author | Martin Roth <martinroth@chromium.org> | 2020-08-27 15:21:38 -0600 |
committer | Mike Frysinger <vapier@chromium.org> | 2020-09-03 19:31:06 +0000 |
commit | c6641cfd113383f363ebae41256a8447fdc81918 (patch) | |
tree | ec687be00a63602c0656ce3015bd120e10941411 | |
parent | 8196d4e598a86c31ac07c60de151d9e9c2f9502c (diff) | |
download | vboot-c6641cfd113383f363ebae41256a8447fdc81918.tar.gz |
Add CSR generation script for signing PSP Verstage
This script is based on previous key generation scripts and on the
AMD document describing their recommendations.
BUG=b:166095736
TEST=Generate keys of different sizes with different passphrases in
various directories.
Change-Id: I76a31f5d592d233282c145a9a4ce5220a2d597d8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2380612
Tested-by: Martin Roth <martinroth@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-x | scripts/keygeneration/create_psp_verstagebl_key.sh | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/scripts/keygeneration/create_psp_verstagebl_key.sh b/scripts/keygeneration/create_psp_verstagebl_key.sh
new file mode 100755
index 00000000..31f78ba1
--- /dev/null
+++ b/scripts/keygeneration/create_psp_verstagebl_key.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+usage() {
+ cat <<EOF
+Usage: $0 <OUTPUT DIRECTORY> <KEY SIZE> [PASSPHRASE]
+
+Generate a key pair for signing the PSP_Verstage binary to be loaded by
+the PSP bootloader. For detail, reference the AMD documentation titled
+"OEM PSP VERSTAGE BL FW Signing Key Pair Generation and Certificate Request
+Process" - http://dr/corp/drive/folders/1ySJyDgbH73W1lqrhxMvM9UYl5TtJt_mw
+
+Arguments:
+- Output Directory: Location for the keys to be generated. Must exist.
+- Key size: 2048 for Picasso, Dali, & Pollock, 4096 for other F17h SOCs
+- Passphrase: optional passphrase. If not given on the command line, or in
+ the environment variable "PASSPHRASE", it will be requested at runtime.
+
+EOF
+
+ if [[ $# -ne 0 ]]; then
+ echo "$*" >&2
+ exit 1
+ else
+ exit 0
+ fi
+}
+
+KEYNAME=psp_verstagebl_fw_signing
+
+main() {
+ set -e
+
+ # Check arguments
+ if [[ $# -lt 2 ]]; then
+ usage "Error: Too few arguments"
+ fi
+ if [[ ! ($2 -eq 2048 || $2 -eq 4096) ]]; then
+ usage "Error: invalid keysize"
+ fi
+ if [[ $# -eq 3 ]]; then
+ export PASSPHRASE=$3
+ fi
+ if [[ $# -gt 3 ]]; then
+ usage "Error: Too many arguments"
+ fi
+
+ local dir=$1
+ local keysize=$2
+ local hash
+
+ if [[ ${keysize} -eq 2048 ]]; then
+ hash="sha256"
+ else
+ hash="sha384"
+ fi
+
+ cat <<EOF >"${dir}/${KEYNAME}.cnf"
+[req]
+default_md = ${hash}
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = CA
+localityName = Mountain View
+organizationalUnitName = Google LLC
+commonName = AMD Reference PSP Verstage BL FW Certificate
+
+# Google Platform Vendor ID [31:24] = 0x94 other bits [23:0] are reserved
+serialNumber = 94000000
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+EOF
+
+ local cmd=(
+ openssl req -new
+ -newkey "rsa:${keysize}"
+ -config "${dir}/${KEYNAME}.cnf"
+ -keyout "${dir}/${KEYNAME}.key"
+ -out "${dir}/${KEYNAME}.csr"
+ )
+ if [[ "${PASSPHRASE+set}" == "set" ]]; then
+ cmd+=(-passout env:PASSPHRASE)
+ fi
+ "${cmd[@]}"
+
+ echo
+ echo "The following hash should be communicated to AMD separately from the CSR"
+ echo "to allow it to be verified."
+ openssl dgst -sha256 ${KEYNAME}.csr
+
+ rm -f "${dir}/${KEYNAME}.cnf"
+}
+
+main "$@"
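Review bot: The digest printed at the end of main() hashes `${KEYNAME}.csr` relative to the current working directory rather than the CSR just written under `${dir}`, so for any output directory other than `.` it either fails under `set -e` (after the key and CSR already exist, and before the .cnf is removed) or reports the hash of a stale file; it is also the one unquoted path in the script. Change it to `openssl dgst -sha256 "${dir}/${KEYNAME}.csr"`. The usage text says the output directory must exist but nothing verifies it, so `[[ -d "${dir}" ]] || usage "Error: ${dir} is not a directory"` before the config heredoc would give a clear message instead of a failed redirect. Accepting the passphrase as a positional argument and exporting it leaves it visible in process listings and shell history; the `PASSPHRASE` environment-variable path the usage already documents is the safer one, and a sentence in the usage text recommending it over the argument would be worth adding.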