-rw-r--r-- | scripts/keygeneration/common.sh | 33 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 2 |
2 files changed, 34 insertions, 1 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh index af6cd717..4ec445a9 100644 --- a/scripts/keygeneration/common.sh +++ b/scripts/keygeneration/common.sh @@ -43,8 +43,15 @@ RSA4096_SHA512_ALGOID=8 RSA8192_SHA1_ALGOID=9 RSA8192_SHA256_ALGOID=10 RSA8192_SHA512_ALGOID=11 +RSA3070_NOSIG_ALGOID=12 alg_to_keylen() { - echo $(( 1 << (10 + ($1 / 3)) )) + local alg="$1" + + # GSC RW signing key does not fit the pattern, return its size explicitly. + case ${alg} in + (${RSA3070_NOSIG_ALGOID}) echo 3070;; + (*) echo $(( 1 << (10 + (alg / 3)) ));; + esac } # Default algorithms. @@ -67,6 +74,9 @@ KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID} ARV_ROOT_ALGOID=${RSA4096_SHA256_ALGOID} ARV_PLATFORM_ALGOID=${RSA4096_SHA256_ALGOID} +# GSC signing. +GSC_RW_KEY_ALGOID=${RSA3070_NOSIG_ALGOID} + # Keyblock modes determine which boot modes a signing key is valid for use # in verification. # !DEV 0x1 DEV 0x2 @@ -128,6 +138,27 @@ make_pair() { rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb" } +# Emit .pem and .pem.pub using given basename and algorithm +# This is a special case for GSC signing where vboot reference format keys are +# not being used. +make_gsc_pair() { + local base=$1 + local alg=$2 + local key_version=${3:-1} + local len="$(alg_to_keylen "${alg}")" + local base_name="${base}_${len}" + + echo "creating ${base} key pair (version = ${key_version})..." + + # Make the RSA key pair. + openssl genrsa -F4 -out "${base_name}.pem" "${len}" + + echo "skipping wrapping of ${base_name} keys" + echo "Preserving ${base_name}.pem and generating ${base_name}.pem.pub" + openssl rsa -in "${base_name}.pem" -outform PEM \ + -pubout -out "${base_name}.pem.pub" +} + # Used to generate keys for signing update payloads. make_au_payload_key() { local dir=$1 diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index 2e1fd22c..7c036fa2 100755 --- a/scripts/keygeneration/create_new_keys.sh 
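Review bot: In alg_to_keylen the fallback arm now reads `alg` by name inside `$(( ))`, and bash (at least) evaluates an empty or non-numeric variable there as 0. A missing or misspelled algorithm id therefore silently yields 1024, where the old `$1` form failed with an arithmetic syntax error on an empty argument. For a key-generation helper that is a quiet fall-back to the smallest key size. A guard before the existing `case` restores the failure, for example `case "${alg}" in (''|*[!0-9]*) echo "invalid algorithm id: '${alg}'" >&2; return 1;; esac`. Quoting the selector as `case "${alg}" in` would also be the safer form.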
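Review bot: make_gsc_pair accepts `key_version` but only echoes it; neither openssl call records it, so the "version = N" log line describes a property the generated files do not carry. Either drop the parameter or add a comment saying where the version is expected to be tracked. `local len="$(alg_to_keylen "${alg}")"` also hides a failing alg_to_keylen behind `local`'s own exit status; splitting it into `local len` and `len="$(alg_to_keylen "${alg}")" || return 1` keeps an empty length from reaching `openssl genrsa`. Unlike make_pair, this function deliberately leaves the unencrypted private `.pem` on disk, so the header comment should say that and that the file's mode depends on the caller's umask; running the generation as `( umask 077; openssl genrsa -F4 -out "${base_name}.pem" "${len}" )` would pin it. Whether the script runs under `set -e` is not visible in this hunk; if it does not, a failed `genrsa` goes unnoticed until the `openssl rsa` step.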
+++ b/scripts/keygeneration/create_new_keys.sh @@ -172,6 +172,8 @@ main() { make_pair arv_root ${ARV_ROOT_ALGOID} make_pair arv_platform ${ARV_PLATFORM_ALGOID} + make_gsc_pair gsc_rw ${GSC_RW_KEY_ALGOID} + # Create the firmware keyblock for use only in Normal mode. This is redundant, # since it's never even checked during Recovery mode. make_keyblock firmware ${FIRMWARE_KEYBLOCK_MODE} firmware_data_key root_key |