authorGaurav Shah <gauravsh@chromium.org>2011-11-22 11:44:06 -0800
committerGerrit <chrome-bot@google.com>2011-11-22 20:22:07 -0800
commita24e30cdc2f81e619f2441cdf372a7b6064e1844 (patch)
tree870827e4438121dcd8ab878a2dd999ba2f4d4c36
parent8e85e987739281161ece1dbc9ff2b73f3e8e1e35 (diff)
downloadvboot-a24e30cdc2f81e619f2441cdf372a7b6064e1844.tar.gz
Make dev firmware keyblock/data key generation and use optional
For key generation, only generate dev firmware keyblocks, if the --devkeyblock option is passed. For signing, re-use normal firmware keyblock and data key if no dev keyblocks or data key are found in the keyset directory. BUG=chrome-os-partner:6942 TEST=manual - tested key generation with/without the new flag - tested signing with or without the presence of dev keyblock Change-Id: Ic4bf72cb194461e07fcc0f6de39d4e16d1c979a6 Reviewed-on: https://gerrit.chromium.org/gerrit/12038 Reviewed-by: Hung-Te Lin <hungte@chromium.org> Tested-by: Gaurav Shah <gauravsh@chromium.org> Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
-rwxr-xr-xscripts/image_signing/resign_firmwarefd.sh6
-rwxr-xr-xscripts/keygeneration/create_new_keys.sh19
2 files changed, 22 insertions, 3 deletions
diff --git a/scripts/image_signing/resign_firmwarefd.sh b/scripts/image_signing/resign_firmwarefd.sh
index a07311c1..146907b2 100755
--- a/scripts/image_signing/resign_firmwarefd.sh
+++ b/scripts/image_signing/resign_firmwarefd.sh
@@ -78,6 +78,12 @@ if [ -z "$VERSION" ]; then
fi
echo "Using firmware version: $VERSION"
+if [ ! -e $DEV_FIRMWARE_KEYBLOCK ] || [ ! -e $DEV_FIRMWARE_DATAKEY ] ; then
+ echo "No dev firmware keyblock/datakey found. Reusing normal keys."
+ DEV_FIRMWARE_KEYBLOCK=$FIRMWARE_KEYBLOCK
+ DEV_FIRMWARE_DATAKEY=$FIRMWARE_DATAKEY
+fi
+
# Parse offsets and size of firmware data and vblocks
for i in "A" "B"
do
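Review bot: The added existence test leaves `$DEV_FIRMWARE_KEYBLOCK` and `$DEV_FIRMWARE_DATAKEY` unquoted, so if either variable is empty `[ ! -e ]` evaluates to false and the fallback is skipped, and a keyset path containing whitespace breaks the test. The `||` also means a keyset holding only one of the two files is treated like one holding neither: the dev firmware is then signed with the normal firmware key, with only a stdout message to show for it. A half-present dev keyset looks more like a damaged key directory than a deliberate choice. I would quote both expansions, fall back only when both files are absent, and stop with an error on stderr when exactly one is present. The two variables are set outside this hunk, and the `for` loop at its end continues past it.

```shell
if [ ! -e "$DEV_FIRMWARE_KEYBLOCK" ] && [ ! -e "$DEV_FIRMWARE_DATAKEY" ]; then
  # … unchanged: message and reuse of FIRMWARE_KEYBLOCK / FIRMWARE_DATAKEY …
elif [ ! -e "$DEV_FIRMWARE_KEYBLOCK" ] || [ ! -e "$DEV_FIRMWARE_DATAKEY" ]; then
  echo "Incomplete dev firmware keyset: keyblock and data key must both be present." >&2
  exit 1
fi
```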
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index a33e2a7f..0bc86197 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -9,6 +9,13 @@
# Load common constants and functions.
. "$(dirname "$0")/common.sh"
+# Flag to indicate whether we should be generating a developer keyblock flag.
+DEV_KEYBLOCK_FLAG=""
+if [ $# -eq 1 ] && [ $1 = "--devkeyblock" ]; then
+ echo "Will also generate developer firmware keyblock and data key."
+ DEV_KEYBLOCK_FLAG=1
+fi
+
# File to read current versions from.
VERSION_FILE="key.versions"
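Review bot: The argument check only recognises exactly one argument equal to `--devkeyblock` and silently ignores anything else, so a mistyped flag yields a keyset without dev firmware keys and no error. If the signing script then falls back to the normal keys, the mistake may go unnoticed. `$1` is also unquoted inside `[ ... ]`, so an empty or whitespace-containing argument makes the test misparse. I would write `[ "$1" = "--devkeyblock" ]` and add `elif [ $# -ne 0 ]; then echo "Usage: $0 [--devkeyblock]" >&2; exit 1`. The comment above the variable says "generating a developer keyblock flag"; `# Non-empty when the developer firmware keyblock and data key should be generated.` describes what the variable holds.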
@@ -29,7 +36,9 @@ KDATAKEY_VERSION=$(get_version "kernel_key_version")
# Create the normal keypairs
make_pair root_key $ROOT_KEY_ALGOID
make_pair firmware_data_key $FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION
-make_pair dev_firmware_data_key $DEV_FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION
+if [ -n "$DEV_KEYBLOCK_FLAG" ]; then
+ make_pair dev_firmware_data_key $DEV_FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION
+fi
make_pair kernel_subkey $KERNEL_SUBKEY_ALGOID $KSUBKEY_VERSION
make_pair kernel_data_key $KERNEL_DATAKEY_ALGOID $KDATAKEY_VERSION
@@ -42,8 +51,12 @@ make_pair installer_kernel_data_key $INSTALLER_KERNEL_ALGOID
# since it's never even checked during Recovery mode.
make_keyblock firmware $FIRMWARE_KEYBLOCK_MODE firmware_data_key root_key
-# Create the dev firmware keyblock for use only in Developer mode.
-make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key
+
+if [ -n "$DEV_KEYBLOCK_FLAG" ]; then
+ # Create the dev firmware keyblock for use only in Developer mode.
+ make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key
+fi
+
# Create the recovery kernel keyblock for use only in Recovery mode.
make_keyblock recovery_kernel $RECOVERY_KERNEL_KEYBLOCK_MODE recovery_kernel_data_key recovery_key