diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index df27ef37..958fab3e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -135,3 +135,97 @@ jobs:
 --pbet=12 --ibbflags=1 --mchbar=123456 --vdtbar=120000 --dmabase0=130000 \
 --dmasize0=2048 --entrypoint=140000 --ibbhash=SHA256 config.json
 cat ./config.json | jq
+ RoundTripValidation:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+ - name: Install dependencies
+ run: sudo apt update & sudo apt install openssl
+
+ - name: Download FW with BtG 1.0
+ run: |
+ wget "https://downloads.hpe.com/pub/softlib2/software1/pubfw-uefi/p736852486/v283550/U30_3.66_04_01_2026.signed.flash"
+ mv U30_3.66_04_01_2026.signed.flash firmware10.bin
+ - name: Download FW with CBnT 2.0
+ run: |
+ wget "https://download.asrock.com/BIOS/4677/W790%20WS(9.01)ROM.zip"
+ unzip W790\ WS\(9.01\)ROM.zip
+ mv W790-WS_9.01.ROM firmware20.bin
+ - name: Download Artifacts
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ with:
+ name: artifacts-amd64
+ path: ./artifacts
+
+ - name: Make artifacts executable
+ run: chmod +x ./artifacts/*
+
+ - name: Read 1.0 config
+ run: |
+ ./artifacts/bg-prov read-config config10.json ./firmware10.bin
+ ./artifacts/bg-prov bpm-export ./firmware10.bin bpm10.bin
+ ./artifacts/bg-prov km-export ./firmware10.bin km10.bin
+ sha256sum km10.bin > checksums
+ sha256sum bpm10.bin >> checksums
+ sha256sum km10.bin
+ sha256sum bpm10.bin
+ rm km10.bin bpm10.bin
+ - name: Extract pubkey from KM 1.0
+ run: |
+ KEY_DATA_B64=$(jq -r '."v1-keymanifest".kmKeySignature.ksKey.keyData' config10.json)
+ echo "$KEY_DATA_B64" | base64 -d > /tmp/keydata.bin
+ EXPONENT_HEX=$(dd if=/tmp/keydata.bin bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n' | fold -w2 | tac | tr -d '\n')
+ MODULUS_HEX=$(dd if=/tmp/keydata.bin bs=1 skip=4 2>/dev/null | od -An -tx1 | tr -d ' \n' | fold -w2 | tac | tr -d '\n')
+ cat > /tmp/rsa_key.asn1 << EOF
+ asn1=SEQUENCE:rsa_key
+ [rsa_key]
+ n=INTEGER:0x${MODULUS_HEX}
+ e=INTEGER:0x${EXPONENT_HEX}
+ EOF
+ openssl asn1parse -genconf /tmp/rsa_key.asn1 -out /tmp/rsa_key.der -noout
+ openssl rsa -in /tmp/rsa_key.der \
+ -inform DER \
+ -RSAPublicKey_in \
+ -pubout \
+ -out km_pub10.pem
+ rm -f /tmp/keydata.bin /tmp/rsa_key.asn1 /tmp/rsa_key.der
+ - name: Generate 1.0 from config
+ run: |
+ ./artifacts/bg-prov bpm-gen-v-1 --config=config10.json bpm10.bin ./firmware10.bin
+ ./artifacts/bg-prov km-gen-v-1 --config=config10.json km10.bin km_pub10.pem
+ sha256sum -c checksums
+ - name: Read 2.0 config
+ run: |
+ ./artifacts/bg-prov read-config config20.json ./firmware20.bin
+ ./artifacts/bg-prov bpm-export ./firmware20.bin bpm20.bin
+ ./artifacts/bg-prov km-export ./firmware20.bin km20.bin
+ sha256sum km20.bin > checksums
+ sha256sum bpm20.bin >> checksums
+ rm km20.bin bpm20.bin
+ - name: Extract pubkey from KM 2.0
+ run: |
+ KEY_DATA_B64=$(jq -r '."v2-keymanifest".kmKeySignature.ksKey.keyData' config20.json)
+ echo "$KEY_DATA_B64" | base64 -d > /tmp/keydata.bin
+ EXPONENT_HEX=$(dd if=/tmp/keydata.bin bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n' | fold -w2 | tac | tr -d '\n')
+ MODULUS_HEX=$(dd if=/tmp/keydata.bin bs=1 skip=4 2>/dev/null | od -An -tx1 | tr -d ' \n' | fold -w2 | tac | tr -d '\n')
+ cat > /tmp/rsa_key.asn1 << EOF
+ asn1=SEQUENCE:rsa_key
+ [rsa_key]
+ n=INTEGER:0x${MODULUS_HEX}
+ e=INTEGER:0x${EXPONENT_HEX}
+ EOF
+ openssl asn1parse -genconf /tmp/rsa_key.asn1 -out /tmp/rsa_key.der -noout
+ openssl rsa -in /tmp/rsa_key.der \
+ -inform DER \
+ -RSAPublicKey_in \
+ -pubout \
+ -out km_pub20.pem
+ rm -f /tmp/keydata.bin /tmp/rsa_key.asn1 /tmp/rsa_key.der
+ - name: Generate 2.0 from config
+ run: |
+ ./artifacts/bg-prov bpm-gen-v-2 --config=config20.json bpm20.bin ./firmware20.bin
+ ./artifacts/bg-prov km-gen-v-2 --config=config20.json km20.bin km_pub20.pem
+ sha256sum -c checksums
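Review bot: The "Install dependencies" step uses a single `&`, so `apt update` is backgrounded and `apt install` runs concurrently with it and without `-y`; the line should read `run: sudo apt-get update && sudo apt-get install -y openssl`. The two firmware images the round-trip test depends on are fetched from vendor URLs with no integrity check, so a changed, truncated or substituted download silently changes what `bpm-export`/`km-export` and the later `sha256sum -c checksums` comparison are actually validating; after each `mv`, pin the fixture with a line such as `echo "<EXPECTED_SHA256_PLACEHOLDER>  firmware10.bin" | sha256sum -c -` (same for `firmware20.bin`), with the digest recorded once in the workflow. The two "Extract pubkey from KM" steps are identical except for the `v1-`/`v2-keymanifest` key and output name, which invites drift; a small script under the repository taking the manifest key and output path as arguments would keep them in step. The `RoundTripValidation` job runs past the end of the hunk as shown only if further steps follow; as printed, the job ends with the 2.0 `sha256sum -c checksums` line.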