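#!/bin/bash
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#

# Abort on the first failing command. This lives in a 'set' rather than in the
# shebang so it still applies when the script is invoked as 'bash <script>',
# where shebang options are ignored.
set -e

# Check args first.
if [ "$#" -lt "1" ]; then
  cat <<EOF 1>&2

Usage:  ${0##*/} BASENAME [ALG]

This creates BASENAME.vbpubk and BASENAME.vbprivk pairs for use in signing
developer files. This also creates a BASENAME.keyblock file containing the
BASENAME.vbpubk, which can be used to sign a developer kernel.

If specified, ALG is one of:

  0    =  RSA1024 with SHA1
  1    =  RSA1024 with SHA256
  2    =  RSA1024 with SHA512
  3    =  RSA2048 with SHA1
  4    =  RSA2048 with SHA256
  5    =  RSA2048 with SHA512
  6    =  RSA4096 with SHA1
  7    =  RSA4096 with SHA256
  8    =  RSA4096 with SHA512
  9    =  RSA8192 with SHA1
  10   =  RSA8192 with SHA256
  11   =  RSA8192 with SHA512

If ALG is not specified, a default value will be used.

EOF
  exit 1
fi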
     37 
     38 
     39 # Compute the key length assuming the sizes shown above.
     40 function alg_to_keylen {
     41   echo $(( 1 << (10 + ($1 / 3)) ))
     42 }
     43 
     44 # Emit .vbpubk and .vbprivk using given basename and algorithm.
     45 function make_pair {
     46   local base=$1
     47   local alg=$2
     48   local len=$(alg_to_keylen $alg)
     49 
     50   # make the RSA keypair
     51   openssl genrsa -F4 -out "${base}_${len}.pem" $len
     52   # create a self-signed certificate
     53   openssl req -batch -new -x509 -key "${base}_${len}.pem" \
     54     -out "${base}_${len}.crt"
     55   # generate pre-processed RSA public key
     56   dumpRSAPublicKey -cert "${base}_${len}.crt" > "${base}_${len}.keyb"
     57 
     58   # wrap the public key
     59   futility vbutil_key \
     60     --pack "${base}.vbpubk" \
     61     --key "${base}_${len}.keyb" \
     62     --version 1 \
     63     --algorithm $alg
     64 
     65   # wrap the private key
     66   futility vbutil_key \
     67     --pack "${base}.vbprivk" \
     68     --key "${base}_${len}.pem" \
     69     --algorithm $alg
     70 
     71   # remove intermediate files
     72   rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb"
     73 }
     74 
     75 # First create the .vbpubk and .vbprivk pair.
     76 make_pair "$1" "${2:-4}"
     77 
     78 # Now create a .keyblock to hold our .vbpubk. Since it's for developer use, it
     79 # won't be signed, just checksummed. Developer kernels can only be run in
     80 # non-recovery mode with the developer switch enabled, but it won't hurt us to
     81 # turn on all the flags bits anyway.
     82 futility vbutil_keyblock --pack "$1.keyblock" \
     83   --datapubkey "$1.vbpubk" --flags 15
     84