vboot: introduce minios_kernel.keyblock

miniOS requires a distinct kernel data key, whose dev key pair is added in this CL as minios_kernel_data_key.vb{pub,priv}k. A distinct keyblock is also required. The keyblock should set the kernel keyblock flag MINIOS_1. Other keyblocks are modified appropriately to set MINIOS_0. Keyblocks were generated using the following commands: $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/ec_data_key.vbpubk --signprivate tests/devkeys/ec_root_key.vbprivk --pack tests/devkeys/ec.keyblock Keyblock file: tests/devkeys/ec.keyblock Signature valid Flags: 23 !DEV DEV !REC !MINIOS Data key algorithm: 7 RSA4096 SHA256 Data key version: 1 Data key sha1sum: 5833470fe934be76753cb6501dbb8fbf88ab272b $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/firmware_data_key.vbpubk --signprivate tests/devkeys/root_key.vbprivk --pack tests/devkeys/firmware.keyblock Keyblock file: tests/devkeys/firmware.keyblock Signature valid Flags: 23 !DEV DEV !REC !MINIOS Data key algorithm: 7 RSA4096 SHA256 Data key version: 1 Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450 $ futility vbutil_keyblock --flags 27 --datapubkey tests/devkeys/recovery_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/recovery_kernel.keyblock Keyblock file: tests/devkeys/recovery_kernel.keyblock Signature valid Flags: 27 !DEV DEV REC !MINIOS Data key algorithm: 11 RSA8192 SHA512 Data key version: 1 Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb $ futility vbutil_keyblock --flags 43 --datapubkey tests/devkeys/minios_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/minios_kernel.keyblock Keyblock file: tests/devkeys/minios_kernel.keyblock Signature valid Flags: 43 !DEV DEV REC MINIOS Data key algorithm: 8 RSA4096 SHA512 Data key version: 1 Data key sha1sum: 65441886bc54cbfe3a7308b650806f4b61d8d142 $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/kernel_data_key.vbpubk --signprivate tests/devkeys/kernel_subkey.vbprivk --pack tests/devkeys/kernel.keyblock Keyblock file: tests/devkeys/kernel.keyblock Signature valid Flags: 23 !DEV DEV !REC !MINIOS Data key algorithm: 4 RSA2048 SHA256 Data key version: 1 Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444 $ futility vbutil_keyblock --flags 26 --datapubkey tests/devkeys/installer_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/installer_kernel.keyblock Keyblock file: tests/devkeys/installer_kernel.keyblock Signature valid Flags: 26 DEV REC !MINIOS Data key algorithm: 11 RSA8192 SHA512 Data key version: 1 Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb BUG=b:188121855 TEST=make clean && make runtests BRANCH=none Signed-off-by: Joel Kitching <kitching@google.com> Change-Id: I5b3e4def83ff29ca156b3c84dfcb8398f4985e67 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2965485 Tested-by: Joel Kitching <kitching@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Commit-Queue: Joel Kitching <kitching@chromium.org>
author: Joel Kitching <kitching@google.com> 2021-06-16 05:23:19 +0800
committer: Commit Bot <commit-bot@chromium.org> 2021-07-05 02:46:24 +0000
commit: 9ea1e75805cfb7523729c5f5d48df0d05ced1b11 (patch)
tree: 5ce8f16f296b745a800762c42e76e7889ac34d54 /tests/load_kernel_tests.sh
parent: b95414c73b1b44485a072abdd55e0d8f965deb9d (diff)
download: vboot-9ea1e75805cfb7523729c5f5d48df0d05ced1b11.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/load_kernel_tests.sh b/tests/load_kernel_tests.sh
index d5f41f25..45eedf4c 100755
--- a/tests/load_kernel_tests.sh
+++ b/tests/load_kernel_tests.sh
@@ -31,10 +31,10 @@ ${FUTILITY} vbutil_key --pack datakey.test \
     --key ${TESTKEY_DIR}/key_rsa2048.keyb --algorithm 4
 
 # Keyblock with kernel data key is signed by kernel subkey
-# Flags=5 means dev=0 rec=0
+# Flags=21 means dev=0 rec=0 minios=0
 ${FUTILITY} vbutil_keyblock --pack keyblock.test \
     --datapubkey datakey.test \
-    --flags 5 \
+    --flags 21 \
     --signprivate ${SCRIPT_DIR}/devkeys/kernel_subkey.vbprivk
 
 # Kernel preamble is signed with the kernel data key
author	Joel Kitching <kitching@google.com>	2021-06-16 05:23:19 +0800
committer	Commit Bot <commit-bot@chromium.org>	2021-07-05 02:46:24 +0000
commit	9ea1e75805cfb7523729c5f5d48df0d05ced1b11 (patch)
tree	5ce8f16f296b745a800762c42e76e7889ac34d54 /tests/load_kernel_tests.sh
parent	b95414c73b1b44485a072abdd55e0d8f965deb9d (diff)
download	vboot-9ea1e75805cfb7523729c5f5d48df0d05ced1b11.tar.gz