create_new_keys: add options for generating 4k keys

BUG=chromium:454651
TEST=`./create_new_keys.sh` still generates 8k keys
TEST=`./create_new_keys.sh --4k` now generates 4k keys
BRANCH=None

Change-Id: I2203536880b9320959fd741c4bbcf814aded603c
Reviewed-on: https://chromium-review.googlesource.com/245318
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index aa955dd..641a71b 100644
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -7,36 +7,37 @@
 
 SCRIPT_DIR="$(dirname "$0")"
 
-# 0 = (RSA1024 SHA1)
-# 1 = (RSA1024 SHA256)
-# 2 = (RSA1024 SHA512)
-# 3 = (RSA2048 SHA1)
-# 4 = (RSA2048 SHA256)
-# 5 = (RSA2048 SHA512)
-# 6 = (RSA4096 SHA1)
-# 7 = (RSA4096 SHA256)
-# 8 = (RSA4096 SHA512)
-# 9 = (RSA8192 SHA1)
-# 10 = (RSA8192 SHA256)
-# 11 = (RSA8192 SHA512)
-function alg_to_keylen {
+# Algorithm ID mappings:
+RSA1024_SHA1_ALGOID=0
+RSA1024_SHA256_ALGOID=1
+RSA1024_SHA512_ALGOID=2
+RSA1024_SHA1_ALGOID=3
+RSA1024_SHA256_ALGOID=4
+RSA1024_SHA512_ALGOID=5
+RSA1024_SHA1_ALGOID=6
+RSA1024_SHA256_ALGOID=7
+RSA1024_SHA512_ALGOID=8
+RSA1024_SHA1_ALGOID=9
+RSA1024_SHA256_ALGOID=10
+RSA1024_SHA512_ALGOID=11
+alg_to_keylen() {
   echo $(( 1 << (10 + ($1 / 3)) ))
 }
 
 # Default algorithms.
-EC_ROOT_KEY_ALGOID=7
-EC_DATAKEY_ALGOID=7
+EC_ROOT_KEY_ALGOID=${RSA4096_SHA256_ALGOID}
+EC_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 
-ROOT_KEY_ALGOID=11
-RECOVERY_KEY_ALGOID=11
+ROOT_KEY_ALGOID=${RSA8192_SHA512_ALGOID}
+RECOVERY_KEY_ALGOID=${RSA8192_SHA512_ALGOID}
 
-FIRMWARE_DATAKEY_ALGOID=7
-DEV_FIRMWARE_DATAKEY_ALGOID=7
+FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
+DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 
-RECOVERY_KERNEL_ALGOID=11
-INSTALLER_KERNEL_ALGOID=11
-KERNEL_SUBKEY_ALGOID=7
-KERNEL_DATAKEY_ALGOID=4
+RECOVERY_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID}
+INSTALLER_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID}
+KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID}
+KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}
 
 # Keyblock modes determine which boot modes a signing key is valid for use
 # in verification.
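Review bot: Every constant in the new mapping is named `RSA1024_*`, so the lines for ids 3 to 11 only reassign the three RSA1024 variables, and `RSA2048_SHA256_ALGOID`, `RSA4096_SHA256_ALGOID` and `RSA8192_SHA512_ALGOID` are never defined. Every default assignment below therefore expands to an empty string, and `RSA1024_SHA512_ALGOID` ends up as 11 instead of 2. The same gap leaves `RSA4096_SHA512_ALGOID` undefined, which the `--4k` arms in create_new_keys.sh read. The names should follow the removed comment table (ids 3-5 RSA2048, 6-8 RSA4096, 9-11 RSA8192), as in the block below.

```shell
RSA1024_SHA512_ALGOID=2
RSA2048_SHA1_ALGOID=3
RSA2048_SHA256_ALGOID=4
RSA2048_SHA512_ALGOID=5
RSA4096_SHA1_ALGOID=6
RSA4096_SHA256_ALGOID=7
RSA4096_SHA512_ALGOID=8
RSA8192_SHA1_ALGOID=9
RSA8192_SHA256_ALGOID=10
RSA8192_SHA512_ALGOID=11
# … unchanged: alg_to_keylen and the default *_ALGOID assignments …
```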
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index 68b79e1..02df34a 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -14,7 +14,12 @@
 Usage: $0 [--devkeyblock]
 
 Options:
-  --devkeyblock   Also generate developer firmware keyblock and data key
+  --devkeyblock          Also generate developer firmware keyblock and data key
+  --4k                   Use 4k keys instead of 8k (enables options below)
+  --4k-root              Use 4k key size for the root key
+  --4k-recovery          Use 4k key size for the recovery key
+  --4k-recovery-kernel   Use 4k key size for the recovery kernel data
+  --4k-installer-kernel  Use 4k key size for the installer kernel data
 EOF
 
   if [[ $# -ne 0 ]]; then
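Review bot: The synopsis line `Usage: $0 [--devkeyblock]` was left unchanged, so it no longer matches the option list printed under it. A generic form such as `Usage: $0 [options]` keeps the two in step as flags are added. The `--4k` help text could also say that the hash stays SHA512, since the option parser selects `RSA4096_SHA512_ALGOID`. The here-document holding this text starts outside the hunk.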
@@ -30,12 +35,37 @@
 
   # Flag to indicate whether we should be generating a developer keyblock flag.
   local dev_keyblock="false"
+  local root_key_algoid=${ROOT_KEY_ALGOID}
+  local recovery_key_algoid=${RECOVERY_KEY_ALGOID}
+  local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID}
+  local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID}
+
   while [[ $# -gt 0 ]]; do
     case $1 in
     --devkeyblock)
       echo "Will also generate developer firmware keyblock and data key."
       dev_keyblock="true"
       ;;
+
+    --4k)
+      root_key_algoid=${RSA4096_SHA512_ALGOID}
+      recovery_key_algoid=${RSA4096_SHA512_ALGOID}
+      recovery_kernel_algoid=${RSA4096_SHA512_ALGOID}
+      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+    --4k-root)
+      root_key_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+    --4k-recovery)
+      recovery_key_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+    --4k-recovery-kernel)
+      recovery_kernel_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+    --4k-installer-kernel)
+      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+
     -h|--help)
       usage
       ;;
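Review bot: The five `--4k*` arms change the key size silently, while the `--devkeyblock` arm above them echoes what it will do. These flags reduce the root and recovery keys from 8k to 4k, so a line in each arm such as `echo "Will use a 4k key for the root key."` gives the operator a record of the choice in the key-generation output. The `while`/`case` statement continues past the end of the hunk.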
@@ -64,7 +94,7 @@
   # Create the normal keypairs
   make_pair ec_root_key              ${EC_ROOT_KEY_ALGOID}
   make_pair ec_data_key              ${EC_DATAKEY_ALGOID} ${eckey_version}
-  make_pair root_key                 ${ROOT_KEY_ALGOID}
+  make_pair root_key                 ${root_key_algoid}
   make_pair firmware_data_key        ${FIRMWARE_DATAKEY_ALGOID} ${fkey_version}
   if [[ "${dev_keyblock}" == "true" ]]; then
     make_pair dev_firmware_data_key    ${DEV_FIRMWARE_DATAKEY_ALGOID} ${fkey_version}
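Review bot: `${root_key_algoid}` is expanded unquoted, as are the algorithm ids on the neighbouring `make_pair` lines, so an empty id disappears from the argument list instead of reaching `make_pair` as an empty argument. On the calls that also pass a version (`ec_data_key`, `firmware_data_key`), the version would then presumably land in the algorithm position, assuming `make_pair` reads its arguments positionally (its body is not in this diff). Quoting the argument, `make_pair root_key "${root_key_algoid}"`, keeps an unset id visible. The three calls changed in the next hunk would benefit from the same quoting.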
@@ -73,9 +103,9 @@
   make_pair kernel_data_key          ${KERNEL_DATAKEY_ALGOID} ${kdatakey_version}
 
   # Create the recovery and factory installer keypairs
-  make_pair recovery_key             ${RECOVERY_KEY_ALGOID}
-  make_pair recovery_kernel_data_key ${RECOVERY_KERNEL_ALGOID}
-  make_pair installer_kernel_data_key ${INSTALLER_KERNEL_ALGOID}
+  make_pair recovery_key             ${recovery_key_algoid}
+  make_pair recovery_kernel_data_key ${recovery_kernel_algoid}
+  make_pair installer_kernel_data_key ${installer_kernel_algoid}
 
   # Create the firmware keyblock for use only in Normal mode. This is redundant,
   # since it's never even checked during Recovery mode.