vboot: introduce minios_kernel.keyblock
miniOS requires a distinct kernel data key, whose dev key pair
is added in this CL as minios_kernel_data_key.vb{pub,priv}k.
A distinct keyblock is also required. The keyblock should set
the kernel keyblock flag MINIOS_1. Other keyblocks are modified
appropriately to set MINIOS_0. Keyblocks were generated using
the following commands:
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/ec_data_key.vbpubk
--signprivate tests/devkeys/ec_root_key.vbprivk
--pack tests/devkeys/ec.keyblock
Keyblock file: tests/devkeys/ec.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: 5833470fe934be76753cb6501dbb8fbf88ab272b
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/firmware_data_key.vbpubk
--signprivate tests/devkeys/root_key.vbprivk
--pack tests/devkeys/firmware.keyblock
Keyblock file: tests/devkeys/firmware.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450
$ futility vbutil_keyblock
--flags 27
--datapubkey tests/devkeys/recovery_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/recovery_kernel.keyblock
Keyblock file: tests/devkeys/recovery_kernel.keyblock
Signature valid
Flags: 27 !DEV DEV REC !MINIOS
Data key algorithm: 11 RSA8192 SHA512
Data key version: 1
Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb
$ futility vbutil_keyblock
--flags 43
--datapubkey tests/devkeys/minios_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/minios_kernel.keyblock
Keyblock file: tests/devkeys/minios_kernel.keyblock
Signature valid
Flags: 43 !DEV DEV REC MINIOS
Data key algorithm: 8 RSA4096 SHA512
Data key version: 1
Data key sha1sum: 65441886bc54cbfe3a7308b650806f4b61d8d142
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/kernel_data_key.vbpubk
--signprivate tests/devkeys/kernel_subkey.vbprivk
--pack tests/devkeys/kernel.keyblock
Keyblock file: tests/devkeys/kernel.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 4 RSA2048 SHA256
Data key version: 1
Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444
$ futility vbutil_keyblock
--flags 26
--datapubkey tests/devkeys/installer_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/installer_kernel.keyblock
Keyblock file: tests/devkeys/installer_kernel.keyblock
Signature valid
Flags: 26 DEV REC !MINIOS
Data key algorithm: 11 RSA8192 SHA512
Data key version: 1
Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb
BUG=b:188121855
TEST=make clean && make runtests
BRANCH=none
Signed-off-by: Joel Kitching <kitching@google.com>
Change-Id: I5b3e4def83ff29ca156b3c84dfcb8398f4985e67
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2965485
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
19 files changed