| #!/bin/bash |
| # Copyright 2011 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| # |
| # Generate .vbpubk and .vbprivk pairs for use by developer builds. These should |
| # be exactly like the real keys except that the private keys aren't secret. |
| |
| # Load common constants and functions. |
| # shellcheck source=common.sh |
| . "$(dirname "$0")/common.sh" |
| |
| usage() { |
| cat <<EOF |
| Usage: ${PROG} [options] |
| |
| Options: |
| --android Also generate android keys |
| --uefi Also generate UEFI keys |
| --8k Use 8k keys instead of 4k (enables options below) |
| --8k-root Use 8k key size for the root key |
| --8k-recovery Use 8k key size for the recovery key |
| --8k-recovery-kernel Use 8k key size for the recovery kernel data |
| --8k-installer-kernel Use 8k key size for the installer kernel data |
| --key-name <name> Name of the keyset (for key.versions) |
| --output <dir> Where to write the keys (default is cwd) |
| --arv-root-path <dir> Path to AP RO verificaton root key directory, |
| defaults to ./${ARV_ROOT_DIR} |
| --arv-root-uri <uri> URI to remote AP RO verification root key (stored in |
| GCP, accessed using CloudKMS). |
| EOF |
| |
| if [[ $# -ne 0 ]]; then |
| die "unknown option $*" |
| else |
| exit 0 |
| fi |
| } |
| |
| main() { |
| set -e |
| |
| local android_keys="false" |
| local uefi_keys="false" |
| local root_key_algoid=${ROOT_KEY_ALGOID} |
| local recovery_key_algoid=${RECOVERY_KEY_ALGOID} |
| local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID} |
| local minios_kernel_algoid=${MINIOS_KERNEL_ALGOID} |
| local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID} |
| local keyname |
| local output_dir="${PWD}" setperms="false" |
| local arv_root_path="" |
| local arv_root_uri="" |
| |
| while [[ $# -gt 0 ]]; do |
| case $1 in |
| --android) |
| echo "Will also generate Android keys." |
| android_keys="true" |
| ;; |
| |
| --uefi) |
| echo "Will also generate UEFI keys." |
| uefi_keys="true" |
| ;; |
| |
| --8k) |
| root_key_algoid=${RSA8192_SHA512_ALGOID} |
| recovery_key_algoid=${RSA8192_SHA512_ALGOID} |
| recovery_kernel_algoid=${RSA8192_SHA512_ALGOID} |
| installer_kernel_algoid=${RSA8192_SHA512_ALGOID} |
| ;; |
| --8k-root) |
| root_key_algoid=${RSA8192_SHA512_ALGOID} |
| ;; |
| --8k-recovery) |
| recovery_key_algoid=${RSA8192_SHA512_ALGOID} |
| ;; |
| --8k-recovery-kernel) |
| recovery_kernel_algoid=${RSA8192_SHA512_ALGOID} |
| ;; |
| --8k-installer-kernel) |
| installer_kernel_algoid=${RSA8192_SHA512_ALGOID} |
| ;; |
| |
| --4k) |
| root_key_algoid=${RSA4096_SHA512_ALGOID} |
| recovery_key_algoid=${RSA4096_SHA512_ALGOID} |
| recovery_kernel_algoid=${RSA4096_SHA512_ALGOID} |
| installer_kernel_algoid=${RSA4096_SHA512_ALGOID} |
| ;; |
| --4k-root) |
| root_key_algoid=${RSA4096_SHA512_ALGOID} |
| ;; |
| --4k-recovery) |
| recovery_key_algoid=${RSA4096_SHA512_ALGOID} |
| ;; |
| --4k-recovery-kernel) |
| recovery_kernel_algoid=${RSA4096_SHA512_ALGOID} |
| ;; |
| --4k-installer-kernel) |
| installer_kernel_algoid=${RSA4096_SHA512_ALGOID} |
| ;; |
| |
| --arv-root-path) |
| arv_root_path="$(readlink -f "$2")" |
| shift |
| ;; |
| --arv-root-uri) |
| arv_root_uri="$2" |
| shift |
| ;; |
| |
| --key-name) |
| keyname="$2" |
| shift |
| ;; |
| |
| --output) |
| output_dir="$2" |
| setperms="true" |
| if [[ -d "${output_dir}" ]]; then |
| die "output dir (${output_dir}) already exists" |
| fi |
| shift |
| ;; |
| |
| -h|--help) |
| usage |
| ;; |
| *) |
| usage "$1" |
| ;; |
| esac |
| shift |
| done |
| |
| mkdir -p "${output_dir}" |
| cd "${output_dir}" |
| if [[ "${setperms}" == "true" ]]; then |
| chmod 700 . |
| fi |
| |
| if [[ -z "${arv_root_uri}" ]]; then |
| if [[ -z "${arv_root_path}" ]]; then |
| # If not explicitly set, expect AP RO verification root key directory one |
| # level above the output directory where the specific board keys are going |
| # to be placed. |
| arv_root_path="$(readlink -f "../${ARV_ROOT_DIR}")" |
| fi |
| |
| if [[ ! -d "${arv_root_path}" ]]; then |
| die "AP RO root key directory \"${arv_root_path}\" not found." \ |
| "Run make_arv_root.sh to create it or specify --arv-root-path." |
| exit 1 |
| fi |
| fi |
| |
| if [[ ! -e "${VERSION_FILE}" ]]; then |
| echo "No version file found. Creating default ${VERSION_FILE}." |
| ( |
| if [[ -n "${keyname}" ]]; then |
| echo "name=${keyname}" |
| fi |
| printf '%s_version=1\n' {firmware,kernel}{_key,} |
| ) > "${VERSION_FILE}" |
| fi |
| |
| local fkey_version ksubkey_version kdatakey_version |
| |
| # Get the key versions for normal keypairs |
| fkey_version=$(get_version "firmware_key_version") |
| # Firmware version is the kernel subkey version. |
| ksubkey_version=$(get_version "firmware_version") |
| # Kernel data key version is the kernel key version. |
| kdatakey_version=$(get_version "kernel_key_version") |
| |
| # Create the normal keypairs |
| make_pair root_key ${root_key_algoid} |
| make_pair firmware_data_key ${FIRMWARE_DATAKEY_ALGOID} ${fkey_version} |
| make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${ksubkey_version} |
| make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${kdatakey_version} |
| |
| # Create the recovery and factory installer keypairs |
| make_pair recovery_key ${recovery_key_algoid} |
| make_pair recovery_kernel_data_key ${recovery_kernel_algoid} |
| make_pair minios_kernel_data_key ${minios_kernel_algoid} |
| make_pair installer_kernel_data_key ${installer_kernel_algoid} |
| make_pair arv_platform "${ARV_PLATFORM_ALGOID}" |
| |
| # Make sure there is a copy of the AP RO |
| # verification root public key in the keyset directory. |
| cp "${arv_root_path}/${ARV_ROOT_NAME_BASE}.vbpubk" . |
| |
| # Create the firmware keyblock for use only in Normal mode. This is redundant, |
| # since it's never even checked during Recovery mode. |
| make_keyblock firmware ${FIRMWARE_KEYBLOCK_MODE} firmware_data_key root_key |
| |
| # Create the recovery kernel keyblock for use only in Recovery mode. |
| make_keyblock recovery_kernel ${RECOVERY_KERNEL_KEYBLOCK_MODE} recovery_kernel_data_key recovery_key |
| |
| # Create the miniOS kernel keyblock for use only in miniOS mode. |
| make_keyblock minios_kernel ${MINIOS_KERNEL_KEYBLOCK_MODE} minios_kernel_data_key recovery_key |
| |
| # Create the normal kernel keyblock for use only in Normal mode. |
| make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey |
| |
| # Create the installer keyblock for use in Developer + Recovery mode |
| # For use in Factory Install and Developer Mode install shims. |
| make_keyblock installer_kernel ${INSTALLER_KERNEL_KEYBLOCK_MODE} installer_kernel_data_key recovery_key |
| |
| # Create AP RO verification platform keyblock. |
| make_keyblock arv_platform "${ARV_KEYBLOCK_MODE}" arv_platform \ |
| "${arv_root_path}/${ARV_ROOT_NAME_BASE}" "${arv_root_uri}" |
| |
| # Copy AP RO verification root public key into the output directory, it is |
| # necessary for AP RO verification signing. |
| cp "${arv_root_path}/arv_root.vbpubk" . || die "Failed to copy" |
| |
| if [[ "${android_keys}" == "true" ]]; then |
| mkdir android |
| "${SCRIPT_DIR}"/create_new_android_keys.sh android |
| fi |
| |
| if [[ "${uefi_keys}" == "true" ]]; then |
| mkdir -p uefi |
| "${SCRIPT_DIR}"/uefi/create_new_crdyshim_key.sh uefi |
| "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh --output uefi |
| fi |
| |
| if [[ "${setperms}" == "true" ]]; then |
| find -type f -exec chmod 400 {} + |
| find -type d -exec chmod 500 {} + |
| fi |
| |
| # CAUTION: The public parts of most of these blobs must be compiled into the |
| # firmware, which is built separately (and some of which can't be changed after |
| # manufacturing). If you update these keys, you must coordinate the changes |
| # with the BIOS people or you'll be unable to boot the resulting images. |
| } |
| main "$@" |