keygeneration: create_new_keys: add key-name/output options

We use these features on the signer, so move the logic here so it's in the public code. BUG=None TEST=`./create_new_keys.sh --key-name hihya --output foo --android` worked BRANCH=None Change-Id: I85d6fdbafd99a1b94bc90e26cbc17ba801614914 Reviewed-on: https://chromium-review.googlesource.com/388673 Reviewed-by: David Riley <davidriley@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org>
2025-12-25 09:17:33 +00:00 · 2016-09-22 15:33:13 -04:00
parent df39d0ac27
commit 6f2ea5b731
2 changed files with 37 additions and 2 deletions
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -5,7 +5,7 @@

 # Common key generation functions.

-SCRIPT_DIR="$(dirname "$0")"
+SCRIPT_DIR="$(dirname "$(readlink -f -- "$0")")"

 # Algorithm ID mappings:
 RSA1024_SHA1_ALGOID=0
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -21,6 +21,8 @@ Options:
  --4k-recovery          Use 4k key size for the recovery key
  --4k-recovery-kernel   Use 4k key size for the recovery kernel data
  --4k-installer-kernel  Use 4k key size for the installer kernel data
+  --key-name <name>      Name of the keyset (for key.versions)
+  --output <dir>         Where to write the keys (default is cwd)
 EOF

  if [[ $# -ne 0 ]]; then
@@ -41,6 +43,8 @@ main() {
  local recovery_key_algoid=${RECOVERY_KEY_ALGOID}
  local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID}
  local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID}
+  local keyname
+  local output_dir="${PWD}" setperms="false"

  while [[ $# -gt 0 ]]; do
    case $1 in
@@ -73,6 +77,21 @@ main() {
      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
      ;;

+    --key-name)
+      keyname="$2"
+      shift
+      ;;
+
+    --output)
+      output_dir="$2"
+      setperms="true"
+      if [[ -d "${output_dir}" ]]; then
+        echo "ERROR: output dir (${output_dir}) already exists" >&2
+        exit 1
+      fi
+      shift
+      ;;
+
    -h|--help)
      usage
      ;;
@@ -83,9 +102,20 @@ main() {
    shift
  done

+  mkdir -p "${output_dir}"
+  cd "${output_dir}"
+  if [[ "${setperms}" == "true" ]]; then
+    chmod 700 .
+  fi
+
  if [[ ! -e "${VERSION_FILE}" ]]; then
    echo "No version file found. Creating default ${VERSION_FILE}."
-    printf '%s_version=1\n' {firmware,kernel}{_key,} > "${VERSION_FILE}"
+    (
+      if [[ -n "${keyname}" ]]; then
+        echo "name=${keyname}"
+      fi
+      printf '%s_version=1\n' {firmware,kernel}{_key,}
+    ) > "${VERSION_FILE}"
  fi

  local eckey_version fkey_version ksubkey_version kdatakey_version
@@ -140,6 +170,11 @@ main() {
    "${SCRIPT_DIR}"/create_new_android_keys.sh android
  fi

+  if [[ "${setperms}" == "true" ]]; then
+    find -type f -exec chmod 400 {} +
+    find -type d -exec chmod 500 {} +
+  fi
+
  # CAUTION: The public parts of most of these blobs must be compiled into the
  # firmware, which is built separately (and some of which can't be changed after
  # manufacturing). If you update these keys, you must coordinate the changes