Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / vboot_reference / 41f444a11b267285a41a22a996a86a249c99549c^! / . / scripts / keygeneration / common.sh
commit41f444a11b267285a41a22a996a86a249c99549c[log] [tgz]
authorGaurav Shah <gauravsh@chromium.org>Tue Apr 12 17:05:37 2011 -0700
committerGaurav Shah <gauravsh@chromium.org>Tue Apr 12 17:05:37 2011 -0700
tree752b20102bd0d81aa4e18a0afadbcc28faba93fc
parent44a127675b311aaa46ebb171e95701b29aba74de [diff] [blame]
Add a script to increment kernel subkey and data key.

When we do perform firmware updates, we'd like to change the kernel subkey to ensure that new firmware and Chrome OS image stay in sync. This CL adds a scripts which makes it possible to do this revving in an automated manner.

The current versions rollback versions corresponding to the keyset are stored in key.versions. If we change the kernel subkey (to enforce firmware/Chrome OS lockstep), we must also update the firmware version. Similarly, since we modify the kernel subkey, we also generate a new set of kernel data keys. Thus, we also increment the kernel key version.

Change-Id: I364ab50bda115991dd4f69331d37291f66abbf36

BUG=chrome-os-partner:3274, chromium-os:8016
TEST=Manually tested using a newly generated keyset.

Review URL: http://codereview.chromium.org/6824059

diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 0e1a6df..1d08fdb 100755
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh

@@ -23,6 +23,27 @@
   echo $(( 1 << (10 + ($1 / 3)) ))
 }
 
+# Default alrogithms.
+ROOT_KEY_ALGOID=11
+RECOVERY_KEY_ALGOID=11
+
+FIRMWARE_DATAKEY_ALGOID=7
+DEV_FIRMWARE_DATAKEY_ALGOID=7
+
+RECOVERY_KERNEL_ALGOID=11
+INSTALLER_KERNEL_ALGOID=11
+KERNEL_SUBKEY_ALGOID=7
+KERNEL_DATAKEY_ALGOID=4
+
+# Keyblock modes determine which boot modes a signing key is valid for use
+# in verification.
+FIRMWARE_KEYBLOCK_MODE=7
+DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
+RECOVERY_KERNEL_KEYBLOCK_MODE=11
+KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
+INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
+
+
 # Emit .vbpubk and .vbprivk using given basename and algorithm
 # NOTE: This function also appears in ../../utility/dev_make_keypair. Making
 # the two implementations the same would require some common.sh, which is more
@@ -32,9 +53,10 @@
 function make_pair {
   local base=$1
   local alg=$2
+  local key_version=${3:-1}
   local len=$(alg_to_keylen $alg)
 
-  echo "creating $base keypair..."
+  echo "creating $base keypair (version = $key_version)..."
 
   # make the RSA keypair
   openssl genrsa -F4 -out "${base}_${len}.pem" $len
@@ -48,7 +70,7 @@
   vbutil_key \
     --pack "${base}.vbpubk" \
     --key "${base}_${len}.keyb" \
-    --version 1 \
+    --version  "${key_version}" \
     --algorithm $alg
 
   # wrap the private key