commit 68f0eaaea967334f9fa05251bb13ac843a7d5b26
author Mike Frysinger <vapier@chromium.org> Thu Sep 03 16:56:06 2020 -0400
committer Mike Frysinger <vapier@chromium.org> Wed Sep 09 06:41:54 2020 +0000
tree 75f575e4aed6e04f0969476b8b2c67d70af72c8b
parent 8f43ad977003ac4ed502c285dc08feca5e4d9bdf

keygeneration: psp verstagebl: refactor key gen & csr generation

We want to separate the stages of creating the key & using the key as
our HSM tools use different commands for these.

This also means we no longer need a passphrase at all.

BUG=b:166095736
TEST=ran script before & after and made sure output (largely) looked the same
BRANCH=None

Change-Id: Id488789f83c21ffb6263489e3c22531878ceb1f2
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2391219
Reviewed-by: Furquan Shaikh <furquan@chromium.org>

scripts/keygeneration/create_psp_verstagebl_key.sh

diff --git a/scripts/keygeneration/create_psp_verstagebl_key.sh b/scripts/keygeneration/create_psp_verstagebl_key.sh
index 31f78ba..aeb7920 100755
--- a/scripts/keygeneration/create_psp_verstagebl_key.sh
+++ b/scripts/keygeneration/create_psp_verstagebl_key.sh
@@ -3,9 +3,12 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
 usage() {
   cat <<EOF
-Usage: $0 <OUTPUT DIRECTORY> <KEY SIZE> [PASSPHRASE]
+Usage: ${PROG} <PROJECT/DEVICE NAME> <OUTPUT DIRECTORY> <KEY SIZE>
 
 Generate a key pair for signing the PSP_Verstage binary to be loaded by
 the PSP bootloader.  For detail, reference the AMD documentation titled
@@ -15,9 +18,6 @@
 Arguments:
 - Output Directory: Location for the keys to be generated.  Must exist.
 - Key size: 2048 for Picasso, Dali, & Pollock, 4096 for other F17h SOCs
-- Passphrase: optional passphrase.  If not given on the command line, or in
-    the environment variable "PASSPHRASE", it will be requested at runtime.
-
 EOF
 
   if [[ $# -ne 0 ]]; then
@@ -30,34 +30,48 @@
 
 KEYNAME=psp_verstagebl_fw_signing
 
-main() {
-  set -e
+# Generate the key pair.
+# ARGS: <name> <key> <keysize>
+create_psp_key() {
+  local name=$1
+  local key=$2
+  local keysize=$3
 
-  # Check arguments
-  if [[ $# -lt 2 ]]; then
-    usage "Error: Too few arguments"
-  fi
-  if [[ ! ($2 -eq 2048 || $2 -eq 4096) ]]; then
-    usage "Error: invalid keysize"
-  fi
-  if [[ $# -eq 3 ]]; then
-    export PASSPHRASE=$3
-  fi
-  if [[ $# -gt 3 ]]; then
-    usage "Error: Too many arguments"
-  fi
+  [[ $# -eq 3 ]] || error "${FUNCNAME} requires 3 args"
 
+  local plainname="psp_verstagebl_${name}_${keysize}"
+  local embedname="psp_verstagebl_${name}"
+
+  # HSM signer stuff -- need a unique name for the key.
+  echo "Will use plain name: ${plainname}, and embed name: ${embedname}."
+
+  local cmd=(
+    openssl genrsa -F4 -out "${key}" "${keysize}"
+  )
+  echo "> ${cmd[@]}"
+  "${cmd[@]}" || die "generating key failed"
+}
+
+# Generate the CSR for this key.
+# ARGS: <output dir> key> <keysize>
+create_psp_csr() {
   local dir=$1
-  local keysize=$2
-  local hash
+  local key=$2
+  local keysize=$3
 
+  [[ $# -eq 3 ]] || error "${FUNCNAME} requires 3 args"
+
+  local hash
   if [[ ${keysize} -eq 2048 ]]; then
     hash="sha256"
   else
     hash="sha384"
   fi
 
-  cat <<EOF >"${dir}/${KEYNAME}.cnf"
+  local config="${dir}/${KEYNAME}.cnf"
+  local csr="${dir}/${KEYNAME}.csr"
+
+  cat <<EOF >"${config}"
 [req]
 default_md         = ${hash}
 prompt             = no
@@ -82,22 +96,46 @@
 
   local cmd=(
     openssl req -new
-    -newkey "rsa:${keysize}"
-    -config "${dir}/${KEYNAME}.cnf"
-    -keyout "${dir}/${KEYNAME}.key"
-    -out "${dir}/${KEYNAME}.csr"
+    -config "${config}"
+    -key "${key}"
+    -out "${csr}"
   )
-  if [[ "${PASSPHRASE+set}" == "set" ]]; then
-    cmd+=(-passout env:PASSPHRASE)
-  fi
-  "${cmd[@]}"
+  echo "> ${cmd[@]}"
+  "${cmd[@]}" || die "generating CSR failed"
 
   echo
   echo "The following hash should be communicated to AMD separately from the CSR"
   echo "to allow it to be verified."
-  openssl dgst -sha256 ${KEYNAME}.csr
+  local digest="${dir}/${KEYNAME}.digest"
+  openssl dgst -sha256 "${csr}" >"${digest}" || die "generating digest failed"
+  cat "${digest}"
+}
 
-  rm -f "${dir}/${KEYNAME}.cnf"
+main() {
+  set -e
+
+  # Check arguments.
+  if [[ $# -ne 3 ]]; then
+    usage "Error: Incorrect number of arguments"
+  fi
+  local name=$1
+  local dir=$2
+  local keysize=$3
+
+  if [[ "${keysize}" -ne 2048 && "${keysize}" -ne 4096 ]]; then
+    usage "Error: invalid keysize"
+  fi
+
+  if [[ ! -d "${dir}" ]]; then
+    mkdir -p "${dir}"
+  else
+    echo "Error: ${dir} already exists" >&2
+    exit 1
+  fi
+
+  local key="${dir}/${KEYNAME}.pem"
+  create_psp_key "${name}" "${key}" "${keysize}"
+  create_psp_csr "${dir}" "${key}" "${keysize}"
 }
 
 main "$@"