diff options
| author | Mike Frysinger <vapier@chromium.org> | 2020-09-03 16:56:06 -0400 |
|---|---|---|
| committer | Mike Frysinger <vapier@chromium.org> | 2020-09-09 06:41:54 +0000 |
| commit | 68f0eaaea967334f9fa05251bb13ac843a7d5b26 (patch) | |
| tree | 75f575e4aed6e04f0969476b8b2c67d70af72c8b | |
| parent | 8f43ad977003ac4ed502c285dc08feca5e4d9bdf (diff) | |
| download | vboot-68f0eaaea967334f9fa05251bb13ac843a7d5b26.tar.gz | |
keygeneration: psp verstagebl: refactor key gen & csr generation
We want to separate the stages of creating the key & using the key as
our HSM tools use different commands for these.
This also means we no longer need a passphrase at all.
BUG=b:166095736
TEST=ran script before & after and made sure output (largely) looked the same
BRANCH=None
Change-Id: Id488789f83c21ffb6263489e3c22531878ceb1f2
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2391219
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
| -rwxr-xr-x | scripts/keygeneration/create_psp_verstagebl_key.sh | 102 |
1 files changed, 70 insertions, 32 deletions
diff --git a/scripts/keygeneration/create_psp_verstagebl_key.sh b/scripts/keygeneration/create_psp_verstagebl_key.sh index 31f78ba1..aeb79208 100755 --- a/scripts/keygeneration/create_psp_verstagebl_key.sh +++ b/scripts/keygeneration/create_psp_verstagebl_key.sh @@ -3,9 +3,12 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. +# Load common constants and functions. +. "$(dirname "$0")/common.sh" + usage() { cat <<EOF -Usage: $0 <OUTPUT DIRECTORY> <KEY SIZE> [PASSPHRASE] +Usage: ${PROG} <PROJECT/DEVICE NAME> <OUTPUT DIRECTORY> <KEY SIZE> Generate a key pair for signing the PSP_Verstage binary to be loaded by the PSP bootloader. For detail, reference the AMD documentation titled @@ -15,9 +18,6 @@ Process" - http://dr/corp/drive/folders/1ySJyDgbH73W1lqrhxMvM9UYl5TtJt_mw Arguments: - Output Directory: Location for the keys to be generated. Must exist. - Key size: 2048 for Picasso, Dali, & Pollock, 4096 for other F17h SOCs -- Passphrase: optional passphrase. If not given on the command line, or in - the environment variable "PASSPHRASE", it will be requested at runtime. - EOF if [[ $# -ne 0 ]]; then @@ -30,34 +30,48 @@ EOF KEYNAME=psp_verstagebl_fw_signing -main() { - set -e +# Generate the key pair. +# ARGS: <name> <key> <keysize> +create_psp_key() { + local name=$1 + local key=$2 + local keysize=$3 - # Check arguments - if [[ $# -lt 2 ]]; then - usage "Error: Too few arguments" - fi - if [[ ! ($2 -eq 2048 || $2 -eq 4096) ]]; then - usage "Error: invalid keysize" - fi - if [[ $# -eq 3 ]]; then - export PASSPHRASE=$3 - fi - if [[ $# -gt 3 ]]; then - usage "Error: Too many arguments" - fi + [[ $# -eq 3 ]] || error "${FUNCNAME} requires 3 args" + local plainname="psp_verstagebl_${name}_${keysize}" + local embedname="psp_verstagebl_${name}" + + # HSM signer stuff -- need a unique name for the key. + echo "Will use plain name: ${plainname}, and embed name: ${embedname}." + + local cmd=( + openssl genrsa -F4 -out "${key}" "${keysize}" + ) + echo "> ${cmd[@]}" + "${cmd[@]}" || die "generating key failed" +} + +# Generate the CSR for this key. +# ARGS: <output dir> key> <keysize> +create_psp_csr() { local dir=$1 - local keysize=$2 - local hash + local key=$2 + local keysize=$3 + + [[ $# -eq 3 ]] || error "${FUNCNAME} requires 3 args" + local hash if [[ ${keysize} -eq 2048 ]]; then hash="sha256" else hash="sha384" fi - cat <<EOF >"${dir}/${KEYNAME}.cnf" + local config="${dir}/${KEYNAME}.cnf" + local csr="${dir}/${KEYNAME}.csr" + + cat <<EOF >"${config}" [req] default_md = ${hash} prompt = no @@ -82,22 +96,46 @@ EOF local cmd=( openssl req -new - -newkey "rsa:${keysize}" - -config "${dir}/${KEYNAME}.cnf" - -keyout "${dir}/${KEYNAME}.key" - -out "${dir}/${KEYNAME}.csr" + -config "${config}" + -key "${key}" + -out "${csr}" ) - if [[ "${PASSPHRASE+set}" == "set" ]]; then - cmd+=(-passout env:PASSPHRASE) - fi - "${cmd[@]}" + echo "> ${cmd[@]}" + "${cmd[@]}" || die "generating CSR failed" echo echo "The following hash should be communicated to AMD separately from the CSR" echo "to allow it to be verified." - openssl dgst -sha256 ${KEYNAME}.csr + local digest="${dir}/${KEYNAME}.digest" + openssl dgst -sha256 "${csr}" >"${digest}" || die "generating digest failed" + cat "${digest}" +} + +main() { + set -e + + # Check arguments. + if [[ $# -ne 3 ]]; then + usage "Error: Incorrect number of arguments" + fi + local name=$1 + local dir=$2 + local keysize=$3 + + if [[ "${keysize}" -ne 2048 && "${keysize}" -ne 4096 ]]; then + usage "Error: invalid keysize" + fi + + if [[ ! -d "${dir}" ]]; then + mkdir -p "${dir}" + else + echo "Error: ${dir} already exists" >&2 + exit 1 + fi - rm -f "${dir}/${KEYNAME}.cnf" + local key="${dir}/${KEYNAME}.pem" + create_psp_key "${name}" "${key}" "${keysize}" + create_psp_csr "${dir}" "${key}" "${keysize}" } main "$@" |