| OLD | NEW |
|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. | 2 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| 3 # Use of this source code is governed by a BSD-style license that can be | 3 # Use of this source code is governed by a BSD-style license that can be |
| 4 # found in the LICENSE file. | 4 # found in the LICENSE file. |
| 5 | 5 |
| 6 # Common key generation functions. | 6 # Common key generation functions. |
| 7 | 7 |
| 8 SCRIPT_DIR="$(dirname "$0")" | 8 SCRIPT_DIR="$(dirname "$0")" |
| 9 | 9 |
| 10 # 0 = (RSA1024 SHA1) | 10 # 0 = (RSA1024 SHA1) |
| 11 # 1 = (RSA1024 SHA256) | 11 # 1 = (RSA1024 SHA256) |
| 12 # 2 = (RSA1024 SHA512) | 12 # 2 = (RSA1024 SHA512) |
| 13 # 3 = (RSA2048 SHA1) | 13 # 3 = (RSA2048 SHA1) |
| 14 # 4 = (RSA2048 SHA256) | 14 # 4 = (RSA2048 SHA256) |
| 15 # 5 = (RSA2048 SHA512) | 15 # 5 = (RSA2048 SHA512) |
| 16 # 6 = (RSA4096 SHA1) | 16 # 6 = (RSA4096 SHA1) |
| 17 # 7 = (RSA4096 SHA256) | 17 # 7 = (RSA4096 SHA256) |
| 18 # 8 = (RSA4096 SHA512) | 18 # 8 = (RSA4096 SHA512) |
| 19 # 9 = (RSA8192 SHA1) | 19 # 9 = (RSA8192 SHA1) |
| 20 # 10 = (RSA8192 SHA256) | 20 # 10 = (RSA8192 SHA256) |
| 21 # 11 = (RSA8192 SHA512) | 21 # 11 = (RSA8192 SHA512) |
| 22 function alg_to_keylen { | 22 function alg_to_keylen { |
| 23 echo $(( 1 << (10 + ($1 / 3)) )) | 23 echo $(( 1 << (10 + ($1 / 3)) )) |
| 24 } | 24 } |
| 25 | 25 |
| 26 # Default alrogithms. |
| 27 ROOT_KEY_ALGOID=11 |
| 28 RECOVERY_KEY_ALGOID=11 |
| 29 |
| 30 FIRMWARE_DATAKEY_ALGOID=7 |
| 31 DEV_FIRMWARE_DATAKEY_ALGOID=7 |
| 32 |
| 33 RECOVERY_KERNEL_ALGOID=11 |
| 34 INSTALLER_KERNEL_ALGOID=11 |
| 35 KERNEL_SUBKEY_ALGOID=7 |
| 36 KERNEL_DATAKEY_ALGOID=4 |
| 37 |
| 38 # Keyblock modes determine which boot modes a signing key is valid for use |
| 39 # in verification. |
| 40 FIRMWARE_KEYBLOCK_MODE=7 |
| 41 DEV_FIRMWARE_KEYBLOCK_MODE=6 # Only allow in dev mode. |
| 42 RECOVERY_KERNEL_KEYBLOCK_MODE=11 |
| 43 KERNEL_KEYBLOCK_MODE=7 # Only allow in non-recovery. |
| 44 INSTALLER_KERNEL_KEYBLOCK_MODE=10 # Only allow in Dev + Recovery. |
| 45 |
| 46 |
| 26 # Emit .vbpubk and .vbprivk using given basename and algorithm | 47 # Emit .vbpubk and .vbprivk using given basename and algorithm |
| 27 # NOTE: This function also appears in ../../utility/dev_make_keypair. Making | 48 # NOTE: This function also appears in ../../utility/dev_make_keypair. Making |
| 28 # the two implementations the same would require some common.sh, which is more | 49 # the two implementations the same would require some common.sh, which is more |
| 29 # likely to cause problems than just keeping an eye out for any differences. If | 50 # likely to cause problems than just keeping an eye out for any differences. If |
| 30 # you feel the need to change this file, check the history of that other file | 51 # you feel the need to change this file, check the history of that other file |
| 31 # to see what may need updating here too. | 52 # to see what may need updating here too. |
| 32 function make_pair { | 53 function make_pair { |
| 33 local base=$1 | 54 local base=$1 |
| 34 local alg=$2 | 55 local alg=$2 |
| 56 local key_version=${3:-1} |
| 35 local len=$(alg_to_keylen $alg) | 57 local len=$(alg_to_keylen $alg) |
| 36 | 58 |
| 37 echo "creating $base keypair..." | 59 echo "creating $base keypair (version = $key_version)..." |
| 38 | 60 |
| 39 # make the RSA keypair | 61 # make the RSA keypair |
| 40 openssl genrsa -F4 -out "${base}_${len}.pem" $len | 62 openssl genrsa -F4 -out "${base}_${len}.pem" $len |
| 41 # create a self-signed certificate | 63 # create a self-signed certificate |
| 42 openssl req -batch -new -x509 -key "${base}_${len}.pem" \ | 64 openssl req -batch -new -x509 -key "${base}_${len}.pem" \ |
| 43 -out "${base}_${len}.crt" | 65 -out "${base}_${len}.crt" |
| 44 # generate pre-processed RSA public key | 66 # generate pre-processed RSA public key |
| 45 dumpRSAPublicKey -cert "${base}_${len}.crt" > "${base}_${len}.keyb" | 67 dumpRSAPublicKey -cert "${base}_${len}.crt" > "${base}_${len}.keyb" |
| 46 | 68 |
| 47 # wrap the public key | 69 # wrap the public key |
| 48 vbutil_key \ | 70 vbutil_key \ |
| 49 --pack "${base}.vbpubk" \ | 71 --pack "${base}.vbpubk" \ |
| 50 --key "${base}_${len}.keyb" \ | 72 --key "${base}_${len}.keyb" \ |
| 51 --version 1 \ | 73 --version "${key_version}" \ |
| 52 --algorithm $alg | 74 --algorithm $alg |
| 53 | 75 |
| 54 # wrap the private key | 76 # wrap the private key |
| 55 vbutil_key \ | 77 vbutil_key \ |
| 56 --pack "${base}.vbprivk" \ | 78 --pack "${base}.vbprivk" \ |
| 57 --key "${base}_${len}.pem" \ | 79 --key "${base}_${len}.pem" \ |
| 58 --algorithm $alg | 80 --algorithm $alg |
| 59 | 81 |
| 60 # remove intermediate files | 82 # remove intermediate files |
| 61 rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb" | 83 rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb" |
| (...skipping 21 matching lines...) Expand all Loading... |
| 83 --datapubkey "${pubkey}.vbpubk" \ | 105 --datapubkey "${pubkey}.vbpubk" \ |
| 84 --signprivate "${signkey}.vbprivk" | 106 --signprivate "${signkey}.vbprivk" |
| 85 | 107 |
| 86 # verify it | 108 # verify it |
| 87 vbutil_keyblock \ | 109 vbutil_keyblock \ |
| 88 --unpack "${base}.keyblock" \ | 110 --unpack "${base}.keyblock" \ |
| 89 --signpubkey "${signkey}.vbpubk" | 111 --signpubkey "${signkey}.vbpubk" |
| 90 } | 112 } |
| 91 | 113 |
| 92 | 114 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6824059:
Add a script to increment kernel subkey and data key. (Closed)
Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master