authorJulius Werner <jwerner@chromium.org>2023-01-25 18:46:39 -0800
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-02-03 05:55:19 +0000
commit72f605d2bb21dcfc6879c4a32324f56286180b86 (patch)
tree31382b7d765d0b1fbfb8e91ce21c4b95bdc207ba
parent52f28a4b68aa018fff3cc575610bc9c1c04a030f (diff)
downloadvboot-72f605d2bb21dcfc6879c4a32324f56286180b86.tar.gz
scripts/keygeneration: Add replace_recovery_key.sh
This patch adds a new keygeneration script that can be used to replace the recovery key from an existing key set, but preserves the old key as a secondary recovery_key.v1. All dependent kernel data keys are regenerated, but we will create both keyblocks signed by the new and the old recovery key. This is useful in cases where we want newly produced devices to use a different recovery key that will no longer boot older images, but still give older boards already shipped with the old recovery key a chance to boot new recovery images built after that point (if they have been dual-signed). BRANCH=none BUG=b:266371047 TEST=Created new keyset, ran the script, manually reviewed newly created keys. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: Id240c26815cc6ee883315a65e788c68e1a0549e4 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4195518 Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-xscripts/keygeneration/replace_recovery_key.sh94
1 files changed, 94 insertions, 0 deletions
diff --git a/scripts/keygeneration/replace_recovery_key.sh b/scripts/keygeneration/replace_recovery_key.sh
new file mode 100755
index 00000000..6dbabacd
--- /dev/null
+++ b/scripts/keygeneration/replace_recovery_key.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+# Copyright 2023 The ChromiumOS Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to replace the recovery key with a newly generated one. See usage().
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+usage() {
+ cat <<EOF
+Usage: $0 <keyset directory>
+
+Creates a new recovery_key (incl. dependent kernel data keys) and renames the
+old one to recovery_key.v1. This is useful when we want to prevent units
+fabricated in the future from booting current recovery or factory shim images,
+but still want future recovery and factory shim images to be able to run on
+both new units and those that had already been shipped with the old recovery
+key.
+EOF
+}
+
+# The key versions for recovery keys and dependent kernel data keys are unused,
+# since there is no rollback protection for them. Set the new key versions to 2
+# so that they can be easily told apart from the old keys (which would have been
+# built with version 1) when reading them from a device.
+#
+# (Note that for miniOS kernels, the kernel version *is* used for rollback
+# protection, but the kernel key version is not, so we are free to do this.
+# Kernel versions are set at kernel signing time, so they don't matter here.)
+VERSION="2"
+
+main() {
+ local ext
+ local k
+
+ KEY_DIR=$1
+
+ if [ $# -ne 1 ]; then
+ usage
+ exit 1
+ fi
+
+ cd "${KEY_DIR}"
+
+ if [[ -e "recovery_key.v1.vbpubk" ]] || [[ -e "recovery_key.v1.vbprivk" ]]; then
+ die "recovery_key.v1 already exists!"
+ fi
+
+ info "Moving old recovery key to recovery_key.v1."
+
+ for ext in "vbpubk" "vbprivk"; do
+ mv "recovery_key.${ext}" "recovery_key.v1.${ext}"
+ done
+
+ info "Backing up old kernel data keys (no longer needed) as XXX.old.v1.YYY."
+
+ for k in "recovery_kernel" "installer_kernel" "minios_kernel"; do
+ for ext in "vbpubk" "vbprivk"; do
+ mv "${k}_data_key.${ext}" "${k}_data_key.old.v1.${ext}"
+ done
+ mv "${k}.keyblock" "${k}.old.v1.keyblock"
+ done
+
+ info "Creating new recovery key."
+
+ make_pair recovery_key "${RECOVERY_KEY_ALGOID}" "${VERSION}"
+
+ info "Creating new recovery, minios and installer kernel data keys."
+
+ make_pair recovery_kernel_data_key "${RECOVERY_KERNEL_ALGOID}" "${VERSION}"
+ make_pair minios_kernel_data_key "${MINIOS_KERNEL_ALGOID}" "${VERSION}"
+ make_pair installer_kernel_data_key "${INSTALLER_KERNEL_ALGOID}" "${VERSION}"
+
+ info "Creating new keyblocks signed with new recovery key."
+
+ make_keyblock recovery_kernel "${RECOVERY_KERNEL_KEYBLOCK_MODE}" recovery_kernel_data_key recovery_key
+ make_keyblock minios_kernel "${MINIOS_KERNEL_KEYBLOCK_MODE}" minios_kernel_data_key recovery_key
+ make_keyblock installer_kernel "${INSTALLER_KERNEL_KEYBLOCK_MODE}" installer_kernel_data_key recovery_key
+
+ info "Creating secondary XXX.v1.keyblocks signing new kernel data keys with old recovery key."
+
+ make_keyblock recovery_kernel.v1 "${RECOVERY_KERNEL_KEYBLOCK_MODE}" recovery_kernel_data_key recovery_key.v1
+ make_keyblock minios_kernel.v1 "${MINIOS_KERNEL_KEYBLOCK_MODE}" minios_kernel_data_key recovery_key.v1
+ make_keyblock installer_kernel.v1 "${INSTALLER_KERNEL_KEYBLOCK_MODE}" installer_kernel_data_key recovery_key.v1
+
+ info "All done."
+}
+
+main "$@"
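Review bot: The renames in the two loops at lines 77-88 start before anything verifies that every input file exists, so a keyset missing e.g. `minios_kernel.keyblock` aborts under `set -e` with recovery_key and some data keys already renamed, leaving the directory half-migrated and a rerun refused by the recovery_key.v1 check on line 71. A pre-flight existence check placed before the first `mv` (below) moves the failure ahead of any state change; it reuses the `die` helper already called on line 72. The same loops would also silently overwrite a stale `*.old.v1.*` backup if one were present, so an `-e` check on the destinations, or `mv -n`, is worth adding in the same pass. As a style point, the argument check on line 64 uses `[ $# -ne 1 ]` while line 71 uses `[[ ]]`; picking one form keeps the script consistent.
```bash
  cd "${KEY_DIR}"

  # Pre-flight: confirm every file the renames below depend on is present, so
  # a wrong directory or an incomplete keyset fails before any mv runs.
  for k in recovery_key recovery_kernel_data_key installer_kernel_data_key \
      minios_kernel_data_key; do
    for ext in vbpubk vbprivk; do
      [[ -f "${k}.${ext}" ]] || die "Missing ${k}.${ext} in ${KEY_DIR}"
    done
  done
  for k in recovery_kernel installer_kernel minios_kernel; do
    [[ -f "${k}.keyblock" ]] || die "Missing ${k}.keyblock in ${KEY_DIR}"
  done

  # … unchanged: recovery_key.v1 check, renames, make_pair/make_keyblock calls …
```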