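#!/bin/bash
# Copyright 2011 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Generate .vbpubk and .vbprivk pairs for use by developer builds.  These should
# be exactly like the real keys except that the private keys aren't secret.
#
# Permissions note: file and directory modes are only tightened (700 while
# generating, then 400/500) when --output is given.  Without --output the keys
# are written into the current directory with whatever the caller's umask
# allows, so anyone reusing this script for keys that must stay private should
# pass --output (or set a restrictive umask first).

# Load common constants and functions.
# shellcheck source=common.sh
. "$(dirname "$0")/common.sh"

#######################################
# Print the help text and exit.
# Globals:   PROG, ARV_ROOT_DIR (read; both come from common.sh)
# Arguments: optional - the unrecognised option(s) that triggered the call
# Outputs:   help text on stdout
# Returns:   never returns normally: exits 0 when called without arguments,
#            otherwise calls die with "unknown option ..."
#######################################
usage() {
  cat <<EOF
Usage: ${PROG} [options]

Options:
  --android                Also generate android keys
  --uefi                   Also generate UEFI keys
  --8k                     Use 8k keys instead of 4k (enables options below)
  --8k-root                Use 8k key size for the root key
  --8k-recovery            Use 8k key size for the recovery key
  --8k-recovery-kernel     Use 8k key size for the recovery kernel data
  --8k-installer-kernel    Use 8k key size for the installer kernel data
  --key-name <name>        Name of the keyset (for key.versions)
  --output <dir>           Where to write the keys (default is cwd)
  --arv-root-path <dir>    Path to AP RO verificaton root key directory,
                           defaults to ./${ARV_ROOT_DIR}
  --arv-root-uri <uri>     URI to remote AP RO verification root key (stored in
                           GCP, accessed using CloudKMS).
EOF

  if [[ $# -ne 0 ]]; then
    die "unknown option $*"
  else
    exit 0
  fi
}

#######################################
# Parse the command line, then generate the full keyset (key pairs and
# keyblocks) in the output directory.
# Globals:   the *_ALGOID, *_KEYBLOCK_MODE, VERSION_FILE, ARV_ROOT_DIR,
#            ARV_ROOT_NAME_BASE and SCRIPT_DIR values provided by common.sh
#            (read)
# Arguments: the script's command-line options, see usage()
# Outputs:   progress messages on stdout; key files in the output directory
# Returns:   exits non-zero on the first failing step (set -e)
#######################################
main() {
  set -e

  local android_keys="false"
  local uefi_keys="false"
  local root_key_algoid=${ROOT_KEY_ALGOID}
  local recovery_key_algoid=${RECOVERY_KEY_ALGOID}
  local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID}
  # No --4k/--8k option below changes the miniOS algorithm; it always keeps the
  # value taken from MINIOS_KERNEL_ALGOID.
  local minios_kernel_algoid=${MINIOS_KERNEL_ALGOID}
  local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID}
  local keyname
  local output_dir="${PWD}" setperms="false"
  local arv_root_path=""
  local arv_root_uri=""

  # The --4k* options are accepted here although usage() does not list them.
  while [[ $# -gt 0 ]]; do
    case $1 in
    --android)
      echo "Will also generate Android keys."
      android_keys="true"
      ;;

    --uefi)
      echo "Will also generate UEFI keys."
      uefi_keys="true"
      ;;

    --8k)
      root_key_algoid=${RSA8192_SHA512_ALGOID}
      recovery_key_algoid=${RSA8192_SHA512_ALGOID}
      recovery_kernel_algoid=${RSA8192_SHA512_ALGOID}
      installer_kernel_algoid=${RSA8192_SHA512_ALGOID}
      ;;
    --8k-root)
      root_key_algoid=${RSA8192_SHA512_ALGOID}
      ;;
    --8k-recovery)
      recovery_key_algoid=${RSA8192_SHA512_ALGOID}
      ;;
    --8k-recovery-kernel)
      recovery_kernel_algoid=${RSA8192_SHA512_ALGOID}
      ;;
    --8k-installer-kernel)
      installer_kernel_algoid=${RSA8192_SHA512_ALGOID}
      ;;

    --4k)
      root_key_algoid=${RSA4096_SHA512_ALGOID}
      recovery_key_algoid=${RSA4096_SHA512_ALGOID}
      recovery_kernel_algoid=${RSA4096_SHA512_ALGOID}
      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
      ;;
    --4k-root)
      root_key_algoid=${RSA4096_SHA512_ALGOID}
      ;;
    --4k-recovery)
      recovery_key_algoid=${RSA4096_SHA512_ALGOID}
      ;;
    --4k-recovery-kernel)
      recovery_kernel_algoid=${RSA4096_SHA512_ALGOID}
      ;;
    --4k-installer-kernel)
      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
      ;;

    # Options that take a value.  Without the explicit count check a trailing
    # option with no value made a later `shift` fail, and set -e then ended the
    # script with no message at all.
    --arv-root-path)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      arv_root_path="$(readlink -f -- "$2")" ||
        die "cannot resolve --arv-root-path \"$2\""
      shift
      ;;
    --arv-root-uri)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      arv_root_uri="$2"
      shift
      ;;

    --key-name)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      keyname="$2"
      shift
      ;;

    --output)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      output_dir="$2"
      setperms="true"
      # Refuse to reuse a directory so an existing keyset is never mixed with
      # or overwritten by a new one.
      if [[ -d "${output_dir}" ]]; then
        die "output dir (${output_dir}) already exists"
      fi
      shift
      ;;

    -h | --help)
      usage
      ;;
    *)
      usage "$1"
      ;;
    esac
    shift
  done

  mkdir -p -- "${output_dir}"
  cd -- "${output_dir}" || die "cannot enter output dir (${output_dir})"
  if [[ "${setperms}" == "true" ]]; then
    # Lock the directory down before any private key is written into it.
    chmod 700 .
  fi

  if [[ -z "${arv_root_uri}" ]]; then
    if [[ -z "${arv_root_path}" ]]; then
      # If not explicitly set, expect AP RO verification root key directory one
      # level above the output directory where the specific board keys are going
      # to be placed.
      arv_root_path="$(readlink -f "../${ARV_ROOT_DIR}")"
    fi

    if [[ ! -d "${arv_root_path}" ]]; then
      die "AP RO root key directory \"${arv_root_path}\" not found." \
        "Run make_arv_root.sh to create it or specify --arv-root-path."
      # Backstop in case die returns; presumably unreachable.
      exit 1
    fi
  fi
  # NOTE(review): when --arv-root-uri is given without --arv-root-path,
  # arv_root_path is still empty here, so the cp and make_keyblock calls below
  # expand to paths under "/".  Confirm whether both options are meant to be
  # passed together.

  if [[ ! -e "${VERSION_FILE}" ]]; then
    echo "No version file found. Creating default ${VERSION_FILE}."
    (
      if [[ -n "${keyname}" ]]; then
        echo "name=${keyname}"
      fi
      # Brace expansion yields firmware_key, firmware, kernel_key and kernel,
      # each written as "<name>_version=1".
      printf '%s_version=1\n' {firmware,kernel}{_key,}
    ) >"${VERSION_FILE}"
  fi

  local fkey_version ksubkey_version kdatakey_version

  # Get the key versions for normal keypairs
  fkey_version=$(get_version "firmware_key_version")
  # Firmware version is the kernel subkey version.
  ksubkey_version=$(get_version "firmware_version")
  # Kernel data key version is the kernel key version.
  kdatakey_version=$(get_version "kernel_key_version")

  # The algorithm/version/mode arguments below are left unquoted exactly as in
  # the original, so an empty value is dropped instead of being passed as an
  # empty argument.  NOTE(review): confirm how make_pair and make_keyblock
  # default their arguments before quoting these.

  # Create the normal keypairs
  # shellcheck disable=SC2086
  make_pair root_key ${root_key_algoid}
  # shellcheck disable=SC2086
  make_pair firmware_data_key ${FIRMWARE_DATAKEY_ALGOID} ${fkey_version}
  # shellcheck disable=SC2086
  make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${ksubkey_version}
  # shellcheck disable=SC2086
  make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${kdatakey_version}

  # Create the recovery and factory installer keypairs
  # shellcheck disable=SC2086
  make_pair recovery_key ${recovery_key_algoid}
  # shellcheck disable=SC2086
  make_pair recovery_kernel_data_key ${recovery_kernel_algoid}
  # shellcheck disable=SC2086
  make_pair minios_kernel_data_key ${minios_kernel_algoid}
  # shellcheck disable=SC2086
  make_pair installer_kernel_data_key ${installer_kernel_algoid}
  make_pair arv_platform "${ARV_PLATFORM_ALGOID}"

  # Make sure there is a copy of the AP RO
  # verification root public key in the keyset directory.
  cp "${arv_root_path}/${ARV_ROOT_NAME_BASE}.vbpubk" .

  # Create the firmware keyblock for use only in Normal mode. This is redundant,
  # since it's never even checked during Recovery mode.
  # shellcheck disable=SC2086
  make_keyblock firmware ${FIRMWARE_KEYBLOCK_MODE} firmware_data_key root_key

  # Create the recovery kernel keyblock for use only in Recovery mode.
  # shellcheck disable=SC2086
  make_keyblock recovery_kernel ${RECOVERY_KERNEL_KEYBLOCK_MODE} \
    recovery_kernel_data_key recovery_key

  # Create the miniOS kernel keyblock for use only in miniOS mode.
  # shellcheck disable=SC2086
  make_keyblock minios_kernel ${MINIOS_KERNEL_KEYBLOCK_MODE} \
    minios_kernel_data_key recovery_key

  # Create the normal kernel keyblock for use only in Normal mode.
  # shellcheck disable=SC2086
  make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey

  # Create the installer keyblock for use in Developer + Recovery mode
  # For use in Factory Install and Developer Mode install shims.
  # shellcheck disable=SC2086
  make_keyblock installer_kernel ${INSTALLER_KERNEL_KEYBLOCK_MODE} \
    installer_kernel_data_key recovery_key

  # Create AP RO verification platform keyblock.
  make_keyblock arv_platform "${ARV_KEYBLOCK_MODE}" arv_platform \
    "${arv_root_path}/${ARV_ROOT_NAME_BASE}" "${arv_root_uri}"

  # Copy AP RO verification root public key into the output directory, it is
  # necessary for AP RO verification signing.
  cp "${arv_root_path}/arv_root.vbpubk" . || die "Failed to copy"

  if [[ "${android_keys}" == "true" ]]; then
    mkdir android
    "${SCRIPT_DIR}"/create_new_android_keys.sh android
  fi

  if [[ "${uefi_keys}" == "true" ]]; then
    mkdir -p uefi
    "${SCRIPT_DIR}"/uefi/create_new_crdyshim_key.sh uefi
    "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh --output uefi
  fi

  if [[ "${setperms}" == "true" ]]; then
    # Make the finished keyset read-only.  The explicit "." start path keeps
    # this working with find implementations that require one.
    find . -type f -exec chmod 400 {} +
    find . -type d -exec chmod 500 {} +
  fi

  # CAUTION: The public parts of most of these blobs must be compiled into the
  # firmware, which is built separately (and some of which can't be changed after
  # manufacturing). If you update these keys, you must coordinate the changes
  # with the BIOS people or you'll be unable to boot the resulting images.
}
main "$@"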