1 files changed, 73 insertions, 36 deletions

diff --git a/scripts/keygeneration/uefi/uefi_common.sh b/scripts/keygeneration/uefi/uefi_common.sh
index e35a20f2..87585450 100644
--- a/scripts/keygeneration/uefi/uefi_common.sh
+++ b/scripts/keygeneration/uefi/uefi_common.sh
@@ -7,6 +7,9 @@
 
 . "$(dirname "$0")/../common.sh"
 
+# Checks whether the given key directory name is "uefi".
+# Dies if it isn't.
+# ARGS: KEY_DIR
 check_uefi_key_dir_name() {
   local key_dir="$1"
   local key_dir_fullpath="$(readlink -f "${key_dir}")"
@@ -19,6 +22,7 @@ check_uefi_key_dir_name() {
 # File to read current versions from.
 UEFI_VERSION_FILE="uefi_key.versions"
 
+# Prints the version value for the given VERSION_TYPE, from UEFI_VERSION_FILE.
 # ARGS: <VERSION_TYPE> [UEFI_VERSION_FILE]
 get_uefi_version() {
   local key="$1"
@@ -29,6 +33,7 @@ get_uefi_version() {
 # Loads the current versions, prints them to stdout, and sets the global version
 # variables: CURR_PK_KEY_VER CURR_KEK_KEY_VER CURR_DB_KEY_VER
 # CURR_DB_CHILD_KEY_VER
+# ARGS: KEY_DIR
 load_current_uefi_key_versions() {
   local key_dir="$1"
   local UEFI_VERSION_FILE="${key_dir}/${UEFI_VERSION_FILE}"
@@ -48,9 +53,12 @@ Current UEFI DB child key version: ${CURR_DB_CHILD_KEY_VER}
 EOF
 }
 
+# The common part for the subject of a UEFI key.
 _CHROMIUM_OS_SUBJECT=\
 '/C=US/ST=California/L=Mountain View/O=Google LLC./OU=Chromium OS'
 
+# Prints a UEFI key subject.
+# ARGS: TITLE VERSION
 _get_subj() {
   local title="$1"
   local version="$2"
@@ -58,63 +66,86 @@ _get_subj() {
   echo "${_CHROMIUM_OS_SUBJECT}/CN=${title} v${version}"
 }
 
-# Generate a pair of a private key and a self-signed cert at the current
+# Generates a pair of a private key and a self-signed cert at the current
 # directory. Generated files are
 #   $1/$1.rsa: The private key
 #   $1/$1.pem: The self-signed cert in PEM format
+# ARGS: KEY_NAME SUBJECT
 _make_self_signed_pair() {
   local key_name="$1"
   local subj="$2"
 
   mkdir -p "${key_name}"
-  pushd "${key_name}" > /dev/null
+  pushd "${key_name}" >/dev/null || return 1
   openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
       -keyout "${key_name}.rsa" -out "${key_name}.pem" \
       -subj "${subj}" -days 73000
-  popd > /dev/null
+  popd >/dev/null
 }
 
-# Generate a pair of a private key and a cert signed by the given CA.
+# Generates a pair of a private key and a cert signed by the given CA.
 # "$1" (the first argument) is the CA file name without extension.
 # The results are signed by "$1/$1.{rsa,pem}", and are generated in
 # "$1/$1.children" directory under the current directory. Generated files are
 #   $1/$1.children/$2.rsa: The private key
 #   $1/$1.children/$2.csr: The Certificate Signing Request
 #   $1/$1.children/$2.pem: The certificate signed by "$1.{rsa,pem}"
+# ARGS: CA_NAME CHILD_KEY_NAME SUBJECT
 _make_child_pair() {
   local ca_name="$1"  # Base filename without extension.
   local child_key_name="$2"
   local subj="$3"
 
   mkdir -p "${ca_name}/${ca_name}.children"
-  pushd "${ca_name}/${ca_name}.children" > /dev/null
+  pushd "${ca_name}/${ca_name}.children" >/dev/null || return 1
   openssl req -new -nodes -newkey rsa:2048 -sha256 \
       -keyout "${child_key_name}.rsa" -out "${child_key_name}.csr" \
       -subj "${subj}" -days 73000
   openssl x509 -req -sha256 -CA "../${ca_name}.pem" -CAkey "../${ca_name}.rsa" \
       -CAcreateserial -in "${child_key_name}.csr" \
       -out "${child_key_name}.pem" -days 73000
-  popd > /dev/null
+  popd >/dev/null
 }
 
+# Makes a PK (Platform Key) keypair.
+# Generated files are
+#   pk/pk.rsa: The private key
+#   pk/pk.pem: The self-signed cert in PEM format
+# ARGS: VERSION
 make_pk_keypair() {
   local version="$1"
   _make_self_signed_pair pk \
       "$(_get_subj "UEFI Platform Key" "${version}")"
 }
 
+# Makes a KEK (Key Exchange Key) keypair.
+# Generated files are
+#   kek/kek.rsa: The private key
+#   kek/kek.pem: The self-signed cert in PEM format
+# ARGS: VERSION
 make_kek_keypair() {
   local version="$1"
   _make_self_signed_pair kek \
       "$(_get_subj "UEFI Key Exchange Key" "${version}")"
 }
 
+# Makes a DB keypair.
+# Generated files are
+#   db/db.rsa: The private key
+#   db/db.pem: The self-signed cert in PEM format
+# ARGS: VERSION
 make_db_keypair() {
   local version="$1"
   _make_self_signed_pair db \
       "$(_get_subj "UEFI DB Key" "${version}")"
 }
 
+# Makes a DB child keypair (a keypair signed by the db key).
+# Generated files are
+#   db/db.children/db_child.rsa: The private key
+#   db/db.children/db_child.csr: The Certificate Signing Request
+#   db/db.children/db_child.pem: The certificate signed by "db/db.{rsa,pem}"
+# ARGS: DB_KEY_VERSION CHILD_KEY_VERSION
 make_db_child_keypair() {
   local db_key_version="$1"
   local child_key_version="$2"
@@ -123,66 +154,76 @@ make_db_child_keypair() {
           "${db_key_version}.${child_key_version}")"
 }
 
-_backup_existing_self_signed_pair() {
+# Makes a backup of a self-signed keypair.
+# ARGS: KEY_NAME VERSION
+_backup_self_signed_pair() {
   local key_name="$1"
   local version="$2"
-  pushd "${key_name}" > /dev/null
+  pushd "${key_name}" >/dev/null || return 1
   mv --no-clobber "${key_name}".{rsa,"v${version}.rsa"}
   mv --no-clobber "${key_name}".{pem,"v${version}.pem"}
-  popd > /dev/null
+  popd >/dev/null
 }
 
-_backup_existing_self_signed_pair_and_children() {
+# Makes a backup of a self-signed keypair and its child keys.
+# ARGS: KEY_NAME VERSION
+_backup_self_signed_pair_and_children() {
   local key_name="$1"
   local version="$2"
-  _backup_existing_self_signed_pair "${key_name}" "${version}"
-  pushd "${key_name}" > /dev/null
+  _backup_self_signed_pair "${key_name}" "${version}"
+  pushd "${key_name}" >/dev/null || return 1
   mv --no-clobber "${key_name}".{children,"v${version}.children"}
-  popd > /dev/null
+  popd >/dev/null
 }
 
-_backup_existing_child_pair() {
+# Makes a backup of a child keypair signed by a CA.
+# ARGS: CA_NAME CHILD_KEY_NAME CHILD_KEY_VERSION
+_backup_child_pair() {
   local ca_name="$1"
   local child_key_name="$2"
   local child_key_version="$3"
-  pushd "${ca_name}/${ca_name}.children" > /dev/null
+  pushd "${ca_name}/${ca_name}.children" >/dev/null || return 1
   mv --no-clobber "${child_key_name}".{rsa,"v${child_key_version}.rsa"}
   mv --no-clobber "${child_key_name}".{csr,"v${child_key_version}.csr"}
   mv --no-clobber "${child_key_name}".{pem,"v${child_key_version}.pem"}
-  popd
+  popd >/dev/null
 }
 
-# Make backup of existing pk keypair.
+# Makes a backup of the PK (Platform Key) keypair.
 # Backup format: pk.v<pk key version>.{rsa,pem}
-backup_existing_pk_keypair() {
+# ARGS: PK_KEY_VERSION
+backup_pk_keypair() {
   local pk_key_version="$1"
-  _backup_existing_self_signed_pair pk "${pk_key_version}"
+  _backup_self_signed_pair pk "${pk_key_version}"
 }
 
-# Make backup of existing kek keypair.
+# Makes a backup of the KEK (Key Exchange Key) keypair.
 # Backup format: kek.v<kek key version>.{rsa,pem}
-backup_existing_kek_keypair() {
+# ARGS: KEK_KEY_VERSION
+backup_kek_keypair() {
   local kek_key_version="$1"
-  _backup_existing_self_signed_pair kek "${kek_key_version}"
+  _backup_self_signed_pair kek "${kek_key_version}"
 }
 
-# Make backup of existing db keypair and children.
+# Makes a backup of the DB keypair and its children.
 # Backup format:
-# for db keypair: db.v<db key version>.{rsa,pem}
-# for child keypair: db.v<db key version>.childern/child*.{rsa,csr,pem}
-backup_existing_db_keypair_and_children() {
+#   for db keypair: db.v<db key version>.{rsa,pem}
+#   for child keypair: db.v<db key version>.childern/child*.{rsa,csr,pem}
+# ARGS: DB_KEY_VERSION
+backup_db_keypair_and_children() {
   local db_key_version="$1"
-  _backup_existing_self_signed_pair_and_children db "${db_key_version}"
+  _backup_self_signed_pair_and_children db "${db_key_version}"
 }
 
-# Make backup of existing db child keypair.
+# Makes a backup of the DB child keypair.
 # Backup format: db.children/child.v<db child key version>.{rsa,csr,pem}
-backup_existing_db_child_keypair() {
+# ARGS: DB_CHILD_KEY_VERSION
+backup_db_child_keypair() {
   local db_child_key_version="$1"
-  _backup_existing_child_pair db db_child "${db_child_key_version}"
+  _backup_child_pair db db_child "${db_child_key_version}"
 }
 
-# Write new key version file with the updated key versions.
+# Writes new key version file with the updated key versions.
 # Args: PK_KEY_VERSION KEK_KEY_VERSION DB_KEY_VERSION DB_CHILD_KEY_VERSION
 write_updated_uefi_version_file() {
   local pk_key_version="$1"
@@ -208,9 +249,5 @@ increment_uefi_version() {
   local old_version=$(get_uefi_version "$2")
   local new_version=$(( old_version + 1 ))
 
-  if [[ ${new_version} -gt 0xffff ]]; then
-    echo "Version overflow!" >&2
-    return 1
-  fi
-  echo ${new_version}
+  echo "${new_version}"
 }