From 29f51dc30dfef564147ecd0555ac53f24bb7c1e9 Mon Sep 17 00:00:00 2001
From: Edward Hyunkoo Jee
Date: Wed, 25 Apr 2018 21:09:00 -0700
Subject: keygeneration: add --no-pk option for UEFI key generation

In case PK has been generated in HSM, no need to generate them in software.

BUG=b:62189155
TEST=See CL:*630434.
BRANCH=none

Change-Id: I2180b340e992b678e46920a1142d3b7101c8158f
Reviewed-on: https://chromium-review.googlesource.com/1071242
Commit-Ready: Edward Jee
Tested-by: Edward Jee
Reviewed-by: Mike Frysinger
---
 scripts/keygeneration/create_new_keys.sh           |  2 +-
 scripts/keygeneration/uefi/create_new_uefi_keys.sh | 40 ++++++++++++++--------
 2 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index a41140c8..7a68fe9f 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -177,7 +177,7 @@ main() {
 
   if [[ "${uefi_keys}" == "true" ]]; then
     mkdir -p uefi
-    "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh uefi
+    "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh --output uefi
   fi
 
   if [[ "${setperms}" == "true" ]]; then
diff --git a/scripts/keygeneration/uefi/create_new_uefi_keys.sh b/scripts/keygeneration/uefi/create_new_uefi_keys.sh
index 5a57b2f3..2e91b019 100755
--- a/scripts/keygeneration/uefi/create_new_uefi_keys.sh
+++ b/scripts/keygeneration/uefi/create_new_uefi_keys.sh
@@ -8,13 +8,18 @@ usage() {
   cat <
+Usage: ${PROG} [options]
 
 Generate key pairs for UEFI secure boot.
+
+Options:
+  --output  Where to write the keys (default is cwd).
+            The base name must be '.../uefi'.
+  --no-pk   Do not generate PK.
 EOF
   if [[ $# -ne 0 ]]; then
-    die "$*"
+    die "unknown option $*"
   else
     exit 0
   fi
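Review bot: The new `die "unknown option $*"` in usage() doubles the prefix, because the only caller that passes a message is the `*)` arm in main() (second hunk of this file), which already sends `"Unknown option: $1"`; an unknown flag now dies with "unknown option Unknown option: --foo". Keep the prefix in one place: either leave usage() at `die "$*"` or have the caller pass only the offending word, `usage "$1"`. The heredoc on the first context line appears truncated on this page (the `<<EOF` and the removed `Usage:` line are missing), so the hunk's old-side count cannot be verified here.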
@@ -23,28 +28,31 @@ EOF
 main() {
   set -e
 
+  local generate_pk="true"
+  local output_dir="${PWD}"
+
   while [[ $# -gt 0 ]]; do
     case $1 in
+    --output)
+      output_dir="$2"
+      shift
+      ;;
+    --no-pk)
+      info "Will not generate PK."
+      generate_pk="false"
+      ;;
     -h|--help)
       usage
       ;;
-    -*)
-      usage "Unknown option: $1"
-      ;;
     *)
-      break
+      usage "Unknown option: $1"
       ;;
     esac
+    shift
   done
 
-  if [[ $# -ne 1 ]]; then
-    usage "Missing output directory"
-  fi
-
-  local dir="$1"
-
-  check_uefi_key_dir_name "${dir}"
-  pushd "${dir}" >/dev/null || die "Wrong output directory name"
+  check_uefi_key_dir_name "${output_dir}"
+  pushd "${output_dir}" >/dev/null || die "Wrong output directory name"
 
   if [[ ! -e "${UEFI_VERSION_FILE}" ]]; then
     echo "No version file found. Creating default ${UEFI_VERSION_FILE}."
@@ -59,7 +67,9 @@ main() {
   db_key_version=$(get_uefi_version "db_key_version")
   db_child_key_version=$(get_uefi_version "db_child_key_version")
 
-  make_pk_keypair "${pk_key_version}"
+  if [[ "${generate_pk}" == "true" ]]; then
+    make_pk_keypair "${pk_key_version}"
+  fi
   make_kek_keypair "${kek_key_version}"
   make_db_keypair "${db_key_version}"
   make_db_child_keypair "${db_key_version}" "${db_child_key_version}"
-- 
cgit v1.2.1
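Review bot: The new `--output)` arm assigns `output_dir="$2"` without checking that an argument was supplied, so `create_new_uefi_keys.sh --output` as the last word sets an empty directory and falls through to `check_uefi_key_dir_name ""` and `pushd ""`, whose failure mode is not visible in this hunk; the `shift` after the assignment also silently swallows a following flag when `--output` is given with no value. Guard the arm before the assignment, `[[ -n "${2:-}" ]] || die "--output requires a directory argument"`. The body of main() continues past the end of this hunk.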
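Review bot: The new conditional around `make_pk_keypair` carries no explanation of why PK generation is optional while KEK and db are not, and the reason is only in the commit message. Add a comment above the `if`, such as `# PK is skipped with --no-pk when it was generated externally (e.g. in an HSM); KEK/db/db_child are always generated here.` Note that `pk_key_version` is still read from the version file (outside this hunk) even when the PK is skipped, which is harmless but worth stating in the same comment so nobody "fixes" it. main() continues past the end of this hunk.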