| Index: tests/devkeys/create_new_keys.sh
|
| diff --git a/tests/devkeys/create_new_keys.sh b/tests/devkeys/create_new_keys.sh
|
| deleted file mode 100755
|
| index 311d92439cb4b8888ca27c2023f89dd9258b20d5..0000000000000000000000000000000000000000
|
| --- a/tests/devkeys/create_new_keys.sh
|
| +++ /dev/null
|
| @@ -1,127 +0,0 @@
|
| -#!/bin/bash
|
| -# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
|
| -# Use of this source code is governed by a BSD-style license that can be
|
| -# found in the LICENSE file.
|
| -#
|
| -# Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
|
| -# be exactly like the real keys except that the private keys aren't secret.
|
| -
|
| -
|
| -# 0 = (RSA1024 SHA1)
|
| -# 1 = (RSA1024 SHA256)
|
| -# 2 = (RSA1024 SHA512)
|
| -# 3 = (RSA2048 SHA1)
|
| -# 4 = (RSA2048 SHA256)
|
| -# 5 = (RSA2048 SHA512)
|
| -# 6 = (RSA4096 SHA1)
|
| -# 7 = (RSA4096 SHA256)
|
| -# 8 = (RSA4096 SHA512)
|
| -# 9 = (RSA8192 SHA1)
|
| -# 10 = (RSA8192 SHA256)
|
| -# 11 = (RSA8192 SHA512)
|
| -function alg_to_keylen {
|
| - echo $(( 1 << (10 + ($1 / 3)) ))
|
| -}
|
| -
|
| -# Emit .vbpubk and .vbprivk using given basename and algorithm
|
| -# NOTE: This function also appears in ../../utility/dev_make_keypair. Making
|
| -# the two implementations the same would require some common.sh, which is more
|
| -# likely to cause problems than just keeping an eye out for any differences. If
|
| -# you feel the need to change this file, check the history of that other file
|
| -# to see what may need updating here too.
|
| -function make_pair {
|
| - local base=$1
|
| - local alg=$2
|
| - local len=$(alg_to_keylen $alg)
|
| -
|
| - echo "creating $base keypair..."
|
| -
|
| - # make the RSA keypair
|
| - openssl genrsa -F4 -out "${base}_${len}.pem" $len
|
| - # create a self-signed certificate
|
| - openssl req -batch -new -x509 -key "${base}_${len}.pem" \
|
| - -out "${base}_${len}.crt"
|
| - # generate pre-processed RSA public key
|
| - dumpRSAPublicKey -cert "${base}_${len}.crt" > "${base}_${len}.keyb"
|
| -
|
| - # wrap the public key
|
| - vbutil_key \
|
| - --pack "${base}.vbpubk" \
|
| - --key "${base}_${len}.keyb" \
|
| - --version 1 \
|
| - --algorithm $alg
|
| -
|
| - # wrap the private key
|
| - vbutil_key \
|
| - --pack "${base}.vbprivk" \
|
| - --key "${base}_${len}.pem" \
|
| - --algorithm $alg
|
| -
|
| - # remove intermediate files
|
| - rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb"
|
| -}
|
| -
|
| -
|
| -# Emit a .keyblock containing flags and a public key, signed by a private key
|
| -# flags are the bitwise OR of these (passed in decimal, though)
|
| -# 0x01 Developer switch off
|
| -# 0x02 Developer switch on
|
| -# 0x04 Not recovery mode
|
| -# 0x08 Recovery mode
|
| -function make_keyblock {
|
| - local base=$1
|
| - local flags=$2
|
| - local pubkey=$3
|
| - local signkey=$4
|
| -
|
| - echo "creating $base keyblock..."
|
| -
|
| - # create it
|
| - vbutil_keyblock \
|
| - --pack "${base}.keyblock" \
|
| - --flags $flags \
|
| - --datapubkey "${pubkey}.vbpubk" \
|
| - --signprivate "${signkey}.vbprivk"
|
| -
|
| - # verify it
|
| - vbutil_keyblock \
|
| - --unpack "${base}.keyblock" \
|
| - --signpubkey "${signkey}.vbpubk"
|
| -}
|
| -
|
| -
|
| -
|
| -# Create the normal keypairs
|
| -make_pair root_key 11
|
| -make_pair firmware_data_key 7
|
| -make_pair dev_firmware_data_key 7
|
| -make_pair kernel_subkey 7
|
| -make_pair kernel_data_key 4
|
| -
|
| -# Create the recovery and factory installer keypairs
|
| -make_pair recovery_key 11
|
| -make_pair recovery_kernel_data_key 11
|
| -make_pair installer_kernel_data_key 11
|
| -
|
| -# Create the firmware keyblock for use only in Normal mode. This is redundant,
|
| -# since it's never even checked during Recovery mode.
|
| -make_keyblock firmware 7 firmware_data_key root_key
|
| -
|
| -# Create the dev firmware keyblock for use only in Developer mode.
|
| -make_keyblock dev_firmware 6 dev_firmware_data_key root_key
|
| -
|
| -# Create the recovery kernel keyblock for use only in Recovery mode.
|
| -make_keyblock recovery_kernel 11 recovery_kernel_data_key recovery_key
|
| -
|
| -# Create the normal kernel keyblock for use only in Normal mode.
|
| -make_keyblock kernel 7 kernel_data_key kernel_subkey
|
| -
|
| -# Create the installer keyblock for use in Developer + Recovery mode
|
| -# For use in Factory Install and Developer Mode install shims.
|
| -make_keyblock installer_kernel 10 installer_kernel_data_key recovery_key
|
| -
|
| -# CAUTION: The public parts of most of these blobs must be compiled into the
|
| -# firmware, which is built separately (and some of which can't be changed after
|
| -# manufacturing). If you update these keys, you must coordinate the changes
|
| -# with the BIOS people or you'll be unable to boot the resulting images.
|
| -
|
|
|
Chromium Code Reviews
Issue 6594131:
Add support for using separate developer firmware keyblock while signing. (Closed)
Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master