1#!/bin/bash
2# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
3# Use of this source code is governed by a BSD-style license that can be
4# found in the LICENSE file.
5#
6# Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
7# be exactly like the real keys except that the private keys aren't secret.
8
9# Load common constants and functions.
10. "$(dirname "$0")/common.sh"
11
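#######################################
# Print the command-line help and exit.
# Arguments: none for plain help; otherwise the unrecognised option(s),
#            which are echoed back in an error line.
# Outputs:   help text on stdout; "ERROR: unknown option ..." on stderr
#            when any argument was passed.
# Returns:   never returns to the caller; exits 0 for plain help and 1
#            after reporting an unknown option.
#######################################
usage() {
  # The synopsis and option list mirror every flag accepted by main's
  # option parser, including -h/--help.
  cat <<EOF
Usage: $0 [options]

Options:
  -h, --help             Show this help and exit
  --devkeyblock          Also generate developer firmware keyblock and data key
  --4k                   Use 4k keys instead of 8k (enables options below)
  --4k-root              Use 4k key size for the root key
  --4k-recovery          Use 4k key size for the recovery key
  --4k-recovery-kernel   Use 4k key size for the recovery kernel data
  --4k-installer-kernel  Use 4k key size for the installer kernel data
EOF

  # Any argument means the caller hit an option it did not recognise.
  if [[ $# -ne 0 ]]; then
    echo "ERROR: unknown option $*" >&2
    exit 1
  fi
  exit 0
}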
32
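#######################################
# Generate the developer key pairs and keyblocks.
#
# Per this script's header, the private halves produced here are not secret;
# everything written by this function is developer-build material only.
# NOTE(review): no umask or permission tightening is done here, which is
# consistent with non-secret keys — confirm before reusing this flow for
# keys that must stay private.
#
# Globals (read; presumably defined by the sourced common.sh):
#   VERSION_FILE, the *_ALGOID constants, the *_KEYBLOCK_MODE constants.
# Helpers called (not defined in this file; presumably from common.sh):
#   get_version, make_pair, make_keyblock.
# Arguments: the script's command-line options (see usage).
# Outputs:   progress messages on stdout; creates VERSION_FILE when absent.
# Returns:   runs under `set -e`, so the first failing command aborts.
#######################################
main() {
  set -e

  # Flag to indicate whether we should be generating a developer keyblock flag.
  local dev_keyblock="false"
  # Per-key algorithm ids start at the common defaults; the --4k* options
  # below override them individually.
  local root_key_algoid=${ROOT_KEY_ALGOID}
  local recovery_key_algoid=${RECOVERY_KEY_ALGOID}
  local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID}
  local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID}

  while [[ $# -gt 0 ]]; do
    case "$1" in
    --devkeyblock)
      echo "Will also generate developer firmware keyblock and data key."
      dev_keyblock="true"
      ;;

    --4k)
      # Shorthand for all four --4k-* options.
      root_key_algoid=${RSA4096_SHA512_ALGOID}
      recovery_key_algoid=${RSA4096_SHA512_ALGOID}
      recovery_kernel_algoid=${RSA4096_SHA512_ALGOID}
      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
      ;;
    --4k-root)
      root_key_algoid=${RSA4096_SHA512_ALGOID}
      ;;
    --4k-recovery)
      recovery_key_algoid=${RSA4096_SHA512_ALGOID}
      ;;
    --4k-recovery-kernel)
      recovery_kernel_algoid=${RSA4096_SHA512_ALGOID}
      ;;
    --4k-installer-kernel)
      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
      ;;

    -h|--help)
      # usage exits, so nothing after this point runs.
      usage
      ;;
    *)
      # Unknown option: usage reports it on stderr and exits 1 before any
      # key material is generated.
      usage "$1"
      ;;
    esac
    shift
  done

  if [[ ! -e "${VERSION_FILE}" ]]; then
    echo "No version file found. Creating default ${VERSION_FILE}."
    # Brace expansion yields firmware_key, firmware, kernel_key and kernel,
    # each written as "<name>_version=1".
    # NOTE(review): no ec_key_version entry is written here, yet it is read
    # below — confirm get_version/make_pair handle the missing entry as
    # intended.
    printf '%s_version=1\n' {firmware,kernel}{_key,} > "${VERSION_FILE}"
  fi

  # Declared separately from the assignments so a failing get_version is not
  # masked by `local` and still trips `set -e`.
  local eckey_version fkey_version ksubkey_version kdatakey_version

  # Get the key versions for normal keypairs
  eckey_version=$(get_version "ec_key_version")
  fkey_version=$(get_version "firmware_key_version")
  # Firmware version is the kernel subkey version.
  ksubkey_version=$(get_version "firmware_version")
  # Kernel data key version is the kernel key version.
  kdatakey_version=$(get_version "kernel_key_version")

  # Create the normal keypairs.
  # Algorithm ids are quoted so they always reach make_pair as one word.
  # A version is passed only when non-empty (${var:+"..."}): an empty lookup
  # omits the argument instead of handing make_pair an empty string.
  make_pair ec_root_key "${EC_ROOT_KEY_ALGOID}"
  make_pair ec_data_key "${EC_DATAKEY_ALGOID}" \
    ${eckey_version:+"${eckey_version}"}
  make_pair root_key "${root_key_algoid}"
  make_pair firmware_data_key "${FIRMWARE_DATAKEY_ALGOID}" \
    ${fkey_version:+"${fkey_version}"}
  if [[ "${dev_keyblock}" == "true" ]]; then
    make_pair dev_firmware_data_key "${DEV_FIRMWARE_DATAKEY_ALGOID}" \
      ${fkey_version:+"${fkey_version}"}
  fi
  make_pair kernel_subkey "${KERNEL_SUBKEY_ALGOID}" \
    ${ksubkey_version:+"${ksubkey_version}"}
  make_pair kernel_data_key "${KERNEL_DATAKEY_ALGOID}" \
    ${kdatakey_version:+"${kdatakey_version}"}

  # Create the recovery and factory installer keypairs
  make_pair recovery_key "${recovery_key_algoid}"
  make_pair recovery_kernel_data_key "${recovery_kernel_algoid}"
  make_pair installer_kernel_data_key "${installer_kernel_algoid}"

  # Create the firmware keyblock for use only in Normal mode. This is redundant,
  # since it's never even checked during Recovery mode.
  make_keyblock firmware "${FIRMWARE_KEYBLOCK_MODE}" firmware_data_key root_key
  # Ditto EC keyblock
  make_keyblock ec "${EC_KEYBLOCK_MODE}" ec_data_key ec_root_key

  if [[ "${dev_keyblock}" == "true" ]]; then
    # Create the dev firmware keyblock for use only in Developer mode.
    make_keyblock dev_firmware "${DEV_FIRMWARE_KEYBLOCK_MODE}" \
      dev_firmware_data_key root_key
  fi

  # Create the recovery kernel keyblock for use only in Recovery mode.
  make_keyblock recovery_kernel "${RECOVERY_KERNEL_KEYBLOCK_MODE}" \
    recovery_kernel_data_key recovery_key

  # Create the normal kernel keyblock for use only in Normal mode.
  make_keyblock kernel "${KERNEL_KEYBLOCK_MODE}" kernel_data_key kernel_subkey

  # Create the installer keyblock for use in Developer + Recovery mode
  # For use in Factory Install and Developer Mode install shims.
  make_keyblock installer_kernel "${INSTALLER_KERNEL_KEYBLOCK_MODE}" \
    installer_kernel_data_key recovery_key

  # CAUTION: The public parts of most of these blobs must be compiled into the
  # firmware, which is built separately (and some of which can't be changed after
  # manufacturing). If you update these keys, you must coordinate the changes
  # with the BIOS people or you'll be unable to boot the resulting images.
}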
136main "$@"
137