diff options
author | Kris Rambish <krisr@chromium.org> | 2012-09-06 15:58:37 -0700 |
---|---|---|
committer | Kris Rambish <krisr@chromium.org> | 2012-09-18 16:05:00 -0700 |
commit | 40d8651bb36048c9b5f07be97ff17b2cf503015e (patch) | |
tree | 69db93237dcb7fa4f163f0ce25084196e2173b2a | |
parent | 770c1b772c0aa9241bc2923354092a14e1c68661 (diff) | |
download | vboot-40d8651bb36048c9b5f07be97ff17b2cf503015e.tar.gz |
Add scripts to increment single fm/kernel keys.factory-2914.B
For firmware and kernel key increment testing we need to be able to
rev only particular keys and verify an autoupdate works.
BUG=None
TEST=Ran it
BRANCH=None
Change-Id: Ic814480b4bf8fbc994132fcd7ba519c3be9b0ccd
Reviewed-on: https://gerrit.chromium.org/gerrit/32458
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Kris Rambish <krisr@chromium.org>
Tested-by: Kris Rambish <krisr@chromium.org>
-rwxr-xr-x | scripts/keygeneration/common.sh | 116 | ||||
-rwxr-xr-x | scripts/keygeneration/increment_firmware_data_key.sh | 44 | ||||
-rwxr-xr-x | scripts/keygeneration/increment_kernel_data_key.sh | 44 | ||||
-rwxr-xr-x | scripts/keygeneration/increment_kernel_subkey.sh | 46 | ||||
-rwxr-xr-x | scripts/keygeneration/increment_kernel_subkey_and_key.sh | 90 |
5 files changed, 263 insertions, 77 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh index b6e20c61..b7725add 100755 --- a/scripts/keygeneration/common.sh +++ b/scripts/keygeneration/common.sh @@ -114,4 +114,120 @@ function make_keyblock { --signpubkey "${signkey}.vbpubk" } +# File to read current versions from. +VERSION_FILE="key.versions" +# ARGS: <VERSION_TYPE> +get_version() { + awk -F= '/^'$1'\>/ { print $NF }' ${2:-${VERSION_FILE}} +} + +# Loads the current versions prints them to stdout and sets the global version +# variables: CURR_FIRMKEY_VER CURR_FIRM_VER CURR_KERNKEY_VER CURR_KERN_VER +load_current_versions() { + if [[ ! -f ${VERSION_FILE} ]]; then + return 1 + fi + CURR_FIRMKEY_VER=$(get_version "firmware_key_version") + # Firmware version is the kernel subkey version. + CURR_FIRM_VER=$(get_version "firmware_version") + # Kernel data key version is the kernel key version. + CURR_KERNKEY_VER=$(get_version "kernel_key_version") + CURR_KERN_VER=$(get_version "kernel_version") + + cat <<EOF +Current Firmware key version: ${CURR_FIRMKEY_VER} +Current Firmware version: ${CURR_FIRM_VER} +Current Kernel key version: ${CURR_KERNKEY_VER} +Current Kernel version: ${CURR_KERN_VER} +EOF +} + +# Make backups of existing kernel subkeys and keyblocks that will be revved. +# Backup format: +# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock +# Args: SUBKEY_VERSION DATAKEY_VERSION +backup_existing_kernel_keyblock() { + if [[ ! -e kernel.keyblock ]]; then + return + fi + mv --no-clobber kernel.{keyblock,"v$2.v$1.keyblock"} +} + +# Make backups of existing kernel subkeys and keyblocks that will be revved. +# Backup format: +# for keys: <key_name>.v<version>.vb{pub|priv}k +# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock +# Args: SUBKEY_VERSION DATAKEY_VERSION +backup_existing_kernel_subkeys() { + local subkey_ver=$1 + local datakey_ver=$2 + # --no-clobber to prevent accidentally overwriting existing + # backups. + mv --no-clobber kernel_subkey.{vbprivk,"v${subkey_ver}.vbprivk"} + mv --no-clobber kernel_subkey.{vbpubk,"v${subkey_ver}.vbpubk"} + backup_existing_kernel_keyblock ${subkey_ver} ${datakey_ver} +} + +# Make backups of existing kernel data keys and keyblocks that will be revved. +# Backup format: +# for keys: <key_name>.v<version>.vb{pub|priv}k +# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock +# Args: SUBKEY_VERSION DATAKEY_VERSION +backup_existing_kernel_data_keys() { + local subkey_ver=$1 + local datakey_ver=$2 + # --no-clobber to prevent accidentally overwriting existing + # backups. + mv --no-clobber kernel_data_key.{vbprivk,"v${datakey_ver}.vbprivk"} + mv --no-clobber kernel_data_key.{vbpubk,"v${datakey_ver}.vbpubk"} + backup_existing_kernel_keyblock ${subkey_ver} ${datakey_ver} +} + +# Make backups of existing firmware keys and keyblocks that will be revved. +# Backup format: +# for keys: <key_name>.v<version>.vb{pub|priv}k +# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock +# Args: SUBKEY_VERSION DATAKEY_VERSION +backup_existing_firmware_keys() { + local subkey_ver=$1 + local datakey_ver=$2 + mv --no-clobber firmware_data_key.{vbprivk,"v${subkey_ver}.vbprivk"} + mv --no-clobber firmware_data_key.{vbpubk,"v${subkey_ver}.vbpubk"} + mv --no-clobber firmware.{keyblock,"v${datakey_ver}.v${subkey_ver}.keyblock"} +} + + +# Write new key version file with the updated key versions. +# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION +# KERNEL_VERSION +write_updated_version_file() { + local firmware_key_version=$1 + local firmware_version=$2 + local kernel_key_version=$3 + local kernel_version=$4 + + cat > ${VERSION_FILE} <<EOF +firmware_key_version=${firmware_key_version} +firmware_version=${firmware_version} +kernel_key_version=${kernel_key_version} +kernel_version=${kernel_version} +EOF +} + +# Returns the incremented version number of the passed in key from the version +# file. The options are "firmware_key_version", "firmware_version", +# "kernel_key_version", or "kernel_version". +# ARGS: KEY_DIR <key_name> +increment_version() { + local key_dir=$1 + local VERSION_FILE="${key_dir}/${VERSION_FILE}" + local old_version=$(get_version $2) + local new_version=$(( ${old_version} + 1 )) + + if [[ ${new_version} -gt 0xffff ]]; then + echo "Version overflow!" >&2 + return 1 + fi + echo ${new_version} +} diff --git a/scripts/keygeneration/increment_firmware_data_key.sh b/scripts/keygeneration/increment_firmware_data_key.sh new file mode 100755 index 00000000..facd776d --- /dev/null +++ b/scripts/keygeneration/increment_firmware_data_key.sh @@ -0,0 +1,44 @@ +#!/bin/bash +# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# Script to increment firmware version key for firmware updates. +# Used when revving versions for a firmware update. + +# Load common constants and variables. +. "$(dirname "$0")/common.sh" + +# Abort on errors. +set -e + +if [ $# -ne 1 ]; then + cat <<EOF + Usage: $0 <keyset directory> + + Increments the firmware version in the specified keyset. +EOF + exit 1 +fi + +KEY_DIR=$1 + +main() { + load_current_versions + new_firmkey_ver=$(increment_version "${KEY_DIR}" "firmware_key_version") + + backup_existing_firmware_keys ${CURR_FIRM_VER} ${CURR_FIRMKEY_VER} + + cat <<EOF +Generating new firmware version key. + +New Firmware key version (due to firmware key change): ${new_firmkey_ver}. +EOF + make_pair firmware_data_key ${FIRMWARE_DATAKEY_ALGOID} ${new_firmkey_ver} + make_keyblock firmware ${FIRMWARE_KEYBLOCK_MODE} firmware_data_key root_key + + write_updated_version_file ${new_firmkey_ver} ${CURR_FIRM_VER} \ + ${CURR_KERNKEY_VER} ${CURR_KERN_VER} +} + +main "$@" diff --git a/scripts/keygeneration/increment_kernel_data_key.sh b/scripts/keygeneration/increment_kernel_data_key.sh new file mode 100755 index 00000000..193df2ae --- /dev/null +++ b/scripts/keygeneration/increment_kernel_data_key.sh @@ -0,0 +1,44 @@ +#!/bin/bash +# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# Script to increment kernel data key for firmware updates. +# Used when revving versions for a firmware update. + +# Load common constants and variables. +. "$(dirname "$0")/common.sh" + +# Abort on errors. +set -e + +if [ $# -ne 1 ]; then + cat <<EOF + Usage: $0 <keyset directory> + + Increments the kernel data key in the specified keyset. +EOF + exit 1 +fi + +KEY_DIR=$1 + +main() { + load_current_versions + new_kernkey_ver=$(increment_version "${KEY_DIR}" "kernel_key_version") + + backup_existing_kernel_data_keys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER} + + cat <<EOF +Generating new kernel data version, and new kernel keyblock. + +New Kernel data key version: ${new_kernkey_ver}. +EOF + make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${new_kernkey_ver} + make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey + + write_updated_version_file ${CURR_FIRMKEY_VER} ${CURR_FIRM_VER} \ + ${new_kernkey_ver} ${CURR_KERN_VER} +} + +main "$@" diff --git a/scripts/keygeneration/increment_kernel_subkey.sh b/scripts/keygeneration/increment_kernel_subkey.sh new file mode 100755 index 00000000..26af3fa4 --- /dev/null +++ b/scripts/keygeneration/increment_kernel_subkey.sh @@ -0,0 +1,46 @@ +#!/bin/bash +# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# Script to increment kernel subkey for firmware updates. +# Used when revving versions for a firmware update. + +# Load common constants and variables. +. "$(dirname "$0")/common.sh" + +# Abort on errors. +set -e + +if [ $# -ne 1 ]; then + cat <<EOF + Usage: $0 <keyset directory> + + Increments the kernel subkey in the specified keyset. +EOF + exit 1 +fi + +KEY_DIR=$1 + +main() { + load_current_versions + new_firm_ver=$(increment_version "${KEY_DIR}" "firmware_version") + + backup_existing_kernel_subkeys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER} + backup_existing_kernel_data_keys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER} + + cat <<EOF +Generating new kernel subkey, data keys and new kernel keyblock. + +New Firmware version (due to kernel subkey change): ${new_firm_ver}. +EOF + make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${new_firm_ver} + make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${CURRENT_KDATAKEY_VERSION} + make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey + + write_updated_version_file ${CURR_FIRMKEY_VER} ${new_firm_ver} \ + ${CURR_KERNKEY_VER} ${CURR_KERN_VER} +} + +main "$@" diff --git a/scripts/keygeneration/increment_kernel_subkey_and_key.sh b/scripts/keygeneration/increment_kernel_subkey_and_key.sh index ed20db43..ac846605 100755 --- a/scripts/keygeneration/increment_kernel_subkey_and_key.sh +++ b/scripts/keygeneration/increment_kernel_subkey_and_key.sh @@ -24,90 +24,26 @@ fi KEY_DIR=$1 -# File to read current versions from. -VERSION_FILE="key.versions" - -# ARGS: <version_type> -get_version() { - local version_type=$1 - version=$(sed -n "s#^${version_type}=\(.*\)#\1#pg" ${VERSION_FILE}) - echo $version -} - -# Make backups of existing keys and keyblocks that will be revved. -# Backup format: -# for keys: <key_name>.v<version>.vb{pub|priv}k -# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock -# Args: SUBKEY_VERSION DATAKEY_VERSION -backup_existing_kernel_keys() { - subkey_version=$1 - datakey_version=$2 - # --no-clobber to prevent accidentally overwriting existing - # backups. - mv --no-clobber kernel_subkey.{vbprivk,"v${subkey_version}.vbprivk"} - mv --no-clobber kernel_subkey.{vbpubk,"v${subkey_version}.vbpubk"} - mv --no-clobber kernel_data_key.{vbprivk,"v${datakey_version}.vbprivk"} - mv --no-clobber kernel_data_key.{vbpubk,"v${datakey_version}.vbpubk"} - mv --no-clobber kernel.{keyblock,"v${datakey_version}.v${subkey_version}.keyblock"} -} - -# Write new key version file with the updated key versions. -# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION KERNEL_VERSION -write_updated_version_file() { - local firmware_key_version=$1 - local firmware_version=$2 - local kernel_key_version=$3 - local kernel_version=$4 - - cat > ${VERSION_FILE} <<EOF -firmware_key_version=${firmware_key_version} -firmware_version=${firmware_version} -kernel_key_version=${kernel_key_version} -kernel_version=${kernel_version} -EOF -} - - main() { - local key_dir=$1 - cd "${key_dir}" - current_fkey_version=$(get_version "firmware_key_version") - # Firmware version is the kernel subkey version. - current_ksubkey_version=$(get_version "firmware_version") - # Kernel data key version is the kernel key version. - current_kdatakey_version=$(get_version "kernel_key_version") - current_kernel_version=$(get_version "kernel_version") - - cat <<EOF -Current Firmware key version: ${current_fkey_version} -Current Firmware version: ${current_ksubkey_version} -Current Kernel key version: ${current_kdatakey_version} -Current Kernel version: ${current_kernel_version} -EOF - - backup_existing_kernel_keys $current_ksubkey_version $current_kdatakey_version - - new_ksubkey_version=$(( current_ksubkey_version + 1 )) - new_kdatakey_version=$(( current_kdatakey_version + 1 )) + load_current_versions + new_kernkey_ver=$(increment_version "${KEY_DIR}" "kernel_key_version") + new_firm_ver=$(increment_version "${KEY_DIR}" "firmware_version") - if [ $new_kdatakey_version -gt 65535 ] || [ $new_kdatakey_version -gt 65535 ]; - then - echo "Version overflow!" - exit 1 - fi + backup_existing_kernel_subkeys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER} + backup_existing_kernel_data_keys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER} cat <<EOF Generating new kernel subkey, data keys and new kernel keyblock. -New Firmware version (due to kernel subkey change): ${new_ksubkey_version}. -New Kernel key version (due to kernel datakey change): ${new_kdatakey_version}. +New Firmware version (due to kernel subkey change): ${new_firm_ver}. +New Kernel key version (due to kernel datakey change): ${new_kernkey_ver}. EOF - make_pair kernel_subkey $KERNEL_SUBKEY_ALGOID $new_ksubkey_version - make_pair kernel_data_key $KERNEL_DATAKEY_ALGOID $new_kdatakey_version - make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey + make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${new_firm_ver} + make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${new_kernkey_ver} + make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey - write_updated_version_file $current_fkey_version $new_ksubkey_version \ - $new_kdatakey_version $current_kernel_version + write_updated_version_file ${CURR_FIRMKEY_VER} ${new_firm_ver} \ + ${new_kernkey_ver} ${CURR_KERN_VER} } -main $@ +main "$@" |