Adding new directory with developer signing keys.

tests/devkeys/create_new_keys.sh

Index: tests/devkeys/create_new_keys.sh
diff --git a/tests/devkeys/create_new_keys.sh b/tests/devkeys/create_new_keys.sh
new file mode 100755
index 0000000000000000000000000000000000000000..93d17fb6e19cbbf93fdc715fd3b93b14a5982b8c
--- /dev/null
+++ b/tests/devkeys/create_new_keys.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
+# be exactly like the real keys except that the private keys aren't secret.
+
+
+# 0 = (RSA1024 SHA1)
+# 1 = (RSA1024 SHA256)
+# 2 = (RSA1024 SHA512)
+# 3 = (RSA2048 SHA1)
+# 4 = (RSA2048 SHA256)
+# 5 = (RSA2048 SHA512)
+# 6 = (RSA4096 SHA1)
+# 7 = (RSA4096 SHA256)
+# 8 = (RSA4096 SHA512)
+# 9 = (RSA8192 SHA1)
+# 10 = (RSA8192 SHA256)
+# 11 = (RSA8192 SHA512)
+function alg_to_keylen {
+  echo $(( 1 << (10 + ($1 / 3)) ))
+}
+
+# Emit .vbpubk and .vbprivk using given basename and algorithm
+function make_pair {
+  local base=$1
+  local alg=$2
+  local len=$(alg_to_keylen $alg)
+
+  echo "creating $base keypair..."
+
+  # make the RSA keypair
+  openssl genrsa -F4 -out "${base}_${len}.pem" $len
+  # create a self-signed certificate
+  openssl req -batch -new -x509 -key "${base}_${len}.pem" \
+    -out "${base}_${len}.crt"
+  # generate pre-processed RSA public key
+  dumpRSAPublicKey "${base}_${len}.crt" > "${base}_${len}.keyb"
+
+  # wrap the public key
+  vbutil_key \
+    --pack "${base}.vbpubk" \
+    --key "${base}_${len}.keyb" \
+    --version 1 \
+    --algorithm $alg
+
+  # wrap the private key
+  vbutil_key \
+    --pack "${base}.vbprivk" \
+    --key "${base}_${len}.pem" \
+    --algorithm $alg
+
+  # remove intermediate files
+  rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb"
+}
+
+
+# Emit a .keyblock containing flags and a public key, signed by a private key
+# flags are the bitwise OR of these (passed in decimal, though)
+#   0x01  Developer switch off
+#   0x02  Developer switch on
+#   0x04  Not recovery mode
+#   0x08  Recovery mode
+function make_keyblock {
+  local base=$1
+  local flags=$2
+  local pubkey=$3
+  local signkey=$4
+
+  echo "creating $base keyblock..."
+
+  # create it
+  vbutil_keyblock \
+    --pack "${base}.keyblock" \
+    --flags $flags \
+    --datapubkey "${pubkey}.vbpubk" \
+    --signprivate "${signkey}.vbprivk"
+
+  # verify it
+  vbutil_keyblock \
+    --unpack "${base}.keyblock" \
+    --signpubkey "${signkey}.vbpubk"
+}
+
+
+
+# Create the normal keypairs
+make_pair root_key                 11
+make_pair firmware_data_key        7
+make_pair kernel_subkey            7
+make_pair kernel_data_key          4
+
+# Create the recovery keypairs
+make_pair recovery_key             11
+make_pair recovery_kernel_data_key 11
+
+
+# Create the firmware keyblock for use only in Normal mode. This is redundant,
+# since it's never even checked during Recovery mode.
+make_keyblock firmware 7 firmware_data_key root_key
+
+# Create the recovery kernel keyblock for use only in Recovery mode. 
+make_keyblock recovery_kernel 11 recovery_kernel_data_key recovery_key
+
+# Create the normal kernel keyblock for use only in Normal mode. 
+make_keyblock kernel 7 kernel_data_key kernel_subkey
+
+
+# CAUTION: The public parts of most of these blobs must be compiled into the
+# firmware, which is built separately (and some of which can't be changed after
+# manufacturing). If you update these keys, you must coordinate the changes
+# with the BIOS people or you'll be unable to boot the resulting images.
+