diff options
| author | Vadim Bendebury <vbendeb@google.com> | 2021-11-22 21:24:56 -0800 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2021-12-03 05:16:14 +0000 |
| commit | 3efb6a6cd8e8679b6f95c1088fa5c20cbb327478 (patch) | |
| tree | 905cf1bc56b4da92bc4645752cafcfd73ab91af3 /scripts | |
| parent | dd180f6d8545eace4ccc4569c32dbf7bff0354f5 (diff) | |
| download | vboot-3efb6a6cd8e8679b6f95c1088fa5c20cbb327478.tar.gz | |
gscvd: add dedicated test keys
This patch extends create_new_keys.sh to generate two additional key
pairs to use for AP RO verification signing. Both new pairs are
RSA4096/SHA256.
The script was ran to generate a new set of keys and the produced AP
RO verification key pairs were copied into tests/devkeys.
BRANCH=none
BUG=b:141191727
TEST=re-signed guybrush AP firmware image following the process
described in cmd_gscvd.c comments, created a Cr50 image
incorporating the new root public key hash, updated the DUT AP
and Cr50 firmware and observed successful AP RO validation.
Change-Id: I03cba1446fc5ffdfef662c5ce1ea3e61950477d4
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3297447
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'scripts')
| -rw-r--r-- | scripts/keygeneration/common.sh | 4 | ||||
| -rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 2 |
2 files changed, 6 insertions, 0 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh index da06f3cf..af6cd717 100644 --- a/scripts/keygeneration/common.sh +++ b/scripts/keygeneration/common.sh @@ -63,6 +63,10 @@ INSTALLER_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID} KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID} KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID} +# AP RO Verification. +ARV_ROOT_ALGOID=${RSA4096_SHA256_ALGOID} +ARV_PLATFORM_ALGOID=${RSA4096_SHA256_ALGOID} + # Keyblock modes determine which boot modes a signing key is valid for use # in verification. # !DEV 0x1 DEV 0x2 diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index 11aedc1d..2e1fd22c 100755 --- a/scripts/keygeneration/create_new_keys.sh +++ b/scripts/keygeneration/create_new_keys.sh @@ -169,6 +169,8 @@ main() { make_pair recovery_kernel_data_key ${recovery_kernel_algoid} make_pair minios_kernel_data_key ${minios_kernel_algoid} make_pair installer_kernel_data_key ${installer_kernel_algoid} + make_pair arv_root ${ARV_ROOT_ALGOID} + make_pair arv_platform ${ARV_PLATFORM_ALGOID} # Create the firmware keyblock for use only in Normal mode. This is redundant, # since it's never even checked during Recovery mode. |