authorGaurav Shah <gauravsh@chromium.org>2011-03-02 14:50:46 -0800
committerGaurav Shah <gauravsh@chromium.org>2011-03-02 14:50:46 -0800
commit574684550064ab5ea4adcfd1b8d2c9ce92a0176b (patch)
treef929ef1f1949d30c5fd3a850ccdf1398806c9b70
parent340335447f83532228bf388dba50e43595cc2e55 (diff)
downloadvboot-574684550064ab5ea4adcfd1b8d2c9ce92a0176b.tar.gz
Add support for using separate developer firmware keyblock while signing.
Also refactor the key generation script into its own directory, including wrappers for generating key pairs and keyblocks without needing to start the keyset generation process from scratch. (Useful for generating new kernel keyblocks, and for retroactively adding new keys to an existing keyset - as in this case). Finally, change hard-coded algorithm ids and keyblock modes to bash variables, for easy changes and for telling the keyset configuration at a glance. BUG=chrome-os-partner:2218 TEST=manually tried the following: 1) Generating an entire new keyset. 2) Generating a new key pair and creating a keyblock from an existing key (for generating dev firmware keyblock for existing PVT keysets) 3) Firmware signing via sign_official_build.sh of an image with a firmware payload. Change-Id: I4e9bb96ac7e5fe4cc0d95af6162ad6d37bbd4bda Review URL: http://codereview.chromium.org/6594131
-rwxr-xr-xscripts/image_signing/resign_firmwarefd.sh19
-rwxr-xr-xscripts/image_signing/sign_official_build.sh2
-rwxr-xr-xscripts/keygeneration/common.sh (renamed from tests/devkeys/create_new_keys.sh)43
-rwxr-xr-xscripts/keygeneration/create_new_keys.sh65
-rwxr-xr-xscripts/keygeneration/make_keyblock.sh27
-rwxr-xr-xscripts/keygeneration/make_pair.sh23
6 files changed, 132 insertions, 47 deletions
diff --git a/scripts/image_signing/resign_firmwarefd.sh b/scripts/image_signing/resign_firmwarefd.sh
index 42412ef4..b5d1cf23 100755
--- a/scripts/image_signing/resign_firmwarefd.sh
+++ b/scripts/image_signing/resign_firmwarefd.sh
@@ -54,9 +54,9 @@
set -e
# Check arguments
-if [ $# -lt 5 ] || [ $# -gt 6 ]; then
+if [ $# -lt 7 ] || [ $# -gt 8 ]; then
echo "Usage: $PROG src_fd dst_fd firmware_datakey firmware_keyblock"\
- "kernel_subkey [version]"
+ "dev_firmware_datakey dev_firmware_keyblock kernel_subkey [version]"
exit 1
fi
@@ -70,8 +70,10 @@ SRC_FD=$1
DST_FD=$2
FIRMWARE_DATAKEY=$3
FIRMWARE_KEYBLOCK=$4
-KERNEL_SUBKEY=$5
-VERSION=$6
+DEV_FIRMWARE_DATAKEY=$5
+DEV_FIRMWARE_KEYBLOCK=$6
+KERNEL_SUBKEY=$7
+VERSION=$8
if [ -z $VERSION ]; then
VERSION=1
@@ -105,15 +107,16 @@ done
temp_fwimage=$(make_temp_file)
temp_out_vb=$(make_temp_file)
-# Extract out Firmware A data and generate signature using the right keys
+# Extract out Firmware A data and generate signature using the right keys.
+# Firmware A is the dev firmware.
dd if="${SRC_FD}" of="${temp_fwimage}" skip="${fwA_offset}" bs=1 \
count="${fwA_size}"
echo "Re-calculating Firmware A vblock"
vbutil_firmware \
--vblock "${temp_out_vb}" \
- --keyblock "${FIRMWARE_KEYBLOCK}" \
- --signprivate "${FIRMWARE_DATAKEY}" \
+ --keyblock "${DEV_FIRMWARE_KEYBLOCK}" \
+ --signprivate "${DEV_FIRMWARE_DATAKEY}" \
--version "${VERSION}" \
--fv "${temp_fwimage}" \
--kernelkey "${KERNEL_SUBKEY}"
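Review bot: Slot A is now always signed with the dev keyblock and dev data key, on the strength of the comment "Firmware A is the dev firmware" alone. If an image carries the same firmware body in both slots (no separate dev firmware), its A vblock would be tied to a keyblock that create_new_keys.sh in this same commit marks as "Only allow in dev mode", so slot A would presumably fail verification in normal mode. Comparing the two bodies before choosing the keys would remove the assumption; the sketch below relies on `fwB_offset` and `fwB_size` already being set at this point, which the later context lines suggest but this hunk does not show.

```shell
# … unchanged: dd extraction of Firmware A into ${temp_fwimage} …
temp_fwimage_b=$(make_temp_file)
dd if="${SRC_FD}" of="${temp_fwimage_b}" skip="${fwB_offset}" bs=1 \
  count="${fwB_size}"
if cmp -s "${temp_fwimage}" "${temp_fwimage_b}"; then
  # Same body in both slots: no separate dev firmware, sign A with normal keys.
  fwA_keyblock="${FIRMWARE_KEYBLOCK}"
  fwA_datakey="${FIRMWARE_DATAKEY}"
else
  fwA_keyblock="${DEV_FIRMWARE_KEYBLOCK}"
  fwA_datakey="${DEV_FIRMWARE_DATAKEY}"
fi
# … unchanged: vbutil_firmware call, now passing
#   --keyblock "${fwA_keyblock}" and --signprivate "${fwA_datakey}" …
```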
@@ -123,7 +126,7 @@ cp "${SRC_FD}" "${DST_FD}"
dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwA_vblock_offset}" bs=1 \
count="${fwA_vblock_size}" conv=notrunc
-# Repeat for firmware B
+# Firmware B is the normal firmware.
dd if="${SRC_FD}" of="${temp_fwimage}" skip="${fwB_offset}" bs=1 \
count="${fwB_size}"
echo "Re-calculating Firmware B vblock"
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index da9db062..12014da6 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -261,6 +261,8 @@ resign_firmware_payload() {
${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
${KEY_DIR}/firmware_data_key.vbprivk \
${KEY_DIR}/firmware.keyblock \
+ ${KEY_DIR}/dev_firmware_data_key.vbprivk \
+ ${KEY_DIR}/dev_firmware.keyblock \
${KEY_DIR}/kernel_subkey.vbpubk \
${FIRMWARE_VERSION}
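Review bot: The two added key paths are handed to resign_firmwarefd.sh without checking that they exist, and a keyset generated before this change has no `dev_firmware_data_key.vbprivk` or `dev_firmware.keyblock`. Signing with such a keyset would fail only once vbutil_firmware is reached, with an error that does not name the missing file. A check before the call, for example `[ -r "${KEY_DIR}/dev_firmware.keyblock" ] || { echo "missing dev firmware keyblock in ${KEY_DIR}" >&2; return 1; }` (and the same for the data key), gives an early, clear failure. The new arguments also follow the surrounding unquoted style, so a `KEY_DIR` containing whitespace would shift every positional parameter of the callee. resign_firmware_payload starts and ends outside this hunk.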
diff --git a/tests/devkeys/create_new_keys.sh b/scripts/keygeneration/common.sh
index 311d9243..0e1a6dfd 100755
--- a/tests/devkeys/create_new_keys.sh
+++ b/scripts/keygeneration/common.sh
@@ -1,11 +1,11 @@
#!/bin/bash
-# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
-#
-# Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
-# be exactly like the real keys except that the private keys aren't secret.
+# Common key generation functions.
+
+SCRIPT_DIR="$(dirname "$0")"
# 0 = (RSA1024 SHA1)
# 1 = (RSA1024 SHA256)
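Review bot: The added `SCRIPT_DIR="$(dirname "$0")"` sits in a file that the new wrappers load with `.`, so `$0` is the invoking script and the value is the caller's directory, not the directory of common.sh. That holds only while every caller lives beside common.sh; `SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")"` would not depend on it. The assignment also overwrites any `SCRIPT_DIR` the sourcing script has already set. The header comment should state that the file is a library to be sourced, since it keeps `#!/bin/bash` and mode 100755 from the script it was renamed from.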
@@ -90,38 +90,3 @@ function make_keyblock {
}
-
-# Create the normal keypairs
-make_pair root_key 11
-make_pair firmware_data_key 7
-make_pair dev_firmware_data_key 7
-make_pair kernel_subkey 7
-make_pair kernel_data_key 4
-
-# Create the recovery and factory installer keypairs
-make_pair recovery_key 11
-make_pair recovery_kernel_data_key 11
-make_pair installer_kernel_data_key 11
-
-# Create the firmware keyblock for use only in Normal mode. This is redundant,
-# since it's never even checked during Recovery mode.
-make_keyblock firmware 7 firmware_data_key root_key
-
-# Create the dev firmware keyblock for use only in Developer mode.
-make_keyblock dev_firmware 6 dev_firmware_data_key root_key
-
-# Create the recovery kernel keyblock for use only in Recovery mode.
-make_keyblock recovery_kernel 11 recovery_kernel_data_key recovery_key
-
-# Create the normal kernel keyblock for use only in Normal mode.
-make_keyblock kernel 7 kernel_data_key kernel_subkey
-
-# Create the installer keyblock for use in Developer + Recovery mode
-# For use in Factory Install and Developer Mode install shims.
-make_keyblock installer_kernel 10 installer_kernel_data_key recovery_key
-
-# CAUTION: The public parts of most of these blobs must be compiled into the
-# firmware, which is built separately (and some of which can't be changed after
-# manufacturing). If you update these keys, you must coordinate the changes
-# with the BIOS people or you'll be unable to boot the resulting images.
-
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
new file mode 100755
index 00000000..d39dd6ee
--- /dev/null
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
+# be exactly like the real keys except that the private keys aren't secret.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+# Mapping are in common.sh.
+ROOT_KEY_ALGOID=11
+RECOVERY_KEY_ALGOID=11
+
+FIRMWARE_DATAKEY_ALGOID=7
+DEV_FIRMWARE_DATAKEY_ALGOID=7
+
+RECOVERY_KERNEL_ALGOID=11
+INSTALLER_KERNEL_ALGOID=11
+KERNEL_SUBKEY_ALGOID=7
+KERNEL_DATAKEY_ALGOID=4
+
+# Keyblock modes determine which boot modes a signing key is valid for use
+# in verification.
+FIRMWARE_KEYBLOCK_MODE=7
+DEV_FIRMWARE_KEYBLOCK_MODE=6 # Only allow in dev mode.
+RECOVERY_KERNEL_KEYBLOCK_MODE=11
+KERNEL_KEYBLOCK_MODE=7 # Only allow in non-recovery.
+INSTALLER_KERNEL_KEYBLOCK_MODE=10 # Only allow in Dev + Recovery.
+
+# Create the normal keypairs
+make_pair root_key $ROOT_KEY_ALGOID
+make_pair firmware_data_key $FIRMWARE_DATAKEY_ALGOID
+make_pair dev_firmware_data_key $DEV_FIRMWARE_DATAKEY_ALGOID
+make_pair kernel_subkey $KERNEL_SUBKEY_ALGOID
+make_pair kernel_data_key $KERNEL_DATAKEY_ALGOID
+
+# Create the recovery and factory installer keypairs
+make_pair recovery_key $RECOVERY_KEY_ALGOID
+make_pair recovery_kernel_data_key $RECOVERY_KERNEL_ALGOID
+make_pair installer_kernel_data_key $INSTALLER_KERNEL_ALGOID
+
+# Create the firmware keyblock for use only in Normal mode. This is redundant,
+# since it's never even checked during Recovery mode.
+make_keyblock firmware $FIRMWARE_KEYBLOCK_MODE firmware_data_key root_key
+
+# Create the dev firmware keyblock for use only in Developer mode.
+make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key
+
+# Create the recovery kernel keyblock for use only in Recovery mode.
+make_keyblock recovery_kernel $RECOVERY_KERNEL_KEYBLOCK_MODE recovery_kernel_data_key recovery_key
+
+# Create the normal kernel keyblock for use only in Normal mode.
+make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey
+
+# Create the installer keyblock for use in Developer + Recovery mode
+# For use in Factory Install and Developer Mode install shims.
+make_keyblock installer_kernel $INSTALLER_KERNEL_KEYBLOCK_MODE installer_kernel_data_key recovery_key
+
+# CAUTION: The public parts of most of these blobs must be compiled into the
+# firmware, which is built separately (and some of which can't be changed after
+# manufacturing). If you update these keys, you must coordinate the changes
+# with the BIOS people or you'll be unable to boot the resulting images.
+
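Review bot: Nothing after the `. "$(dirname "$0")/common.sh"` line stops the run when a step fails, so a failed `make_pair` would be followed by `make_keyblock` calls against a missing or stale key and leave a partial keyset behind. Unless common.sh already enables it (not visible here), add `set -e` directly after the source line. The header comment still describes keys "for use by developer builds" whose private keys "aren't secret", text carried over from tests/devkeys, while the commit message describes use with PVT keysets; it should say that the output includes private keys that must be protected when a real keyset is generated. `FIRMWARE_KEYBLOCK_MODE=7` is the only mode line without a trailing comment saying which boot modes it permits.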
diff --git a/scripts/keygeneration/make_keyblock.sh b/scripts/keygeneration/make_keyblock.sh
new file mode 100755
index 00000000..565a566c
--- /dev/null
+++ b/scripts/keygeneration/make_keyblock.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generates a keyblock containing a public key and signed using the given
+# signing key.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+if [ $# -ne 4 ]; then
+ cat <<EOF
+Usage: $0 <in_public_key> <in_signing_key> <flags> <out_keyblock>
+
+Emits <out_keyblock>.keyblock containing <in_public_key>.vbpubk signed with
+<in_signing_key>.vbprivk with the given keyblock <flags>.
+EOF
+ exit 1
+fi
+
+in_pubkey=$1
+in_signkey=$2
+keyblock_flags=$3
+out_keyblock=$4
+
+make_keyblock $out_keyblock $keyblock_flags $in_pubkey $in_signkey
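Review bot: The four expansions in the final `make_keyblock` call are unquoted, so a key path containing whitespace or glob characters is split or expanded before it reaches the function; write `make_keyblock "$out_keyblock" "$keyblock_flags" "$in_pubkey" "$in_signkey"`. The same applies to `make_pair $out_keypair $algoid` at the end of make_pair.sh. `keyblock_flags` is passed through unchecked although it decides which boot modes accept the key, so a numeric guard such as `case "$keyblock_flags" in ''|*[!0-9]*) echo "flags must be a number" >&2; exit 1;; esac` is cheap insurance. The usage text on the error path goes to stdout; `cat >&2 <<EOF` keeps it out of captured output.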
diff --git a/scripts/keygeneration/make_pair.sh b/scripts/keygeneration/make_pair.sh
new file mode 100755
index 00000000..cd5d0c10
--- /dev/null
+++ b/scripts/keygeneration/make_pair.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generate .vbpubk and .vbprivk pairs with the given algorithm id.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+if [ $# -ne 2 ]; then
+ cat <<EOF
+Usage: $0 <algoid> <out_keypair>
+
+Output: <out_keypair>.vbprivk and <out_keypair>.vbpubk
+EOF
+ exit 1
+fi
+
+algoid=$1
+out_keypair=$2
+
+make_pair $out_keypair $algoid
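Review bot: `out_keypair` is handed to `make_pair` without checking whether `<out_keypair>.vbprivk` already exists. The commit message says this wrapper is meant for adding keys to an existing keyset, where a mistyped name could replace a private key that is already in use; whether that happens depends on the body of make_pair in common.sh, which is not shown here. A guard before the call, `[ ! -e "${out_keypair}.vbprivk" ] || { echo "refusing to overwrite ${out_keypair}.vbprivk" >&2; exit 1; }`, would rule it out.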