From 4f36ef336036e01b0bd2b395dd55e15db0267266 Mon Sep 17 00:00:00 2001 From: Bill Richardson Date: Mon, 9 Aug 2010 17:50:14 -0700 Subject: Changes to allow user-signed kernels to be generated. Make vbutil_keyblock handle unsigned blocks. Also enable --unpack option and add tests for it. Modify vbutil_kernel to allow unsigned keyblocks, correct usage message, and fix the --debug option which was somehow disabled. Update load_kernel_test to accept /dev/null for the public key, to test non-signed kernel keyblocks. Review URL: http://codereview.chromium.org/3124004 --- utility/dev_make_keypair | 82 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100755 utility/dev_make_keypair (limited to 'utility/dev_make_keypair') diff --git a/utility/dev_make_keypair b/utility/dev_make_keypair new file mode 100755 index 00000000..5506b45f --- /dev/null +++ b/utility/dev_make_keypair @@ -0,0 +1,82 @@ +#!/bin/bash -e +# Copyright (c) 2010 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. +# + +# Check args first. +if [ "$#" -lt "1" ]; then + cat <&2 + +Usage: ${0##*/} BASENAME [ALG] + +This creates BASENAME.vbpubk and BASENAME.vbprivk pairs for use in signing +developer files. This also creates a BASENAME.keyblock file containing the +BASENAME.vbpubk, which can be used to sign a developer kernel. + +If specified, ALG is one of: + + 0 = RSA1024 with SHA1 + 1 = RSA1024 with SHA256 + 2 = RSA1024 with SHA512 + 3 = RSA2048 with SHA1 + 4 = RSA2048 with SHA256 + 5 = RSA2048 with SHA512 + 6 = RSA4096 with SHA1 + 7 = RSA4096 with SHA256 + 8 = RSA4096 with SHA512 + 9 = RSA8192 with SHA1 + 10 = RSA8192 with SHA256 + 11 = RSA8192 with SHA512 + +If ALG is not specified, a default value will be used. + +EOF + exit 1 +fi + + +# Compute the key length assuming the sizes shown above. +function alg_to_keylen { + echo $(( 1 << (10 + ($1 / 3)) )) +} + +# Emit .vbpubk and .vbprivk using given basename and algorithm. +function make_pair { + local base=$1 + local alg=$2 + local len=$(alg_to_keylen $alg) + + # make the RSA keypair + openssl genrsa -F4 -out "${base}_${len}.pem" $len + # create a self-signed certificate + openssl req -batch -new -x509 -key "${base}_${len}.pem" \ + -out "${base}_${len}.crt" + # generate pre-processed RSA public key + dumpRSAPublicKey "${base}_${len}.crt" > "${base}_${len}.keyb" + + # wrap the public key + vbutil_key \ + --pack "${base}.vbpubk" \ + --key "${base}_${len}.keyb" \ + --version 1 \ + --algorithm $alg + + # wrap the private key + vbutil_key \ + --pack "${base}.vbprivk" \ + --key "${base}_${len}.pem" \ + --algorithm $alg + + # remove intermediate files + rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb" +} + +# First create the .vbpubk and .vbprivk pair. +make_pair "$1" "${2:-4}" + +# Now create a .vblock to hold our .vbpubk. Since it's for developer use, it +# won't be signed, just checksummed. Developer kernels can only be run in +# non-recovery mode with the developer switch enabled, but it won't hurt us to +# turn on all the flags bits anyway. +vbutil_keyblock --pack "$1.keyblock" --datapubkey "$1.vbpubk" --flags 15 -- cgit v1.2.1