diff options
| author | Edward Hyunkoo Jee <edjee@google.com> | 2018-04-25 21:09:00 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2018-05-29 21:22:46 -0700 |
| commit | 29f51dc30dfef564147ecd0555ac53f24bb7c1e9 (patch) | |
| tree | f9b882d9ff64fc420bcd57a4c175457764c95422 | |
| parent | 41c585ed7482da8ccd898b4118d1414028fe749f (diff) | |
| download | vboot-stabilize-nocturne.10736.B.tar.gz | |
keygeneration: add --no-pk option for UEFI key generationstabilize-nocturne.10736.Bstabilize-atlas.10736.B
In case PK has been generated in HSM, no need to generate them in
software.
BUG=b:62189155
TEST=See CL:*630434.
BRANCH=none
Change-Id: I2180b340e992b678e46920a1142d3b7101c8158f
Reviewed-on: https://chromium-review.googlesource.com/1071242
Commit-Ready: Edward Jee <edjee@google.com>
Tested-by: Edward Jee <edjee@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| -rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 2 | ||||
| -rwxr-xr-x | scripts/keygeneration/uefi/create_new_uefi_keys.sh | 40 |
2 files changed, 26 insertions, 16 deletions
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index a41140c8..7a68fe9f 100755 --- a/scripts/keygeneration/create_new_keys.sh +++ b/scripts/keygeneration/create_new_keys.sh @@ -177,7 +177,7 @@ main() { if [[ "${uefi_keys}" == "true" ]]; then mkdir -p uefi - "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh uefi + "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh --output uefi fi if [[ "${setperms}" == "true" ]]; then diff --git a/scripts/keygeneration/uefi/create_new_uefi_keys.sh b/scripts/keygeneration/uefi/create_new_uefi_keys.sh index 5a57b2f3..2e91b019 100755 --- a/scripts/keygeneration/uefi/create_new_uefi_keys.sh +++ b/scripts/keygeneration/uefi/create_new_uefi_keys.sh @@ -8,13 +8,18 @@ usage() { cat <<EOF -Usage: ${PROG} <OUTPUT_DIR> +Usage: ${PROG} [options] Generate key pairs for UEFI secure boot. + +Options: + --output <dir> Where to write the keys (default is cwd). + The base name must be '.../uefi'. + --no-pk Do not generate PK. EOF if [[ $# -ne 0 ]]; then - die "$*" + die "unknown option $*" else exit 0 fi @@ -23,28 +28,31 @@ EOF main() { set -e + local generate_pk="true" + local output_dir="${PWD}" + while [[ $# -gt 0 ]]; do case $1 in + --output) + output_dir="$2" + shift + ;; + --no-pk) + info "Will not generate PK." + generate_pk="false" + ;; -h|--help) usage ;; - -*) - usage "Unknown option: $1" - ;; *) - break + usage "Unknown option: $1" ;; esac + shift done - if [[ $# -ne 1 ]]; then - usage "Missing output directory" - fi - - local dir="$1" - - check_uefi_key_dir_name "${dir}" - pushd "${dir}" >/dev/null || die "Wrong output directory name" + check_uefi_key_dir_name "${output_dir}" + pushd "${output_dir}" >/dev/null || die "Wrong output directory name" if [[ ! -e "${UEFI_VERSION_FILE}" ]]; then echo "No version file found. Creating default ${UEFI_VERSION_FILE}." @@ -59,7 +67,9 @@ main() { db_key_version=$(get_uefi_version "db_key_version") db_child_key_version=$(get_uefi_version "db_child_key_version") - make_pk_keypair "${pk_key_version}" + if [[ "${generate_pk}" == "true" ]]; then + make_pk_keypair "${pk_key_version}" + fi make_kek_keypair "${kek_key_version}" make_db_keypair "${db_key_version}" make_db_child_keypair "${db_key_version}" "${db_child_key_version}" |