-rw-r--r-- | scripts/keygeneration/common.sh | 7 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 36 | ||||
-rwxr-xr-x | scripts/keygeneration/make_arv_root.sh | 46 | ||||
-rw-r--r-- | tests/ApRoV1Signing-PreMP/arv_root.vbprivk (renamed from tests/devkeys/arv_root.vbprivk) | bin | 2358 -> 2358 bytes | |||
-rw-r--r-- | tests/ApRoV1Signing-PreMP/arv_root.vbpubk | bin | 0 -> 1064 bytes |
5 files changed, 87 insertions, 2 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh index c4cbb3fb..18630266 100644 --- a/scripts/keygeneration/common.sh +++ b/scripts/keygeneration/common.sh @@ -66,6 +66,10 @@ KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID} # AP RO Verification. ARV_ROOT_ALGOID=${RSA4096_SHA256_ALGOID} ARV_PLATFORM_ALGOID=${RSA4096_SHA256_ALGOID} +ARV_ROOT_NAME_BASE="arv_root" +# Presumably the script is run from the top of the PreMP keys directory +# tree, place AP RO verification root key there. +ARV_ROOT_DIR="ApRoV1Signing-PreMP" # Keyblock modes determine which boot modes a signing key is valid for use # in verification. @@ -88,6 +92,9 @@ MINIOS_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x20)) KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10)) # Only allow in dev + recovery + non-miniOS. INSTALLER_KERNEL_KEYBLOCK_MODE=$((0x2 | 0x8 | 0x10)) +# Only allow in non-recovery + non-miniOS, does not mean much for AP RO keys. +ARV_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10)) + # Emit .vbpubk and .vbprivk using given basename and algorithm # NOTE: This function also appears in ../../utility/dev_make_keypair. Making diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index 44521e7b..21a9cfec 100755 --- a/scripts/keygeneration/create_new_keys.sh +++ b/scripts/keygeneration/create_new_keys.sh @@ -23,6 +23,8 @@ Options: --8k-installer-kernel Use 8k key size for the installer kernel data --key-name <name> Name of the keyset (for key.versions) --output <dir> Where to write the keys (default is cwd) + --arv-root-path <dir> Path to AP RO verificaton root key directory, + defaults to ./${ARV_ROOT_DIR} EOF if [[ $# -ne 0 ]]; then @@ -44,6 +46,7 @@ main() { local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID} local keyname local output_dir="${PWD}" setperms="false" + local arv_root_path="" while [[ $# -gt 0 ]]; do case $1 in 
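Review bot: The help text added for `--arv-root-path` in `create_new_keys.sh` says the default is `./${ARV_ROOT_DIR}`, but the later hunk in `main()` resolves `"../${ARV_ROOT_DIR}"`, which its own comment describes as one level above the output directory. An operator following the help text would look for the root key directory in the wrong place; I would word it as `defaults to ../${ARV_ROOT_DIR} relative to the output directory`. The same added line misspells "verification" as `verificaton`. The usage function starts and ends outside this hunk.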
@@ -95,6 +98,11 @@ main() { installer_kernel_algoid=${RSA4096_SHA512_ALGOID} ;; + --arv-root-path) + arv_root_path="$(readlink -f "$2")" + shift + ;; + --key-name) keyname="$2" shift @@ -125,6 +133,19 @@ main() { chmod 700 . fi + if [[ -z "${arv_root_path}" ]]; then + # If not explicitly set, expect AP RO verification root key directory one + # level above the output directory where the specific board keys are going + # to be placed. + arv_root_path="$(readlink -f "../${ARV_ROOT_DIR}")" + fi + + if [[ ! -d "${arv_root_path}" ]]; then + die "AP RO root key directory \"${arv_root_path}\" not found." \ + "Run make_arv_root.sh to create it or specify --arv-root-path." + exit 1 + fi + if [[ ! -e "${VERSION_FILE}" ]]; then echo "No version file found. Creating default ${VERSION_FILE}." ( @@ -158,8 +179,11 @@ main() { make_pair recovery_kernel_data_key ${recovery_kernel_algoid} make_pair minios_kernel_data_key ${minios_kernel_algoid} make_pair installer_kernel_data_key ${installer_kernel_algoid} - make_pair arv_root ${ARV_ROOT_ALGOID} - make_pair arv_platform ${ARV_PLATFORM_ALGOID} + make_pair arv_platform "${ARV_PLATFORM_ALGOID}" + + # Make sure there is a copy of the AP RO verification root public key in the + # keyset directory. + cp "${arv_root_path}/${ARV_ROOT_NAME_BASE}.vbpubk" . # Create the firmware keyblock for use only in Normal mode. This is redundant, # since it's never even checked during Recovery mode. 
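Review bot: A failed `readlink -f` in the new `--arv-root-path)` arm is indistinguishable from the option not being given at all. GNU `readlink -f` prints nothing when `$2` is missing or a non-final path component does not exist, so `arv_root_path` stays empty and the `-z` test in the next hunk silently falls back to the default root key directory. A mistyped path would then yield a platform keyblock signed by a different root key than the operator asked for. I would fail at parse time: `arv_root_path="$(readlink -f "$2")" || die "Invalid --arv-root-path: \"$2\""`. The enclosing `case` starts and ends outside the hunk.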
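Review bot: The new guard checks only that `${arv_root_path}` is a directory, not that it holds the root key pair, so a directory without the key files is noticed only later, after the `make_pair` calls have already generated the other keys. Checking up front keeps a failed run from leaving a partial keyset: `[[ -r "${arv_root_path}/${ARV_ROOT_NAME_BASE}.vbprivk" && -r "${arv_root_path}/${ARV_ROOT_NAME_BASE}.vbpubk" ]] || die "AP RO root key pair not found in \"${arv_root_path}\"."`. The `exit 1` after `die` looks unreachable, assuming `die` (defined outside this diff) exits. `main()` begins and ends outside the hunk.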
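Review bot: The `cp` of the root public key added in this hunk has no error check, and the same file is copied again in the `@@ -180,6 +204,14 @@` hunk. That second copy is followed by `|| die` but hard-codes `arv_root.vbpubk` instead of using `${ARV_ROOT_NAME_BASE}`. Unless the script runs under `set -e` (not visible in this diff), a failure of this first copy goes unnoticed until the second one. I would keep a single copy: `cp "${arv_root_path}/${ARV_ROOT_NAME_BASE}.vbpubk" . || die "Failed to copy AP RO root public key"`.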
@@ -180,6 +204,14 @@ main() { # For use in Factory Install and Developer Mode install shims. make_keyblock installer_kernel ${INSTALLER_KERNEL_KEYBLOCK_MODE} installer_kernel_data_key recovery_key + # Create AP RO verification platform keyblock. + make_keyblock arv_platform "${ARV_KEYBLOCK_MODE}" arv_platform \ + "${arv_root_path}/${ARV_ROOT_NAME_BASE}" + + # Copy AP RO verification root public key into the output directory, it is + # necessary for AP RO verification signing. + cp "${arv_root_path}/arv_root.vbpubk" . || die "Failed to copy" + if [[ "${android_keys}" == "true" ]]; then mkdir android "${SCRIPT_DIR}"/create_new_android_keys.sh android diff --git a/scripts/keygeneration/make_arv_root.sh b/scripts/keygeneration/make_arv_root.sh new file mode 100755 index 00000000..39c0ae9c --- /dev/null +++ b/scripts/keygeneration/make_arv_root.sh @@ -0,0 +1,46 @@ +#!/bin/bash +# Copyright 2022 The ChromiumOS Authors +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. +# +# Create AP RO verification Root key pair for PreMp signing. + +# Load common constants and functions. +. "$(dirname "$0")/common.sh" + +usage() { + cat <<EOF +Usage: $0 [destination directory] + +Output: arv_root.vbprivk and arv_root.vbpubk created in [destination dirctory] + which by default is "./${ARV_ROOT_DIR}" +EOF + exit 1 +} + +main() { + local key_dir + + case $# in + (0) # Use default directory. + key_dir="${ARV_ROOT_DIR}" + ;; + (1) + key_dir="$1" + ;; + (*) + usage + esac + + if [[ -d ${key_dir} ]]; then + die "Destination directory \"${key_dir}\" exists. There can be only one!" + fi + + mkdir -p "${key_dir}" || die "Failed to create \"${key_dir}\"." + + cd "${key_dir}" || die "Failed to cd to \"${key_dir}\"." + + make_pair "${ARV_ROOT_NAME_BASE}" "${ARV_ROOT_ALGOID}" +} + +main "$@" diff --git a/tests/devkeys/arv_root.vbprivk b/tests/ApRoV1Signing-PreMP/arv_root.vbprivk Binary files differindex 7747717a..7747717a 100644 
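Review bot: In the new `make_arv_root.sh`, `main()` creates the directory for the AP RO root private key with `mkdir -p` under the caller's umask and never tightens it, whereas `create_new_keys.sh` has a `chmod 700 .` step for its keyset directory. Whether `make_pair` restricts the mode of the `.vbprivk` it writes is not visible in this diff, so I would restrict the directory at creation: `mkdir -p -m 700 "${key_dir}" || die "Failed to create \"${key_dir}\"."`. Separately, any single argument, including `-h` or `--help`, is taken as the destination directory, so `usage` is reached only with two or more arguments. The usage text also misspells "directory" as `dirctory`.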
--- a/tests/devkeys/arv_root.vbprivk +++ b/tests/ApRoV1Signing-PreMP/arv_root.vbprivk diff --git a/tests/ApRoV1Signing-PreMP/arv_root.vbpubk b/tests/ApRoV1Signing-PreMP/arv_root.vbpubk Binary files differnew file mode 100644 index 00000000..aebe2a48 --- /dev/null +++ b/tests/ApRoV1Signing-PreMP/arv_root.vbpubk |