| OLD | NEW |
|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Helper script that generates the signed kernel image | 7 # Helper script that generates the signed kernel image |
| 8 | 8 |
| 9 . "$(dirname "$0")/common.sh" | 9 . "$(dirname "$0")/common.sh" |
| 10 | 10 |
| 11 get_default_board | 11 get_default_board |
| 12 | 12 |
| 13 # Flags. | 13 # Flags. |
| 14 DEFINE_string arch "x86" \ | 14 DEFINE_string arch "x86" \ |
| 15 "The boot architecture: arm or x86. (Default: x86)" | 15 "The boot architecture: arm or x86. (Default: x86)" |
| 16 DEFINE_string to "/tmp/vmlinuz.image" \ | 16 DEFINE_string to "/tmp/vmlinuz.image" \ |
| 17 "The path to the kernel image to be created. (Default: /tmp/vmlinuz.image)" | 17 "The path to the kernel image to be created. (Default: /tmp/vmlinuz.image)" |
| 18 DEFINE_string vmlinuz "vmlinuz" \ | 18 DEFINE_string vmlinuz "vmlinuz" \ |
| 19 "The path to the kernel (Default: vmlinuz)" | 19 "The path to the kernel (Default: vmlinuz)" |
| 20 DEFINE_string working_dir "/tmp/vmlinuz.working" \ | 20 DEFINE_string working_dir "/tmp/vmlinuz.working" \ |
| 21 "Working directory for in-progress files. (Default: /tmp/vmlinuz.working)" | 21 "Working directory for in-progress files. (Default: /tmp/vmlinuz.working)" |
| 22 DEFINE_boolean keep_work ${FLAGS_FALSE} \ | 22 DEFINE_boolean keep_work ${FLAGS_FALSE} \ |
| 23 "Keep temporary files (*.keyblock, *.vbpubk). (Default: false)" | 23 "Keep temporary files (*.keyblock, *.vbpubk). (Default: false)" |
| 24 DEFINE_string keys_dir "${SRC_ROOT}/platform/vboot_reference/tests/testkeys" \ | 24 DEFINE_string keys_dir "${SRC_ROOT}/platform/vboot_reference/tests/testkeys" \ |
| 25 "Directory with the signing keys. (Defaults to test keys)" | 25 "Directory with the RSA signing keys. (Defaults to test keys)" |
| 26 # Note, to enable verified boot, the caller would pass: | 26 # Note, to enable verified boot, the caller would pass: |
| 27 # --boot_args='dm="... /dev/sd%D%P /dev/sd%D%P ..." \ | 27 # --boot_args='dm="... /dev/sd%D%P /dev/sd%D%P ..." \ |
| 28 # --root=/dev/dm-0 | 28 # --root=/dev/dm-0 |
| 29 DEFINE_string boot_args "noinitrd" \ | 29 DEFINE_string boot_args "noinitrd" \ |
| 30 "Additional boot arguments to pass to the commandline (Default: noinitrd)" | 30 "Additional boot arguments to pass to the commandline (Default: noinitrd)" |
| 31 DEFINE_string root "/dev/sd%D%P" \ | 31 DEFINE_string root "/dev/sd%D%P" \ |
| 32 "Expected device root (Default: root=/dev/sd%D%P)" | 32 "Expected device root (Default: root=/dev/sd%D%P)" |
| 33 | 33 |
| 34 # Parse flags | 34 # Parse flags |
| 35 FLAGS "$@" || exit 1 | 35 FLAGS "$@" || exit 1 |
| (...skipping 22 matching lines...) Expand all Loading... |
| 58 ro | 58 ro |
| 59 noresume | 59 noresume |
| 60 noswap | 60 noswap |
| 61 i915.modeset=1 | 61 i915.modeset=1 |
| 62 loglevel=7 | 62 loglevel=7 |
| 63 cros_secure | 63 cros_secure |
| 64 ${FLAGS_boot_args} | 64 ${FLAGS_boot_args} |
| 65 EOF | 65 EOF |
| 66 WORK="${FLAGS_working_dir}/config.txt" | 66 WORK="${FLAGS_working_dir}/config.txt" |
| 67 | 67 |
| 68 # Wrap the public keys with VbPublicKey headers. | 68 |
| 69 # FIX: The .vbprivk files are not encrypted, so we shouldn't just leave them |
| 70 # lying around as a general thing. |
| 71 |
| 72 # Wrap the kernel data keypair, used for the kernel body |
| 69 vbutil_key \ | 73 vbutil_key \ |
| 70 --pack \ | 74 --pack "${FLAGS_working_dir}/kernel_data_key.vbpubk" \ |
| 71 --in "${FLAGS_keys_dir}/key_rsa2048.keyb" \ | 75 --key "${FLAGS_keys_dir}/key_rsa2048.keyb" \ |
| 72 --version 1 \ | 76 --version 1 \ |
| 73 --algorithm 4 \ | 77 --algorithm 4 |
| 74 --out "${FLAGS_working_dir}/key_alg4.vbpubk" | 78 WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbpubk" |
| 75 WORK="${WORK} ${FLAGS_working_dir}/key_alg4.vbpubk" | |
| 76 | 79 |
| 77 vbutil_key \ | 80 vbutil_key \ |
| 78 --pack \ | 81 --pack "${FLAGS_working_dir}/kernel_data_key.vbprivk" \ |
| 79 --in "${FLAGS_keys_dir}/key_rsa4096.keyb" \ | 82 --key "${FLAGS_keys_dir}/key_rsa2048.pem" \ |
| 83 --algorithm 4 |
| 84 WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbprivk" |
| 85 |
| 86 |
| 87 # Wrap the kernel subkey pair, used for the kernel's keyblock |
| 88 vbutil_key \ |
| 89 --pack "${FLAGS_working_dir}/kernel_subkey.vbpubk" \ |
| 90 --key "${FLAGS_keys_dir}/key_rsa4096.keyb" \ |
| 80 --version 1 \ | 91 --version 1 \ |
| 81 --algorithm 8 \ | 92 --algorithm 8 |
| 82 --out "${FLAGS_working_dir}/key_alg8.vbpubk" | 93 WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbpubk" |
| 83 WORK="${WORK} ${FLAGS_working_dir}/key_alg8.vbpubk" | |
| 84 | 94 |
| 95 vbutil_key \ |
| 96 --pack "${FLAGS_working_dir}/kernel_subkey.vbprivk" \ |
| 97 --key "${FLAGS_keys_dir}/key_rsa4096.pem" \ |
| 98 --algorithm 8 |
| 99 WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbprivk" |
| 100 |
| 101 |
| 102 # Create the kernel keyblock, containing the kernel data key |
| 85 vbutil_keyblock \ | 103 vbutil_keyblock \ |
| 86 --pack "${FLAGS_working_dir}/data4_sign8.keyblock" \ | 104 --pack "${FLAGS_working_dir}/kernel.keyblock" \ |
| 87 --datapubkey "${FLAGS_working_dir}/key_alg4.vbpubk" \ | 105 --datapubkey "${FLAGS_working_dir}/kernel_data_key.vbpubk" \ |
| 88 --signprivate "${FLAGS_keys_dir}/key_rsa4096.pem" \ | 106 --signprivate "${FLAGS_working_dir}/kernel_subkey.vbprivk" \ |
| 89 --algorithm 8 \ | |
| 90 --flags 15 | 107 --flags 15 |
| 91 WORK="${WORK} ${FLAGS_working_dir}/data4_sign8.keyblock" | 108 WORK="${WORK} ${FLAGS_working_dir}/kernel.keyblock" |
| 92 | 109 |
| 93 # Verify the keyblock. | 110 # Verify the keyblock. |
| 94 vbutil_keyblock \ | 111 vbutil_keyblock \ |
| 95 --unpack "${FLAGS_working_dir}/data4_sign8.keyblock" \ | 112 --unpack "${FLAGS_working_dir}/kernel.keyblock" \ |
| 96 --signpubkey "${FLAGS_working_dir}/key_alg8.vbpubk" | 113 --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk" |
| 97 | 114 |
| 98 # Sign the kernel: | 115 # TODO: We should sign the kernel blob using the recovery root key and recovery |
| 116 # kernel data key instead (to create the recovery image), and then re-sign it |
| 117 # this way for the install image. But we'll want to keep the install vblock |
| 118 # separate, so we can just copy that part over separately when we install it |
| 119 # instead of the whole kernel blob. |
| 120 |
| 121 # Create and sign the kernel blob |
| 99 vbutil_kernel \ | 122 vbutil_kernel \ |
| 100 --pack "${FLAGS_to}" \ | 123 --pack "${FLAGS_to}" \ |
| 101 --keyblock "${FLAGS_working_dir}/data4_sign8.keyblock" \ | 124 --keyblock "${FLAGS_working_dir}/kernel.keyblock" \ |
| 102 --signprivate "${FLAGS_keys_dir}/key_rsa2048.pem" \ | 125 --signprivate "${FLAGS_working_dir}/kernel_data_key.vbprivk" \ |
| 103 --version 1 \ | 126 --version 1 \ |
| 104 --config "${FLAGS_working_dir}/config.txt" \ | 127 --config "${FLAGS_working_dir}/config.txt" \ |
| 105 --bootloader /lib64/bootstub/bootstub.efi \ | 128 --bootloader /lib64/bootstub/bootstub.efi \ |
| 106 --vmlinuz "${FLAGS_vmlinuz}" | 129 --vmlinuz "${FLAGS_vmlinuz}" |
| 107 | 130 |
| 108 # And verify it. | 131 # And verify it. |
| 109 vbutil_kernel \ | 132 vbutil_kernel \ |
| 110 --verify "${FLAGS_to}" \ | 133 --verify "${FLAGS_to}" \ |
| 111 --signpubkey "${FLAGS_working_dir}/key_alg8.vbpubk" | 134 --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk" |
| 112 | 135 |
| 113 else | 136 else |
| 114 # FIXME: For now, ARM just uses the unsigned kernel by itself. | 137 # FIXME: For now, ARM just uses the unsigned kernel by itself. |
| 115 cp -f "${FLAGS_vmlinuz}" "${FLAGS_to}" | 138 cp -f "${FLAGS_vmlinuz}" "${FLAGS_to}" |
| 116 fi | 139 fi |
| 117 | 140 |
| 118 set +e # cleanup failure is a-ok | 141 set +e # cleanup failure is a-ok |
| 119 | 142 |
| 120 if [[ ${FLAGS_keep_work} -eq ${FLAGS_FALSE} ]]; then | 143 if [[ ${FLAGS_keep_work} -eq ${FLAGS_FALSE} ]]; then |
| 121 echo "Cleaning up temporary files: ${WORK}" | 144 echo "Cleaning up temporary files: ${WORK}" |
| 122 rm ${WORK} | 145 rm ${WORK} |
| 123 rmdir ${FLAGS_working_dir} | 146 rmdir ${FLAGS_working_dir} |
| 124 fi | 147 fi |
| 125 | 148 |
| 126 echo "Kernel partition image emitted: ${FLAGS_to}" | 149 echo "Kernel partition image emitted: ${FLAGS_to}" |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2817047:
Generate and use .vbprivk files for signing now. (Closed)
Base URL: ssh://git@chromiumos-git//crosutils.git