vboot: introduce minios_kernel.keyblock

miniOS requires a distinct kernel data key, whose dev key pair is added in this CL as minios_kernel_data_key.vb{pub,priv}k. A distinct keyblock is also required. The keyblock should set the kernel keyblock flag MINIOS_1. Other keyblocks are modified appropriately to set MINIOS_0. Keyblocks were generated using the following commands: $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/ec_data_key.vbpubk --signprivate tests/devkeys/ec_root_key.vbprivk --pack tests/devkeys/ec.keyblock Keyblock file: tests/devkeys/ec.keyblock Signature valid Flags: 23 !DEV DEV !REC !MINIOS Data key algorithm: 7 RSA4096 SHA256 Data key version: 1 Data key sha1sum: 5833470fe934be76753cb6501dbb8fbf88ab272b $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/firmware_data_key.vbpubk --signprivate tests/devkeys/root_key.vbprivk --pack tests/devkeys/firmware.keyblock Keyblock file: tests/devkeys/firmware.keyblock Signature valid Flags: 23 !DEV DEV !REC !MINIOS Data key algorithm: 7 RSA4096 SHA256 Data key version: 1 Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450 $ futility vbutil_keyblock --flags 27 --datapubkey tests/devkeys/recovery_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/recovery_kernel.keyblock Keyblock file: tests/devkeys/recovery_kernel.keyblock Signature valid Flags: 27 !DEV DEV REC !MINIOS Data key algorithm: 11 RSA8192 SHA512 Data key version: 1 Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb $ futility vbutil_keyblock --flags 43 --datapubkey tests/devkeys/minios_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/minios_kernel.keyblock Keyblock file: tests/devkeys/minios_kernel.keyblock Signature valid Flags: 43 !DEV DEV REC MINIOS Data key algorithm: 8 RSA4096 SHA512 Data key version: 1 Data key sha1sum: 65441886bc54cbfe3a7308b650806f4b61d8d142 $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/kernel_data_key.vbpubk --signprivate tests/devkeys/kernel_subkey.vbprivk --pack tests/devkeys/kernel.keyblock Keyblock file: tests/devkeys/kernel.keyblock Signature valid Flags: 23 !DEV DEV !REC !MINIOS Data key algorithm: 4 RSA2048 SHA256 Data key version: 1 Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444 $ futility vbutil_keyblock --flags 26 --datapubkey tests/devkeys/installer_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/installer_kernel.keyblock Keyblock file: tests/devkeys/installer_kernel.keyblock Signature valid Flags: 26 DEV REC !MINIOS Data key algorithm: 11 RSA8192 SHA512 Data key version: 1 Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb BUG=b:188121855 TEST=make clean && make runtests BRANCH=none Signed-off-by: Joel Kitching <kitching@google.com> Change-Id: I5b3e4def83ff29ca156b3c84dfcb8398f4985e67 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2965485 Tested-by: Joel Kitching <kitching@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Commit-Queue: Joel Kitching <kitching@chromium.org>
author: Joel Kitching <kitching@google.com> 2021-06-16 05:23:19 +0800
committer: Commit Bot <commit-bot@chromium.org> 2021-07-05 02:46:24 +0000
commit: 9ea1e75805cfb7523729c5f5d48df0d05ced1b11 (patch)
tree: 5ce8f16f296b745a800762c42e76e7889ac34d54 /scripts
parent: b95414c73b1b44485a072abdd55e0d8f965deb9d (diff)
download: vboot-9ea1e75805cfb7523729c5f5d48df0d05ced1b11.tar.gz
2 files changed, 27 insertions, 6 deletions
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 21d5334e..da06f3cf 100644
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -58,18 +58,32 @@ FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 
 RECOVERY_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
+MINIOS_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
 INSTALLER_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
 KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID}
 KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}
 
 # Keyblock modes determine which boot modes a signing key is valid for use
 # in verification.
-EC_KEYBLOCK_MODE=7  # Only allow RW EC firmware in non-recovery.
-FIRMWARE_KEYBLOCK_MODE=7  # Only allow RW firmware in non-recovery.
-DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
-RECOVERY_KERNEL_KEYBLOCK_MODE=11 # Only in recovery mode.
-KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
-INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
+#    !DEV 0x1      DEV 0x2
+#    !REC 0x4      REC 0x8
+# !MINIOS 0x10  MINIOS 0x20
+# Note that firmware keyblock modes are not used.  Consider deprecating.
+
+# Only allow RW EC firmware in non-recovery + non-miniOS.
+EC_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))
+# Only allow RW firmware in non-recovery + non-miniOS.
+FIRMWARE_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))
+# Only allow in dev mode + non-recovery + non-miniOS.
+DEV_FIRMWARE_KEYBLOCK_MODE=$((0x2 | 0x4 | 0x10))
+# Only allow in recovery mode + non-miniOS.
+RECOVERY_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x10))
+# Only allow in recovery mode + miniOS.
+MINIOS_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x20))
+# Only allow in non-recovery + non-miniOS.
+KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))
+# Only allow in dev + recovery + non-miniOS.
+INSTALLER_KERNEL_KEYBLOCK_MODE=$((0x2 | 0x8 | 0x10))
 
 # Emit .vbpubk and .vbprivk using given basename and algorithm
 # NOTE: This function also appears in ../../utility/dev_make_keypair. Making
@@ -125,6 +139,8 @@ make_au_payload_key() {
 #   0x02  Developer switch on
 #   0x04  Not recovery mode
 #   0x08  Recovery mode
+#   0x10  Not miniOS mode
+#   0x20  miniOS mode
 make_keyblock() {
   local base=$1
   local flags=$2
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index 40cccbc5..11aedc1d 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -43,6 +43,7 @@ main() {
   local root_key_algoid=${ROOT_KEY_ALGOID}
   local recovery_key_algoid=${RECOVERY_KEY_ALGOID}
   local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID}
+  local minios_kernel_algoid=${MINIOS_KERNEL_ALGOID}
   local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID}
   local keyname
   local output_dir="${PWD}" setperms="false"
@@ -166,6 +167,7 @@ main() {
   # Create the recovery and factory installer keypairs
   make_pair recovery_key             ${recovery_key_algoid}
   make_pair recovery_kernel_data_key ${recovery_kernel_algoid}
+  make_pair minios_kernel_data_key   ${minios_kernel_algoid}
   make_pair installer_kernel_data_key ${installer_kernel_algoid}
 
   # Create the firmware keyblock for use only in Normal mode. This is redundant,
@@ -182,6 +184,9 @@ main() {
   # Create the recovery kernel keyblock for use only in Recovery mode.
   make_keyblock recovery_kernel ${RECOVERY_KERNEL_KEYBLOCK_MODE} recovery_kernel_data_key recovery_key
 
+  # Create the miniOS kernel keyblock for use only in miniOS mode.
+  make_keyblock minios_kernel ${MINIOS_KERNEL_KEYBLOCK_MODE} minios_kernel_data_key recovery_key
+
   # Create the normal kernel keyblock for use only in Normal mode.
   make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey
author	Joel Kitching <kitching@google.com>	2021-06-16 05:23:19 +0800
committer	Commit Bot <commit-bot@chromium.org>	2021-07-05 02:46:24 +0000
commit	9ea1e75805cfb7523729c5f5d48df0d05ced1b11 (patch)
tree	5ce8f16f296b745a800762c42e76e7889ac34d54 /scripts
parent	b95414c73b1b44485a072abdd55e0d8f965deb9d (diff)
download	vboot-9ea1e75805cfb7523729c5f5d48df0d05ced1b11.tar.gz