      1 #!/bin/bash
      2 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
      3 # Use of this source code is governed by a BSD-style license that can be
      4 # found in the LICENSE file.
      5 #
      6 # Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
      7 # be exactly like the real keys except that the private keys aren't secret.
      8 
      9 # Load common constants and functions.
     10 . "$(dirname "$0")/common.sh"
     11 
#######################################
# Print the option summary.
# Arguments:
#   None for the --help path; otherwise the offending option word(s).
# Outputs:
#   Usage text on stdout; with arguments, an "unknown option" line on stderr.
# Returns:
#   Does not return: exits 0 when called without arguments, 1 otherwise.
#######################################
usage() {
  cat <<EOF
Usage: $0 [--devkeyblock]

Options:
  --devkeyblock          Also generate developer firmware keyblock and data key
  --4k                   Use 4k keys instead of 8k (enables options below)
  --4k-root              Use 4k key size for the root key
  --4k-recovery          Use 4k key size for the recovery key
  --4k-recovery-kernel   Use 4k key size for the recovery kernel data
  --4k-installer-kernel  Use 4k key size for the installer kernel data
EOF

  # No arguments means help was requested explicitly, not an option error.
  if (( $# == 0 )); then
    exit 0
  fi

  printf 'ERROR: unknown option %s\n' "$*" >&2
  exit 1
}
     32 
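#######################################
# Generate the full developer key set: EC, firmware, kernel, recovery and
# installer keypairs plus the keyblocks that bind them together. Per the
# file header these are developer keys whose private halves are not secret.
# Globals:
#   VERSION_FILE, RSA4096_SHA512_ALGOID, the *_ALGOID defaults and the
#   *_KEYBLOCK_MODE values (all read; expected to come from common.sh)
# Arguments:
#   Command-line options; see usage() for the accepted set.
# Outputs:
#   Progress messages on stdout. Key and keyblock files are written by
#   make_pair / make_keyblock (common.sh); a default ${VERSION_FILE} is
#   created when none exists.
# Returns:
#   Does not return normally: exits 0 on success, non-zero as soon as any
#   step fails (set -e) or an unknown option is seen (via usage).
#######################################
main() {
  # errexit applies to the whole shell from here on, including the helpers
  # sourced from common.sh, so any failing key-generation step aborts.
  set -e

  # Whether to also generate the developer firmware data key and keyblock.
  local dev_keyblock="false"
  # Algorithm ids the --4k* options may override; defaults come from common.sh.
  local root_key_algoid="${ROOT_KEY_ALGOID}"
  local recovery_key_algoid="${RECOVERY_KEY_ALGOID}"
  local recovery_kernel_algoid="${RECOVERY_KERNEL_ALGOID}"
  local installer_kernel_algoid="${INSTALLER_KERNEL_ALGOID}"

  while [[ $# -gt 0 ]]; do
    case "$1" in
    --devkeyblock)
      echo "Will also generate developer firmware keyblock and data key."
      dev_keyblock="true"
      ;;

    --4k)
      root_key_algoid="${RSA4096_SHA512_ALGOID}"
      recovery_key_algoid="${RSA4096_SHA512_ALGOID}"
      recovery_kernel_algoid="${RSA4096_SHA512_ALGOID}"
      installer_kernel_algoid="${RSA4096_SHA512_ALGOID}"
      ;;
    --4k-root)
      root_key_algoid="${RSA4096_SHA512_ALGOID}"
      ;;
    --4k-recovery)
      recovery_key_algoid="${RSA4096_SHA512_ALGOID}"
      ;;
    --4k-recovery-kernel)
      recovery_kernel_algoid="${RSA4096_SHA512_ALGOID}"
      ;;
    --4k-installer-kernel)
      installer_kernel_algoid="${RSA4096_SHA512_ALGOID}"
      ;;

    -h|--help)
      usage            # prints help and exits 0
      ;;
    *)
      usage "$1"       # reports the unknown option and exits 1
      ;;
    esac
    shift
  done

  if [[ ! -e "${VERSION_FILE}" ]]; then
    echo "No version file found. Creating default ${VERSION_FILE}."
    # Seed every version entry that get_version is asked for below. The
    # previous brace expansion covered only firmware and kernel, leaving
    # ec_key_version (read first thing after this block) absent.
    printf '%s=1\n' firmware_key_version firmware_version \
      kernel_key_version kernel_version ec_key_version > "${VERSION_FILE}"
  fi

  local eckey_version fkey_version ksubkey_version kdatakey_version

  # Get the key versions for the normal keypairs. Assignment is kept separate
  # from the local declaration so a failing get_version is not masked.
  eckey_version=$(get_version "ec_key_version")
  fkey_version=$(get_version "firmware_key_version")
  # Firmware version is the kernel subkey version.
  ksubkey_version=$(get_version "firmware_version")
  # Kernel data key version is the kernel key version.
  kdatakey_version=$(get_version "kernel_key_version")

  # Create the normal keypairs. Algorithm ids are quoted so an unset id reaches
  # make_pair as an empty argument (and fails there) instead of silently
  # shifting the version into its place. A version is passed only when
  # non-empty, which keeps the call identical to the original when an older
  # ${VERSION_FILE} has no entry for it.
  make_pair ec_root_key "${EC_ROOT_KEY_ALGOID}"
  make_pair ec_data_key "${EC_DATAKEY_ALGOID}" ${eckey_version:+"${eckey_version}"}
  make_pair root_key "${root_key_algoid}"
  make_pair firmware_data_key "${FIRMWARE_DATAKEY_ALGOID}" ${fkey_version:+"${fkey_version}"}
  if [[ "${dev_keyblock}" == "true" ]]; then
    make_pair dev_firmware_data_key "${DEV_FIRMWARE_DATAKEY_ALGOID}" ${fkey_version:+"${fkey_version}"}
  fi
  make_pair kernel_subkey "${KERNEL_SUBKEY_ALGOID}" ${ksubkey_version:+"${ksubkey_version}"}
  make_pair kernel_data_key "${KERNEL_DATAKEY_ALGOID}" ${kdatakey_version:+"${kdatakey_version}"}

  # Create the recovery and factory installer keypairs (no version entry).
  make_pair recovery_key "${recovery_key_algoid}"
  make_pair recovery_kernel_data_key "${recovery_kernel_algoid}"
  make_pair installer_kernel_data_key "${installer_kernel_algoid}"

  # Create the firmware keyblock for use only in Normal mode. This is redundant,
  # since it's never even checked during Recovery mode.
  make_keyblock firmware "${FIRMWARE_KEYBLOCK_MODE}" firmware_data_key root_key
  # Ditto EC keyblock
  make_keyblock ec "${EC_KEYBLOCK_MODE}" ec_data_key ec_root_key

  if [[ "${dev_keyblock}" == "true" ]]; then
    # Create the dev firmware keyblock for use only in Developer mode.
    make_keyblock dev_firmware "${DEV_FIRMWARE_KEYBLOCK_MODE}" \
      dev_firmware_data_key root_key
  fi

  # Create the recovery kernel keyblock for use only in Recovery mode.
  make_keyblock recovery_kernel "${RECOVERY_KERNEL_KEYBLOCK_MODE}" \
    recovery_kernel_data_key recovery_key

  # Create the normal kernel keyblock for use only in Normal mode.
  make_keyblock kernel "${KERNEL_KEYBLOCK_MODE}" kernel_data_key kernel_subkey

  # Create the installer keyblock for use in Developer + Recovery mode
  # For use in Factory Install and Developer Mode install shims.
  make_keyblock installer_kernel "${INSTALLER_KERNEL_KEYBLOCK_MODE}" \
    installer_kernel_data_key recovery_key

  # CAUTION: The public parts of most of these blobs must be compiled into the
  # firmware, which is built separately (and some of which can't be changed after
  # manufacturing). If you update these keys, you must coordinate the changes
  # with the BIOS people or you'll be unable to boot the resulting images.
}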
    136 main "$@"