author | Joel Kitching <kitching@google.com> | 2021-06-16 05:23:19 +0800 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-07-05 02:46:24 +0000 |
commit | 9ea1e75805cfb7523729c5f5d48df0d05ced1b11 (patch) | |
tree | 5ce8f16f296b745a800762c42e76e7889ac34d54 | |
parent | b95414c73b1b44485a072abdd55e0d8f965deb9d (diff) | |
download | vboot-9ea1e75805cfb7523729c5f5d48df0d05ced1b11.tar.gz |
vboot: introduce minios_kernel.keyblock
miniOS requires a distinct kernel data key, whose dev key pair
is added in this CL as minios_kernel_data_key.vb{pub,priv}k.
A distinct keyblock is also required. The keyblock should set
the kernel keyblock flag MINIOS_1. Other keyblocks are modified
appropriately to set MINIOS_0. Keyblocks were generated using
the following commands:
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/ec_data_key.vbpubk
--signprivate tests/devkeys/ec_root_key.vbprivk
--pack tests/devkeys/ec.keyblock
Keyblock file: tests/devkeys/ec.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: 5833470fe934be76753cb6501dbb8fbf88ab272b
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/firmware_data_key.vbpubk
--signprivate tests/devkeys/root_key.vbprivk
--pack tests/devkeys/firmware.keyblock
Keyblock file: tests/devkeys/firmware.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450
$ futility vbutil_keyblock
--flags 27
--datapubkey tests/devkeys/recovery_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/recovery_kernel.keyblock
Keyblock file: tests/devkeys/recovery_kernel.keyblock
Signature valid
Flags: 27 !DEV DEV REC !MINIOS
Data key algorithm: 11 RSA8192 SHA512
Data key version: 1
Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb
$ futility vbutil_keyblock
--flags 43
--datapubkey tests/devkeys/minios_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/minios_kernel.keyblock
Keyblock file: tests/devkeys/minios_kernel.keyblock
Signature valid
Flags: 43 !DEV DEV REC MINIOS
Data key algorithm: 8 RSA4096 SHA512
Data key version: 1
Data key sha1sum: 65441886bc54cbfe3a7308b650806f4b61d8d142
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/kernel_data_key.vbpubk
--signprivate tests/devkeys/kernel_subkey.vbprivk
--pack tests/devkeys/kernel.keyblock
Keyblock file: tests/devkeys/kernel.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 4 RSA2048 SHA256
Data key version: 1
Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444
$ futility vbutil_keyblock
--flags 26
--datapubkey tests/devkeys/installer_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/installer_kernel.keyblock
Keyblock file: tests/devkeys/installer_kernel.keyblock
Signature valid
Flags: 26 DEV REC !MINIOS
Data key algorithm: 11 RSA8192 SHA512
Data key version: 1
Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb
BUG=b:188121855
TEST=make clean && make runtests
BRANCH=none
Signed-off-by: Joel Kitching <kitching@google.com>
Change-Id: I5b3e4def83ff29ca156b3c84dfcb8398f4985e67
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2965485
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
19 files changed, 48 insertions, 13 deletions
diff --git a/firmware/2lib/include/2struct.h b/firmware/2lib/include/2struct.h index b79bbd03..ea193d74 100644 --- a/firmware/2lib/include/2struct.h +++ b/firmware/2lib/include/2struct.h @@ -364,6 +364,8 @@ struct vb2_signature { #define VB2_KEYBLOCK_FLAG_DEVELOPER_1 0x2 /* Developer switch on */ #define VB2_KEYBLOCK_FLAG_RECOVERY_0 0x4 /* Not recovery mode */ #define VB2_KEYBLOCK_FLAG_RECOVERY_1 0x8 /* Recovery mode */ +#define VB2_KEYBLOCK_FLAG_MINIOS_0 0x10 /* Not miniOS boot */ +#define VB2_KEYBLOCK_FLAG_MINIOS_1 0x20 /* miniOS boot */ /* * Keyblock, containing the public key used to sign some other chunk of data. diff --git a/futility/cmd_show.c b/futility/cmd_show.c index 716b2b2b..dbe6edde 100644 --- a/futility/cmd_show.c +++ b/futility/cmd_show.c @@ -72,6 +72,10 @@ static void show_keyblock(struct vb2_keyblock *keyblock, const char *name, printf(" !REC"); if (keyblock->keyblock_flags & VB2_KEYBLOCK_FLAG_RECOVERY_1) printf(" REC"); + if (keyblock->keyblock_flags & VB2_KEYBLOCK_FLAG_MINIOS_0) + printf(" !MINIOS"); + if (keyblock->keyblock_flags & VB2_KEYBLOCK_FLAG_MINIOS_1) + printf(" MINIOS"); printf("\n"); struct vb2_packed_key *data_key = &keyblock->data_key; diff --git a/futility/cmd_vbutil_keyblock.c b/futility/cmd_vbutil_keyblock.c index bec23c39..28a3ccd8 100644 --- a/futility/cmd_vbutil_keyblock.c +++ b/futility/cmd_vbutil_keyblock.c @@ -222,6 +222,10 @@ static int Unpack(const char *infile, const char *datapubkey, printf(" !REC"); if (block->keyblock_flags & VB2_KEYBLOCK_FLAG_RECOVERY_1) printf(" REC"); + if (block->keyblock_flags & VB2_KEYBLOCK_FLAG_MINIOS_0) + printf(" !MINIOS"); + if (block->keyblock_flags & VB2_KEYBLOCK_FLAG_MINIOS_1) + printf(" MINIOS"); printf("\n"); struct vb2_packed_key *data_key = &block->data_key; diff --git a/futility/vb1_helper.c b/futility/vb1_helper.c index 39bb16ae..2a0e87a2 100644 --- a/futility/vb1_helper.c +++ b/futility/vb1_helper.c 
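Review bot: The two defines added to 2struct.h do not say how a keyblock that sets neither MINIOS bit is to be treated, and every keyblock packed with the old modes (7, 11, 10 in the removed common.sh lines) is in exactly that state. Nothing visible in this commit checks `VB2_KEYBLOCK_FLAG_MINIOS_0`/`VB2_KEYBLOCK_FLAG_MINIOS_1` when a kernel is loaded, since the C hunks only print them, so the enforcement and the legacy-keyblock policy presumably land in another change. A comment beside the defines should state the rule, for example `/* A keyblock with neither MINIOS bit set predates miniOS; see <verifier function> for how it is handled. */`, with the placeholder filled in once the check exists. The define group begins above the hunk.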
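Review bot: The four lines added in show_keyblock() are a third copy of the same flag decoder: the identical addition appears in Unpack() in cmd_vbutil_keyblock.c and in VerifyKernelBlob() in vb1_helper.c, so each new flag bit has to be added in three places. The three copies can drift apart, and then an operator inspecting a keyblock sees a different decoding depending on which command was run. A single table-driven helper shared by the futility commands would keep them in step and could later report bits outside the table. All three functions begin and end outside their hunks, so the existing !DEV/DEV lines are assumed from the visible !REC/REC pattern.

```c
/* One decoder for every "Flags:" line, so a new flag bit is added once. */
static void print_keyblock_flags(uint32_t flags)
{
	static const struct {
		uint32_t bit;
		const char *label;
	} names[] = {
		{ VB2_KEYBLOCK_FLAG_DEVELOPER_0, " !DEV" },
		{ VB2_KEYBLOCK_FLAG_DEVELOPER_1, " DEV" },
		{ VB2_KEYBLOCK_FLAG_RECOVERY_0, " !REC" },
		{ VB2_KEYBLOCK_FLAG_RECOVERY_1, " REC" },
		{ VB2_KEYBLOCK_FLAG_MINIOS_0, " !MINIOS" },
		{ VB2_KEYBLOCK_FLAG_MINIOS_1, " MINIOS" },
	};

	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		if (flags & names[i].bit)
			printf("%s", names[i].label);
	printf("\n");
}

/* … unchanged: the "Flags: <number>" printf in each caller, then … */
	print_keyblock_flags(keyblock->keyblock_flags);
```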
@@ -548,6 +548,10 @@ int VerifyKernelBlob(uint8_t *kernel_blob, printf(" !REC"); if (g_keyblock->keyblock_flags & VB2_KEYBLOCK_FLAG_RECOVERY_1) printf(" REC"); + if (g_keyblock->keyblock_flags & VB2_KEYBLOCK_FLAG_MINIOS_0) + printf(" !MINIOS"); + if (g_keyblock->keyblock_flags & VB2_KEYBLOCK_FLAG_MINIOS_1) + printf(" MINIOS"); printf("\n"); printf(" Data key algorithm: %u %s\n", data_key->algorithm, vb2_get_crypto_algorithm_name(data_key->algorithm)); diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh index 21d5334e..da06f3cf 100644 --- a/scripts/keygeneration/common.sh +++ b/scripts/keygeneration/common.sh 
@@ -58,18 +58,32 @@ FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID} DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID} RECOVERY_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID} +MINIOS_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID} INSTALLER_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID} KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID} KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID} # Keyblock modes determine which boot modes a signing key is valid for use # in verification. -EC_KEYBLOCK_MODE=7 # Only allow RW EC firmware in non-recovery. -FIRMWARE_KEYBLOCK_MODE=7 # Only allow RW firmware in non-recovery. -DEV_FIRMWARE_KEYBLOCK_MODE=6 # Only allow in dev mode. -RECOVERY_KERNEL_KEYBLOCK_MODE=11 # Only in recovery mode. -KERNEL_KEYBLOCK_MODE=7 # Only allow in non-recovery. -INSTALLER_KERNEL_KEYBLOCK_MODE=10 # Only allow in Dev + Recovery. +# !DEV 0x1 DEV 0x2 +# !REC 0x4 REC 0x8 +# !MINIOS 0x10 MINIOS 0x20 +# Note that firmware keyblock modes are not used. Consider deprecating. + +# Only allow RW EC firmware in non-recovery + non-miniOS. +EC_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10)) +# Only allow RW firmware in non-recovery + non-miniOS. +FIRMWARE_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10)) +# Only allow in dev mode + non-recovery + non-miniOS. +DEV_FIRMWARE_KEYBLOCK_MODE=$((0x2 | 0x4 | 0x10)) +# Only allow in recovery mode + non-miniOS. +RECOVERY_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x10)) +# Only allow in recovery mode + miniOS. +MINIOS_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x20)) +# Only allow in non-recovery + non-miniOS. +KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10)) +# Only allow in dev + recovery + non-miniOS. +INSTALLER_KERNEL_KEYBLOCK_MODE=$((0x2 | 0x8 | 0x10)) # Emit .vbpubk and .vbprivk using given basename and algorithm # NOTE: This function also appears in ../../utility/dev_make_keypair. Making 
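Review bot: The seven `*_KEYBLOCK_MODE` assignments spell each mode out of bare hex literals, so a single mistyped digit (0x10 for 0x20, say) silently changes which boot modes a signing key is accepted in, and nothing in the script would catch it. The values do match the commit message (23, 27, 43, 26), but named constants would make each line checkable against its comment at a glance and tie the script to the `VB2_KEYBLOCK_FLAG_*` defines. The new legend comment could then be replaced by the constants themselves.

```shell
# Keyblock flag bits; keep in sync with VB2_KEYBLOCK_FLAG_* in 2struct.h.
KEYBLOCK_FLAG_DEV_0=0x1
KEYBLOCK_FLAG_DEV_1=0x2
KEYBLOCK_FLAG_REC_0=0x4
KEYBLOCK_FLAG_REC_1=0x8
KEYBLOCK_FLAG_MINIOS_0=0x10
KEYBLOCK_FLAG_MINIOS_1=0x20

# … the other *_KEYBLOCK_MODE assignments follow the same pattern …
# Only allow in recovery mode + miniOS.
MINIOS_KERNEL_KEYBLOCK_MODE=$((KEYBLOCK_FLAG_DEV_0 | KEYBLOCK_FLAG_DEV_1 | \
  KEYBLOCK_FLAG_REC_1 | KEYBLOCK_FLAG_MINIOS_1))
```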
@@ -125,6 +139,8 @@ make_au_payload_key() { # 0x02 Developer switch on # 0x04 Not recovery mode # 0x08 Recovery mode +# 0x10 Not miniOS mode +# 0x20 miniOS mode make_keyblock() { local base=$1 local flags=$2 diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index 40cccbc5..11aedc1d 100755 --- a/scripts/keygeneration/create_new_keys.sh +++ b/scripts/keygeneration/create_new_keys.sh @@ -43,6 +43,7 @@ main() { local root_key_algoid=${ROOT_KEY_ALGOID} local recovery_key_algoid=${RECOVERY_KEY_ALGOID} local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID} + local minios_kernel_algoid=${MINIOS_KERNEL_ALGOID} local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID} local keyname local output_dir="${PWD}" setperms="false" @@ -166,6 +167,7 @@ main() { # Create the recovery and factory installer keypairs make_pair recovery_key ${recovery_key_algoid} make_pair recovery_kernel_data_key ${recovery_kernel_algoid} + make_pair minios_kernel_data_key ${minios_kernel_algoid} make_pair installer_kernel_data_key ${installer_kernel_algoid} # Create the firmware keyblock for use only in Normal mode. This is redundant, @@ -182,6 +184,9 @@ main() { # Create the recovery kernel keyblock for use only in Recovery mode. make_keyblock recovery_kernel ${RECOVERY_KERNEL_KEYBLOCK_MODE} recovery_kernel_data_key recovery_key + # Create the miniOS kernel keyblock for use only in miniOS mode. + make_keyblock minios_kernel ${MINIOS_KERNEL_KEYBLOCK_MODE} minios_kernel_data_key recovery_key + # Create the normal kernel keyblock for use only in Normal mode. make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey diff --git a/tests/devkeys/ec.keyblock b/tests/devkeys/ec.keyblock Binary files differindex 6b088f32..d9342918 100644 --- a/tests/devkeys/ec.keyblock +++ b/tests/devkeys/ec.keyblock diff --git a/tests/devkeys/firmware.keyblock b/tests/devkeys/firmware.keyblock Binary files differindex 1e2273e5..e3653f85 100644 
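Review bot: The comment added above `make_keyblock minios_kernel` in create_new_keys.sh says "for use only in miniOS mode", which understates what the line does. `MINIOS_KERNEL_KEYBLOCK_MODE` also sets the recovery bit and the keyblock is signed with `recovery_key`, so the miniOS kernel shares its trust anchor with the recovery kernel, and only the separate data key and the MINIOS bit keep the two apart. Suggested wording: `# Create the miniOS kernel keyblock: valid only in recovery mode with miniOS, signed by recovery_key.` The script only builds new keysets. Nothing visible here adds `minios_kernel_data_key` to an existing keyset or re-issues its keyblocks with the MINIOS_0 bit, so a migration path is presumably handled elsewhere and is worth linking from this comment. main() begins and ends outside the hunk.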
--- a/tests/devkeys/firmware.keyblock +++ b/tests/devkeys/firmware.keyblock diff --git a/tests/devkeys/installer_kernel.keyblock b/tests/devkeys/installer_kernel.keyblock Binary files differindex cfa3bd18..282e1d62 100644 --- a/tests/devkeys/installer_kernel.keyblock +++ b/tests/devkeys/installer_kernel.keyblock diff --git a/tests/devkeys/kernel.keyblock b/tests/devkeys/kernel.keyblock Binary files differindex 9740be4e..6bb72137 100644 --- a/tests/devkeys/kernel.keyblock +++ b/tests/devkeys/kernel.keyblock diff --git a/tests/devkeys/minios_kernel.keyblock b/tests/devkeys/minios_kernel.keyblock Binary files differnew file mode 100644 index 00000000..3675690b --- /dev/null +++ b/tests/devkeys/minios_kernel.keyblock diff --git a/tests/devkeys/minios_kernel_data_key.vbprivk b/tests/devkeys/minios_kernel_data_key.vbprivk Binary files differnew file mode 100644 index 00000000..da3a15bf --- /dev/null +++ b/tests/devkeys/minios_kernel_data_key.vbprivk diff --git a/tests/devkeys/minios_kernel_data_key.vbpubk b/tests/devkeys/minios_kernel_data_key.vbpubk Binary files differnew file mode 100644 index 00000000..34ff93be --- /dev/null +++ b/tests/devkeys/minios_kernel_data_key.vbpubk diff --git a/tests/devkeys/recovery_kernel.keyblock b/tests/devkeys/recovery_kernel.keyblock Binary files differindex ad16e399..c1c8effd 100644 --- a/tests/devkeys/recovery_kernel.keyblock +++ b/tests/devkeys/recovery_kernel.keyblock diff --git a/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock b/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock index 6505d91e..2266424f 100644 --- a/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock +++ b/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock 
@@ -1,7 +1,7 @@ Keyblock: tests/devkeys/kernel.keyblock Signature: ignored Size: 0x4b8 - Flags: 7 !DEV DEV !REC + Flags: 23 !DEV DEV !REC !MINIOS Data key algorithm: 4 RSA2048 SHA256 Data key version: 1 Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444 diff --git a/tests/futility/expect_output/vbutil_firmware.verify b/tests/futility/expect_output/vbutil_firmware.verify index edc9c654..e23c1699 100644 --- a/tests/futility/expect_output/vbutil_firmware.verify +++ b/tests/futility/expect_output/vbutil_firmware.verify @@ -1,6 +1,6 @@ Keyblock: Size: 2232 - Flags: 7 (ignored) + Flags: 23 (ignored) Data key algorithm: 7 RSA4096 SHA256 Data key version: 1 Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450 diff --git a/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock b/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock index d55fce3a..afb0faf2 100644 --- a/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock +++ b/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock @@ -1,6 +1,6 @@ Keyblock file: tests/devkeys/kernel.keyblock Signature valid -Flags: 7 !DEV DEV !REC +Flags: 23 !DEV DEV !REC !MINIOS Data key algorithm: 4 RSA2048 SHA256 Data key version: 1 Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444 diff --git a/tests/futility/test_sign_keyblocks.sh b/tests/futility/test_sign_keyblocks.sh index 7ba43afa..f689c89c 100755 --- a/tests/futility/test_sign_keyblocks.sh +++ b/tests/futility/test_sign_keyblocks.sh @@ -18,7 +18,7 @@ SIGNER=${SRCDIR}/tests/external_rsa_signer.sh # Create a copy of an existing keyblock, using the old way ${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \ --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \ - --flags 7 \ + --flags 23 \ --signprivate ${DEVKEYS}/root_key.vbprivk # Check it. 
@@ -32,7 +32,7 @@ cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock0 # Now create it the new way ${FUTILITY} --debug sign \ --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \ - --flags 7 \ + --flags 23 \ --signprivate ${DEVKEYS}/root_key.vbprivk \ --outfile ${TMP}.keyblock1 diff --git a/tests/load_kernel_tests.sh b/tests/load_kernel_tests.sh index d5f41f25..45eedf4c 100755 --- a/tests/load_kernel_tests.sh +++ b/tests/load_kernel_tests.sh @@ -31,10 +31,10 @@ ${FUTILITY} vbutil_key --pack datakey.test \ --key ${TESTKEY_DIR}/key_rsa2048.keyb --algorithm 4 # Keyblock with kernel data key is signed by kernel subkey -# Flags=5 means dev=0 rec=0 +# Flags=21 means dev=0 rec=0 minios=0 ${FUTILITY} vbutil_keyblock --pack keyblock.test \ --datapubkey datakey.test \ - --flags 5 \ + --flags 21 \ --signprivate ${SCRIPT_DIR}/devkeys/kernel_subkey.vbprivk # Kernel preamble is signed with the kernel data key |
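Review bot: Every test change in this commit, including the `--flags 21` update in load_kernel_tests.sh, only swaps an expected value for a keyblock that sets MINIOS_0 (7 to 23, 5 to 21); no test packs or displays a keyblock with MINIOS_1. The new ` MINIOS` branch in the three print paths and tests/devkeys/minios_kernel.keyblock itself are therefore not exercised. A `vbutil_keyblock --pack` run with `--flags 43` and the miniOS data key, compared by `cmp` against tests/devkeys/minios_kernel.keyblock as test_sign_keyblocks.sh already does for firmware.keyblock, would cover the positive case. Once the loader enforces the bit, load_kernel_tests.sh should also get a negative case showing that a MINIOS_1 keyblock is refused outside miniOS and a MINIOS_0 keyblock is refused inside it.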