Add scripts to increment single fm/kernel keys.
For firmware and kernel key increment testing we need to be able to
rev only particular keys and verify an autoupdate works.
BUG=None
TEST=Ran it
BRANCH=None
Change-Id: Ic814480b4bf8fbc994132fcd7ba519c3be9b0ccd
Reviewed-on: https://gerrit.chromium.org/gerrit/32458
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Kris Rambish <krisr@chromium.org>
Tested-by: Kris Rambish <krisr@chromium.org>
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index b6e20c6..b7725ad 100755
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -114,4 +114,120 @@
--signpubkey "${signkey}.vbpubk"
}
+# File to read current versions from.
+VERSION_FILE="key.versions"
+# ARGS: <VERSION_TYPE>
+get_version() {
+ awk -F= '/^'$1'\>/ { print $NF }' ${2:-${VERSION_FILE}}
+}
+
+# Loads the current versions prints them to stdout and sets the global version
+# variables: CURR_FIRMKEY_VER CURR_FIRM_VER CURR_KERNKEY_VER CURR_KERN_VER
+load_current_versions() {
+ if [[ ! -f ${VERSION_FILE} ]]; then
+ return 1
+ fi
+ CURR_FIRMKEY_VER=$(get_version "firmware_key_version")
+ # Firmware version is the kernel subkey version.
+ CURR_FIRM_VER=$(get_version "firmware_version")
+ # Kernel data key version is the kernel key version.
+ CURR_KERNKEY_VER=$(get_version "kernel_key_version")
+ CURR_KERN_VER=$(get_version "kernel_version")
+
+ cat <<EOF
+Current Firmware key version: ${CURR_FIRMKEY_VER}
+Current Firmware version: ${CURR_FIRM_VER}
+Current Kernel key version: ${CURR_KERNKEY_VER}
+Current Kernel version: ${CURR_KERN_VER}
+EOF
+}
+
+# Make backups of existing kernel subkeys and keyblocks that will be revved.
+# Backup format:
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_keyblock() {
+ if [[ ! -e kernel.keyblock ]]; then
+ return
+ fi
+ mv --no-clobber kernel.{keyblock,"v$2.v$1.keyblock"}
+}
+
+# Make backups of existing kernel subkeys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>.vb{pub|priv}k
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_subkeys() {
+ local subkey_ver=$1
+ local datakey_ver=$2
+ # --no-clobber to prevent accidentally overwriting existing
+ # backups.
+ mv --no-clobber kernel_subkey.{vbprivk,"v${subkey_ver}.vbprivk"}
+ mv --no-clobber kernel_subkey.{vbpubk,"v${subkey_ver}.vbpubk"}
+ backup_existing_kernel_keyblock ${subkey_ver} ${datakey_ver}
+}
+
+# Make backups of existing kernel data keys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>.vb{pub|priv}k
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_data_keys() {
+ local subkey_ver=$1
+ local datakey_ver=$2
+ # --no-clobber to prevent accidentally overwriting existing
+ # backups.
+ mv --no-clobber kernel_data_key.{vbprivk,"v${datakey_ver}.vbprivk"}
+ mv --no-clobber kernel_data_key.{vbpubk,"v${datakey_ver}.vbpubk"}
+ backup_existing_kernel_keyblock ${subkey_ver} ${datakey_ver}
+}
+
+# Make backups of existing firmware keys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>.vb{pub|priv}k
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_firmware_keys() {
+ local subkey_ver=$1
+ local datakey_ver=$2
+ mv --no-clobber firmware_data_key.{vbprivk,"v${subkey_ver}.vbprivk"}
+ mv --no-clobber firmware_data_key.{vbpubk,"v${subkey_ver}.vbpubk"}
+ mv --no-clobber firmware.{keyblock,"v${datakey_ver}.v${subkey_ver}.keyblock"}
+}
+
+
+# Write new key version file with the updated key versions.
+# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION
+# KERNEL_VERSION
+write_updated_version_file() {
+ local firmware_key_version=$1
+ local firmware_version=$2
+ local kernel_key_version=$3
+ local kernel_version=$4
+
+ cat > ${VERSION_FILE} <<EOF
+firmware_key_version=${firmware_key_version}
+firmware_version=${firmware_version}
+kernel_key_version=${kernel_key_version}
+kernel_version=${kernel_version}
+EOF
+}
+
+# Returns the incremented version number of the passed in key from the version
+# file. The options are "firmware_key_version", "firmware_version",
+# "kernel_key_version", or "kernel_version".
+# ARGS: KEY_DIR <key_name>
+increment_version() {
+ local key_dir=$1
+ local VERSION_FILE="${key_dir}/${VERSION_FILE}"
+ local old_version=$(get_version $2)
+ local new_version=$(( ${old_version} + 1 ))
+
+ if [[ ${new_version} -gt 0xffff ]]; then
+ echo "Version overflow!" >&2
+ return 1
+ fi
+ echo ${new_version}
+}
diff --git a/scripts/keygeneration/increment_firmware_data_key.sh b/scripts/keygeneration/increment_firmware_data_key.sh
new file mode 100755
index 0000000..facd776
--- /dev/null
+++ b/scripts/keygeneration/increment_firmware_data_key.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment firmware version key for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+ cat <<EOF
+ Usage: $0 <keyset directory>
+
+ Increments the firmware version in the specified keyset.
+EOF
+ exit 1
+fi
+
+KEY_DIR=$1
+
+main() {
+ load_current_versions
+ new_firmkey_ver=$(increment_version "${KEY_DIR}" "firmware_key_version")
+
+ backup_existing_firmware_keys ${CURR_FIRM_VER} ${CURR_FIRMKEY_VER}
+
+ cat <<EOF
+Generating new firmware version key.
+
+New Firmware key version (due to firmware key change): ${new_firmkey_ver}.
+EOF
+ make_pair firmware_data_key ${FIRMWARE_DATAKEY_ALGOID} ${new_firmkey_ver}
+ make_keyblock firmware ${FIRMWARE_KEYBLOCK_MODE} firmware_data_key root_key
+
+ write_updated_version_file ${new_firmkey_ver} ${CURR_FIRM_VER} \
+ ${CURR_KERNKEY_VER} ${CURR_KERN_VER}
+}
+
+main "$@"
diff --git a/scripts/keygeneration/increment_kernel_data_key.sh b/scripts/keygeneration/increment_kernel_data_key.sh
new file mode 100755
index 0000000..193df2a
--- /dev/null
+++ b/scripts/keygeneration/increment_kernel_data_key.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment kernel data key for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+ cat <<EOF
+ Usage: $0 <keyset directory>
+
+ Increments the kernel data key in the specified keyset.
+EOF
+ exit 1
+fi
+
+KEY_DIR=$1
+
+main() {
+ load_current_versions
+ new_kernkey_ver=$(increment_version "${KEY_DIR}" "kernel_key_version")
+
+ backup_existing_kernel_data_keys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
+
+ cat <<EOF
+Generating new kernel data version, and new kernel keyblock.
+
+New Kernel data key version: ${new_kernkey_ver}.
+EOF
+ make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${new_kernkey_ver}
+ make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey
+
+ write_updated_version_file ${CURR_FIRMKEY_VER} ${CURR_FIRM_VER} \
+ ${new_kernkey_ver} ${CURR_KERN_VER}
+}
+
+main "$@"
diff --git a/scripts/keygeneration/increment_kernel_subkey.sh b/scripts/keygeneration/increment_kernel_subkey.sh
new file mode 100755
index 0000000..26af3fa
--- /dev/null
+++ b/scripts/keygeneration/increment_kernel_subkey.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment kernel subkey for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+ cat <<EOF
+ Usage: $0 <keyset directory>
+
+ Increments the kernel subkey in the specified keyset.
+EOF
+ exit 1
+fi
+
+KEY_DIR=$1
+
+main() {
+ load_current_versions
+ new_firm_ver=$(increment_version "${KEY_DIR}" "firmware_version")
+
+ backup_existing_kernel_subkeys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
+ backup_existing_kernel_data_keys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
+
+ cat <<EOF
+Generating new kernel subkey, data keys and new kernel keyblock.
+
+New Firmware version (due to kernel subkey change): ${new_firm_ver}.
+EOF
+ make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${new_firm_ver}
+ make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${CURRENT_KDATAKEY_VERSION}
+ make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey
+
+ write_updated_version_file ${CURR_FIRMKEY_VER} ${new_firm_ver} \
+ ${CURR_KERNKEY_VER} ${CURR_KERN_VER}
+}
+
+main "$@"
diff --git a/scripts/keygeneration/increment_kernel_subkey_and_key.sh b/scripts/keygeneration/increment_kernel_subkey_and_key.sh
index ed20db4..ac84660 100755
--- a/scripts/keygeneration/increment_kernel_subkey_and_key.sh
+++ b/scripts/keygeneration/increment_kernel_subkey_and_key.sh
@@ -24,90 +24,26 @@
KEY_DIR=$1
-# File to read current versions from.
-VERSION_FILE="key.versions"
-
-# ARGS: <version_type>
-get_version() {
- local version_type=$1
- version=$(sed -n "s#^${version_type}=\(.*\)#\1#pg" ${VERSION_FILE})
- echo $version
-}
-
-# Make backups of existing keys and keyblocks that will be revved.
-# Backup format:
-# for keys: <key_name>.v<version>.vb{pub|priv}k
-# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
-# Args: SUBKEY_VERSION DATAKEY_VERSION
-backup_existing_kernel_keys() {
- subkey_version=$1
- datakey_version=$2
- # --no-clobber to prevent accidentally overwriting existing
- # backups.
- mv --no-clobber kernel_subkey.{vbprivk,"v${subkey_version}.vbprivk"}
- mv --no-clobber kernel_subkey.{vbpubk,"v${subkey_version}.vbpubk"}
- mv --no-clobber kernel_data_key.{vbprivk,"v${datakey_version}.vbprivk"}
- mv --no-clobber kernel_data_key.{vbpubk,"v${datakey_version}.vbpubk"}
- mv --no-clobber kernel.{keyblock,"v${datakey_version}.v${subkey_version}.keyblock"}
-}
-
-# Write new key version file with the updated key versions.
-# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION KERNEL_VERSION
-write_updated_version_file() {
- local firmware_key_version=$1
- local firmware_version=$2
- local kernel_key_version=$3
- local kernel_version=$4
-
- cat > ${VERSION_FILE} <<EOF
-firmware_key_version=${firmware_key_version}
-firmware_version=${firmware_version}
-kernel_key_version=${kernel_key_version}
-kernel_version=${kernel_version}
-EOF
-}
-
-
main() {
- local key_dir=$1
- cd "${key_dir}"
- current_fkey_version=$(get_version "firmware_key_version")
- # Firmware version is the kernel subkey version.
- current_ksubkey_version=$(get_version "firmware_version")
- # Kernel data key version is the kernel key version.
- current_kdatakey_version=$(get_version "kernel_key_version")
- current_kernel_version=$(get_version "kernel_version")
+ load_current_versions
+ new_kernkey_ver=$(increment_version "${KEY_DIR}" "kernel_key_version")
+ new_firm_ver=$(increment_version "${KEY_DIR}" "firmware_version")
- cat <<EOF
-Current Firmware key version: ${current_fkey_version}
-Current Firmware version: ${current_ksubkey_version}
-Current Kernel key version: ${current_kdatakey_version}
-Current Kernel version: ${current_kernel_version}
-EOF
-
- backup_existing_kernel_keys $current_ksubkey_version $current_kdatakey_version
-
- new_ksubkey_version=$(( current_ksubkey_version + 1 ))
- new_kdatakey_version=$(( current_kdatakey_version + 1 ))
-
- if [ $new_kdatakey_version -gt 65535 ] || [ $new_kdatakey_version -gt 65535 ];
- then
- echo "Version overflow!"
- exit 1
- fi
+ backup_existing_kernel_subkeys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
+ backup_existing_kernel_data_keys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
cat <<EOF
Generating new kernel subkey, data keys and new kernel keyblock.
-New Firmware version (due to kernel subkey change): ${new_ksubkey_version}.
-New Kernel key version (due to kernel datakey change): ${new_kdatakey_version}.
+New Firmware version (due to kernel subkey change): ${new_firm_ver}.
+New Kernel key version (due to kernel datakey change): ${new_kernkey_ver}.
EOF
- make_pair kernel_subkey $KERNEL_SUBKEY_ALGOID $new_ksubkey_version
- make_pair kernel_data_key $KERNEL_DATAKEY_ALGOID $new_kdatakey_version
- make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey
+ make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${new_firm_ver}
+ make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${new_kernkey_ver}
+ make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey
- write_updated_version_file $current_fkey_version $new_ksubkey_version \
- $new_kdatakey_version $current_kernel_version
+ write_updated_version_file ${CURR_FIRMKEY_VER} ${new_firm_ver} \
+ ${new_kernkey_ver} ${CURR_KERN_VER}
}
-main $@
+main "$@"
