author | Gaurav Shah <gauravsh@chromium.org> | 2011-11-22 11:44:06 -0800 |
---|---|---|
committer | Stefan Reinauer <reinauer@chromium.org> | 2012-01-05 15:55:41 -0800 |
commit | e24a4855a8f2d593fa9339cba998a0ddeeccc009 (patch) | |
tree | b797d1f409cdb3a07e7db082a9ed642510f8f05a | |
parent | d5a06140ef78ce91cb279d0f1153ff4e82c74aa2 (diff) | |
Make dev firmware keyblock/data key generation and use optional
For key generation, only generate dev firmware keyblocks, if the
--devkeyblock option is passed. For signing, re-use normal firmware
keyblock and data key if no dev keyblocks or data key are found in
the keyset directory.
BUG=chrome-os-partner:6942
TEST=manual
- tested key generation with/without the new flag
- tested signing with or without the presence of dev keyblock
Reviewed-on: https://gerrit.chromium.org/gerrit/12038
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
(cherry picked from commit a24e30cdc2f81e619f2441cdf372a7b6064e1844)
Change-Id: I5cd2b150d8006523d56e0858c17b8001b22d8cb7
Reviewed-on: https://gerrit.chromium.org/gerrit/13727
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Tested-by: Stefan Reinauer <reinauer@chromium.org>
-rwxr-xr-x | scripts/image_signing/resign_firmwarefd.sh | 6 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 19 |
2 files changed, 22 insertions, 3 deletions
diff --git a/scripts/image_signing/resign_firmwarefd.sh b/scripts/image_signing/resign_firmwarefd.sh index a07311c1..146907b2 100755 --- a/scripts/image_signing/resign_firmwarefd.sh +++ b/scripts/image_signing/resign_firmwarefd.sh @@ -78,6 +78,12 @@ if [ -z "$VERSION" ]; then fi echo "Using firmware version: $VERSION" +if [ ! -e $DEV_FIRMWARE_KEYBLOCK ] || [ ! -e $DEV_FIRMWARE_DATAKEY ] ; then + echo "No dev firmware keyblock/datakey found. Reusing normal keys." + DEV_FIRMWARE_KEYBLOCK=$FIRMWARE_KEYBLOCK + DEV_FIRMWARE_DATAKEY=$FIRMWARE_DATAKEY +fi + # Parse offsets and size of firmware data and vblocks for i in "A" "B" do diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index a33e2a7f..0bc86197 100755 --- a/scripts/keygeneration/create_new_keys.sh +++ b/scripts/keygeneration/create_new_keys.sh @@ -9,6 +9,13 @@ # Load common constants and functions. . "$(dirname "$0")/common.sh" +# Flag to indicate whether we should be generating a developer keyblock flag. +DEV_KEYBLOCK_FLAG="" +if [ $# -eq 1 ] && [ $1 = "--devkeyblock" ]; then + echo "Will also generate developer firmware keyblock and data key." + DEV_KEYBLOCK_FLAG=1 +fi + # File to read current versions from. VERSION_FILE="key.versions" @@ -29,7 +36,9 @@ KDATAKEY_VERSION=$(get_version "kernel_key_version") # Create the normal keypairs make_pair root_key $ROOT_KEY_ALGOID make_pair firmware_data_key $FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION -make_pair dev_firmware_data_key $DEV_FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION +if [ -n "$DEV_KEYBLOCK_FLAG" ]; then + make_pair dev_firmware_data_key $DEV_FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION +fi make_pair kernel_subkey $KERNEL_SUBKEY_ALGOID $KSUBKEY_VERSION make_pair kernel_data_key $KERNEL_DATAKEY_ALGOID $KDATAKEY_VERSION 
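Review bot: The new existence check in resign_firmwarefd.sh expands `$DEV_FIRMWARE_KEYBLOCK` and `$DEV_FIRMWARE_DATAKEY` unquoted, so when either is empty the test collapses to `[ ! -e ]`, which evaluates false and skips the fallback, and a path containing spaces makes `[` fail with an error instead of testing the file. Quote both operands: `if [ ! -e "$DEV_FIRMWARE_KEYBLOCK" ] || [ ! -e "$DEV_FIRMWARE_DATAKEY" ]; then`. Because this branch decides which key signs the developer firmware, the notice would be easier to find in signer logs if it went to stderr, and a short comment stating that the developer firmware then shares the normal firmware keyblock and data key would help anyone auditing a keyset later. Where the two variables are assigned is outside the hunk, so whether an empty value can actually reach this line is not visible here.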
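Review bot: The argument check added at the top of create_new_keys.sh treats anything other than exactly one `--devkeyblock` as "no flag", so a misspelled option or an extra argument silently produces a keyset without the developer keyblock instead of stopping. Reject unexpected arguments, for example by adding `elif [ $# -ne 0 ]; then echo "Usage: $0 [--devkeyblock]" >&2; exit 1` before the `fi`, and quote the operand as `[ "$1" = "--devkeyblock" ]` so an empty argument does not become a `[` syntax error. The comment above the assignment also ends in a stray second "flag"; `# Whether to also generate the developer firmware keyblock and data key.` reads more clearly.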
@@ -42,8 +51,12 @@ make_pair installer_kernel_data_key $INSTALLER_KERNEL_ALGOID # since it's never even checked during Recovery mode. make_keyblock firmware $FIRMWARE_KEYBLOCK_MODE firmware_data_key root_key -# Create the dev firmware keyblock for use only in Developer mode. -make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key + +if [ -n "$DEV_KEYBLOCK_FLAG" ]; then + # Create the dev firmware keyblock for use only in Developer mode. + make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key +fi + # Create the recovery kernel keyblock for use only in Recovery mode. make_keyblock recovery_kernel $RECOVERY_KERNEL_KEYBLOCK_MODE recovery_kernel_data_key recovery_key |