blob: 7486d9e184e8128d3f09986e7fdf789a47e3f2cb [file] [log] [blame] [edit]
#!/bin/bash -e
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Check args first.
if [ "$#" -lt "1" ]; then
cat <<EOF 1>&2
Usage: ${0##*/} BASENAME [ALG]
This creates BASENAME.vbpubk and BASENAME.vbprivk pairs for use in signing
developer files. This also creates a BASENAME.keyblock file containing the
BASENAME.vbpubk, which can be used to sign a developer kernel.
If specified, ALG is one of:
0 = RSA1024 with SHA1
1 = RSA1024 with SHA256
2 = RSA1024 with SHA512
3 = RSA2048 with SHA1
4 = RSA2048 with SHA256
5 = RSA2048 with SHA512
6 = RSA4096 with SHA1
7 = RSA4096 with SHA256
8 = RSA4096 with SHA512
9 = RSA8192 with SHA1
10 = RSA8192 with SHA256
11 = RSA8192 with SHA512
If ALG is not specified, a default value will be used.
EOF
exit 1
fi
# Compute the key length assuming the sizes shown above.
function alg_to_keylen {
echo $(( 1 << (10 + ($1 / 3)) ))
}
# Emit .vbpubk and .vbprivk using given basename and algorithm.
function make_pair {
local base=$1
local alg=$2
local len=$(alg_to_keylen $alg)
# make the RSA keypair
openssl genrsa -F4 -out "${base}_${len}.pem" $len
# create a self-signed certificate
openssl req -batch -new -x509 -key "${base}_${len}.pem" \
-out "${base}_${len}.crt"
# generate pre-processed RSA public key
dumpRSAPublicKey -cert "${base}_${len}.crt" > "${base}_${len}.keyb"
# wrap the public key
futility vbutil_key \
--pack "${base}.vbpubk" \
--key "${base}_${len}.keyb" \
--version 1 \
--algorithm $alg
# wrap the private key
futility vbutil_key \
--pack "${base}.vbprivk" \
--key "${base}_${len}.pem" \
--algorithm $alg
# remove intermediate files
rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb"
}
# First create the .vbpubk and .vbprivk pair.
make_pair "$1" "${2:-4}"
# Now create a .keyblock to hold our .vbpubk. Since it's for developer use, it
# won't be signed, just checksummed. Developer kernels can only be run in
# non-recovery mode with the developer switch enabled, but it won't hurt us to
# turn on all the flags bits anyway.
futility vbutil_keyblock --pack "$1.keyblock" \
--datapubkey "$1.vbpubk" --flags 15