\ncgpt/\n\n  Utility to read/write/modify GPT partitions. Similar to GNU parted or any\n  other GPT tool, but this has support for Chrome OS extensions.\n\nhost/\n\n  Miscellaneous functions needed by userland utilities.\n\nfutility/\n\n  The \"firmware utility\" tool, used to create, sign, and validate Chrome OS\n  images.\n\nutility/\n\n  Random other utilities, not necesssarily related to verified boot as such.\n\ntests/\n\n  User-land tests and benchmarks that test the reference implementation.\n  Please have a look at these if you'd like to understand how to use the\n  reference implementation.\n\nbuild/\n\n  The output directory where the generated files will be placed, and where\n  tests are run.\n\nscripts/\n\n  Tools and scripts used to generate and use new signing keypairs. These are\n  typically used only on a secure machine.\n\nrust/\n\n  Rust bindings for vboot_reference. See rust/README.md for more details.\n\n--------------------\nBuilding and testing\n--------------------\n\nThe suite can be built on the host or in the chroot environment.\n\nBuilding on the host could fail if certain packages are not installed. If\nthere are host environment build problems due to missing .h files, try\nresearching what packages the files belong to and install the missing packages\nbefore reporting a problem.\n\n\nThe commands are the more-or-less expected ones:\n\n  make\n  make runtests\n  make install [ DESTDIR=/usr/local ]\n\n\n\n----------\nSome useful utilities:\n----------\n\nfutility vbutil_key         Convert a public key into .vbpubk format\nfutility vbutil_keyblock    Wrap a public key inside a signature and checksum\nfutility sign               Sign a blob. Supported operations include:\n                            * Create a .vblock with signature info for a\n                              firmware image\n                            * Re-sign a firmware image\n                            * Pack a vmlinuz image, bootloader and config into a\n                              kernel partition\nfutility verify             Verify a blob such as a firmware image or a kernel\n                              partition\n\ndumpRSAPublicKey            Dump RSA Public key (from a DER-encoded X509\n                            certificate) in a format suitable for use by\n                            RSAVerify* functions in crypto/.\n\n\n\n----------\nGenerating a signed firmware image:\n----------\n\n* Step 0: Build the tools, install them somewhere.\n\n* Step 1: Generate RSA root and signing keys.\n\n  The root key is always 8192 bits.\n\n    $ openssl genrsa -F4 -out root_key.pem 8192\n\n  The signing key can be between 1024-8192 bits.\n\n    $ openssl genrsa -F4 -out signing_key.pem \u003c1024|2048|4096|8192\u003e\n\n  Note: The -F4 option must be specified to generate RSA keys with a public\n  exponent of 65535. RSA keys with 3 as a public exponent (the default)\n  won't work.\n\n* Step 2: Generate pre-processed public versions of the above keys using\n          dumpRSAPublicKey. This utility expects an x509 certificate as\n          input, and emits an intermediate representation for further\n          processing.\n\n    $ openssl req -batch -new -x509 -key root_key.pem -out root_key.crt\n    $ openssl req -batch -new -x509 -key signing_key.pem -out signing_key.crt\n    $ dumpRSAPublicKey root_key.crt \u003e root_key.keyb\n    $ dumpRSAPublicKey signing_key.crt \u003e signing_key.keyb\n\n************** TODO: STUFF PAST HERE IS OUT OF DATE ***************\n\nAt this point we have all the requisite keys needed to generate a signed\nfirmware image.\n\n.pem   RSA Public/Private Key Pair\n.crt   X509 Key Certificate\n.keyb  Pre-processed RSA Public Key\n\n\n* Step 3: Use utility/firmware_utility to generate a signed firmare blob.\n\n$ utility/firmware_utility --generate \\\n  --root_key root_key.pem \\\n  --firmware_sign_key signing_key.pem \\\n  --firmware_sign_key_pub signing_key.keyb \\\n  --firmware_sign_algorithm \u003calgoid\u003e \\\n  --firmware_key_version 1 \\\n  --firmware_version 1 \\\n  --in \u003cfirmware blob file\u003e \\\n  --out \u003coutput file\u003e\n\nWhere \u003calgoid\u003e is based on the signature algorithm to use for firmware\nsignining. The list of \u003calgoid\u003e specifications can be output by running\n'utility/firmware_utility' without any arguments.\n\nNote: --firmware_key_version and --firmware_version are part of a signed\n      image and are used to prevent rollbacks to older version. For testing,\n      they can just be set to valid values.\n\n\n* Step 4: Verify that this image verifies.\n\n$ utility/firmware_utility --verify \\\n                         --in \u003csigned firmware image\u003e\n                         --root_key_pub root_key.keyb\nVerification SUCCESS.\n\n\nNote: The verification functions expects a pointer to the\n      pre-processed public root key as input. For testing purposes,\n      root_key.keyb can be stored in RW part of the firmware. For the\n      final firmware, this will be a fixed public key which cannot be\n      changed and must be stored in RO firmware.\n\n----------\nGenerating a signed kernel image:\n----------\n\nThe steps for generating a signed kernel image are similar to that of\na firmware image. Since verification is chained - RO firmware verifies\nRW firmware which verifies the kernel, only the keys change. An additional\nkernel signing key must be generated. The firmware signing generated above\nis the root key equivalent for signed kernel images.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoreboot%2Fvboot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcoreboot%2Fvboot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoreboot%2Fvboot/lists"}