scripts/keygeneration/create_psp_verstagebl_key.sh - mirrors/cros/chromiumos/platform/vboot_reference - Git at Google

 #!/bin/bash
 # Copyright 2020 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 usage() {
   cat <<EOF
 Usage: $0 <OUTPUT DIRECTORY> <KEY SIZE> [PASSPHRASE]

 Generate a key pair for signing the PSP_Verstage binary to be loaded by
 the PSP bootloader.  For detail, reference the AMD documentation titled
 "OEM PSP VERSTAGE BL FW Signing Key Pair Generation and Certificate Request
 Process" - http://dr/corp/drive/folders/1ySJyDgbH73W1lqrhxMvM9UYl5TtJt_mw

 Arguments:
 - Output Directory: Location for the keys to be generated.  Must exist.
 - Key size: 2048 for Picasso, Dali, & Pollock, 4096 for other F17h SOCs
 - Passphrase: optional passphrase.  If not given on the command line, or in
     the environment variable "PASSPHRASE", it will be requested at runtime.

 EOF

   if [[ $# -ne 0 ]]; then
     echo "$*" >&2
     exit 1
   else
     exit 0
   fi
 }

 KEYNAME=psp_verstagebl_fw_signing

 main() {
   set -e

   # Check arguments
   if [[ $# -lt 2 ]]; then
     usage "Error: Too few arguments"
   fi
   if [[ ! ($2 -eq 2048 || $2 -eq 4096) ]]; then
     usage "Error: invalid keysize"
   fi
   if [[ $# -eq 3 ]]; then
     export PASSPHRASE=$3
   fi
   if [[ $# -gt 3 ]]; then
     usage "Error: Too many arguments"
   fi

   local dir=$1
   local keysize=$2
   local hash

   if [[ ${keysize} -eq 2048 ]]; then
     hash="sha256"
   else
     hash="sha384"
   fi

   cat <<EOF >"${dir}/${KEYNAME}.cnf"
 [req]
 default_md         = ${hash}
 prompt             = no
 distinguished_name = req_distinguished_name
 req_extensions     = v3_req

 [req_distinguished_name]
 countryName             = US
 stateOrProvinceName     = CA
 localityName            = Mountain View
 organizationalUnitName  = Google LLC
 commonName              = AMD Reference PSP Verstage BL FW Certificate

 # Google Platform Vendor ID [31:24] = 0x94 other bits [23:0] are reserved
 serialNumber            = 94000000

 [v3_req]
 basicConstraints     = CA:FALSE
 keyUsage             = nonRepudiation, digitalSignature, keyEncipherment
 subjectKeyIdentifier = hash
 EOF

   local cmd=(
     openssl req -new
     -newkey "rsa:${keysize}"
     -config "${dir}/${KEYNAME}.cnf"
     -keyout "${dir}/${KEYNAME}.key"
     -out "${dir}/${KEYNAME}.csr"
   )
   if [[ "${PASSPHRASE+set}" == "set" ]]; then
     cmd+=(-passout env:PASSPHRASE)
   fi
   "${cmd[@]}"

   echo
   echo "The following hash should be communicated to AMD separately from the CSR"
   echo "to allow it to be verified."
   openssl dgst -sha256 ${KEYNAME}.csr

   rm -f "${dir}/${KEYNAME}.cnf"
 }

 main "$@"
	#!/bin/bash
	# Copyright 2020 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	usage() {
	cat <<EOF
	Usage: $0 <OUTPUT DIRECTORY> <KEY SIZE> [PASSPHRASE]

	Generate a key pair for signing the PSP_Verstage binary to be loaded by
	the PSP bootloader. For detail, reference the AMD documentation titled
	"OEM PSP VERSTAGE BL FW Signing Key Pair Generation and Certificate Request
	Process" - http://dr/corp/drive/folders/1ySJyDgbH73W1lqrhxMvM9UYl5TtJt_mw

	Arguments:
	- Output Directory: Location for the keys to be generated. Must exist.
	- Key size: 2048 for Picasso, Dali, & Pollock, 4096 for other F17h SOCs
	- Passphrase: optional passphrase. If not given on the command line, or in
	the environment variable "PASSPHRASE", it will be requested at runtime.

	EOF

	if [[ $# -ne 0 ]]; then
	echo "$*" >&2
	exit 1
	else
	exit 0
	fi
	}

	KEYNAME=psp_verstagebl_fw_signing

	main() {
	set -e

	# Check arguments
	if [[ $# -lt 2 ]]; then
	usage "Error: Too few arguments"
	fi
	if [[ ! ($2 -eq 2048 \|\| $2 -eq 4096) ]]; then
	usage "Error: invalid keysize"
	fi
	if [[ $# -eq 3 ]]; then
	export PASSPHRASE=$3
	fi
	if [[ $# -gt 3 ]]; then
	usage "Error: Too many arguments"
	fi

	local dir=$1
	local keysize=$2
	local hash

	if [[ ${keysize} -eq 2048 ]]; then
	hash="sha256"
	else
	hash="sha384"
	fi

	cat <<EOF >"${dir}/${KEYNAME}.cnf"
	[req]
	default_md = ${hash}
	prompt = no
	distinguished_name = req_distinguished_name
	req_extensions = v3_req

	[req_distinguished_name]
	countryName = US
	stateOrProvinceName = CA
	localityName = Mountain View
	organizationalUnitName = Google LLC
	commonName = AMD Reference PSP Verstage BL FW Certificate

	# Google Platform Vendor ID [31:24] = 0x94 other bits [23:0] are reserved
	serialNumber = 94000000

	[v3_req]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	subjectKeyIdentifier = hash
	EOF

	local cmd=(
	openssl req -new
	-newkey "rsa:${keysize}"
	-config "${dir}/${KEYNAME}.cnf"
	-keyout "${dir}/${KEYNAME}.key"
	-out "${dir}/${KEYNAME}.csr"
	)
	if [[ "${PASSPHRASE+set}" == "set" ]]; then
	cmd+=(-passout env:PASSPHRASE)
	fi
	"${cmd[@]}"

	echo
	echo "The following hash should be communicated to AMD separately from the CSR"
	echo "to allow it to be verified."
	openssl dgst -sha256 ${KEYNAME}.csr

	rm -f "${dir}/${KEYNAME}.cnf"
	}

	main "$@"