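#!/bin/bash
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#

# Abort on the first failing command. Set here rather than in the shebang so
# that it also applies when the script is run as 'bash <script>'.
set -e

# Check args first.
if [ "$#" -lt "1" ]; then
  cat <<EOF 1>&2

Usage: ${0##*/} BASENAME [ALG]

This creates BASENAME.vbpubk and BASENAME.vbprivk pairs for use in signing
developer files. This also creates a BASENAME.keyblock file containing the
BASENAME.vbpubk, which can be used to sign a developer kernel.

If specified, ALG is one of:

0 = RSA1024 with SHA1
1 = RSA1024 with SHA256
2 = RSA1024 with SHA512
3 = RSA2048 with SHA1
4 = RSA2048 with SHA256
5 = RSA2048 with SHA512
6 = RSA4096 with SHA1
7 = RSA4096 with SHA256
8 = RSA4096 with SHA512
9 = RSA8192 with SHA1
10 = RSA8192 with SHA256
11 = RSA8192 with SHA512

If ALG is not specified, a default value will be used.

EOF
  exit 1
fi

# If ALG was given, it has to be one of the integers listed in the usage text:
# it is fed unchanged into shell arithmetic and into futility, so reject
# anything else up front. An empty ALG keeps falling back to the default.
if [[ -n "${2:-}" && ! "$2" =~ ^([0-9]|1[01])$ ]]; then
  echo "${0##*/}: ALG must be an integer from 0 to 11, not '$2'" 1>&2
  exit 1
fi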
| 37 | |
| 38 | |
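# Compute the RSA key length in bits for an algorithm number from the usage
# table above. Algorithms come in groups of three (one per hash), so ALG/3
# picks the RSA size: 0-2 -> 1024, 3-5 -> 2048, 6-8 -> 4096, 9-11 -> 8192.
#   $1 - ALG, an integer in 0..11
# Outputs the key length on stdout. Returns 1 with a message on stderr when ALG
# is not an integer in that range: $(( )) would otherwise evaluate whatever
# text was passed, and an out-of-range value would shift to a nonsense size.
function alg_to_keylen {
  local alg=$1
  if [[ ! "$alg" =~ ^[0-9]+$ ]] || (( 10#$alg > 11 )); then
    echo "alg_to_keylen: invalid algorithm '$alg' (expected 0..11)" 1>&2
    return 1
  fi
  # 10# forces decimal so a leading zero is not read as octal.
  echo $(( 1 << (10 + (10#$alg / 3)) ))
}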
| 43 | |
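# Emit .vbpubk and .vbprivk using given basename and algorithm.
#   $1 - BASENAME: prefix of the output files
#   $2 - ALG: vboot algorithm number, as listed in the usage text
# Writes BASENAME_<bits>.pem/.crt/.keyb to the current directory as
# intermediates and removes them again. The .pem is the unwrapped RSA private
# key, so it is removed on the failure path as well, not only on success.
# Returns the status of the first failing step, or 0.
function make_pair {
  local base=$1
  local alg=$2
  local len
  # Keep the declaration apart from the assignment so that a failing
  # alg_to_keylen is not masked by the exit status of 'local'.
  len=$(alg_to_keylen "$alg") || return 1

  local pem="${base}_${len}.pem"
  local crt="${base}_${len}.crt"
  local keyb="${base}_${len}.keyb"

  # The steps form one && chain inside an || list: the first failure stops the
  # chain without tripping errexit, so the cleanup below always runs.
  local rv=0
  {
    # make the RSA keypair
    openssl genrsa -F4 -out "$pem" "$len" &&
    # create a self-signed certificate
    openssl req -batch -new -x509 -key "$pem" -out "$crt" &&
    # generate pre-processed RSA public key
    dumpRSAPublicKey -cert "$crt" > "$keyb" &&
    # wrap the public key
    futility vbutil_key \
      --pack "${base}.vbpubk" \
      --key "$keyb" \
      --version 1 \
      --algorithm "$alg" &&
    # wrap the private key
    futility vbutil_key \
      --pack "${base}.vbprivk" \
      --key "$pem" \
      --algorithm "$alg"
  } || rv=$?

  # remove intermediate files, on success and on failure alike
  rm -f -- "$pem" "$crt" "$keyb"
  return "$rv"
}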
| 74 | |
# First create the .vbpubk and .vbprivk pair.
base=$1
# ALG defaults to 4 (RSA2048 with SHA256, see the usage table) when not given.
alg=${2:-4}
make_pair "$base" "$alg"

# Now create a .keyblock to hold our .vbpubk. Since it's for developer use, it
# won't be signed, just checksummed. Developer kernels can only be run in
# non-recovery mode with the developer switch enabled, but it won't hurt us to
# turn on all the flags bits anyway.
futility vbutil_keyblock \
  --pack "${base}.keyblock" \
  --datapubkey "${base}.vbpubk" \
  --flags 15