should use key.versions file

The 'key.versions' file is used by the image signing scripts to
ensure that newly generated keys and re-signed buildbot images
have the correct version numbers to avoid rollback in
officially-signed Chrome OS images.

If a skilled user is re-keying her Chromebook to use personal
keys in normal mode (which requires disabling WP and changing the
GBB and VBLOCK_A/B), she can avoid clearing the TPM rollback
counters if will obtain the firmware_version
from the key.versions file in her personal key directory.

TEST=make runtests, manual tests

Extract an MP-signed BIOS from a Chromebook Peppy.

  flashrom -p host -r peppy.bin

Resign it without this CL: -f peppy.bin -k tests/devkeys -t dev_peppy.bin

Resign it with this CL: -f peppy.bin -k tests/devkeys -t dev_peppy_new.bin

Confirm no difference:

  cmp dev_peppy.bin dev_peppy_new.bin

Temporarily edit tests/devkeys/key.versions to contain


Resign again: -f peppy.bin -k tests/devkeys -t dev_peppy_new2.bin

Confirm that the only difference is the firmware version in VBLOCK_A/B:

  futility show dev_peppy_new*.bin

Change-Id: I133f1b58fb969eaeb239a44a4800750c4eee1d5f
Signed-off-by: Bill Richardson <>
Reviewed-by: Mike Frysinger <>
2 files changed