author | Vadim Bendebury <vbendeb@chromium.org> | 2022-04-21 20:25:48 -0700 |
---|---|---|
committer | Mike Frysinger <vapier@chromium.org> | 2022-04-23 04:09:58 +0000 |
commit | 58bfa1d53c4a1be40680775bd004ddb5b80ad8cb (patch) | |
tree | 72728f7716e4cc965a898b9dad46a22dea5a8e8d | |
parent | 2981c0bacbaa0446562aaa04f23e3e9f07c86069 (diff) | |
download | vboot-58bfa1d53c4a1be40680775bd004ddb5b80ad8cb.tar.gz |
Revert "keygeneration: add ability to generate GSC RW signing key pairs"
This reverts commit 2981c0bacbaa0446562aaa04f23e3e9f07c86069, as that
patch is not the proper way to generate accessory keys.
BUG=b:221423468
BRANCH=none
TEST=none
Change-Id: I5500424b01ef45cc353468173f60f9b202b92b54
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3600150
Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rw-r--r-- | scripts/keygeneration/common.sh | 33 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 2 |
2 files changed, 1 insertions, 34 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 4ec445a9..af6cd717 100644
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -43,15 +43,8 @@ RSA4096_SHA512_ALGOID=8
 RSA8192_SHA1_ALGOID=9
 RSA8192_SHA256_ALGOID=10
 RSA8192_SHA512_ALGOID=11
-RSA3070_NOSIG_ALGOID=12
 alg_to_keylen() {
- local alg="$1"
-
- # GSC RW signing key does not fit the pattern, return its size explicitly.
- case ${alg} in
- (${RSA3070_NOSIG_ALGOID}) echo 3070;;
- (*) echo $(( 1 << (10 + (alg / 3)) ));;
- esac
+ echo $(( 1 << (10 + ($1 / 3)) ))
 }
 # Default algorithms.
@@ -74,9 +67,6 @@ KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}
 ARV_ROOT_ALGOID=${RSA4096_SHA256_ALGOID}
 ARV_PLATFORM_ALGOID=${RSA4096_SHA256_ALGOID}
-# GSC signing.
-GSC_RW_KEY_ALGOID=${RSA3070_NOSIG_ALGOID}
-
 # Keyblock modes determine which boot modes a signing key is valid for use
 # in verification.
 # !DEV 0x1 DEV 0x2
@@ -138,27 +128,6 @@ make_pair() {
 rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb"
 }
-# Emit .pem and .pem.pub using given basename and algorithm
-# This is a special case for GSC signing where vboot reference format keys are
-# not being used.
-make_gsc_pair() {
- local base=$1
- local alg=$2
- local key_version=${3:-1}
- local len="$(alg_to_keylen "${alg}")"
- local base_name="${base}_${len}"
-
- echo "creating ${base} key pair (version = ${key_version})..."
-
- # Make the RSA key pair.
- openssl genrsa -F4 -out "${base_name}.pem" "${len}"
-
- echo "skipping wrapping of ${base_name} keys"
- echo "Preserving ${base_name}.pem and generating ${base_name}.pem.pub"
- openssl rsa -in "${base_name}.pem" -outform PEM \
- -pubout -out "${base_name}.pem.pub"
-}
-
 # Used to generate keys for signing update payloads.
 make_au_payload_key() {
 local dir=$1
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index 7c036fa2..2e1fd22c 100755
--- a/scripts/keygeneration/create_new_keys.sh
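Review bot: The restored `alg_to_keylen` body in common.sh expands `$1` straight into `$(( ))` with no validation, so an empty or out-of-range algorithm ID either fails inside the arithmetic or silently yields a key length that no algorithm defined here uses (ID 12 would now give 16384). For a key-generation helper it is safer to fail closed: keep `local alg="$1"` and guard with `case "${alg}" in ([0-9]|1[01]) ;; (*) echo "unknown algorithm id: ${alg}" >&2; return 1 ;; esac` before the `echo`. The 0–11 range is inferred from the `*_ALGOID` constants visible in this hunk; the lower IDs are defined outside it and should be confirmed. A short header comment such as `# Map a vboot algorithm ID to its RSA key length in bits.` would also help, since the function has none.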
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -172,8 +172,6 @@ main() {
 make_pair arv_root ${ARV_ROOT_ALGOID}
 make_pair arv_platform ${ARV_PLATFORM_ALGOID}
- make_gsc_pair gsc_rw ${GSC_RW_KEY_ALGOID}
-
 # Create the firmware keyblock for use only in Normal mode. This is redundant,
 # since it's never even checked during Recovery mode.
 make_keyblock firmware ${FIRMWARE_KEYBLOCK_MODE} firmware_data_key root_key |