From 8d136d2e4e76c2a358b27156b1faf79a0c3d76aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Iwanicki?= Date: Thu, 18 Dec 2025 14:34:47 +0100 Subject: [PATCH 1/7] dts-boot & dts-profile: move path exports to dts-profile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit That way there won't be duplication which we might forgot to update. Before this change, sourcing "$DTS_ENV" in shell connected to via ssh wasn't possible as "$DTS_HAL" was empty, which resulted in ssh session ending. Signed-off-by: Michał Iwanicki --- dts-profile.sh | 2 ++ scripts/dts-boot.sh | 7 ++----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/dts-profile.sh b/dts-profile.sh index c8a8c074..bcb85dc3 100644 --- a/dts-profile.sh +++ b/dts-profile.sh @@ -8,3 +8,5 @@ SBIN_DIR="/usr/sbin" export DTS_FUNCS="$SBIN_DIR/dts-functions.sh" export DTS_ENV="$SBIN_DIR/dts-environment.sh" export DTS_SUBS="$SBIN_DIR/dts-subscription.sh" +export DTS_HAL="$SBIN_DIR/dts-hal.sh" +export DTS_MOCK_COMMON="$SBIN_DIR/common-mock-func.sh" diff --git a/scripts/dts-boot.sh b/scripts/dts-boot.sh index da24c4eb..0dd358c5 100644 --- a/scripts/dts-boot.sh +++ b/scripts/dts-boot.sh @@ -7,11 +7,8 @@ SBIN_DIR="/usr/sbin" FUM_EFIVAR="/sys/firmware/efi/efivars/FirmwareUpdateMode-d15b327e-ff2d-4fc1-abf6-c12bd08c1359" -export DTS_FUNCS="$SBIN_DIR/dts-functions.sh" -export DTS_ENV="$SBIN_DIR/dts-environment.sh" -export DTS_SUBS="$SBIN_DIR/dts-subscription.sh" -export DTS_HAL="$SBIN_DIR/dts-hal.sh" -export DTS_MOCK_COMMON="$SBIN_DIR/common-mock-func.sh" +# shellcheck source=../dts-profile.sh +source "/etc/profile.d/dts-profile.sh" export BASH_ENV="$SBIN_DIR/logging" export TMP_LOG_DIR="/tmp/logs" export ERR_LOG_FILE_REALPATH From 84a9a500fd4dd034f7ae4ccc4814bdc240112832 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Iwanicki?= Date: Thu, 18 Dec 2025 15:55:07 +0100 Subject: [PATCH 2/7] dts-profile: set ERR_LOG_FILE to '/dev/null' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is to allow using some functions in source `$DTS_FUNCTIONS` without entering dts-boot first e.g. board_config. Signed-off-by: Michał Iwanicki --- dts-profile.sh | 1 + scripts/dts-boot.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/dts-profile.sh b/dts-profile.sh index bcb85dc3..321f7b3a 100644 --- a/dts-profile.sh +++ b/dts-profile.sh @@ -10,3 +10,4 @@ export DTS_ENV="$SBIN_DIR/dts-environment.sh" export DTS_SUBS="$SBIN_DIR/dts-subscription.sh" export DTS_HAL="$SBIN_DIR/dts-hal.sh" export DTS_MOCK_COMMON="$SBIN_DIR/common-mock-func.sh" +export ERR_LOG_FILE="/dev/null" diff --git a/scripts/dts-boot.sh b/scripts/dts-boot.sh index 0dd358c5..e7a7082d 100644 --- a/scripts/dts-boot.sh +++ b/scripts/dts-boot.sh @@ -28,7 +28,7 @@ DTS_VERBOSE_LOG_FILE="$TMP_LOG_DIR/dts-verbose_$(basename "$(tty)").log" source "$BASH_ENV" start_trace_logging start_logging -if [ -z "$ERR_LOG_FILE" ]; then +if [[ -z "$ERR_LOG_FILE" || "$ERR_LOG_FILE" == "/dev/null" ]]; then # pass everything written to $ERR_LOG_FILE to logger function and save it's # output to $ERR_LOG_FILE_REALPATH file exec {ERR_LOG_FILE}> >(logger >>"$ERR_LOG_FILE_REALPATH") From 359fb057ad3da94801fc9684ddc9d24542f70375 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Iwanicki?= Date: Thu, 18 Dec 2025 15:57:38 +0100 Subject: [PATCH 3/7] btg_key_validator: Parse arguments, add error checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add argument parsing * allow passing expected key hash and firmware file to check. * Add error checks * Download expected key hash from dts-configs repository instead of hardcoding Signed-off-by: Michał Iwanicki --- scripts/btg_key_validator | 90 +++++++++++++++++++++++++++++++++++---- 1 file changed, 81 insertions(+), 9 deletions(-) diff --git a/scripts/btg_key_validator b/scripts/btg_key_validator index 3c387c4f..5acfeeeb 100755 --- a/scripts/btg_key_validator +++ b/scripts/btg_key_validator @@ -1,23 +1,95 @@ #!/bin/bash -ncm_mtl_key=e64b6b0e82c68fecc58f750d3696c26e1c98bf9e3149c81f3b2ed775eb9d2c157a99c103c62c44c0cdc61be971caeae1 +# shellcheck source=../include/dts-environment.sh +source "$DTS_ENV" +# shellcheck source=../include/dts-functions.sh +source "$DTS_FUNCS" -rom=flashdump.bin +print_help() { + cat </dev/null 2>&1 +Script that allows for verification whether firmware binary is signed with correct keys. +Options: + -f|--file Path to firmware file for which to check key hash. + -k|--key-hash Expected key hash + -v|--verbose Enable trace output + -h|--help Print this help +EOF +} + +parse_args() { + while [[ $# -gt 0 ]]; do + case $1 in + -v | --verbose) + set -x + shift + ;; + -h | --help) + print_help + exit 0 + ;; + -f | --file) + if [ ! -f "$2" ]; then + error_exit "File '$2' doesn't exist" + fi + rom="$2" + shift 2 + ;; + -k | --key-hash) + if [ -z "$2" ]; then + error_exit "--key-hash argument cannot be empty" + fi + expected_hash="$2" + shift 2 + ;; + -*) + print_help + error_exit "Unknown option $1" + ;; + *) + print_usage + error_exit "Script doesn't accept any positional arguments, but got $#" + ;; + esac + done +} + +expected_hash= +rom="flashdump.bin" + +parse_args "$@" + +if [ -z "$expected_hash" ]; then + board_config + error_check "Failed to download board configuration" + if [ -z "$INTEL_BTG_HASH" ]; then + error_exit "Cannot determine expected key hash. +Make sure your platform firmware supports Intel BootGuard" + fi + expected_hash="$INTEL_BTG_HASH" +fi +if [ ! -f "$rom" ]; then + echo "Reading flash..." + $FLASHROM -p "$PROGRAMMER_BIOS" --ifd -i bios -i me -i fd -r "${rom}" >>"$FLASHROM_LOG_FILE" 2>>"$ERR_LOG_FILE" + error_check "Failed to read flash" +fi echo "Extracting key manifest..." -bg-prov km-export $rom km.bin >/dev/null +bg-prov km-export "${rom}" km.bin 2>>"$ERR_LOG_FILE" >&2 +error_check "Failed to export key manifest." modulus=$(bg-prov km-show km.bin | grep "Key And Signature" -A 8 | grep Data | cut -d ' ' -f 10 | tail -c +11) exponent=01000100 -echo $modulus$exponent | awk '{gsub(/.{2}/,"& ")}1' | xxd -r -p | sha384sum | grep -q $ncm_mtl_key +fw_key_hash="$(echo "$modulus$exponent" | awk '{gsub(/.{2}/,"& ")}1' | xxd -r -p | sha384sum | awk '{print $1}')" -if [ $? -eq 0 ]; then - echo "Key matches NovaCustom Meteor Lake signing key." +if grep -q "${expected_hash}" <<<"${fw_key_hash}"; then + echo_green "Firmware is signed with expected key hash:" + echo_green " ${expected_hash}" else - echo "Key does not match NovaCustom Meteor Lake signing key!" + echo_red "Firmware signature doesn't match expected hash:" + echo_red " Expected: ${expected_hash}" + echo_red " Signed : ${fw_key_hash}" exit 1 fi From ac591c395ecb4e4aaf22285cf21e0c4e599ffd1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Iwanicki?= Date: Thu, 18 Dec 2025 16:30:53 +0100 Subject: [PATCH 4/7] dasharo-deploy: fuse_workflow: add btg signature verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Iwanicki --- scripts/dasharo-deploy.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/dasharo-deploy.sh b/scripts/dasharo-deploy.sh index d555ff9f..9a1f8114 100644 --- a/scripts/dasharo-deploy.sh +++ b/scripts/dasharo-deploy.sh @@ -1470,6 +1470,8 @@ fuse_workflow() { check_if_ac download_bios verify_artifacts bios + btg_key_validator --file "$BIOS_UPDATE_FILE" --key-hash "$INTEL_BTG_HASH" + error_check "Firmware Intel BootGuard signature check failed. Aborting..." # Ask user for confirmation: display_warning From 6eadecd1e70345a1bf36ad89604dd585b437a5d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Iwanicki?= Date: Thu, 18 Dec 2025 17:25:04 +0100 Subject: [PATCH 5/7] common-mock-func: add cap_upd_tool_mock, it shouldn't print anything MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Iwanicki --- include/hal/common-mock-func.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/hal/common-mock-func.sh b/include/hal/common-mock-func.sh index b88d1b5a..5bb12b08 100644 --- a/include/hal/common-mock-func.sh +++ b/include/hal/common-mock-func.sh @@ -785,3 +785,11 @@ amdtool_on_amd_mock() { fi return 1 } + +################################################################################ +# cap_upd_tool +################################################################################ + +cap_upd_tool_mock() { + return 0 +} From db6ad78143cb774e5c400a9c8d7147927678ad60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Iwanicki?= Date: Mon, 22 Dec 2025 09:56:27 +0100 Subject: [PATCH 6/7] dasharo-deploy & btg_key_validator: reword error messages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Iwanicki --- scripts/btg_key_validator | 6 +++--- scripts/dasharo-deploy.sh | 6 +++++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/scripts/btg_key_validator b/scripts/btg_key_validator index 5acfeeeb..22780f60 100755 --- a/scripts/btg_key_validator +++ b/scripts/btg_key_validator @@ -62,10 +62,10 @@ parse_args "$@" if [ -z "$expected_hash" ]; then board_config - error_check "Failed to download board configuration" + error_check "Failed to download board configuration." if [ -z "$INTEL_BTG_HASH" ]; then - error_exit "Cannot determine expected key hash. -Make sure your platform firmware supports Intel BootGuard" + error_exit "Platform configuration is missing expected key hash. +The most likely reason is that there is no fusing binary for your platform." fi expected_hash="$INTEL_BTG_HASH" fi diff --git a/scripts/dasharo-deploy.sh b/scripts/dasharo-deploy.sh index 9a1f8114..6fb9969d 100644 --- a/scripts/dasharo-deploy.sh +++ b/scripts/dasharo-deploy.sh @@ -1450,6 +1450,9 @@ fuse_workflow() { echo "No release with fusing support is available for your platform." exit "${CANCEL}" fi + if [ -z "$INTEL_BTG_HASH" ]; then + error_exit "Platform config is missing hash of the key used to sign firmware" + fi BIOS_LINK="${EOM_LINK_COMM_CAP}" BIOS_HASH_LINK="${EOM_HASH_LINK_COMM_CAP}" @@ -1471,7 +1474,8 @@ fuse_workflow() { download_bios verify_artifacts bios btg_key_validator --file "$BIOS_UPDATE_FILE" --key-hash "$INTEL_BTG_HASH" - error_check "Firmware Intel BootGuard signature check failed. Aborting..." + error_check "Firmware Intel BootGuard signature check failed. Aborting... +Platform has not been fused and no changes were made." # Ask user for confirmation: display_warning From 2573c7e1d6eee7d5e0dd21173bc27f4b4531232b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Iwanicki?= Date: Thu, 8 Jan 2026 17:58:52 +0100 Subject: [PATCH 7/7] common-mock: mock btg_key_validator so we can test failure states MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Iwanicki --- include/hal/common-mock-func.sh | 17 +++++++++++++++++ include/hal/dts-hal.sh | 1 + scripts/dasharo-deploy.sh | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/include/hal/common-mock-func.sh b/include/hal/common-mock-func.sh index 5bb12b08..e58fee1c 100644 --- a/include/hal/common-mock-func.sh +++ b/include/hal/common-mock-func.sh @@ -793,3 +793,20 @@ amdtool_on_amd_mock() { cap_upd_tool_mock() { return 0 } + +################################################################################ +# cap_upd_tool +################################################################################ +# Leave empty to call original tool, set to "true" to return 1 otherwise +# return 0 +TEST_KEY_VALIDATOR_FAIL="${TEST_KEY_VALIDATOR_RESULT:-}" + +btg_key_validator_mock() { + if [ -z "${TEST_KEY_VALIDATOR_FAIL}" ]; then + btg_key_validator "$@" + elif [ "${TEST_KEY_VALIDATOR_FAIL}" = "true" ]; then + return 1 + else + return 0 + fi +} diff --git a/include/hal/dts-hal.sh b/include/hal/dts-hal.sh index 1088b081..7ab91345 100644 --- a/include/hal/dts-hal.sh +++ b/include/hal/dts-hal.sh @@ -60,6 +60,7 @@ RDMSR="tool_wrapper rdmsr" LSPCI="tool_wrapper lspci" LSUSB="tool_wrapper lsusb" DUMP_PCRS="tool_wrapper dump_pcrs" +BTG_KEY_VALIDATOR="tool_wrapper btg_key_validator" ################################################################################ # Tools wrapper. diff --git a/scripts/dasharo-deploy.sh b/scripts/dasharo-deploy.sh index 6fb9969d..ecfa88de 100644 --- a/scripts/dasharo-deploy.sh +++ b/scripts/dasharo-deploy.sh @@ -1473,7 +1473,7 @@ fuse_workflow() { check_if_ac download_bios verify_artifacts bios - btg_key_validator --file "$BIOS_UPDATE_FILE" --key-hash "$INTEL_BTG_HASH" + $BTG_KEY_VALIDATOR --file "$BIOS_UPDATE_FILE" --key-hash "$INTEL_BTG_HASH" error_check "Firmware Intel BootGuard signature check failed. Aborting... Platform has not been fused and no changes were made." # Ask user for confirmation: