path: root/scripts/keygeneration
Commit message | Author | Age | Files | Lines
* Deal with Android's new networkstack key
  Author: Victor Hsieh | Date: 2020-10-08 | Files: 1 | Lines: -3/+3

  BUG=b:170156734
  TEST=run signing script locally
  BRANCH=None

  Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
  Change-Id: I4f045729241b479b56fef5687b721b5b59c2eed8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2450551
  Reviewed-by: George Engelbrecht <engeg@google.com>
* keygeneration: psp verstagebl: refactor key gen & csr generation
  Author: Mike Frysinger | Date: 2020-09-09 | Files: 1 | Lines: -32/+70

  We want to separate the stages of creating the key & using the key as our HSM tools use different commands for these. This also means we no longer need a passphrase at all.

  BUG=b:166095736
  TEST=ran script before & after and made sure output (largely) looked the same
  BRANCH=None

  Change-Id: Id488789f83c21ffb6263489e3c22531878ceb1f2
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2391219
  Reviewed-by: Furquan Shaikh <furquan@chromium.org>
* Add CSR generation script for signing PSP Verstage
  Author: Martin Roth | Date: 2020-09-03 | Files: 1 | Lines: -0/+103

  This script is based on previous key generation scripts and on the AMD document describing their recommendations.

  BUG=b:166095736
  TEST=Generate keys of different sizes with different passphrases in various directories.

  Change-Id: I76a31f5d592d233282c145a9a4ce5220a2d597d8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2380612
  Tested-by: Martin Roth <martinroth@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* inclusive: change usage of sanity
  Author: Daisuke Nojiri | Date: 2020-08-19 | Files: 1 | Lines: -2/+2

  Google is working to change its source code to use more inclusive language. To that end, replace the term "sanity" with inclusive alternatives.

  BUG=b:163883397
  BRANCH=None
  TEST=grep -ir sanity
  TEST=make runtests

  Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
  Change-Id: I708a044d89050c442f14fb11a8ae5e98490d56af
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353420
  Reviewed-by: Julius Werner <jwerner@chromium.org>
* trivial: fix spelling in add_loem_keys.sh
  Author: George Engelbrecht | Date: 2020-05-29 | Files: 1 | Lines: -1/+1

  ...also inflate my personal CL stats.

  BUG=None
  TEST=None
  BRANCH=master

  Signed-off-by: George Engelbrecht <engeg@chromium.org>
  Change-Id: I4af2d8b2aa42b4e6d4d4ea36a6ca73a340aa4814
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2220336
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Tested-by: George Engelbrecht <engeg@google.com>
  Auto-Submit: George Engelbrecht <engeg@google.com>
* keygeneration: add helper for generating update payload keys
  Author: Mike Frysinger | Date: 2020-01-24 | Files: 1 | Lines: -0/+8

  We don't use this anywhere as we've only ever generated one key so far. But we never wrote this down, so this is more documentation.

  BUG=None
  TEST=ran the code manually
  BRANCH=None

  Change-Id: Ia9a318c686b1ad7ab1de31899b49ce73a4d5ad9f
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1947554
  Reviewed-by: George Engelbrecht <engeg@google.com>
* keygeneration: default to RSA4096 keys.
  Author: LaMont Jones | Date: 2019-06-28 | Files: 2 | Lines: -9/+28

  We are leaving the --4k options since they are (now) no-ops, and existing users of the script may be passing them. Since they are the default, we want to discourage their use, so they are not documented.

  BUG=b:135130152
  TEST=Unit tests pass
  BRANCH=None

  Change-Id: I1d73496f45ac0e04657149d438434a33e0e8569b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1680641
  Tested-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: LaMont Jones <lamontjones@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Auto-Submit: LaMont Jones <lamontjones@chromium.org>
* create_new_android_keys: fix typo.
  Author: LaMont Jones | Date: 2019-06-19 | Files: 1 | Lines: -1/+1
  Refs: stabilize-kukui-12285.B

  BUG=None
  TEST=manually verified.
  BRANCH=None

  Change-Id: I65467d56409bcf608e9c59aa0759e820d11507ed
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1667537
  Tested-by: LaMont Jones <lamontjones@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: LaMont Jones <lamontjones@chromium.org>
* Support signing Android APKs with apksigner
  Author: Victor Hsieh | Date: 2019-06-05 | Files: 1 | Lines: -5/+18

  * To enable, use --use_apksigner.
  * Drop signature schemes that we don't really need.
  * Supports key rotation. In this case, the signing lineage will be honored if the file exists next to the keys.
  * Update key generation script to auto generate the signing lineage.

  TEST=the script runs successfully with and without the flag
  TEST=`apksigner lineage --print-certs -v -in foo.apk` shows correct rotation info
  TEST=keygeneration/create_new_android_keys.sh --rotate-from old new
  BUG=None
  BRANCH=None

  Change-Id: Ic7b7b0ed4ea707a748dc42a1f39d6eb79d53cf1b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1643411
  Tested-by: Victor Hsieh <victorhsieh@chromium.org>
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: Victor Hsieh <victorhsieh@chromium.org>
* accessory: script to generically generate accessory keys
  Author: Nick Sanders | Date: 2018-09-10 | Files: 6 | Lines: -81/+1
  Refs: stabilize-jetstream-11056.B

  All accessories leverage the key format of Hammer therefore this script calls Hammer's one to generate a key pair and renames them. The key name isn't referenced by the signer anymore, so we will name them all "hammerlike".

  BUG=chromium:859269
  TEST=Run this script in the chroot.
  BRANCH=None

  Change-Id: Iba35b03e59216e96a99f8aa471b660f3805c1f23
  Reviewed-on: https://chromium-review.googlesource.com/1205636
  Commit-Ready: Nick Sanders <nsanders@chromium.org>
  Tested-by: Nick Sanders <nsanders@chromium.org>
  Reviewed-by: Marco Chen <marcochen@chromium.org>
  Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* nocturne-fp: copypasta script to generate keypair for signing FW
  Author: Nick Sanders | Date: 2018-07-02 | Files: 1 | Lines: -0/+16

  All accessories leverage the key format of Hammer therefore this script calls Hammer's one to generate a key pair and renames them.

  BUG=b:110880196
  TEST=Run this script in the chroot.
  BRANCH=None

  Change-Id: I955f28fbe2c1dab1b5f76672c34e6022660a77ed
  Reviewed-on: https://chromium-review.googlesource.com/1121632
  Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
  Tested-by: Nick Sanders <nsanders@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: make the certificates valid for 10 years
  Author: Edward Hyunkoo Jee | Date: 2018-06-06 | Files: 1 | Lines: -3/+3
  Refs: firmware-nami-10775.B, firmware-nami-10775.130.B, firmware-nami-10775.108.B

  UEFI firmware implementations are unlikely to validate the "days". However we'd better specify a reasonable value. We learned that setting the "days" argument to a large number can cause unexpected results due to overflow. GCE team has decided to set this value as 10 years.

  BUG=b:62189155
  TEST=None
  BRANCH=none

  Change-Id: If0375251b41e9584708355a6fd32192aa5ad0c1a
  Reviewed-on: https://chromium-review.googlesource.com/1088165
  Commit-Ready: Edward Jee <edjee@google.com>
  Tested-by: Edward Jee <edjee@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: add --no-pk option for UEFI key generation
  Author: Edward Hyunkoo Jee | Date: 2018-05-29 | Files: 2 | Lines: -16/+26
  Refs: stabilize-nocturne.10736.B, stabilize-atlas.10736.B

  In case PK has been generated in HSM, no need to generate them in software.

  BUG=b:62189155
  TEST=See CL:*630434.
  BRANCH=none

  Change-Id: I2180b340e992b678e46920a1142d3b7101c8158f
  Reviewed-on: https://chromium-review.googlesource.com/1071242
  Commit-Ready: Edward Jee <edjee@google.com>
  Tested-by: Edward Jee <edjee@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: clean up for UEFI key generation code
  Author: Edward Hyunkoo Jee | Date: 2018-04-25 | Files: 6 | Lines: -46/+80

  Follow up the code review comments on CL:995174, which was merged as 7dff0105d66fa597741604cf1652a72c7a8463ac ("keygeneration: add support for UEFI key generation")

  BUG=b:62189155
  TEST=With CL:*613656, set up a local signer and tested key generation and signing. Also, manually ran the scripts like the following.
  $ export PATH=$(readlink -f ../../../cros-signing/signer/signingtools-bin):$PATH
  $ cd scripts/keygeneration && ./create_new_keys.sh --uefi --output ./key
  $ chmod -R u+w key/uefi
  $ ./uefi/increment_kek_key.sh key/uefi
  $ ./uefi/increment_kek_key.sh key/uefi
  $ ./uefi/increment_db_child_key.sh key/uefi
  $ ./uefi/increment_db_child_key.sh key/uefi
  $ ./uefi/increment_db_child_key.sh key/uefi
  $ ./uefi/increment_db_key.sh key/uefi
  $ ./uefi/increment_db_child_key.sh key/uefi
  $ ./uefi/increment_db_key.sh key/uefi
  $ ./uefi/increment_db_child_key.sh key/uefi
  $ ./uefi/increment_db_child_key.sh key/uefi
  $ openssl x509 -noout -subject -in key/uefi/db/db.children/db_child.pem
  BRANCH=none

  Change-Id: I6c0cd47914a0a77970cd074fe087bba33c16cffc
  Reviewed-on: https://chromium-review.googlesource.com/1024918
  Commit-Ready: Edward Jee <edjee@google.com>
  Tested-by: Edward Jee <edjee@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: drop board name from UEFI key generation scripts
  Author: Edward Hyunkoo Jee | Date: 2018-04-25 | Files: 7 | Lines: -48/+25

  Follow up the code review comments on CL:995174, which was merged as 7dff0105d66fa597741604cf1652a72c7a8463ac ("keygeneration: add support for UEFI key generation")

  BUG=b:62189155
  TEST=See the following commit.
  BRANCH=none

  Change-Id: Id642029010e4eea51ec1f7d23240678f3f07e872
  Reviewed-on: https://chromium-review.googlesource.com/1024917
  Commit-Ready: Edward Jee <edjee@google.com>
  Tested-by: Edward Jee <edjee@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* whiskers: Add script to generate keypair for signing FW
  Author: Patrick Berny | Date: 2018-04-20 | Files: 1 | Lines: -0/+16

  Whiskers decided to leverage the key format of Hammer therefore this script calls Hammer's one to generate a key pair and renames them to key_whiskers*.

  BUG=b:78254017
  TEST=Run this script in the chroot and verify the generated key pair.
  BRANCH=None

  Change-Id: Iae7097a3b2da1b134fa1a986c669704bbbaca4e9
  Reviewed-on: https://chromium-review.googlesource.com/1018591
  Commit-Ready: Patrick Berny <pberny@chromium.org>
  Tested-by: Patrick Berny <pberny@chromium.org>
  Reviewed-by: Jason Clinton <jclinton@chromium.org>
  Reviewed-by: Bob Moragues <moragues@chromium.org>
* keygeneration: add support for UEFI key generation
  Author: Edward Hyunkoo Jee | Date: 2018-04-18 | Files: 7 | Lines: -0/+503

  BUG=b:62189155
  TEST=With CL:*601769, set up a local signer and tested key generation and signing. Also, manually ran the scripts like the following.
  $ export PATH=$(readlink -f ../../../cros-signing/signer/signingtools-bin):$PATH
  $ cd scripts/keygeneration && ./create_new_keys.sh --uefi --board lakitu --output ./key
  $ ./uefi/increment_kek_key.sh key/uefi lakitu
  $ ./uefi/increment_kek_key.sh key/uefi lakitu
  $ ./uefi/increment_db_child_key.sh key/uefi lakitu
  $ ./uefi/increment_db_child_key.sh key/uefi lakitu
  $ ./uefi/increment_db_child_key.sh key/uefi lakitu
  $ ./uefi/increment_db_key.sh key/uefi lakitu
  $ ./uefi/increment_db_child_key.sh key/uefi lakitu
  $ ./uefi/increment_db_key.sh key/uefi lakitu
  $ ./uefi/increment_db_child_key.sh key/uefi lakitu
  $ ./uefi/increment_db_child_key.sh key/uefi lakitu
  $ openssl x509 -noout -subject -in key/uefi/db.children/db_child.pem
  BRANCH=none

  Change-Id: I9276269a2a66c57f4e99deafec3b90d6cbf52244
  Reviewed-on: https://chromium-review.googlesource.com/995174
  Commit-Ready: Edward Jee <edjee@google.com>
  Tested-by: Edward Jee <edjee@google.com>
  Reviewed-by: Jason Clinton <jclinton@chromium.org>
* Add a script to generate a keypair for signing wand firmware.
  Author: Marco Chen | Date: 2018-04-02 | Files: 1 | Lines: -0/+16

  Wand decided to leverage the key format of Hammer therefore this script calls Hammer's one to generate a key pair and renames them to key_wand*.

  BUG=b:73799441
  TEST=Run this script in the chroot and verify the generated key pair.
  BRANCH=None

  Change-Id: Id2749d78e0632bee66c09c4ee7aa1930534157b7
  Reviewed-on: https://chromium-review.googlesource.com/991532
  Commit-Ready: Marco Chen <marcochen@chromium.org>
  Tested-by: Marco Chen <marcochen@chromium.org>
  Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
* EFS: Add key generator for EC EFS
  Author: Daisuke Nojiri | Date: 2017-10-27 | Files: 1 | Lines: -0/+16

  This patch adds a script which generates a key pair for signing & verifying EC-RW copies.

  BUG=b:66956286
  BRANCH=none
  TEST=Verify the script generates indented key pair

  Change-Id: Ia5aff7130587d4f1e18bcdfa514a953caa0cf183
  Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/731824
  Reviewed-by: C Shapiro <shapiroc@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* Add a script to generate a keypair for signing Staff RW firmware.
  Author: Marco Chen | Date: 2017-10-03 | Files: 4 | Lines: -104/+89

  Staff decided to leverage the key format of Hammer therefore this script calls Hammer's one to generate a key pair and renames them to key_staff*.

  BUG=b:66889892
  TEST=Run this script in the chroot and verify the generated key pair.
  BRANCH=None

  Change-Id: I73162efaba47a8c08336805130ced0be25ab262a
  Reviewed-on: https://chromium-review.googlesource.com/688522
  Commit-Ready: Marco Chen <marcochen@chromium.org>
  Tested-by: Marco Chen <marcochen@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: keyset_version_check.sh: support loem keysets
  Author: Mike Frysinger | Date: 2017-09-29 | Files: 1 | Lines: -7/+37
  Refs: stabilize-9998.B

  BUG=None
  TEST=ran against local devkeys
  BRANCH=None

  Change-Id: Ib1c88ae187f12aad4531e9c22da6cda2af1503e3
  Reviewed-on: https://chromium-review.googlesource.com/691340
  Commit-Ready: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: David Riley <davidriley@chromium.org>
* keygeneration: keyset_version_check.sh: fix indentation
  Author: Mike Frysinger | Date: 2017-09-29 | Files: 1 | Lines: -30/+31

  BUG=None
  TEST=ran against local devkeys
  BRANCH=None

  Change-Id: I76470e18ea2e66f6abb5a912c4055fc245cedc8a
  Reviewed-on: https://chromium-review.googlesource.com/691339
  Commit-Ready: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: David Riley <davidriley@chromium.org>
* Add a script to generate a keypair for signing Rose RW firmware.
  Author: Marco Chen | Date: 2017-06-12 | Files: 1 | Lines: -0/+66

  Rose decided to leverage the key format of Hammer therefore this script calls Hammer's one to generate a key pair and renames them to key_rose*.

  BUG=b:37693819
  TEST=None
  BRANCH=None

  Change-Id: I1f31afe89a00895434a169401ab76b594ad0a403
  Reviewed-on: https://chromium-review.googlesource.com/529504
  Commit-Ready: Wei-Ning Huang <wnhuang@chromium.org>
  Tested-by: Marco Chen <marcochen@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: make helper script executable
  Author: Mike Frysinger | Date: 2017-06-10 | Files: 1 | Lines: -0/+0

  BUG=b:35587169
  TEST=None
  BRANCH=None

  Change-Id: I2098f39dd17893c5e30ed495eaa87935efbcb0ee
  Reviewed-on: https://chromium-review.googlesource.com/526613
  Commit-Ready: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: Marco Chen <marcochen@chromium.org>
* Add a script to generate a keypair for signing accessory RW firmware.
  Author: Marco Chen | Date: 2017-06-06 | Files: 1 | Lines: -0/+66
  Refs: firmware-twinkie-9628.B

  BUG=b:35587169
  TEST=None
  BRANCH=None

  Change-Id: Ibb309c34ca22d30138cb62d698eafb6ee77add8c
  Reviewed-on: https://chromium-review.googlesource.com/520368
  Commit-Ready: Marco Chen <marcochen@chromium.org>
  Tested-by: Marco Chen <marcochen@chromium.org>
  Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: add some output helpers
  Author: Mike Frysinger | Date: 2017-06-01 | Files: 4 | Lines: -13/+35

  These use the same forms as in other shell projects in CrOS.

  BUG=b:35587169
  TEST=ran create_new_android_keys.sh and new output works
  BRANCH=None

  Change-Id: Id75fd77203795d7837537f12ab948376a7ad105e
  Reviewed-on: https://chromium-review.googlesource.com/520786
  Commit-Ready: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
* keygeneration: create_new_keys: add key-name/output options
  Author: Mike Frysinger | Date: 2016-09-22 | Files: 2 | Lines: -2/+37

  We use these features on the signer, so move the logic here so it's in the public code.

  BUG=None
  TEST=`./create_new_keys.sh --key-name hihya --output foo --android` worked
  BRANCH=None

  Change-Id: I85d6fdbafd99a1b94bc90e26cbc17ba801614914
  Reviewed-on: https://chromium-review.googlesource.com/388673
  Reviewed-by: David Riley <davidriley@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: add --android option to generate keys
  Author: Mike Frysinger | Date: 2016-09-20 | Files: 2 | Lines: -3/+30

  BUG=b:29915721
  TEST=`./create_new_keys.sh --android` includes android keys
  BRANCH=None

  Change-Id: Ibb00b87921435ac5b70a297324ddf60563dc08d8
  Reviewed-on: https://chromium-review.googlesource.com/386905
  Reviewed-by: Victor Hsieh <victorhsieh@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* Add script to sign Android image
  Author: Victor Hsieh | Date: 2016-08-15 | Files: 1 | Lines: -0/+63

  sign_android_image.sh is the main script that signs the image. It makes similar changes to an image like the Android official signing tool (sign_target_files_apks.py) does, but more Chrome OS specific.

  TEST=./sign_official_build.sh recovery recovery_image.bin \
       ../../tests/devkeys/ out_img
  TEST=Same above but with a recovery image without Android image. Android signing was skipping.
  TEST=Same above but with a M53 image. Android signing was skipped.
  TEST=Unpack the image and diff the before and after. Looks correct.
  BUG=b:29915721

  Change-Id: I0ae5f0ad8d2b05e485d60262558517ea563bf527
  Reviewed-on: https://chromium-review.googlesource.com/366794
  Commit-Ready: Victor Hsieh <victorhsieh@chromium.org>
  Tested-by: Victor Hsieh <victorhsieh@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: fix some portability aspects
  Author: Mike Frysinger | Date: 2015-09-08 | Files: 1 | Lines: -3/+5

  The "function" keyword is not portable -- use the normal function style.

  The awk command uses a non-portable regex (the word anchor \>). Rework it to avoid regexes entirely.

  BUG=chromium:475101
  TEST=keyset_version_check.sh works on a POSIX system
  BRANCH=None

  Change-Id: I5446f63aa9181d06da1898aafb8fab17f5042989
  Reviewed-on: https://chromium-review.googlesource.com/296562
  Commit-Ready: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: David Riley <davidriley@chromium.org>
* add_loem_keys: new helper for quickly creating loem keys
  Author: Mike Frysinger | Date: 2015-04-15 | Files: 1 | Lines: -0/+84

  This is largely geared for testing for quickly creating a set of loem keys.

  BUG=chromium:381862
  TEST=`./add_loem_keys.sh 0` converted an existing keyset to a loem keyset
  TEST=`./add_loem_keys.sh 3` added three more keysets
  TEST=ran sign_official_build.sh with new keysets against a recovery.bin
  BRANCH=none

  Change-Id: I598b7a453b747a231df850657df50bede01768c2
  Reviewed-on: https://chromium-review.googlesource.com/203940
  Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
* keygeneration: fix typos in previous commit
  Author: Mike Frysinger | Date: 2015-02-03 | Files: 1 | Lines: -9/+9

  Forgot to update the bitsizes in the variable constants.

  BUG=chromium:454651
  TEST=`./create_new_keys.sh` still generates 8k keys
  TEST=`./create_new_keys.sh --4k` now generates 4k keys
  BRANCH=None

  Change-Id: Ie285649f4d58ad2e2cba71f4cab737cc2235e3ab
  Reviewed-on: https://chromium-review.googlesource.com/245890
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* create_new_keys: add options for generating 4k keys
  Author: Mike Frysinger | Date: 2015-02-03 | Files: 2 | Lines: -28/+59

  BUG=chromium:454651
  TEST=`./create_new_keys.sh` still generates 8k keys
  TEST=`./create_new_keys.sh --4k` now generates 4k keys
  BRANCH=None

  Change-Id: I2203536880b9320959fd741c4bbcf814aded603c
  Reviewed-on: https://chromium-review.googlesource.com/245318
  Reviewed-by: Bill Richardson <wfrichar@chromium.org>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* create_new_keys: add a proper main func
  Author: Mike Frysinger | Date: 2015-02-03 | Files: 1 | Lines: -61/+95
  Refs: stabilize-6752.B

  While we do this, clean up:
  - use braces everywhere
  - convert local vars from $VAR to $var
  - parse all command line args properly
  - run in `set -e` mode

  BUG=chromium:454651
  TEST=`./create_new_keys.sh` still generates sane keys
  TEST=`./create_new_keys.sh --help` shows help output
  TEST=`./create_new_keys.sh --asdfasdf` shows an error
  TEST=`./create_new_keys.sh` outside chroot (w/out vboot binaries) aborts after first failure
  BRANCH=None

  Change-Id: I1ba0db0b24c0f2f10cf397b47115f0e98384d991
  Reviewed-on: https://chromium-review.googlesource.com/245317
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* keygeneration: Add a script to sanity check versions for a keyset
  Author: Gaurav Shah | Date: 2014-08-26 | Files: 1 | Lines: -0/+87

  Add a script that runs sanity checks on the versions in a keyset. In particular, tests whether the actual key versions match those in key.versions. Also runs consistency checks (for example: firmware version should match kernel subkey version).

  BUG=none
  TEST=run on all of our keysets
  BRANCH=none

  Change-Id: I5b509ba33127364f6b63252ad167646eb7dce710
  Reviewed-on: https://chromium-review.googlesource.com/190790
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Tested-by: Gaurav Shah <gauravsh@chromium.org>
* create_new_keys: drop redundant settings
  Author: Mike Frysinger | Date: 2014-06-17 | Files: 2 | Lines: -12/+2

  The common.sh file already defines these variables/funcs, so drop them.

  BUG=chromium:381862
  TEST=`./create_new_keys.sh` created new keys correctly
  BRANCH=none

  Change-Id: Ie7f0f683d4971c188d4629b520938b4b65bb0a9f
  Reviewed-on: https://chromium-review.googlesource.com/203685
  Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* Remove +x permissions from source files.
  Author: Bill Richardson | Date: 2013-02-05 | Files: 1 | Lines: -0/+0

  There's no need to give execute permissions to files that aren't supposed to be executed.

  BUG=none
  BRANCH=none
  TEST=manual
  make runtests

  Change-Id: I2480b97b39124e98c2f639d56be54cadfdc17f9b
  Signed-off-by: Bill Richardson <wfrichar@chromium.org>
  Reviewed-on: https://gerrit.chromium.org/gerrit/42648
  Reviewed-by: Randall Spangler <rspangler@chromium.org>
* Key increment scripts: fix incrementing keys not in $PWD
  Author: Mike Frysinger | Date: 2012-10-16 | Files: 5 | Lines: -4/+10

  Part of the recent rewrite dropped changing of the active dir to ${KEY_DIR}. Meant the scripts needed to be run inside of the key dir since not all functions take the key dir as an argument but instead assume they're in ${PWD}.

  BUG=None
  TEST=Ran increment_kernel_subkey_and_key_mp.sh and saw it work
  BRANCH=None

  Change-Id: Icbc02f123e999d186d9c40fd16528a134397699e
  Reviewed-on: https://gerrit.chromium.org/gerrit/35803
  Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
  Commit-Ready: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* Do not create the kernel data keys.
  Author: Kris Rambish | Date: 2012-09-19 | Files: 1 | Lines: -3/+1

  BUG=None
  TEST=Ran it
  BRANCH=None

  Change-Id: Ib494c64d81c4ee80991a01b2172c7c47b60d5658
  Reviewed-on: https://gerrit.chromium.org/gerrit/33659
  Tested-by: Kris Rambish <krisr@chromium.org>
  Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
* Add scripts to increment single fm/kernel keys.
  Author: Kris Rambish | Date: 2012-09-18 | Files: 5 | Lines: -77/+263
  Refs: factory-2914.B

  For firmware and kernel key increment testing we need to be able to rev only particular keys and verify an autoupdate works.

  BUG=None
  TEST=Ran it
  BRANCH=None

  Change-Id: Ic814480b4bf8fbc994132fcd7ba519c3be9b0ccd
  Reviewed-on: https://gerrit.chromium.org/gerrit/32458
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Ready: Kris Rambish <krisr@chromium.org>
  Tested-by: Kris Rambish <krisr@chromium.org>
* Key increment script: Preserve extension and take the target keyset directory
  Author: Gaurav Shah | Date: 2012-09-06 | Files: 1 | Lines: -8/+22

  First, preserve extensions for the backed up keys (and keyblocks). Useful since our wrapping scripts look at the extension in deciding what needs wrapping.

  Second, instead of having to run the script from within a keyset directory, take the keyset path as an argument and increment the versions for the keys in there.

  BUG=chrome-os-partner:13748
  TEST=ran on devkeys
  BRANCH=none

  Change-Id: I9e8c3e58149e5cb4cd5557521e047e25c06b0cd6
  Reviewed-on: https://gerrit.chromium.org/gerrit/32417
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Tested-by: Gaurav Shah <gauravsh@chromium.org>
* Create vbutil_ec tool for signing EC firmware.
  Author: Bill Richardson | Date: 2012-05-04 | Files: 2 | Lines: -6/+12

  This just adds the vbutil_ec tool (and a simple test of the library functions related to it).

  BUG=chrome-os-partner:7459, chromium-os:27142
  TEST=manual
  make
  make runtests

  Change-Id: I2a2c4e7cfb8ac6ce2229c5de4252a5cc89321fa5
  Reviewed-on: https://gerrit.chromium.org/gerrit/21868
  Commit-Ready: Bill Richardson <wfrichar@chromium.org>
  Tested-by: Bill Richardson <wfrichar@chromium.org>
  Reviewed-by: Stefan Reinauer <reinauer@google.com>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* Create default key.versions file if none exist
  Author: Gaurav Shah | Date: 2012-04-16 | Files: 2 | Lines: -4/+5

  Also remove the default checked in key.versions.

  BUG=none
  TEST='rm key.versions && ./create_new_keys.sh; ./create_new_keys.sh'

  Change-Id: Ia46d411904cb67bcefdbf73524f506e5b2336875
  Reviewed-on: https://gerrit.chromium.org/gerrit/20253
  Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
  Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
  Tested-by: Gaurav Shah <gauravsh@chromium.org>
* Make dev firmware keyblock/data key generation and use optional
  Author: Gaurav Shah | Date: 2011-11-22 | Files: 1 | Lines: -3/+16

  For key generation, only generate dev firmware keyblocks, if the --devkeyblock option is passed. For signing, re-use normal firmware keyblock and data key if no dev keyblocks or data key are found in the keyset directory.

  BUG=chrome-os-partner:6942
  TEST=manual
  - tested key generation with/without the new flag
  - tested signing with or without the presence of dev keyblock

  Change-Id: Ic4bf72cb194461e07fcc0f6de39d4e16d1c979a6
  Reviewed-on: https://gerrit.chromium.org/gerrit/12038
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
  Tested-by: Gaurav Shah <gauravsh@chromium.org>
  Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
* create_new_keys.sh uses key versions file
  Author: Randall Spangler | Date: 2011-05-04 | Files: 1 | Lines: -5/+21

  BUG=chromium-os:14904
  TEST=manual:
  ./create_new_keys.sh
  verify that keys are created
  edit key.versions to change versions to 10 20 30 40
  ./create_new_keys.sh
  verify that keys are created with versions from the file

  Change-Id: I459018267883557237ab4cc0de9b443242739346
* Add a script to increment kernel subkey and data key.
  Author: Gaurav Shah | Date: 2011-04-12 | Files: 4 | Lines: -22/+127

  When we do perform firmware updates, we'd like to change the kernel subkey to ensure that new firmware and Chrome OS image stay in sync. This CL adds a script which makes it possible to do this revving in an automated manner. The current versions rollback versions corresponding to the keyset are stored in key.versions. If we change the kernel subkey (to enforce firmware/Chrome OS lockstep), we must also update the firmware version. Similarly, since we modify the kernel subkey, we also generate a new set of kernel data keys. Thus, we also increment the kernel key version.

  Change-Id: I364ab50bda115991dd4f69331d37291f66abbf36
  BUG=chrome-os-partner:3274, chromium-os:8016
  TEST=Manually tested using a newly generated keyset.

  Review URL: http://codereview.chromium.org/6824059
* Add support for using separate developer firmware keyblock while signing.
  Author: Gaurav Shah | Date: 2011-03-02 | Files: 4 | Lines: -0/+207

  Also re-factor the key generation script to its own directory, including wrappers for generating key pairs and keyblocks without needing to start keyset generation process from scratch. (Useful for generating new kernel keyblocks, and for retroactively adding new keys to an existing keyset - as in this case).

  Finally, change hard coded algorithm ids and keyblock modes to bash variables, for each changes and telling keyset configuration from a glance.

  BUG=chrome-os-partner:2218
  TEST=manually tried the following:
  1) Generating an entire new keyset.
  2) Generating a new key pair and creating a keyblock from an existing key (for generating dev firmware keyblock for existing PVT keysets)
  3) Firmware signing via sign_official_build.sh of an image with a firmware payload/

  Change-Id: I4e9bb96ac7e5fe4cc0d95af6162ad6d37bbd4bda
  Review URL: http://codereview.chromium.org/6594131