author | LaMont Jones <lamontjones@chromium.org> | 2019-06-20 12:17:40 -0600 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-06-28 21:14:20 +0000 |
commit | 6373cd57d7c4af79b9cf0b401d24c5dfffde68d4 (patch) | |
tree | 821eb2e5f0b62e7479baf5630706a92bacc7086e /scripts | |
parent | 11c512664e0b9c30307bf96ae01edead27939dfd (diff) | |
download | vboot-6373cd57d7c4af79b9cf0b401d24c5dfffde68d4.tar.gz |
keygeneration: default to RSA4096 keys.
We are leaving the --4k options since they are (now) no-ops, and
existing users of the script may be passing them. Since they are the
default, we want to discourage their use, so they are not documented.
BUG=b:135130152
TEST=Unit tests pass
BRANCH=None
Change-Id: I1d73496f45ac0e04657149d438434a33e0e8569b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1680641
Tested-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: LaMont Jones <lamontjones@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Auto-Submit: LaMont Jones <lamontjones@chromium.org>
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/keygeneration/common.sh | 8 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 29 |
2 files changed, 28 insertions, 9 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 9acffcc9..7482dfcd 100644
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -51,14 +51,14 @@ alg_to_keylen() {
 EC_ROOT_KEY_ALGOID=${RSA4096_SHA256_ALGOID}
 EC_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
-ROOT_KEY_ALGOID=${RSA8192_SHA512_ALGOID}
-RECOVERY_KEY_ALGOID=${RSA8192_SHA512_ALGOID}
+ROOT_KEY_ALGOID=${RSA4096_SHA512_ALGOID}
+RECOVERY_KEY_ALGOID=${RSA4096_SHA512_ALGOID}
 FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
-RECOVERY_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID}
-INSTALLER_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID}
+RECOVERY_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
+INSTALLER_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
 KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index 7a68fe9f..40cccbc5 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -17,11 +17,11 @@ Options:
 --devkeyblock Also generate developer firmware keyblock and data key
 --android Also generate android keys
 --uefi Also generate UEFI keys
- --4k Use 4k keys instead of 8k (enables options below)
- --4k-root Use 4k key size for the root key
- --4k-recovery Use 4k key size for the recovery key
- --4k-recovery-kernel Use 4k key size for the recovery kernel data
- --4k-installer-kernel Use 4k key size for the installer kernel data
+ --8k Use 8k keys instead of 4k (enables options below)
+ --8k-root Use 8k key size for the root key
+ --8k-recovery Use 8k key size for the recovery key
+ --8k-recovery-kernel Use 8k key size for the recovery kernel data
+ --8k-installer-kernel Use 8k key size for the installer kernel data
 --key-name <name> Name of the keyset (for key.versions)
 --output <dir> Where to write the keys (default is cwd)
 EOF 
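Review bot: The new 4096-bit defaults for `ROOT_KEY_ALGOID`, `RECOVERY_KEY_ALGOID`, `RECOVERY_KERNEL_ALGOID` and `INSTALLER_KERNEL_ALGOID` in scripts/keygeneration/common.sh are undocumented, although they lower the default strength of the longest-lived keys in the set. Because they are file-level variables in a shared file, any other script that sources common.sh and reads them (none is visible in this diff) would presumably also switch to RSA4096 without opting in. I would add a comment above the block, for example `# Root/recovery keys default to RSA4096; create_new_keys.sh --8k* selects RSA8192.`, and confirm that every consumer of these variables is meant to follow the new default.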
@@ -64,6 +64,25 @@ main() {
 uefi_keys="true"
 ;;
+ --8k)
+ root_key_algoid=${RSA8192_SHA512_ALGOID}
+ recovery_key_algoid=${RSA8192_SHA512_ALGOID}
+ recovery_kernel_algoid=${RSA8192_SHA512_ALGOID}
+ installer_kernel_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+ --8k-root)
+ root_key_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+ --8k-recovery)
+ recovery_key_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+ --8k-recovery-kernel)
+ recovery_kernel_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+ --8k-installer-kernel)
+ installer_kernel_algoid=${RSA8192_SHA512_ALGOID}
+ ;;
+
 --4k)
 root_key_algoid=${RSA4096_SHA512_ALGOID}
 recovery_key_algoid=${RSA4096_SHA512_ALGOID} |
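Review bot: The context lines that close this hunk show the legacy `--4k)` arm still assigning `RSA4096_SHA512_ALGOID`, so it is not a true no-op now that `--8k` exists. With `--8k --4k`, or an existing wrapper that appends `--4k` after an operator's `--8k`, the last option wins and the root and recovery keys are silently generated at 4096 bits. Since the commit message keeps the `--4k*` options only for compatibility, consider making those arms empty, e.g. `--4k|--4k-root|--4k-recovery|--4k-recovery-kernel|--4k-installer-kernel) ;;`, or failing when both sizes are requested for the same key. The `case` statement in main() starts before and continues past this hunk, so the other `--4k-*` arms are not visible and are assumed to assign in the same way.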