summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorMike Frysinger <vapier@chromium.org>2020-09-03 16:56:06 -0400
committerMike Frysinger <vapier@chromium.org>2020-09-09 06:41:54 +0000
commit68f0eaaea967334f9fa05251bb13ac843a7d5b26 (patch)
tree75f575e4aed6e04f0969476b8b2c67d70af72c8b /scripts
parent8f43ad977003ac4ed502c285dc08feca5e4d9bdf (diff)
downloadvboot-68f0eaaea967334f9fa05251bb13ac843a7d5b26.tar.gz
keygeneration: psp verstagebl: refactor key gen & csr generation
We want to separate the stages of creating the key & using the key as our HSM tools use different commands for these. This also means we no longer need a passphrase at all. BUG=b:166095736 TEST=ran script before & after and made sure output (largely) looked the same BRANCH=None Change-Id: Id488789f83c21ffb6263489e3c22531878ceb1f2 Signed-off-by: Mike Frysinger <vapier@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2391219 Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/keygeneration/create_psp_verstagebl_key.sh102
1 files changed, 70 insertions, 32 deletions
diff --git a/scripts/keygeneration/create_psp_verstagebl_key.sh b/scripts/keygeneration/create_psp_verstagebl_key.sh
index 31f78ba1..aeb79208 100755
--- a/scripts/keygeneration/create_psp_verstagebl_key.sh
+++ b/scripts/keygeneration/create_psp_verstagebl_key.sh
@@ -3,9 +3,12 @@
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
usage() {
cat <<EOF
-Usage: $0 <OUTPUT DIRECTORY> <KEY SIZE> [PASSPHRASE]
+Usage: ${PROG} <PROJECT/DEVICE NAME> <OUTPUT DIRECTORY> <KEY SIZE>
Generate a key pair for signing the PSP_Verstage binary to be loaded by
the PSP bootloader. For detail, reference the AMD documentation titled
@@ -15,9 +18,6 @@ Process" - http://dr/corp/drive/folders/1ySJyDgbH73W1lqrhxMvM9UYl5TtJt_mw
Arguments:
- Output Directory: Location for the keys to be generated. Must exist.
- Key size: 2048 for Picasso, Dali, & Pollock, 4096 for other F17h SOCs
-- Passphrase: optional passphrase. If not given on the command line, or in
- the environment variable "PASSPHRASE", it will be requested at runtime.
-
EOF
if [[ $# -ne 0 ]]; then
@@ -30,34 +30,48 @@ EOF
KEYNAME=psp_verstagebl_fw_signing
-main() {
- set -e
+# Generate the key pair.
+# ARGS: <name> <key> <keysize>
+create_psp_key() {
+ local name=$1
+ local key=$2
+ local keysize=$3
- # Check arguments
- if [[ $# -lt 2 ]]; then
- usage "Error: Too few arguments"
- fi
- if [[ ! ($2 -eq 2048 || $2 -eq 4096) ]]; then
- usage "Error: invalid keysize"
- fi
- if [[ $# -eq 3 ]]; then
- export PASSPHRASE=$3
- fi
- if [[ $# -gt 3 ]]; then
- usage "Error: Too many arguments"
- fi
+ [[ $# -eq 3 ]] || error "${FUNCNAME} requires 3 args"
+ local plainname="psp_verstagebl_${name}_${keysize}"
+ local embedname="psp_verstagebl_${name}"
+
+ # HSM signer stuff -- need a unique name for the key.
+ echo "Will use plain name: ${plainname}, and embed name: ${embedname}."
+
+ local cmd=(
+ openssl genrsa -F4 -out "${key}" "${keysize}"
+ )
+ echo "> ${cmd[@]}"
+ "${cmd[@]}" || die "generating key failed"
+}
+
+# Generate the CSR for this key.
+# ARGS: <output dir> key> <keysize>
+create_psp_csr() {
local dir=$1
- local keysize=$2
- local hash
+ local key=$2
+ local keysize=$3
+
+ [[ $# -eq 3 ]] || error "${FUNCNAME} requires 3 args"
+ local hash
if [[ ${keysize} -eq 2048 ]]; then
hash="sha256"
else
hash="sha384"
fi
- cat <<EOF >"${dir}/${KEYNAME}.cnf"
+ local config="${dir}/${KEYNAME}.cnf"
+ local csr="${dir}/${KEYNAME}.csr"
+
+ cat <<EOF >"${config}"
[req]
default_md = ${hash}
prompt = no
@@ -82,22 +96,46 @@ EOF
local cmd=(
openssl req -new
- -newkey "rsa:${keysize}"
- -config "${dir}/${KEYNAME}.cnf"
- -keyout "${dir}/${KEYNAME}.key"
- -out "${dir}/${KEYNAME}.csr"
+ -config "${config}"
+ -key "${key}"
+ -out "${csr}"
)
- if [[ "${PASSPHRASE+set}" == "set" ]]; then
- cmd+=(-passout env:PASSPHRASE)
- fi
- "${cmd[@]}"
+ echo "> ${cmd[@]}"
+ "${cmd[@]}" || die "generating CSR failed"
echo
echo "The following hash should be communicated to AMD separately from the CSR"
echo "to allow it to be verified."
- openssl dgst -sha256 ${KEYNAME}.csr
+ local digest="${dir}/${KEYNAME}.digest"
+ openssl dgst -sha256 "${csr}" >"${digest}" || die "generating digest failed"
+ cat "${digest}"
+}
+
+main() {
+ set -e
+
+ # Check arguments.
+ if [[ $# -ne 3 ]]; then
+ usage "Error: Incorrect number of arguments"
+ fi
+ local name=$1
+ local dir=$2
+ local keysize=$3
+
+ if [[ "${keysize}" -ne 2048 && "${keysize}" -ne 4096 ]]; then
+ usage "Error: invalid keysize"
+ fi
+
+ if [[ ! -d "${dir}" ]]; then
+ mkdir -p "${dir}"
+ else
+ echo "Error: ${dir} already exists" >&2
+ exit 1
+ fi
- rm -f "${dir}/${KEYNAME}.cnf"
+ local key="${dir}/${KEYNAME}.pem"
+ create_psp_key "${name}" "${key}" "${keysize}"
+ create_psp_csr "${dir}" "${key}" "${keysize}"
}
main "$@"