author | Joel Kitching <kitching@google.com> | 2021-06-16 05:23:19 +0800 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-07-05 02:46:24 +0000 |
commit | 9ea1e75805cfb7523729c5f5d48df0d05ced1b11 (patch) | |
tree | 5ce8f16f296b745a800762c42e76e7889ac34d54 /scripts | |
parent | b95414c73b1b44485a072abdd55e0d8f965deb9d (diff) | |
vboot: introduce minios_kernel.keyblock
miniOS requires a distinct kernel data key, whose dev key pair
is added in this CL as minios_kernel_data_key.vb{pub,priv}k.
A distinct keyblock is also required. The keyblock should set
the kernel keyblock flag MINIOS_1. Other keyblocks are modified
appropriately to set MINIOS_0. Keyblocks were generated using
the following commands:
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/ec_data_key.vbpubk
--signprivate tests/devkeys/ec_root_key.vbprivk
--pack tests/devkeys/ec.keyblock
Keyblock file: tests/devkeys/ec.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: 5833470fe934be76753cb6501dbb8fbf88ab272b
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/firmware_data_key.vbpubk
--signprivate tests/devkeys/root_key.vbprivk
--pack tests/devkeys/firmware.keyblock
Keyblock file: tests/devkeys/firmware.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450
$ futility vbutil_keyblock
--flags 27
--datapubkey tests/devkeys/recovery_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/recovery_kernel.keyblock
Keyblock file: tests/devkeys/recovery_kernel.keyblock
Signature valid
Flags: 27 !DEV DEV REC !MINIOS
Data key algorithm: 11 RSA8192 SHA512
Data key version: 1
Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb
$ futility vbutil_keyblock
--flags 43
--datapubkey tests/devkeys/minios_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/minios_kernel.keyblock
Keyblock file: tests/devkeys/minios_kernel.keyblock
Signature valid
Flags: 43 !DEV DEV REC MINIOS
Data key algorithm: 8 RSA4096 SHA512
Data key version: 1
Data key sha1sum: 65441886bc54cbfe3a7308b650806f4b61d8d142
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/kernel_data_key.vbpubk
--signprivate tests/devkeys/kernel_subkey.vbprivk
--pack tests/devkeys/kernel.keyblock
Keyblock file: tests/devkeys/kernel.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 4 RSA2048 SHA256
Data key version: 1
Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444
$ futility vbutil_keyblock
--flags 26
--datapubkey tests/devkeys/installer_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/installer_kernel.keyblock
Keyblock file: tests/devkeys/installer_kernel.keyblock
Signature valid
Flags: 26 DEV REC !MINIOS
Data key algorithm: 11 RSA8192 SHA512
Data key version: 1
Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb
BUG=b:188121855
TEST=make clean && make runtests
BRANCH=none
Signed-off-by: Joel Kitching <kitching@google.com>
Change-Id: I5b3e4def83ff29ca156b3c84dfcb8398f4985e67
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2965485
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/keygeneration/common.sh | 28 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 5 |
2 files changed, 27 insertions, 6 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 21d5334e..da06f3cf 100644
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -58,18 +58,32 @@ FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 RECOVERY_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
+MINIOS_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
 INSTALLER_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
 KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}
 # Keyblock modes determine which boot modes a signing key is valid for use
 # in verification.
-EC_KEYBLOCK_MODE=7 # Only allow RW EC firmware in non-recovery.
-FIRMWARE_KEYBLOCK_MODE=7 # Only allow RW firmware in non-recovery.
-DEV_FIRMWARE_KEYBLOCK_MODE=6 # Only allow in dev mode.
-RECOVERY_KERNEL_KEYBLOCK_MODE=11 # Only in recovery mode.
-KERNEL_KEYBLOCK_MODE=7 # Only allow in non-recovery.
-INSTALLER_KERNEL_KEYBLOCK_MODE=10 # Only allow in Dev + Recovery.
+# !DEV 0x1 DEV 0x2
+# !REC 0x4 REC 0x8
+# !MINIOS 0x10 MINIOS 0x20
+# Note that firmware keyblock modes are not used. Consider deprecating.
+
+# Only allow RW EC firmware in non-recovery + non-miniOS.
+EC_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))
+# Only allow RW firmware in non-recovery + non-miniOS.
+FIRMWARE_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))
+# Only allow in dev mode + non-recovery + non-miniOS.
+DEV_FIRMWARE_KEYBLOCK_MODE=$((0x2 | 0x4 | 0x10))
+# Only allow in recovery mode + non-miniOS.
+RECOVERY_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x10))
+# Only allow in recovery mode + miniOS.
+MINIOS_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x20))
+# Only allow in non-recovery + non-miniOS.
+KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))
+# Only allow in dev + recovery + non-miniOS.
+INSTALLER_KERNEL_KEYBLOCK_MODE=$((0x2 | 0x8 | 0x10))
 # Emit .vbpubk and .vbprivk using given basename and algorithm
 # NOTE: This function also appears in ../../utility/dev_make_keypair. Making
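Review bot: The seven mode assignments build their masks from bare hex literals, so the only thing separating `MINIOS_KERNEL_KEYBLOCK_MODE` from `RECOVERY_KERNEL_KEYBLOCK_MODE` is `0x20` versus `0x10` in the last operand, which is easy to mistype and hard to spot in review. Naming the bits once and composing the modes from the names would make each line self-checking, for example `readonly KEYBLOCK_FLAG_REC_1=0x8 KEYBLOCK_FLAG_MINIOS_1=0x20` followed by `MINIOS_KERNEL_KEYBLOCK_MODE=$((... | KEYBLOCK_FLAG_REC_1 | KEYBLOCK_FLAG_MINIOS_1))` (names are a suggestion). The added line "Note that firmware keyblock modes are not used. Consider deprecating." would be clearer as a `# TODO(owner):` that names which of the three firmware variables it means. Keyblocks generated with the old values 7, 11 and 10 carry neither miniOS bit; whether a verifier still accepts them is not visible in this hunk, so a comment saying if existing key sets need regenerating would help.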
@@ -125,6 +139,8 @@ make_au_payload_key() {
 # 0x02 Developer switch on
 # 0x04 Not recovery mode
 # 0x08 Recovery mode
+# 0x10 Not miniOS mode
+# 0x20 miniOS mode
 make_keyblock() {
 local base=$1
 local flags=$2
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index 40cccbc5..11aedc1d 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -43,6 +43,7 @@ main() {
 local root_key_algoid=${ROOT_KEY_ALGOID}
 local recovery_key_algoid=${RECOVERY_KEY_ALGOID}
 local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID}
+ local minios_kernel_algoid=${MINIOS_KERNEL_ALGOID}
 local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID}
 local keyname
 local output_dir="${PWD}" setperms="false"
@@ -166,6 +167,7 @@ main() {
 # Create the recovery and factory installer keypairs
 make_pair recovery_key ${recovery_key_algoid}
 make_pair recovery_kernel_data_key ${recovery_kernel_algoid}
+ make_pair minios_kernel_data_key ${minios_kernel_algoid}
 make_pair installer_kernel_data_key ${installer_kernel_algoid}
 # Create the firmware keyblock for use only in Normal mode. This is redundant,
@@ -182,6 +184,9 @@ main() {
 # Create the recovery kernel keyblock for use only in Recovery mode.
 make_keyblock recovery_kernel ${RECOVERY_KERNEL_KEYBLOCK_MODE} recovery_kernel_data_key recovery_key
+ # Create the miniOS kernel keyblock for use only in miniOS mode.
+ make_keyblock minios_kernel ${MINIOS_KERNEL_KEYBLOCK_MODE} minios_kernel_data_key recovery_key
+
 # Create the normal kernel keyblock for use only in Normal mode.
 make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey |
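Review bot: In the last hunk of create_new_keys.sh the new keyblock is signed with `recovery_key`, the same signer used for `recovery_kernel` on the line above, so the only thing distinguishing a miniOS kernel keyblock from a recovery one is the flag value passed as the second argument, and the comment should say so. Suggested wording: `# Create the miniOS kernel keyblock for use only in recovery + miniOS mode. Signed by recovery_key, so separation from recovery_kernel rests on the keyblock flags.` That also brings the comment in line with common.sh, which describes this mode as "recovery mode + miniOS" rather than miniOS alone. The new `make_pair` and `make_keyblock` calls expand `${minios_kernel_algoid}` and `${MINIOS_KERNEL_KEYBLOCK_MODE}` unquoted; this matches the neighbouring lines, but quoting them would be the safer habit. main() starts and ends outside these hunks.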