Create vbutil_ec tool for signing EC firmware.

This just adds the vbutil_ec tool (and a simple test of the library
functions related to it).

BUG=chrome-os-partner:7459, chromium-os:27142
TEST=manual

  make
  make runtests

Change-Id: I2a2c4e7cfb8ac6ce2229c5de4252a5cc89321fa5
Reviewed-on: https://gerrit.chromium.org/gerrit/21868
Commit-Ready: Bill Richardson <wfrichar@chromium.org>
Tested-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 1d08fdb..b6e20c6 100755
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -23,7 +23,10 @@
   echo $(( 1 << (10 + ($1 / 3)) ))
 }
 
-# Default alrogithms.
+# Default algorithms.
+EC_ROOT_KEY_ALGOID=7
+EC_DATAKEY_ALGOID=7
+
 ROOT_KEY_ALGOID=11
 RECOVERY_KEY_ALGOID=11
 
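Review bot: `EC_ROOT_KEY_ALGOID=7` and `EC_DATAKEY_ALGOID=7` are bare numbers with no comment saying what they select or why the EC root differs from `ROOT_KEY_ALGOID=11`. Going by the key-length arithmetic in the first context line of this hunk (the helper's start is outside the hunk), ID 7 gives a 4096-bit key and ID 11 an 8192-bit one. The EC root key is therefore the same size as its own data key and smaller than the main root key. If that is deliberate, for instance because of a verification-cost limit on the EC that this diff does not show, record it next to the values with something like `# EC keys use algo 7 (4096-bit); root and data key intentionally the same size.` so it is not later taken for an oversight.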
@@ -37,13 +40,13 @@
 
 # Keyblock modes determine which boot modes a signing key is valid for use
 # in verification.
-FIRMWARE_KEYBLOCK_MODE=7
+EC_KEYBLOCK_MODE=7  # Only allow RW EC firmware in non-recovery.
+FIRMWARE_KEYBLOCK_MODE=7  # Only allow RW firmware in non-recovery.
 DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
-RECOVERY_KERNEL_KEYBLOCK_MODE=11
+RECOVERY_KERNEL_KEYBLOCK_MODE=11 # Only in recovery mode.
 KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
 INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
 
-
 # Emit .vbpubk and .vbprivk using given basename and algorithm
 # NOTE: This function also appears in ../../utility/dev_make_keypair. Making
 # the two implementations the same would require some common.sh, which is more
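Review bot: The keyblock modes are still undecoded decimals, so the new trailing comments on `EC_KEYBLOCK_MODE=7` and `RECOVERY_KERNEL_KEYBLOCK_MODE=11` cannot be checked against their values from this file alone. These numbers decide in which boot modes a signing key is accepted, so a one-line legend above the block would let a reviewer verify each one, e.g. `# Bits: 1=dev switch off, 2=dev switch on, 4=not recovery, 8=recovery` (confirm against the keyblock flag definitions before committing it). As a minor style point, the comment on the `RECOVERY_KERNEL_KEYBLOCK_MODE` line has one space before `#` where its neighbours have two.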
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index 054a3ed..722d69d 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -32,6 +32,7 @@
 fi
 
 # Get the key versions for normal keypairs
+ECKEY_VERSION=$(get_version "ec_key_version")
 FKEY_VERSION=$(get_version "firmware_key_version")
 # Firmware version is the kernel subkey version.
 KSUBKEY_VERSION=$(get_version "firmware_version")
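Review bot: `ECKEY_VERSION=$(get_version "ec_key_version")` is used without checking that the lookup returned a value. get_version is defined outside this diff, but if it yields an empty string for a version file written before `ec_key_version` existed, the unquoted `$ECKEY_VERSION` in the next hunk's `make_pair ec_data_key $EC_DATAKEY_ALGOID $ECKEY_VERSION` vanishes as an argument. The EC data key would then be generated with whatever version make_pair falls back to. Key versions are normally what rollback checks compare, so it is safer to fail loudly with `: "${ECKEY_VERSION:?ec_key_version missing from version file}"` right after the assignment, and to quote the expansion at the call site.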
@@ -39,6 +40,8 @@
 KDATAKEY_VERSION=$(get_version "kernel_key_version")
 
 # Create the normal keypairs
+make_pair ec_root_key              $EC_ROOT_KEY_ALGOID
+make_pair ec_data_key              $EC_DATAKEY_ALGOID $ECKEY_VERSION
 make_pair root_key                 $ROOT_KEY_ALGOID
 make_pair firmware_data_key        $FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION
 if [ -n "$DEV_KEYBLOCK_FLAG" ]; then
@@ -55,14 +58,14 @@
 # Create the firmware keyblock for use only in Normal mode. This is redundant,
 # since it's never even checked during Recovery mode.
 make_keyblock firmware $FIRMWARE_KEYBLOCK_MODE firmware_data_key root_key
-
+# Ditto EC keyblock
+make_keyblock ec $EC_KEYBLOCK_MODE ec_data_key ec_root_key
 
 if [ -n "$DEV_KEYBLOCK_FLAG" ]; then
   # Create the dev firmware keyblock for use only in Developer mode.
   make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key
 fi
 
-
 # Create the recovery kernel keyblock for use only in Recovery mode.
 make_keyblock recovery_kernel $RECOVERY_KERNEL_KEYBLOCK_MODE recovery_kernel_data_key recovery_key