Add a script to increment kernel subkey and data key.

When we do perform firmware updates, we'd like to change the kernel subkey to ensure that new firmware and Chrome OS image stay in sync. This CL adds a scripts which makes it possible to do this revving in an automated manner. The current versions rollback versions corresponding to the keyset are stored in key.versions. If we change the kernel subkey (to enforce firmware/Chrome OS lockstep), we must also update the firmware version. Similarly, since we modify the kernel subkey, we also generate a new set of kernel data keys. Thus, we also increment the kernel key version. Change-Id: I364ab50bda115991dd4f69331d37291f66abbf36 BUG=chrome-os-partner:3274, chromium-os:8016 TEST=Manually tested using a newly generated keyset. Review URL: http://codereview.chromium.org/6824059
2025-11-23 17:55:01 +00:00 · 2011-04-12 17:05:37 -07:00
parent 44a127675b
commit 41f444a11b
4 changed files with 127 additions and 22 deletions
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -23,6 +23,27 @@ function alg_to_keylen {
  echo $(( 1 << (10 + ($1 / 3)) ))
 }

+# Default alrogithms.
+ROOT_KEY_ALGOID=11
+RECOVERY_KEY_ALGOID=11
+
+FIRMWARE_DATAKEY_ALGOID=7
+DEV_FIRMWARE_DATAKEY_ALGOID=7
+
+RECOVERY_KERNEL_ALGOID=11
+INSTALLER_KERNEL_ALGOID=11
+KERNEL_SUBKEY_ALGOID=7
+KERNEL_DATAKEY_ALGOID=4
+
+# Keyblock modes determine which boot modes a signing key is valid for use
+# in verification.
+FIRMWARE_KEYBLOCK_MODE=7
+DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
+RECOVERY_KERNEL_KEYBLOCK_MODE=11
+KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
+INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
+
+
 # Emit .vbpubk and .vbprivk using given basename and algorithm
 # NOTE: This function also appears in ../../utility/dev_make_keypair. Making
 # the two implementations the same would require some common.sh, which is more
@@ -32,9 +53,10 @@ function alg_to_keylen {
 function make_pair {
  local base=$1
  local alg=$2
+  local key_version=${3:-1}
  local len=$(alg_to_keylen $alg)

-  echo "creating $base keypair..."
+  echo "creating $base keypair (version = $key_version)..."

  # make the RSA keypair
  openssl genrsa -F4 -out "${base}_${len}.pem" $len
@@ -48,7 +70,7 @@ function make_pair {
  vbutil_key \
    --pack "${base}.vbpubk" \
    --key "${base}_${len}.keyb" \
-    --version 1 \
+    --version  "${key_version}" \
    --algorithm $alg

  # wrap the private key
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -9,26 +9,6 @@
 # Load common constants and functions.
 . "$(dirname "$0")/common.sh"

-# Mapping are in common.sh.
-ROOT_KEY_ALGOID=11
-RECOVERY_KEY_ALGOID=11
-
-FIRMWARE_DATAKEY_ALGOID=7
-DEV_FIRMWARE_DATAKEY_ALGOID=7
-
-RECOVERY_KERNEL_ALGOID=11
-INSTALLER_KERNEL_ALGOID=11
-KERNEL_SUBKEY_ALGOID=7
-KERNEL_DATAKEY_ALGOID=4
-
-# Keyblock modes determine which boot modes a signing key is valid for use
-# in verification.
-FIRMWARE_KEYBLOCK_MODE=7
-DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
-RECOVERY_KERNEL_KEYBLOCK_MODE=11
-KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
-INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
-
 # Create the normal keypairs
 make_pair root_key                 $ROOT_KEY_ALGOID
 make_pair firmware_data_key        $FIRMWARE_DATAKEY_ALGOID
--- a/scripts/keygeneration/increment_kernel_subkey_and_key.sh
+++ b/scripts/keygeneration/increment_kernel_subkey_and_key.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment kernel subkey and datakey for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+# File to read current versions from.
+VERSION_FILE="key.versions"
+
+# ARGS: <version_type>
+get_version() {
+  local version_type=$1
+  version=$(sed -n "s#^${version_type}=\(.*\)#\1#pg" ${VERSION_FILE})
+  echo $version
+}
+
+# Make backups of existing keys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_keys() {
+  subkey_version=$1
+  datakey_version=$2
+  # --no-clobber to prevent accidentally overwriting existing
+  # backups.
+  mv --no-clobber kernel_subkey.vbprivk{,".v${subkey_version}"}
+  mv --no-clobber kernel_subkey.vbpubk{,".v${subkey_version}"}
+  mv --no-clobber kernel_data_key.vbprivk{,".v${datakey_version}"}
+  mv --no-clobber kernel_data_key.vbpubk{,".v${datakey_version}"}
+  mv --no-clobber kernel.keyblock{,".v${datakey_version}.v${subkey_version}"}
+}
+
+# Write new key version file with the updated key versions.
+# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION KERNEL_VERSION
+write_updated_version_file() {
+  local firmware_key_version=$1
+  local firmware_version=$2
+  local kernel_key_version=$3
+  local kernel_version=$4
+
+  cat > ${VERSION_FILE} <<EOF
+firmware_key_version=${firmware_key_version}
+firmware_version=${firmware_version}
+kernel_key_version=${kernel_key_version}
+kernel_version=${kernel_version}
+EOF
+}
+  
+
+main() {
+  current_fkey_version=$(get_version "firmware_key_version")
+  # Firmware version is the kernel subkey version.
+  current_ksubkey_version=$(get_version "firmware_version")
+  # Kernel data key version is the kernel key version.
+  current_kdatakey_version=$(get_version "kernel_key_version")
+  current_kernel_version=$(get_version "kernel_version")
+
+  cat <<EOF
+Current Firmware key version: ${current_fkey_version}
+Current Firmware version: ${current_ksubkey_version}
+Current Kernel key version: ${current_kdatakey_version}
+Current Kernel version: ${current_kernel_version}
+EOF
+
+  backup_existing_kernel_keys $current_ksubkey_version $current_kdatakey_version
+
+  new_ksubkey_version=$(( current_ksubkey_version + 1 ))
+  new_kdatakey_version=$(( current_kdatakey_version + 1 ))
+
+  if [ $new_kdatakey_version -gt 65535 ] || [ $new_kdatakey_version -gt 65535 ];
+  then
+    echo "Version overflow!"
+    exit 1
+  fi
+
+  cat <<EOF 
+Generating new kernel subkey, data keys and new kernel keyblock.
+
+New Firmware version (due to kernel subkey change): ${new_ksubkey_version}.
+New Kernel key version (due to kernel datakey change): ${new_kdatakey_version}.
+EOF
+  make_pair kernel_subkey $KERNEL_SUBKEY_ALGOID $new_ksubkey_version
+  make_pair kernel_data_key $KERNEL_DATAKEY_ALGOID $new_kdatakey_version
+  make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey
+
+  write_updated_version_file $current_fkey_version $new_ksubkey_version \
+    $new_kdatakey_version $current_kernel_version
+}
+
+main $@
--- a/scripts/keygeneration/key.versions
+++ b/scripts/keygeneration/key.versions
@@ -0,0 +1,4 @@
+firmware_key_version=1
+firmware_version=1
+kernel_key_version=1
+kernel_version=1