authorLaMont Jones <lamontjones@chromium.org>2019-06-20 12:17:40 -0600
committerCommit Bot <commit-bot@chromium.org>2019-06-28 21:14:20 +0000
commit6373cd57d7c4af79b9cf0b401d24c5dfffde68d4 (patch)
tree821eb2e5f0b62e7479baf5630706a92bacc7086e
parent11c512664e0b9c30307bf96ae01edead27939dfd (diff)
keygeneration: default to RSA4096 keys.
We are leaving the --4k options since they are (now) no-ops, and existing users of the script may be passing them. Since they are the default, we want to discourage their use, so they are not documented. BUG=b:135130152 TEST=Unit tests pass BRANCH=None Change-Id: I1d73496f45ac0e04657149d438434a33e0e8569b Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1680641 Tested-by: LaMont Jones <lamontjones@chromium.org> Commit-Queue: LaMont Jones <lamontjones@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> Auto-Submit: LaMont Jones <lamontjones@chromium.org>
-rw-r--r--scripts/keygeneration/common.sh8
-rwxr-xr-xscripts/keygeneration/create_new_keys.sh29
2 files changed, 28 insertions, 9 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 9acffcc9..7482dfcd 100644
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -51,14 +51,14 @@ alg_to_keylen() {
EC_ROOT_KEY_ALGOID=${RSA4096_SHA256_ALGOID}
EC_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
-ROOT_KEY_ALGOID=${RSA8192_SHA512_ALGOID}
-RECOVERY_KEY_ALGOID=${RSA8192_SHA512_ALGOID}
+ROOT_KEY_ALGOID=${RSA4096_SHA512_ALGOID}
+RECOVERY_KEY_ALGOID=${RSA4096_SHA512_ALGOID}
FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
-RECOVERY_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID}
-INSTALLER_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID}
+RECOVERY_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
+INSTALLER_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID}
KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}
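Review bot: The new RSA4096 defaults for ROOT_KEY_ALGOID, RECOVERY_KEY_ALGOID, RECOVERY_KERNEL_ALGOID and INSTALLER_KERNEL_ALGOID carry no comment saying that the smaller size is deliberate and that RSA8192 is now opt-in. Because these are file-level variables in common.sh, any other script that sources the file and reads them (none is visible here) would presumably also start producing 4096-bit root and recovery keys. That matters when new keys are added to a keyset whose root of trust was generated at 8192 bits. I would add a comment above the block such as `# Root/recovery keys default to RSA4096; RSA8192 is opt-in via create_new_keys.sh --8k*.` and confirm that the other consumers of these variables expect the smaller size.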
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index 7a68fe9f..40cccbc5 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -17,11 +17,11 @@ Options:
--devkeyblock Also generate developer firmware keyblock and data key
--android Also generate android keys
--uefi Also generate UEFI keys
- --4k Use 4k keys instead of 8k (enables options below)
- --4k-root Use 4k key size for the root key
- --4k-recovery Use 4k key size for the recovery key
- --4k-recovery-kernel Use 4k key size for the recovery kernel data
- --4k-installer-kernel Use 4k key size for the installer kernel data
+ --8k Use 8k keys instead of 4k (enables options below)
+ --8k-root Use 8k key size for the root key
+ --8k-recovery Use 8k key size for the recovery key
+ --8k-recovery-kernel Use 8k key size for the recovery kernel data
+ --8k-installer-kernel Use 8k key size for the installer kernel data
--key-name <name> Name of the keyset (for key.versions)
--output <dir> Where to write the keys (default is cwd)
EOF
@@ -64,6 +64,25 @@ main() {
uefi_keys="true"
;;
+ --8k)
+ root_key_algoid=${RSA8192_SHA512_ALGOID}
+ recovery_key_algoid=${RSA8192_SHA512_ALGOID}
+ recovery_kernel_algoid=${RSA8192_SHA512_ALGOID}
+ installer_kernel_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+ --8k-root)
+ root_key_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+ --8k-recovery)
+ recovery_key_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+ --8k-recovery-kernel)
+ recovery_kernel_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+ --8k-installer-kernel)
+ installer_kernel_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+
--4k)
root_key_algoid=${RSA4096_SHA512_ALGOID}
recovery_key_algoid=${RSA4096_SHA512_ALGOID}
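Review bot: The added `--8k*` arms and the retained `--4k*` arms assign the same four variables, so the outcome depends on argument order: `--8k --4k` ends at RSA4096 while `--4k --8k` ends at RSA8192. The `--4k` options are therefore not strictly no-ops as the description says. In a script that generates root and recovery keys, a silently different key size is worth preventing. Either document the precedence on the `--4k)` arm, for example `# Legacy: 4k is the default; kept for existing callers, overrides an earlier --8k*.`, or print the final algorithm chosen for each key once parsing is done. The enclosing `case` in main() starts before this hunk and continues after it, so the behaviour of the remaining `--4k-*` arms is assumed from the two visible lines.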