Add a script to increment kernel subkey and data key.

scripts/keygeneration/increment_kernel_subkey_and_key.sh

+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment kernel subkey and datakey for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+# File to read current versions from.
+VERSION_FILE="key.versions"
+
+# ARGS: <version_type>
+get_version() {
+  local version_type=$1
+  version=$(sed -n "s#^${version_type}=\(.*\)#\1#pg" ${VERSION_FILE})
+  echo $version
+}
+
+# Make backups of existing keys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_keys() {
+  subkey_version=$1
+  datakey_version=$2
+  # --no-clobber to prevent accidentally overwriting existing
+  # backups.
+  mv --no-clobber kernel_subkey.vbprivk{,".v${subkey_version}"}
+  mv --no-clobber kernel_subkey.vbpubk{,".v${subkey_version}"}
+  mv --no-clobber kernel_data_key.vbprivk{,".v${datakey_version}"}
+  mv --no-clobber kernel_data_key.vbpubk{,".v${datakey_version}"}
+  mv --no-clobber kernel.keyblock{,".v${datakey_version}.v${subkey_version}"}
+}
+
+# Write new key version file with the updated key versions.
+# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION KERNEL_VERSION
+write_updated_version_file() {
+  local firmware_key_version=$1
+  local firmware_version=$2
+  local kernel_key_version=$3
+  local kernel_version=$4
+
+  cat > ${VERSION_FILE} <<EOF
+firmware_key_version=${firmware_key_version}
+firmware_version=${firmware_version}
+kernel_key_version=${kernel_key_version}
+kernel_version=${kernel_version}
+EOF
+}
+  
+
+main() {
+  current_fkey_version=$(get_version "firmware_key_version")
+  # Firmware version is the kernel subkey version.
+  current_ksubkey_version=$(get_version "firmware_version")
+  # Kernel data key version is the kernel key version.
+  current_kdatakey_version=$(get_version "kernel_key_version")
+  current_kernel_version=$(get_version "kernel_version")
+
+  cat <<EOF
+Current Firmware key version: ${current_fkey_version}
+Current Firmware version: ${current_ksubkey_version}
+Current Kernel key version: ${current_kdatakey_version}
+Current Kernel version: ${current_kernel_version}
+EOF
+
+  backup_existing_kernel_keys $current_ksubkey_version $current_kdatakey_version
+
+  new_ksubkey_version=$(( current_ksubkey_version + 1 ))
+  new_kdatakey_version=$(( current_kdatakey_version + 1 ))
+
+  if [ $new_kdatakey_version -gt 65535 ] || [ $new_kdatakey_version -gt 65535 ];
+  then
+    echo "Version overflow!"
+    exit 1
+  fi
+
+  cat <<EOF 
+Generating new kernel subkey, data keys and new kernel keyblock.
+
+New Firmware version (due to kernel subkey change): ${new_ksubkey_version}.
+New Kernel key version (due to kernel datakey change): ${new_kdatakey_version}.
+EOF
+  make_pair kernel_subkey $KERNEL_SUBKEY_ALGOID $new_ksubkey_version
+  make_pair kernel_data_key $KERNEL_DATAKEY_ALGOID $new_kdatakey_version
+  make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey
+
+  write_updated_version_file $current_fkey_version $new_ksubkey_version \
+    $new_kdatakey_version $current_kernel_version
+}
+
+main $@