README
4.52 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
Launching via skapi:
This testapp is published with CID 0x00020000.
1) chain naming: the cert chains have correct signatures but the
names do not match the expected for a cmd signer and ticket signer.
Strategy is to use the regular cert.sys, but just have a BbTicket
signed by the CP chain and a BbContentMetaData signed by a XS chain.
Both these cases should fail. The fact that this test app itself has
launched signifies that launch would succeed if there were no errors
injected.
In the cases below, the published app is just this testapp republished.
Since it won't succeed this is fine, and is in line with the strategy
statement that all would succeed if these errors were not injected.
The signer is specified by the -S arg to pubrom.
a) publish CID 0x00020001 with cmd signed by ticket chain
b) publish CID 0x00020002 with ticket signed by cmd chain
The testapp then attempts to launch both these and we should see failure.
NOTE: the "attempt to launch" only uses skLaunchSetup(). So, and
accidental failure won't actually cause an app launch.
2) bad cert sigs: the only error is that a cert in the chain has a bad
sig.
The testapp itself, as published (CID 0x00020000), is the target.
The testapp will read cert.sys, alter a sig, then write cert.sys back
(the good cert.sys should be copied somewhere so it may be restored
after the test).
The following signatures will have a byte altered (each is altered, the
failure on launch is verified, then fixed before the next case is
treated):
a) XS cert
b) XSCA cert
c) CP cert
d) CPCA cert
3) bad ticket sigs: the ticket and cmd sigs are altered as in "2)". This
requires reading ticket.sys and altering, as was previously done for
cert.sys, but for the cmd and ticket sigs on CID 0x00020000. (though
in this case the ticket.sys doesn't actually need to be re-written
since libultra/bb/sa doesn't read the tickets as it does for certs)
4) ticket bbid mismatch: have makefile require BBCERT define. use bbcert
with arg that will perform a bbid++ on the cert and write back out. Use
this modified cert to publish the testapp with CID 0x00020003.
Insure 0x00020003 fails to launch.
5) bad app hash: makefile generates rom2 with 0x00020004 which is same as
test rom but targetted to a load address that doesn't cause overwrite
of test app on launch. the rom2 app has been tested to launch successfully
by test if no error in injected. the test reads alters a bit before
attempting to launch to test hash. in this case the skLaunchSetup()
succeeds, but the skLaunch() call should fail. A bit is changed in the
first 4K (first byte) and the test insures the app failed accordingly
(if it launches, that's pretty obvious, and should be interpretted as
an error). the test is repeated for a byte past the first 4K (byte
at 16KB into app).
TO RUN:
o insure BBCERT environment variable is set to file with bb cert
for ticketing.
o make
o load ticket.sys, cert.sys, and all generated app files (00020000.app,
00020001.app, 00020002.app, 00020003.app, 00020004.app) to bb.
o launch 00020000.app and insure all tests pass.
o SK must be built using local PKI. in bbapps/sk:
make SK_ROOT_LOCAL=1
o SYSAPP should be number "1)" from below (sysapp.aes/tik built
by the publish script).
o currently have NOT run on system requiring version 1 of CPRL.
the publish script would need to be modified to enable this,
and a suitable crl.sys generated.
------------------------------------------------------------------
Sysapp Launch:
the following are generated.
1) sysapp.tik/sysapp.aes: insure packaging works. launch with this and
insure success.
2) sysapp_xs.tik/sysapp_xs.aes: cmdh in sysapp ticket bundle signed
by ticket server (instead of content publisher). insure sysapp fails
to boot.
3) sysapp_sig.tik/sysapp_sig.aes: cmdh signature has error injected.
insure failure.
4) sysapp_hash.tik/sysapp_hash.aes: hash error over sysapp rom, generated
by appending a few bytes to the end of the sysapp rom prior to publishing.
NOTE: test "2)" insures the function verifyCertChain is called within
the SK. since app-centric launch tests already tested errors in
the cert sigs themselves, this is not retested for the sysapp
case.
TO RUN:
assuming the make has already been done for the regular app load test
case, the sysapps must each be loaded from steps above (1-4), and
the indicated behavior verified.