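#!/bin/bash

# Copyright 2023 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Key configuration helpers. setup_keycfg() exports a KEYCFG_* path for every
# key, keyblock and certificate under a key directory (optionally overridden
# by `key_config.sh` in that directory), and the get_*() helpers resolve the
# possibly LOEM-specific path of the root key, firmware data key and firmware
# keyblock. A resolved path may be a local file or a PKCS#11 path.

# Declare these arrays up-front so they can be used. key_config.sh may fill
# them with per-LOEM overrides, indexed by the LOEM number.
declare -a KEYCFG_ROOT_KEY_VBPUBK_LOEM KEYCFG_FIRMWARE_VBPRIVK_LOEM \
  KEYCFG_FIRMWARE_KEYBLOCK_LOEM

# Setup the default key configuration by using the local key in `key_dir`.
# Args: KEY_DIR
# Exports: every KEYCFG_* variable listed below.
setup_default_keycfg() {
  local key_dir=$1

  # Root keys with LOEM variants. Avoid using them directly; instead, use
  # get_root_key_vbpubk().
  export KEYCFG_ROOT_KEY_VBPUBK="${key_dir}/root_key.vbpubk"
  # Firmware data keys with LOEM variants. Avoid using them directly; instead, use
  # get_firmware_vbprivk() and get_firmware_keyblock().
  export KEYCFG_FIRMWARE_VBPRIVK="${key_dir}/firmware_data_key.vbprivk"
  export KEYCFG_FIRMWARE_KEYBLOCK="${key_dir}/firmware.keyblock"

  # Kernel subkey
  export KEYCFG_KERNEL_SUBKEY_VBPUBK="${key_dir}/kernel_subkey.vbpubk"
  # Kernel data keys
  export KEYCFG_KERNEL_KEYBLOCK="${key_dir}/kernel.keyblock"
  export KEYCFG_KERNEL_VBPRIVK="${key_dir}/kernel_data_key.vbprivk"
  # Recovery root key
  export KEYCFG_RECOVERY_KEY_VBPUBK="${key_dir}/recovery_key.vbpubk"
  # Recovery kernel data keys
  export KEYCFG_RECOVERY_KERNEL_KEYBLOCK="${key_dir}/recovery_kernel.keyblock"
  export KEYCFG_RECOVERY_KERNEL_V1_KEYBLOCK="${key_dir}/recovery_kernel.v1.keyblock"
  export KEYCFG_RECOVERY_KERNEL_VBPRIVK="${key_dir}/recovery_kernel_data_key.vbprivk"
  # Installer kernel data keys
  export KEYCFG_INSTALLER_KERNEL_KEYBLOCK="${key_dir}/installer_kernel.keyblock"
  export KEYCFG_INSTALLER_KERNEL_V1_KEYBLOCK="${key_dir}/installer_kernel.v1.keyblock"
  export KEYCFG_INSTALLER_KERNEL_VBPRIVK="${key_dir}/installer_kernel_data_key.vbprivk"
  # MiniOS kernel data keys
  export KEYCFG_MINIOS_KERNEL_KEYBLOCK="${key_dir}/minios_kernel.keyblock"
  export KEYCFG_MINIOS_KERNEL_V1_KEYBLOCK="${key_dir}/minios_kernel.v1.keyblock"
  export KEYCFG_MINIOS_KERNEL_VBPRIVK="${key_dir}/minios_kernel_data_key.vbprivk"

  # AP RO verification keys
  export KEYCFG_ARV_ROOT_VBPUBK="${key_dir}/arv_root.vbpubk"
  export KEYCFG_ARV_PLATFORM_KEYBLOCK="${key_dir}/arv_platform.keyblock"
  export KEYCFG_ARV_PLATFORM_VBPRIVK="${key_dir}/arv_platform.vbprivk"
  # UEFI keys and certs
  export KEYCFG_UEFI_PRIVATE_KEY="${key_dir}/uefi/db/db.children/db_child.rsa"
  export KEYCFG_UEFI_SIGN_CERT="${key_dir}/uefi/db/db.children/db_child.pem"
  export KEYCFG_UEFI_VERIFY_CERT="${key_dir}/uefi/db/db.pem"
  export KEYCFG_UEFI_CRDYSHIM_PRIVATE_KEY="${key_dir}/uefi/crdyshim.priv.pem"
  # EC EFS key
  export KEYCFG_KEY_EC_EFS_VBPRIK2="${key_dir}/key_ec_efs.vbprik2"
  # This is for `sign_official_build.sh accessory_rwsig`, which uses arbitrary
  # one of .vbprik2 in KEY_DIR if KEYCFG_ACCESSORY_RWSIG_VBPRIK2 is empty or unset.
  export KEYCFG_ACCESSORY_RWSIG_VBPRIK2=""
  # update payload key
  export KEYCFG_UPDATE_KEY_PEM="${key_dir}/update_key.pem"
}

# Setup the key configuration. This setups the default configuration and source
# the key_config.sh in `key_dir` to overwrite the default value.
# Args: KEY_DIR
# Exports: KEYCFG_KEY_DIR plus everything setup_default_keycfg() exports.
setup_keycfg() {
  local key_dir=$1
  setup_default_keycfg "${key_dir}"
  export KEYCFG_KEY_DIR="${key_dir}"
  # Sourcing runs whatever key_config.sh contains in this shell, with the
  # privileges of the signer: `key_dir` must be a trusted, write-protected
  # location, not a user-supplied path.
  if [[ -f "${key_dir}/key_config.sh" ]]; then
    # Use process substitution to pass in the array to the key_config.sh file.
    BASH_ENV=<(declare -p KEYCFG_ROOT_KEY_VBPUBK_LOEM \
      KEYCFG_FIRMWARE_VBPRIVK_LOEM KEYCFG_FIRMWARE_KEYBLOCK_LOEM) \
      . "${key_dir}/key_config.sh"
  fi
}

# Check if KEYCFG_KEY_DIR is set properly.
# Exits with status 1 (terminating the calling shell, if this file is sourced)
# when KEYCFG_KEY_DIR is unset/empty or is not an existing directory.
check_key_dir() {
  # `:-` keeps the unset case reachable under `set -u`, so the message below is
  # what the user sees rather than an "unbound variable" error.
  if [[ -z "${KEYCFG_KEY_DIR:-}" ]]; then
    echo "KEYCFG_KEY_DIR is unset. Try run setup_keycfg first." >&2
    exit 1
  fi
  if [[ ! -d "${KEYCFG_KEY_DIR}" ]]; then
    echo "The key directory '${KEYCFG_KEY_DIR}' doesn't exist." >&2
    exit 1
  fi
}

# Resolve a key path that has LOEM variants. Shared by the get_*() helpers.
# Args: NON_LOEM_PATH ARRAY_NAME FILE_PREFIX FILE_SUFFIX [LOEM_INDEX]
# Outputs: NON_LOEM_PATH when LOEM_INDEX is empty; otherwise the entry
#   ARRAY_NAME[LOEM_INDEX] if configured, else
#   "${KEYCFG_KEY_DIR}/FILE_PREFIX.loemLOEM_INDEX.FILE_SUFFIX".
# Returns: 1 if LOEM_INDEX is not a non-negative integer.
_keycfg_loem_path() {
  local non_loem_path=$1 array_name=$2 file_prefix=$3 file_suffix=$4
  local loem_index=$5
  check_key_dir
  if [[ -z "${loem_index}" ]]; then
    printf '%s\n' "${non_loem_path}"
    return 0
  fi
  # Bash evaluates indexed-array subscripts arithmetically, and arithmetic
  # evaluation can expand command substitutions. Only accept a plain number so
  # the index never reaches the subscript as an arbitrary expression.
  if [[ ! "${loem_index}" =~ ^[0-9]+$ ]]; then
    echo "Invalid LOEM index '${loem_index}': expected a non-negative integer." >&2
    return 1
  fi
  local element_ref="${array_name}[${loem_index}]"
  local configured="${!element_ref:-}"
  local default="${KEYCFG_KEY_DIR}/${file_prefix}.loem${loem_index}.${file_suffix}"
  # printf rather than echo: a configured value is an arbitrary string (e.g. a
  # PKCS#11 path) and must not be interpreted as echo options.
  printf '%s\n' "${configured:-${default}}"
}

# Get the default or configured path of root key with loem suffix. It could be
# either local or PKCS#11 path. If LOEM_INDEX is not specified, the non-loem
# root key would be returned.
# Args: [LOEM_INDEX]
get_root_key_vbpubk() {
  _keycfg_loem_path "${KEYCFG_ROOT_KEY_VBPUBK}" KEYCFG_ROOT_KEY_VBPUBK_LOEM \
    root_key vbpubk "$1"
}

# Get the default or configured path of firmware data key with loem suffix. It
# could be either local or PKCS#11 path. If LOEM_INDEX is not specified, the
# non-loem data key would be returned.
# Args: [LOEM_INDEX]
get_firmware_vbprivk() {
  _keycfg_loem_path "${KEYCFG_FIRMWARE_VBPRIVK}" KEYCFG_FIRMWARE_VBPRIVK_LOEM \
    firmware_data_key vbprivk "$1"
}

# Get the default or configured path of firmware key block with loem suffix. It
# could be either local or PKCS#11 path. If LOEM_INDEX is not specified, the
# non-loem key block would be returned.
# Args: [LOEM_INDEX]
get_firmware_keyblock() {
  _keycfg_loem_path "${KEYCFG_FIRMWARE_KEYBLOCK}" KEYCFG_FIRMWARE_KEYBLOCK_LOEM \
    firmware keyblock "$1"
}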