authorVadim Bendebury <vbendeb@chromium.org>2022-04-21 20:38:47 -0700
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-04-30 23:37:57 +0000
commit567d37e7a4d3fc88587b873cc0ef40d8812366d6 (patch)
tree7f4c6058345ba5db15a7958c6fbb52ca4dd33a3c
parent5c19df0e6ea9ba079280ff06e9d4016b14c081ee (diff)
downloadvboot-567d37e7a4d3fc88587b873cc0ef40d8812366d6.tar.gz
keygeneration: add ability to generate accessory GSC RW signing key pair
GSC RW signing requires a 3070-bit RSA key. The codesigner tool, when invoked, expects the public key in .pem format; the same format is used by the RO codebase when incorporating the public key in the RO image. This patch introduces a new accessory key generating script, which invokes the appropriate openssl command to generate the required key pair. BUG=b:221423468 BRANCH=none TEST=ran scripts/keygeneration/accessory/create_new_gsc_key.sh and observed two gsc keys generated: ls -l *gsc* -rw------- 1 vbendeb vbendeb 2451 Apr 21 20:42 gsc_3070.pem -rw-r--r-- 1 vbendeb vbendeb 625 Apr 21 20:42 gsc_3070.pem.pub in the FPGA setup confirmed that Ti50 RW can be signed and verified using the generated key pair. Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Change-Id: I429c250f60aa1da28aa99f39dff40c3bcda71df6 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3600151 Reviewed-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-xscripts/keygeneration/accessory/create_new_gsc_key.sh68
1 files changed, 68 insertions, 0 deletions
diff --git a/scripts/keygeneration/accessory/create_new_gsc_key.sh b/scripts/keygeneration/accessory/create_new_gsc_key.sh
new file mode 100755
index 00000000..674f8530
--- /dev/null
+++ b/scripts/keygeneration/accessory/create_new_gsc_key.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Copyright 2022 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/../common.sh"
+
+usage() {
+ cat <<EOF
+Usage: ${PROG} [options]
+
+Options:
+ -o, --output_dir <dir>: Where to write the keys (default is cwd)
+EOF
+
+ if [[ $# -ne 0 ]]; then
+ die "$*"
+ else
+ exit 0
+ fi
+}
+
+generate_rsa3070_key() {
+ local output_dir="$1"
+ local base_name="gsc_3070"
+ local len="3070"
+
+ echo "creating ${base_name} key pair..."
+
+ # Make the RSA key pair.
+ openssl genrsa -F4 -out "${base_name}.pem" "${len}"
+ openssl rsa -in "${base_name}.pem" -outform PEM \
+ -pubout -out "${base_name}.pem.pub"
+}
+
+main() {
+ set -euo pipefail
+
+ local output_dir="${PWD}"
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ -h|--help)
+ usage
+ ;;
+ -o|--output_dir)
+ output_dir="$2"
+ if [[ ! -d "${output_dir}" ]]; then
+ die "output dir (${output_dir}) doesn't exist."
+ fi
+ shift
+ ;;
+ -*)
+ usage "Unknown option: $1"
+ ;;
+ *)
+ usage "Unknown argument $1"
+ ;;
+ esac
+ shift
+ done
+
+ generate_rsa3070_key "${output_dir}"
+}
+
+main "$@"
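Review bot: The `output_dir` parameter of generate_rsa3070_key is assigned from `$1` at the top of the function but never used, so the `-o/--output_dir` option that main validates is silently ignored and both keys are always written to the current working directory. The three openssl paths should be anchored on it: `openssl genrsa -F4 -out "${output_dir}/${base_name}.pem" "${len}"` and `openssl rsa -in "${output_dir}/${base_name}.pem" -outform PEM -pubout -out "${output_dir}/${base_name}.pem.pub"`. Since one of the files is the private signing key, having it land wherever the script happens to be run from rather than in the directory the operator asked for is the kind of mismatch worth fixing before the script is relied on. Separately, `-o` passed as the last argument reads `$2` under `set -u`, which would presumably abort with a bare unbound-variable error instead of the usage text; a `[[ $# -ge 2 ]] || usage "Missing argument for $1"` guard before `output_dir="$2"` would make that case explicit.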