diff options
| author | Mike Frysinger <vapier@chromium.org> | 2015-02-02 22:23:30 -0500 |
|---|---|---|
| committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2015-02-23 22:41:13 +0000 |
| commit | 6aec7cc63d8971f026f275ea7ae5365a4755696e (patch) | |
| tree | 0ced03b402575173fe7af21ecd47da12ccc089de | |
| parent | 8c96d9ed294e4dbf61ef76adbec5996715826145 (diff) | |
| download | vboot-6aec7cc63d8971f026f275ea7ae5365a4755696e.tar.gz | |
create_new_keys: add options for generating 4k keys
BUG=chromium:454651
TEST=`./create_new_keys.sh` still generates 8k keys
TEST=`./create_new_keys.sh --4k` now generates 4k keys
BRANCH=None
Change-Id: I2203536880b9320959fd741c4bbcf814aded603c
Reviewed-on: https://chromium-review.googlesource.com/245318
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/252201
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
| -rw-r--r-- | scripts/keygeneration/common.sh | 47 | ||||
| -rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 40 |
2 files changed, 59 insertions, 28 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh index aa955dd8..641a71b6 100644 --- a/scripts/keygeneration/common.sh +++ b/scripts/keygeneration/common.sh @@ -7,36 +7,37 @@ SCRIPT_DIR="$(dirname "$0")" -# 0 = (RSA1024 SHA1) -# 1 = (RSA1024 SHA256) -# 2 = (RSA1024 SHA512) -# 3 = (RSA2048 SHA1) -# 4 = (RSA2048 SHA256) -# 5 = (RSA2048 SHA512) -# 6 = (RSA4096 SHA1) -# 7 = (RSA4096 SHA256) -# 8 = (RSA4096 SHA512) -# 9 = (RSA8192 SHA1) -# 10 = (RSA8192 SHA256) -# 11 = (RSA8192 SHA512) -function alg_to_keylen { +# Algorithm ID mappings: +RSA1024_SHA1_ALGOID=0 +RSA1024_SHA256_ALGOID=1 +RSA1024_SHA512_ALGOID=2 +RSA1024_SHA1_ALGOID=3 +RSA1024_SHA256_ALGOID=4 +RSA1024_SHA512_ALGOID=5 +RSA1024_SHA1_ALGOID=6 +RSA1024_SHA256_ALGOID=7 +RSA1024_SHA512_ALGOID=8 +RSA1024_SHA1_ALGOID=9 +RSA1024_SHA256_ALGOID=10 +RSA1024_SHA512_ALGOID=11 +alg_to_keylen() { echo $(( 1 << (10 + ($1 / 3)) )) } # Default algorithms. -EC_ROOT_KEY_ALGOID=7 -EC_DATAKEY_ALGOID=7 +EC_ROOT_KEY_ALGOID=${RSA4096_SHA256_ALGOID} +EC_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID} -ROOT_KEY_ALGOID=11 -RECOVERY_KEY_ALGOID=11 +ROOT_KEY_ALGOID=${RSA8192_SHA512_ALGOID} +RECOVERY_KEY_ALGOID=${RSA8192_SHA512_ALGOID} -FIRMWARE_DATAKEY_ALGOID=7 -DEV_FIRMWARE_DATAKEY_ALGOID=7 +FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID} +DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID} -RECOVERY_KERNEL_ALGOID=11 -INSTALLER_KERNEL_ALGOID=11 -KERNEL_SUBKEY_ALGOID=7 -KERNEL_DATAKEY_ALGOID=4 +RECOVERY_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID} +INSTALLER_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID} +KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID} +KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID} # Keyblock modes determine which boot modes a signing key is valid for use # in verification. diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index 68b79e18..02df34a1 100755 --- a/scripts/keygeneration/create_new_keys.sh +++ b/scripts/keygeneration/create_new_keys.sh @@ -14,7 +14,12 @@ usage() { Usage: $0 [--devkeyblock] Options: - --devkeyblock Also generate developer firmware keyblock and data key + --devkeyblock Also generate developer firmware keyblock and data key + --4k Use 4k keys instead of 8k (enables options below) + --4k-root Use 4k key size for the root key + --4k-recovery Use 4k key size for the recovery key + --4k-recovery-kernel Use 4k key size for the recovery kernel data + --4k-installer-kernel Use 4k key size for the installer kernel data EOF if [[ $# -ne 0 ]]; then @@ -30,12 +35,37 @@ main() { # Flag to indicate whether we should be generating a developer keyblock flag. local dev_keyblock="false" + local root_key_algoid=${ROOT_KEY_ALGOID} + local recovery_key_algoid=${RECOVERY_KEY_ALGOID} + local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID} + local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID} + while [[ $# -gt 0 ]]; do case $1 in --devkeyblock) echo "Will also generate developer firmware keyblock and data key." dev_keyblock="true" ;; + + --4k) + root_key_algoid=${RSA4096_SHA512_ALGOID} + recovery_key_algoid=${RSA4096_SHA512_ALGOID} + recovery_kernel_algoid=${RSA4096_SHA512_ALGOID} + installer_kernel_algoid=${RSA4096_SHA512_ALGOID} + ;; + --4k-root) + root_key_algoid=${RSA4096_SHA512_ALGOID} + ;; + --4k-recovery) + recovery_key_algoid=${RSA4096_SHA512_ALGOID} + ;; + --4k-recovery-kernel) + recovery_kernel_algoid=${RSA4096_SHA512_ALGOID} + ;; + --4k-installer-kernel) + installer_kernel_algoid=${RSA4096_SHA512_ALGOID} + ;; + -h|--help) usage ;; @@ -64,7 +94,7 @@ main() { # Create the normal keypairs make_pair ec_root_key ${EC_ROOT_KEY_ALGOID} make_pair ec_data_key ${EC_DATAKEY_ALGOID} ${eckey_version} - make_pair root_key ${ROOT_KEY_ALGOID} + make_pair root_key ${root_key_algoid} make_pair firmware_data_key ${FIRMWARE_DATAKEY_ALGOID} ${fkey_version} if [[ "${dev_keyblock}" == "true" ]]; then make_pair dev_firmware_data_key ${DEV_FIRMWARE_DATAKEY_ALGOID} ${fkey_version} @@ -73,9 +103,9 @@ main() { make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${kdatakey_version} # Create the recovery and factory installer keypairs - make_pair recovery_key ${RECOVERY_KEY_ALGOID} - make_pair recovery_kernel_data_key ${RECOVERY_KERNEL_ALGOID} - make_pair installer_kernel_data_key ${INSTALLER_KERNEL_ALGOID} + make_pair recovery_key ${recovery_key_algoid} + make_pair recovery_kernel_data_key ${recovery_kernel_algoid} + make_pair installer_kernel_data_key ${installer_kernel_algoid} # Create the firmware keyblock for use only in Normal mode. This is redundant, # since it's never even checked during Recovery mode. |