firmware/coreboot: Subtree merged vboot

Signed-off-by: David Hendricks <dhendricks@fb.com>

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/accessory/common_leverage_hammer.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/../common.sh"
+
+usage() {
+  cat <<EOF
+Usage: ${PROG} [options]
+
+Options:
+  -o, --output_dir <dir>:    Where to write the keys (default is cwd)
+EOF
+
+  if [[ $# -ne 0 ]]; then
+    die "$*"
+  else
+    exit 0
+  fi
+}
+
+generate_rsa3072_exp3_key() {
+  local output_dir="$1"
+  local key_name="$2"
+
+  # Generate RSA key.
+  openssl genrsa -3 -out "${output_dir}/temp.pem" 3072
+
+  # Create a keypair from an RSA .pem file generated above.
+  futility create "${output_dir}/temp.pem" "${output_dir}/key_${key_name}"
+
+  # Best attempt to securely delete the temp.pem file.
+  shred --remove "${output_dir}/temp.pem"
+}
+
+# To generate a keypair with the same algorithm of Hammer and rename the kepair
+# to specific accessory's name.
+leverage_hammer_to_create_key() {
+  local output_dir="${PWD}"
+  local key_name="$1"
+  shift
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+    -h|--help)
+      usage
+      ;;
+    -o|--output_dir)
+      output_dir="$2"
+      if [[ ! -d "${output_dir}" ]]; then
+        die "output dir ("${output_dir}") doesn't exist."
+      fi
+      shift
+      ;;
+    -*)
+      usage "Unknown option: "$1""
+      ;;
+    *)
+      usage "Unknown argument "$1""
+      ;;
+    esac
+    shift
+  done
+
+  generate_rsa3072_exp3_key "${output_dir}" "${key_name}"
+}

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/accessory/create_new_ec_efs_key.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common_leverage_hammer.sh"
+
+main() {
+  set -e
+
+  leverage_hammer_to_create_key "ec_efs" "$@"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/accessory/create_new_hammer_keys.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common_leverage_hammer.sh"
+
+main() {
+  set -e
+
+  leverage_hammer_to_create_key "hammer" "$@"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/accessory/create_new_rose_keys.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common_leverage_hammer.sh"
+
+main() {
+  set -e
+
+  leverage_hammer_to_create_key "rose" "$@"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/accessory/create_new_staff_keys.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common_leverage_hammer.sh"
+
+main() {
+  set -e
+
+  leverage_hammer_to_create_key "staff" "$@"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/accessory/create_new_wand.keys.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common_leverage_hammer.sh"
+
+main() {
+  set -e
+
+  leverage_hammer_to_create_key "wand" "$@"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/accessory/create_new_whiskers_keys.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common_leverage_hammer.sh"
+
+main() {
+  set -e
+
+  leverage_hammer_to_create_key "whiskers" "$@"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/add_loem_keys.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+# Copyright 2015 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+usage() {
+  cat <<EOF
+Usage: ${PROG} <number of loem keys to add>
+
+If the existing keyset is not set up for loem usage, it will be converted.
+
+Note: Use 0 if you want to just convert an existing keyset.
+EOF
+  exit ${1:-0}
+}
+
+convert_keyset_to_loem() {
+  local f
+
+  printf "Converting to loem keyset; continue? (y/N) "
+  read f
+  [[ ${f} == [yY] ]]
+
+  for f in {firmware_data,root}_key.vb{pub,priv}k firmware.keyblock; do
+    if [[ ${f} == "root_key.vbprivk" && ! -e ${f} ]]; then
+      # For official keys, we won't have the private half of the root key.
+      echo "Skipping ${f} for official keys"
+      continue
+    fi
+    if [[ ${f} == *.vbprivk && ! -e ${f} ]]; then
+      # For official keys, will be gpg wrapped.
+      f+=".gpg"
+    fi
+    mv -i "${f}" "${f/./.loem1.}"
+  done
+
+  echo "[loem]" > loem.ini
+}
+
+main() {
+  set -e -u
+
+  if [[ $# -ne 1 || $1 == -* ]]; then
+    usage
+  fi
+
+  # Keep `local` and assignment split so return values are checked.
+  local firmware_key_version
+  local num_keys highest_key k
+
+  if [[ ! -e ${VERSION_FILE} ]]; then
+    die "missing ${VERSION_FILE} in ${PWD}; please create one"
+  fi
+
+  firmware_key_version=$(get_version "firmware_key_version")
+
+  # See if we need to convert the keyset first.
+  if [[ -e root_key.vbpubk ]]; then
+    convert_keyset_to_loem
+  fi
+
+  num_keys=$1
+  highest_key=$(printf '%s\n' firmware.loem*.keyblock |
+                sed -r 's:firmware.loem(.*).keyblock:\1:' |
+                sort -n | tail -1)
+  echo "There are ${highest_key} loem keys; ading ${num_keys} more"
+
+  for ((k = highest_key + 1; k < highest_key + 1 + num_keys; ++k)); do
+    echo "Generating LOEM ${k}"
+    make_pair root_key.loem${k} ${ROOT_KEY_ALGOID}
+    make_pair firmware_data_key.loem${k} ${FIRMWARE_DATAKEY_ALGOID} \
+      ${firmware_key_version}
+    make_keyblock firmware.loem${k} ${FIRMWARE_KEYBLOCK_MODE} \
+      firmware_data_key.loem${k} root_key.loem${k}
+  done
+
+  echo
+  echo "Don't forget to update loem.ini to allocate the keys!"
+}
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/common.sh

@@ -0,0 +1,261 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Common key generation functions.
+
+SCRIPT_DIR="$(dirname "$(readlink -f -- "$0")")"
+PROG=$(basename "$0")
+CROS_LOG_PREFIX="${PROG}: "
+
+# Prints an informational message.
+info() {
+  echo "${CROS_LOG_PREFIX}INFO: $*" >&2
+}
+
+# Prints a warning message.
+warn() {
+  echo "${CROS_LOG_PREFIX}WARNING: $*" >&2
+}
+
+# Prints an error message.
+error() {
+  echo "${CROS_LOG_PREFIX}ERROR: $*" >&2
+}
+
+# Print an error message and then exit the script.
+die() {
+  error "$@"
+  exit 1
+}
+
+# Algorithm ID mappings:
+RSA1024_SHA1_ALGOID=0
+RSA1024_SHA256_ALGOID=1
+RSA1024_SHA512_ALGOID=2
+RSA2048_SHA1_ALGOID=3
+RSA2048_SHA256_ALGOID=4
+RSA2048_SHA512_ALGOID=5
+RSA4096_SHA1_ALGOID=6
+RSA4096_SHA256_ALGOID=7
+RSA4096_SHA512_ALGOID=8
+RSA8192_SHA1_ALGOID=9
+RSA8192_SHA256_ALGOID=10
+RSA8192_SHA512_ALGOID=11
+alg_to_keylen() {
+  echo $(( 1 << (10 + ($1 / 3)) ))
+}
+
+# Default algorithms.
+EC_ROOT_KEY_ALGOID=${RSA4096_SHA256_ALGOID}
+EC_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
+
+ROOT_KEY_ALGOID=${RSA8192_SHA512_ALGOID}
+RECOVERY_KEY_ALGOID=${RSA8192_SHA512_ALGOID}
+
+FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
+DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
+
+RECOVERY_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID}
+INSTALLER_KERNEL_ALGOID=${RSA8192_SHA512_ALGOID}
+KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID}
+KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}
+
+# Keyblock modes determine which boot modes a signing key is valid for use
+# in verification.
+EC_KEYBLOCK_MODE=7  # Only allow RW EC firmware in non-recovery.
+FIRMWARE_KEYBLOCK_MODE=7  # Only allow RW firmware in non-recovery.
+DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
+RECOVERY_KERNEL_KEYBLOCK_MODE=11 # Only in recovery mode.
+KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
+INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
+
+# Emit .vbpubk and .vbprivk using given basename and algorithm
+# NOTE: This function also appears in ../../utility/dev_make_keypair. Making
+# the two implementations the same would require some common.sh, which is more
+# likely to cause problems than just keeping an eye out for any differences. If
+# you feel the need to change this file, check the history of that other file
+# to see what may need updating here too.
+make_pair() {
+  local base=$1
+  local alg=$2
+  local key_version=${3:-1}
+  local len=$(alg_to_keylen $alg)
+
+  echo "creating $base keypair (version = $key_version)..."
+
+  # make the RSA keypair
+  openssl genrsa -F4 -out "${base}_${len}.pem" $len
+  # create a self-signed certificate
+  openssl req -batch -new -x509 -key "${base}_${len}.pem" \
+    -out "${base}_${len}.crt"
+  # generate pre-processed RSA public key
+  dumpRSAPublicKey -cert "${base}_${len}.crt" > "${base}_${len}.keyb"
+
+  # wrap the public key
+  vbutil_key \
+    --pack "${base}.vbpubk" \
+    --key "${base}_${len}.keyb" \
+    --version  "${key_version}" \
+    --algorithm $alg
+
+  # wrap the private key
+  vbutil_key \
+    --pack "${base}.vbprivk" \
+    --key "${base}_${len}.pem" \
+    --algorithm $alg
+
+  # remove intermediate files
+  rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb"
+}
+
+
+# Emit a .keyblock containing flags and a public key, signed by a private key
+# flags are the bitwise OR of these (passed in decimal, though)
+#   0x01  Developer switch off
+#   0x02  Developer switch on
+#   0x04  Not recovery mode
+#   0x08  Recovery mode
+make_keyblock() {
+  local base=$1
+  local flags=$2
+  local pubkey=$3
+  local signkey=$4
+
+  echo "creating $base keyblock..."
+
+  # create it
+  vbutil_keyblock \
+    --pack "${base}.keyblock" \
+    --flags $flags \
+    --datapubkey "${pubkey}.vbpubk" \
+    --signprivate "${signkey}.vbprivk"
+
+  # verify it
+  vbutil_keyblock \
+    --unpack "${base}.keyblock" \
+    --signpubkey "${signkey}.vbpubk"
+}
+
+# File to read current versions from.
+VERSION_FILE="key.versions"
+
+# ARGS: <VERSION_TYPE> [VERSION_FILE]
+get_version() {
+  local key="$1"
+  local file="${2:-${VERSION_FILE}}"
+  awk -F= -vkey="${key}" '$1 == key { print $NF }' "${file}"
+}
+
+# Loads the current versions prints them to stdout and sets the global version
+# variables: CURR_FIRMKEY_VER CURR_FIRM_VER CURR_KERNKEY_VER CURR_KERN_VER
+load_current_versions() {
+  local key_dir=$1
+  local VERSION_FILE="${key_dir}/${VERSION_FILE}"
+  if [[ ! -f ${VERSION_FILE} ]]; then
+    return 1
+  fi
+  CURR_FIRMKEY_VER=$(get_version "firmware_key_version")
+  # Firmware version is the kernel subkey version.
+  CURR_FIRM_VER=$(get_version "firmware_version")
+  # Kernel data key version is the kernel key version.
+  CURR_KERNKEY_VER=$(get_version "kernel_key_version")
+  CURR_KERN_VER=$(get_version "kernel_version")
+
+  cat <<EOF
+Current Firmware key version: ${CURR_FIRMKEY_VER}
+Current Firmware version: ${CURR_FIRM_VER}
+Current Kernel key version: ${CURR_KERNKEY_VER}
+Current Kernel version: ${CURR_KERN_VER}
+EOF
+}
+
+# Make backups of existing kernel subkeys and keyblocks that will be revved.
+# Backup format:
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_keyblock() {
+  if [[ ! -e kernel.keyblock ]]; then
+    return
+  fi
+  mv --no-clobber kernel.{keyblock,"v$2.v$1.keyblock"}
+}
+
+# Make backups of existing kernel subkeys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>.vb{pub|priv}k
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_subkeys() {
+  local subkey_ver=$1
+  local datakey_ver=$2
+  # --no-clobber to prevent accidentally overwriting existing
+  # backups.
+  mv --no-clobber kernel_subkey.{vbprivk,"v${subkey_ver}.vbprivk"}
+  mv --no-clobber kernel_subkey.{vbpubk,"v${subkey_ver}.vbpubk"}
+  backup_existing_kernel_keyblock ${subkey_ver} ${datakey_ver}
+}
+
+# Make backups of existing kernel data keys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>.vb{pub|priv}k
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_data_keys() {
+  local subkey_ver=$1
+  local datakey_ver=$2
+  # --no-clobber to prevent accidentally overwriting existing
+  # backups.
+  mv --no-clobber kernel_data_key.{vbprivk,"v${datakey_ver}.vbprivk"}
+  mv --no-clobber kernel_data_key.{vbpubk,"v${datakey_ver}.vbpubk"}
+  backup_existing_kernel_keyblock ${subkey_ver} ${datakey_ver}
+}
+
+# Make backups of existing firmware keys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>.vb{pub|priv}k
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_firmware_keys() {
+  local subkey_ver=$1
+  local datakey_ver=$2
+  mv --no-clobber firmware_data_key.{vbprivk,"v${subkey_ver}.vbprivk"}
+  mv --no-clobber firmware_data_key.{vbpubk,"v${subkey_ver}.vbpubk"}
+  mv --no-clobber firmware.{keyblock,"v${datakey_ver}.v${subkey_ver}.keyblock"}
+}
+
+
+# Write new key version file with the updated key versions.
+# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION
+#       KERNEL_VERSION
+write_updated_version_file() {
+  local firmware_key_version=$1
+  local firmware_version=$2
+  local kernel_key_version=$3
+  local kernel_version=$4
+
+  cat > ${VERSION_FILE} <<EOF
+firmware_key_version=${firmware_key_version}
+firmware_version=${firmware_version}
+kernel_key_version=${kernel_key_version}
+kernel_version=${kernel_version}
+EOF
+}
+
+# Returns the incremented version number of the passed in key from the version
+# file.  The options are "firmware_key_version", "firmware_version",
+# "kernel_key_version", or "kernel_version".
+# ARGS: KEY_DIR <key_name>
+increment_version() {
+  local key_dir=$1
+  local VERSION_FILE="${key_dir}/${VERSION_FILE}"
+  local old_version=$(get_version $2)
+  local new_version=$(( ${old_version} + 1 ))
+
+  if [[ ${new_version} -gt 0xffff ]]; then
+    echo "Version overflow!" >&2
+    return 1
+  fi
+  echo ${new_version}
+}

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/create_new_android_keys.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# Copyright 2016 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+usage() {
+  cat <<EOF
+Usage: ${PROG} DIR
+
+Generate Android's 4 framework key pairs at DIR.  For detail, please refer to
+"Certificates and private keys" and "Manually generating keys" in
+https://source.android.com/devices/tech/ota/sign_builds.html.
+
+EOF
+
+  if [[ $# -ne 0 ]]; then
+    die "$*"
+  else
+    exit 0
+  fi
+}
+
+# Use the same SUBJECT used in Nexus.
+SUBJECT='/C=US/ST=California/L=Mountain View/O=Google Inc./OU=Android/CN=Android'
+
+# Generate .pk8 and .x509.pem at the given directory.
+make_pair() {
+  local dir=$1
+  local name=$2
+
+  # Generate RSA key.
+  openssl genrsa -3 -out "${dir}/temp.pem" 2048
+
+  # Create a certificate with the public part of the key.
+  openssl req -new -x509 -key "${dir}/temp.pem" -out "${dir}/${name}.x509.pem" \
+    -days 10000 -subj "${SUBJECT}"
+
+  # Create a PKCS#8-formatted version of the private key.
+  openssl pkcs8 -in "${dir}/temp.pem" -topk8 -outform DER \
+    -out "${dir}/${name}.pk8" -nocrypt
+
+  # Best attempt to securely delete the temp.pem file.
+  shred --remove "${dir}/temp.pem"
+}
+
+main() {
+  set -e
+
+  local dir
+
+  while [[ $# -gt 0 ]]; do
+    case $1 in
+    -h|--help)
+      usage
+      ;;
+    -*)
+      usage "Unknown option: $1"
+      ;;
+    *)
+      break
+      ;;
+    esac
+  done
+
+  if [[ $# -ne 1 ]]; then
+    usage "Missing output directory"
+  fi
+  dir=$1
+
+  make_pair "${dir}" platform
+  make_pair "${dir}" shared
+  make_pair "${dir}" media
+  make_pair "${dir}" releasekey
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/create_new_keys.sh

@@ -0,0 +1,193 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
+# be exactly like the real keys except that the private keys aren't secret.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+usage() {
+  cat <<EOF
+Usage: ${PROG} [options]
+
+Options:
+  --devkeyblock          Also generate developer firmware keyblock and data key
+  --android              Also generate android keys
+  --uefi                 Also generate UEFI keys
+  --4k                   Use 4k keys instead of 8k (enables options below)
+  --4k-root              Use 4k key size for the root key
+  --4k-recovery          Use 4k key size for the recovery key
+  --4k-recovery-kernel   Use 4k key size for the recovery kernel data
+  --4k-installer-kernel  Use 4k key size for the installer kernel data
+  --key-name <name>      Name of the keyset (for key.versions)
+  --output <dir>         Where to write the keys (default is cwd)
+EOF
+
+  if [[ $# -ne 0 ]]; then
+    die "unknown option $*"
+  else
+    exit 0
+  fi
+}
+
+main() {
+  set -e
+
+  # Flag to indicate whether we should be generating a developer keyblock flag.
+  local dev_keyblock="false"
+  local android_keys="false"
+  local uefi_keys="false"
+  local root_key_algoid=${ROOT_KEY_ALGOID}
+  local recovery_key_algoid=${RECOVERY_KEY_ALGOID}
+  local recovery_kernel_algoid=${RECOVERY_KERNEL_ALGOID}
+  local installer_kernel_algoid=${INSTALLER_KERNEL_ALGOID}
+  local keyname
+  local output_dir="${PWD}" setperms="false"
+
+  while [[ $# -gt 0 ]]; do
+    case $1 in
+    --devkeyblock)
+      echo "Will also generate developer firmware keyblock and data key."
+      dev_keyblock="true"
+      ;;
+
+    --android)
+      echo "Will also generate Android keys."
+      android_keys="true"
+      ;;
+
+    --uefi)
+      echo "Will also generate UEFI keys."
+      uefi_keys="true"
+      ;;
+
+    --4k)
+      root_key_algoid=${RSA4096_SHA512_ALGOID}
+      recovery_key_algoid=${RSA4096_SHA512_ALGOID}
+      recovery_kernel_algoid=${RSA4096_SHA512_ALGOID}
+      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+    --4k-root)
+      root_key_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+    --4k-recovery)
+      recovery_key_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+    --4k-recovery-kernel)
+      recovery_kernel_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+    --4k-installer-kernel)
+      installer_kernel_algoid=${RSA4096_SHA512_ALGOID}
+      ;;
+
+    --key-name)
+      keyname="$2"
+      shift
+      ;;
+
+    --output)
+      output_dir="$2"
+      setperms="true"
+      if [[ -d "${output_dir}" ]]; then
+        die "output dir (${output_dir}) already exists"
+      fi
+      shift
+      ;;
+
+    -h|--help)
+      usage
+      ;;
+    *)
+      usage "$1"
+      ;;
+    esac
+    shift
+  done
+
+  mkdir -p "${output_dir}"
+  cd "${output_dir}"
+  if [[ "${setperms}" == "true" ]]; then
+    chmod 700 .
+  fi
+
+  if [[ ! -e "${VERSION_FILE}" ]]; then
+    echo "No version file found. Creating default ${VERSION_FILE}."
+    (
+      if [[ -n "${keyname}" ]]; then
+        echo "name=${keyname}"
+      fi
+      printf '%s_version=1\n' {firmware,kernel}{_key,}
+    ) > "${VERSION_FILE}"
+  fi
+
+  local eckey_version fkey_version ksubkey_version kdatakey_version
+
+  # Get the key versions for normal keypairs
+  eckey_version=$(get_version "ec_key_version")
+  fkey_version=$(get_version "firmware_key_version")
+  # Firmware version is the kernel subkey version.
+  ksubkey_version=$(get_version "firmware_version")
+  # Kernel data key version is the kernel key version.
+  kdatakey_version=$(get_version "kernel_key_version")
+
+  # Create the normal keypairs
+  make_pair ec_root_key              ${EC_ROOT_KEY_ALGOID}
+  make_pair ec_data_key              ${EC_DATAKEY_ALGOID} ${eckey_version}
+  make_pair root_key                 ${root_key_algoid}
+  make_pair firmware_data_key        ${FIRMWARE_DATAKEY_ALGOID} ${fkey_version}
+  if [[ "${dev_keyblock}" == "true" ]]; then
+    make_pair dev_firmware_data_key    ${DEV_FIRMWARE_DATAKEY_ALGOID} ${fkey_version}
+  fi
+  make_pair kernel_subkey            ${KERNEL_SUBKEY_ALGOID} ${ksubkey_version}
+  make_pair kernel_data_key          ${KERNEL_DATAKEY_ALGOID} ${kdatakey_version}
+
+  # Create the recovery and factory installer keypairs
+  make_pair recovery_key             ${recovery_key_algoid}
+  make_pair recovery_kernel_data_key ${recovery_kernel_algoid}
+  make_pair installer_kernel_data_key ${installer_kernel_algoid}
+
+  # Create the firmware keyblock for use only in Normal mode. This is redundant,
+  # since it's never even checked during Recovery mode.
+  make_keyblock firmware ${FIRMWARE_KEYBLOCK_MODE} firmware_data_key root_key
+  # Ditto EC keyblock
+  make_keyblock ec ${EC_KEYBLOCK_MODE} ec_data_key ec_root_key
+
+  if [[ "${dev_keyblock}" == "true" ]]; then
+    # Create the dev firmware keyblock for use only in Developer mode.
+    make_keyblock dev_firmware ${DEV_FIRMWARE_KEYBLOCK_MODE} dev_firmware_data_key root_key
+  fi
+
+  # Create the recovery kernel keyblock for use only in Recovery mode.
+  make_keyblock recovery_kernel ${RECOVERY_KERNEL_KEYBLOCK_MODE} recovery_kernel_data_key recovery_key
+
+  # Create the normal kernel keyblock for use only in Normal mode.
+  make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey
+
+  # Create the installer keyblock for use in Developer + Recovery mode
+  # For use in Factory Install and Developer Mode install shims.
+  make_keyblock installer_kernel ${INSTALLER_KERNEL_KEYBLOCK_MODE} installer_kernel_data_key recovery_key
+
+  if [[ "${android_keys}" == "true" ]]; then
+    mkdir android
+    "${SCRIPT_DIR}"/create_new_android_keys.sh android
+  fi
+
+  if [[ "${uefi_keys}" == "true" ]]; then
+    mkdir -p uefi
+    "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh --output uefi
+  fi
+
+  if [[ "${setperms}" == "true" ]]; then
+    find -type f -exec chmod 400 {} +
+    find -type d -exec chmod 500 {} +
+  fi
+
+  # CAUTION: The public parts of most of these blobs must be compiled into the
+  # firmware, which is built separately (and some of which can't be changed after
+  # manufacturing). If you update these keys, you must coordinate the changes
+  # with the BIOS people or you'll be unable to boot the resulting images.
+}
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/increment_firmware_data_key.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment firmware version key for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+  Usage: $0 <keyset directory>
+
+  Increments the firmware version in the specified keyset.
+EOF
+  exit 1
+fi
+
+KEY_DIR=$1
+
+main() {
+  load_current_versions "${KEY_DIR}"
+  new_firmkey_ver=$(increment_version "${KEY_DIR}" "firmware_key_version")
+
+  cd "${KEY_DIR}"
+  backup_existing_firmware_keys ${CURR_FIRM_VER} ${CURR_FIRMKEY_VER}
+
+  cat <<EOF
+Generating new firmware version key.
+
+New Firmware key version (due to firmware key change): ${new_firmkey_ver}.
+EOF
+  make_pair firmware_data_key ${FIRMWARE_DATAKEY_ALGOID} ${new_firmkey_ver}
+  make_keyblock firmware ${FIRMWARE_KEYBLOCK_MODE} firmware_data_key root_key
+
+  write_updated_version_file ${new_firmkey_ver} ${CURR_FIRM_VER} \
+    ${CURR_KERNKEY_VER} ${CURR_KERN_VER}
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/increment_kernel_data_key.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment kernel data key for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+  Usage: $0 <keyset directory>
+
+  Increments the kernel data key in the specified keyset.
+EOF
+  exit 1
+fi
+
+KEY_DIR=$1
+
+main() {
+  load_current_versions "${KEY_DIR}"
+  new_kernkey_ver=$(increment_version "${KEY_DIR}" "kernel_key_version")
+
+  cd "${KEY_DIR}"
+  backup_existing_kernel_data_keys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
+
+  cat <<EOF
+Generating new kernel data version, and new kernel keyblock.
+
+New Kernel data key version: ${new_kernkey_ver}.
+EOF
+  make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${new_kernkey_ver}
+  make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey
+
+  write_updated_version_file ${CURR_FIRMKEY_VER} ${CURR_FIRM_VER} \
+    ${new_kernkey_ver} ${CURR_KERN_VER}
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/increment_kernel_subkey.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment kernel subkey for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+  Usage: $0 <keyset directory>
+
+  Increments the kernel subkey in the specified keyset.
+EOF
+  exit 1
+fi
+
+KEY_DIR=$1
+
+main() {
+  load_current_versions "${KEY_DIR}"
+  new_firm_ver=$(increment_version "${KEY_DIR}" "firmware_version")
+
+  cd "${KEY_DIR}"
+  backup_existing_kernel_subkeys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
+
+  cat <<EOF
+Generating new kernel subkey and new kernel keyblock.
+
+New Firmware version (due to kernel subkey change): ${new_firm_ver}.
+EOF
+  make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${new_firm_ver}
+  make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey
+
+  write_updated_version_file ${CURR_FIRMKEY_VER} ${new_firm_ver} \
+    ${CURR_KERNKEY_VER} ${CURR_KERN_VER}
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/increment_kernel_subkey_and_key.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment kernel subkey and datakey for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "${0%/*}"/common.sh
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+Usage: $0 <keyset directory>
+
+Increments the kernel subkey, data key and firmware version in the
+specified keyset.
+EOF
+  exit 1
+fi
+
+KEY_DIR=$1
+
+main() {
+  load_current_versions "${KEY_DIR}"
+  new_kernkey_ver=$(increment_version "${KEY_DIR}" "kernel_key_version")
+  new_firm_ver=$(increment_version "${KEY_DIR}" "firmware_version")
+
+  cd "${KEY_DIR}"
+  backup_existing_kernel_subkeys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
+  backup_existing_kernel_data_keys ${CURR_FIRM_VER} ${CURR_KERNKEY_VER}
+
+  cat <<EOF 
+Generating new kernel subkey, data keys and new kernel keyblock.
+
+New Firmware version (due to kernel subkey change): ${new_firm_ver}.
+New Kernel key version (due to kernel datakey change): ${new_kernkey_ver}.
+EOF
+  make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${new_firm_ver}
+  make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${new_kernkey_ver}
+  make_keyblock kernel ${KERNEL_KEYBLOCK_MODE} kernel_data_key kernel_subkey
+
+  write_updated_version_file ${CURR_FIRMKEY_VER} ${new_firm_ver} \
+    ${new_kernkey_ver} ${CURR_KERN_VER}
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/keyset_version_check.sh

@@ -0,0 +1,118 @@
+#!/bin/bash
+# Copyright 2014 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script that sanity checks a keyset to ensure actual key versions
+# match those set in key.versions.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+Usage: $0 <keyset directory>
+
+Sanity check a keyset directory for key versions.
+EOF
+  exit 1
+fi
+
+KEY_DIR="$1"
+VERSION_FILE="${KEY_DIR}/key.versions"
+
+keyblock_version() {
+  local keyblock="$1"
+  echo "$(vbutil_keyblock --unpack "${keyblock}" | grep 'Data key version' |
+    cut -f 2 -d : | tr -d ' ')"
+}
+
+key_version() {
+  local key="$1"
+  echo "$(vbutil_key --unpack "${key}" | grep 'Key Version' | cut -f 2 -d : |
+    tr -d ' ')"
+}
+
+# Compare versions and print out error if there is a mismatch.
+check_versions() {
+  local expected="$1"
+  local got="$2"
+  local expected_label="$3"
+  local got_label="$4"
+  if [[ ${expected} != ${got} ]]; then
+    echo "ERROR: ${expected_label} version does not match ${got_label} version"
+    echo "EXPECTED (${expected_label} version): ${expected}"
+    echo "GOT (${got_label} version): ${got}"
+    return 1
+  fi
+  return 0
+}
+
+# Check the key.versions against firmware.keyblock and firmware_data_key.vbpubk.
+check_firmware_keyblock() {
+  local fkey_keyblock="$1" fkey="$2"
+  local got_fkey_keyblock="$(keyblock_version "${fkey_keyblock}")"
+  local got_fkey="$(key_version "${fkey}")"
+
+  check_versions "${got_fkey_keyblock}" "${got_fkey}" \
+    "${fkey_keyblock##*/} keyblock key" "firmware key" || testfail=1
+  check_versions "${expected_fkey}" "${got_fkey}" "${fkey##*/} key" \
+    "firmware key" || testfail=1
+}
+
+# Validate the firmware keys in an loem keyset.
+check_loem_keyset() {
+  local line loem_index
+  while read line; do
+    loem_index=$(cut -d= -f1 <<<"${line}" | sed 's: *$::')
+
+    check_firmware_keyblock \
+      "${KEY_DIR}/firmware.loem${loem_index}.keyblock" \
+      "${KEY_DIR}/firmware_data_key.loem${loem_index}.vbpubk"
+  done < <(grep = "${KEY_DIR}"/loem.ini)
+}
+
+# Validate the firmware keys in a non-loem keyset.
+check_non_loem_keyset() {
+  check_firmware_keyblock \
+    "${KEY_DIR}/firmware.keyblock" \
+    "${KEY_DIR}/firmware_data_key.vbpubk"
+}
+
+main() {
+  local testfail=0
+
+  local expected_kkey="$(get_version kernel_key_version)"
+  local expected_fkey="$(get_version firmware_key_version)"
+  local expected_firmware="$(get_version firmware_version)"
+  local expected_kernel="$(get_version kernel_version)"
+
+  check_versions "${expected_firmware}" "${expected_kkey}" \
+    "firmware" "kernel key" || testfail=1
+
+  local got_kkey_keyblock="$(keyblock_version ${KEY_DIR}/kernel.keyblock)"
+  local got_ksubkey="$(key_version ${KEY_DIR}/kernel_subkey.vbpubk)"
+  local got_kdatakey="$(key_version ${KEY_DIR}/kernel_data_key.vbpubk)"
+
+  if [[ -f "${KEY_DIR}"/loem.ini ]]; then
+    check_loem_keyset
+  else
+    check_non_loem_keyset
+  fi
+
+  check_versions "${got_kkey_keyblock}" "${got_ksubkey}" "kernel keyblock key" \
+    "kernel subkey" || testfail=1
+  check_versions "${got_kdatakey}" "${got_ksubkey}" "kernel data key" \
+    "kernel subkey" || testfail=1
+  check_versions "${expected_kkey}" "${got_kdatakey}" "key.versions kernel key" \
+    "kernel datakey" || testfail=1
+  check_versions "${expected_kkey}" "${got_ksubkey}" "key.versions kernel key" \
+    "kernel subkey" || testfail=1
+
+  exit ${testfail}
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/make_keyblock.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generates a keyblock containing a public key and signed using the given
+# signing key.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+if [ $# -ne 4 ]; then
+  cat <<EOF
+Usage: $0 <in_public_key> <in_signing_key> <flags> <out_keyblock>
+
+Emits <out_keyblock>.keyblock containing <in_public_key>.vbpubk signed with
+<in_signing_key>.vbprivk with the given keyblock <flags>.
+EOF
+  exit 1
+fi
+
+in_pubkey=$1
+in_signkey=$2
+keyblock_flags=$3
+out_keyblock=$4
+
+make_keyblock $out_keyblock $keyblock_flags $in_pubkey $in_signkey

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/make_pair.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generate .vbpubk and .vbprivk pairs with the given algorithm id.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+if [ $# -ne 2 ]; then
+  cat <<EOF
+Usage: $0 <algoid> <out_keypair>
+
+Output: <out_keypair>.vbprivk and <out_keypair>.vbpubk
+EOF
+  exit 1
+fi
+
+algoid=$1
+out_keypair=$2
+
+make_pair $out_keypair $algoid

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/uefi/create_new_uefi_keys.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Load common constants and functions.
+. "$(dirname "$0")/uefi_common.sh"
+
+usage() {
+  cat <<EOF
+Usage: ${PROG} [options]
+
+Generate key pairs for UEFI secure boot.
+
+Options:
+  --output <dir>  Where to write the keys (default is cwd).
+                  The base name must be '.../uefi'.
+  --no-pk         Do not generate PK.
+EOF
+
+  if [[ $# -ne 0 ]]; then
+    die "unknown option $*"
+  else
+    exit 0
+  fi
+}
+
+main() {
+  set -e
+
+  local generate_pk="true"
+  local output_dir="${PWD}"
+
+  while [[ $# -gt 0 ]]; do
+    case $1 in
+    --output)
+      output_dir="$2"
+      shift
+      ;;
+    --no-pk)
+      info "Will not generate PK."
+      generate_pk="false"
+      ;;
+    -h|--help)
+      usage
+      ;;
+    *)
+      usage "Unknown option: $1"
+      ;;
+    esac
+    shift
+  done
+
+  check_uefi_key_dir_name "${output_dir}"
+  pushd "${output_dir}" >/dev/null || die "Wrong output directory name"
+
+  if [[ ! -e "${UEFI_VERSION_FILE}" ]]; then
+    echo "No version file found. Creating default ${UEFI_VERSION_FILE}."
+    printf '%s_key_version=1\n' {pk,kek,db,db_child} > "${UEFI_VERSION_FILE}"
+  fi
+
+  local pk_key_version kek_key_version db_key_version db_child_key_version
+
+  # Get the key versions for normal keypairs
+  pk_key_version=$(get_uefi_version "pk_key_version")
+  kek_key_version=$(get_uefi_version "kek_key_version")
+  db_key_version=$(get_uefi_version "db_key_version")
+  db_child_key_version=$(get_uefi_version "db_child_key_version")
+
+  if [[ "${generate_pk}" == "true" ]]; then
+    make_pk_keypair "${pk_key_version}"
+  fi
+  make_kek_keypair "${kek_key_version}"
+  make_db_keypair "${db_key_version}"
+  make_db_child_keypair "${db_key_version}" "${db_child_key_version}"
+
+  popd >/dev/null
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/uefi/increment_db_child_key.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment UEFI DB child key.
+
+# Load common constants and variables.
+. "$(dirname "$0")/uefi_common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+  Usage: $0 <keyset directory>
+
+  Increments the UEFI DB child key in the specified keyset.
+EOF
+  exit 1
+fi
+
+KEY_DIR="$1"
+
+main() {
+  check_uefi_key_dir_name "${KEY_DIR}"
+
+  load_current_uefi_key_versions "${KEY_DIR}"
+  new_db_child_key_ver=$(increment_uefi_version "${KEY_DIR}" \
+                                                "db_child_key_version")
+
+  cd "${KEY_DIR}"
+  backup_db_child_keypair "${CURR_DB_CHILD_KEY_VER}"
+
+  cat <<EOF
+Generating new UEFI DB child key version.
+
+New DB child key version: ${new_db_child_key_ver}.
+EOF
+  make_db_child_keypair "${CURR_DB_KEY_VER}" "${new_db_child_key_ver}"
+  write_updated_uefi_version_file "${CURR_PK_KEY_VER}" "${CURR_KEK_KEY_VER}" \
+      "${CURR_DB_KEY_VER}" "${new_db_child_key_ver}"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/uefi/increment_db_key.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment UEFI DB key.
+
+# Load common constants and variables.
+. "$(dirname "$0")/uefi_common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+  Usage: $0 <keyset directory>
+
+  Increments the UEFI DB key in the specified keyset.
+EOF
+  exit 1
+fi
+
+KEY_DIR="$1"
+
+main() {
+  check_uefi_key_dir_name "${KEY_DIR}"
+
+  load_current_uefi_key_versions "${KEY_DIR}"
+  new_db_key_ver=$(increment_uefi_version "${KEY_DIR}" "db_key_version")
+  new_db_child_key_ver=1
+
+  cd "${KEY_DIR}"
+  backup_db_keypair_and_children "${CURR_DB_KEY_VER}"
+
+  cat <<EOF
+Generating new UEFI DB key version.
+
+New DB key version: ${new_db_key_ver}.
+EOF
+  make_db_keypair "${new_db_key_ver}"
+  make_db_child_keypair "${new_db_key_ver}" "${new_db_child_key_ver}"
+  write_updated_uefi_version_file "${CURR_PK_KEY_VER}" "${CURR_KEK_KEY_VER}" \
+      "${new_db_key_ver}" "${new_db_child_key_ver}"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/uefi/increment_kek_key.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment UEFI Key Exchange Key (KEK).
+
+# Load common constants and variables.
+. "$(dirname "$0")/uefi_common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+  Usage: $0 <keyset directory>
+
+  Increments the UEFI Key Exchange Key (KEK) in the specified keyset.
+EOF
+  exit 1
+fi
+
+KEY_DIR="$1"
+
+main() {
+  check_uefi_key_dir_name "${KEY_DIR}"
+
+  load_current_uefi_key_versions "${KEY_DIR}"
+  new_kek_key_ver=$(increment_uefi_version "${KEY_DIR}" "kek_key_version")
+
+  cd "${KEY_DIR}"
+  backup_kek_keypair "${CURR_KEK_KEY_VER}"
+
+  cat <<EOF
+Generating new UEFI Key Exchange Key (KEK) version.
+
+New Key Exchange Key version: ${new_kek_key_ver}.
+EOF
+  make_kek_keypair "${new_kek_key_ver}"
+  write_updated_uefi_version_file "${CURR_PK_KEY_VER}" "${new_kek_key_ver}" \
+      "${CURR_DB_KEY_VER}" "${CURR_DB_CHILD_KEY_VER}"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/uefi/increment_pk_key.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment UEFI Platform Key (PK).
+
+# Load common constants and variables.
+. "$(dirname "$0")/uefi_common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+  Usage: $0 <keyset directory>
+
+  Increments the UEFI Platform Key (PK) in the specified keyset.
+EOF
+  exit 1
+fi
+
+KEY_DIR="$1"
+
+main() {
+  check_uefi_key_dir_name "${KEY_DIR}"
+
+  load_current_uefi_key_versions "${KEY_DIR}"
+  new_pk_key_ver=$(increment_uefi_version "${KEY_DIR}" "pk_key_version")
+
+  cd "${KEY_DIR}"
+  backup_pk_keypair "${CURR_PK_KEY_VER}"
+
+  cat <<EOF
+Generating new UEFI Platform Key (PK) version.
+
+New Platform Key version: ${new_pk_key_ver}.
+EOF
+  make_pk_keypair "${new_pk_key_ver}"
+  write_updated_uefi_version_file "${new_pk_key_ver}" "${CURR_KEK_KEY_VER}" \
+      "${CURR_DB_KEY_VER}" "${CURR_DB_CHILD_KEY_VER}"
+}
+
+main "$@"

firmware/coreboot/3rdparty/vboot/scripts/keygeneration/uefi/uefi_common.sh

@@ -0,0 +1,253 @@
+#!/bin/bash
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Common UEFI key generation functions.
+
+. "$(dirname "$0")/../common.sh"
+
+# Checks whether the given key directory name is "uefi".
+# Dies if it isn't.
+# ARGS: KEY_DIR
+check_uefi_key_dir_name() {
+  local key_dir="$1"
+  local key_dir_fullpath="$(readlink -f "${key_dir}")"
+  local key_dir_basename="$(basename "${key_dir_fullpath}")"
+  if [[ "${key_dir_basename}" != "uefi" ]]; then
+    die "Key directory base name is not \"uefi\""
+  fi
+}
+
+# File to read current versions from.
+UEFI_VERSION_FILE="uefi_key.versions"
+
+# Prints the version value for the given VERSION_TYPE, from UEFI_VERSION_FILE.
+# ARGS: <VERSION_TYPE> [UEFI_VERSION_FILE]
+get_uefi_version() {
+  local key="$1"
+  local file="${2:-${UEFI_VERSION_FILE}}"
+  awk -F= -vkey="${key}" '$1 == key { print $NF }' "${file}"
+}
+
+# Loads the current versions, prints them to stdout, and sets the global version
+# variables: CURR_PK_KEY_VER CURR_KEK_KEY_VER CURR_DB_KEY_VER
+# CURR_DB_CHILD_KEY_VER
+# ARGS: KEY_DIR
+load_current_uefi_key_versions() {
+  local key_dir="$1"
+  local UEFI_VERSION_FILE="${key_dir}/${UEFI_VERSION_FILE}"
+  if [[ ! -f "${UEFI_VERSION_FILE}" ]]; then
+    return 1
+  fi
+  CURR_PK_KEY_VER=$(get_uefi_version "pk_key_version")
+  CURR_KEK_KEY_VER=$(get_uefi_version "kek_key_version")
+  CURR_DB_KEY_VER=$(get_uefi_version "db_key_version")
+  CURR_DB_CHILD_KEY_VER=$(get_uefi_version "db_child_key_version")
+
+  cat <<EOF
+Current UEFI Platform Key (PK) version: ${CURR_PK_KEY_VER}
+Current UEFI Key Exchange Key (KEK) version: ${CURR_KEK_KEY_VER}
+Current UEFI DB key version: ${CURR_DB_KEY_VER}
+Current UEFI DB child key version: ${CURR_DB_CHILD_KEY_VER}
+EOF
+}
+
+# The common part for the subject of a UEFI key.
+_CHROMIUM_OS_SUBJECT=\
+'/C=US/ST=California/L=Mountain View/O=Google LLC./OU=Chromium OS'
+
+# Prints a UEFI key subject.
+# ARGS: TITLE VERSION
+_get_subj() {
+  local title="$1"
+  local version="$2"
+
+  echo "${_CHROMIUM_OS_SUBJECT}/CN=${title} v${version}"
+}
+
+# Generates a pair of a private key and a self-signed cert at the current
+# directory. Generated files are
+#   $1/$1.rsa: The private key
+#   $1/$1.pem: The self-signed cert in PEM format
+# ARGS: KEY_NAME SUBJECT
+_make_self_signed_pair() {
+  local key_name="$1"
+  local subj="$2"
+
+  mkdir -p "${key_name}"
+  pushd "${key_name}" >/dev/null || return 1
+  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
+      -keyout "${key_name}.rsa" -out "${key_name}.pem" \
+      -subj "${subj}" -days 3650
+  popd >/dev/null
+}
+
+# Generates a pair of a private key and a cert signed by the given CA.
+# "$1" (the first argument) is the CA file name without extension.
+# The results are signed by "$1/$1.{rsa,pem}", and are generated in
+# "$1/$1.children" directory under the current directory. Generated files are
+#   $1/$1.children/$2.rsa: The private key
+#   $1/$1.children/$2.csr: The Certificate Signing Request
+#   $1/$1.children/$2.pem: The certificate signed by "$1.{rsa,pem}"
+# ARGS: CA_NAME CHILD_KEY_NAME SUBJECT
+_make_child_pair() {
+  local ca_name="$1"  # Base filename without extension.
+  local child_key_name="$2"
+  local subj="$3"
+
+  mkdir -p "${ca_name}/${ca_name}.children"
+  pushd "${ca_name}/${ca_name}.children" >/dev/null || return 1
+  openssl req -new -nodes -newkey rsa:2048 -sha256 \
+      -keyout "${child_key_name}.rsa" -out "${child_key_name}.csr" \
+      -subj "${subj}"
+  openssl x509 -req -sha256 -CA "../${ca_name}.pem" -CAkey "../${ca_name}.rsa" \
+      -CAcreateserial -in "${child_key_name}.csr" \
+      -out "${child_key_name}.pem" -days 3650
+  popd >/dev/null
+}
+
+# Makes a PK (Platform Key) keypair.
+# Generated files are
+#   pk/pk.rsa: The private key
+#   pk/pk.pem: The self-signed cert in PEM format
+# ARGS: VERSION
+make_pk_keypair() {
+  local version="$1"
+  _make_self_signed_pair pk \
+      "$(_get_subj "UEFI Platform Key" "${version}")"
+}
+
+# Makes a KEK (Key Exchange Key) keypair.
+# Generated files are
+#   kek/kek.rsa: The private key
+#   kek/kek.pem: The self-signed cert in PEM format
+# ARGS: VERSION
+make_kek_keypair() {
+  local version="$1"
+  _make_self_signed_pair kek \
+      "$(_get_subj "UEFI Key Exchange Key" "${version}")"
+}
+
+# Makes a DB keypair.
+# Generated files are
+#   db/db.rsa: The private key
+#   db/db.pem: The self-signed cert in PEM format
+# ARGS: VERSION
+make_db_keypair() {
+  local version="$1"
+  _make_self_signed_pair db \
+      "$(_get_subj "UEFI DB Key" "${version}")"
+}
+
+# Makes a DB child keypair (a keypair signed by the db key).
+# Generated files are
+#   db/db.children/db_child.rsa: The private key
+#   db/db.children/db_child.csr: The Certificate Signing Request
+#   db/db.children/db_child.pem: The certificate signed by "db/db.{rsa,pem}"
+# ARGS: DB_KEY_VERSION CHILD_KEY_VERSION
+make_db_child_keypair() {
+  local db_key_version="$1"
+  local child_key_version="$2"
+  _make_child_pair db db_child \
+      "$(_get_subj "UEFI DB Child Key" \
+          "${db_key_version}.${child_key_version}")"
+}
+
+# Makes a backup of a self-signed keypair.
+# ARGS: KEY_NAME VERSION
+_backup_self_signed_pair() {
+  local key_name="$1"
+  local version="$2"
+  pushd "${key_name}" >/dev/null || return 1
+  mv --no-clobber "${key_name}".{rsa,"v${version}.rsa"}
+  mv --no-clobber "${key_name}".{pem,"v${version}.pem"}
+  popd >/dev/null
+}
+
+# Makes a backup of a self-signed keypair and its child keys.
+# ARGS: KEY_NAME VERSION
+_backup_self_signed_pair_and_children() {
+  local key_name="$1"
+  local version="$2"
+  _backup_self_signed_pair "${key_name}" "${version}"
+  pushd "${key_name}" >/dev/null || return 1
+  mv --no-clobber "${key_name}".{children,"v${version}.children"}
+  popd >/dev/null
+}
+
+# Makes a backup of a child keypair signed by a CA.
+# ARGS: CA_NAME CHILD_KEY_NAME CHILD_KEY_VERSION
+_backup_child_pair() {
+  local ca_name="$1"
+  local child_key_name="$2"
+  local child_key_version="$3"
+  pushd "${ca_name}/${ca_name}.children" >/dev/null || return 1
+  mv --no-clobber "${child_key_name}".{rsa,"v${child_key_version}.rsa"}
+  mv --no-clobber "${child_key_name}".{csr,"v${child_key_version}.csr"}
+  mv --no-clobber "${child_key_name}".{pem,"v${child_key_version}.pem"}
+  popd >/dev/null
+}
+
+# Makes a backup of the PK (Platform Key) keypair.
+# Backup format: pk.v<pk key version>.{rsa,pem}
+# ARGS: PK_KEY_VERSION
+backup_pk_keypair() {
+  local pk_key_version="$1"
+  _backup_self_signed_pair pk "${pk_key_version}"
+}
+
+# Makes a backup of the KEK (Key Exchange Key) keypair.
+# Backup format: kek.v<kek key version>.{rsa,pem}
+# ARGS: KEK_KEY_VERSION
+backup_kek_keypair() {
+  local kek_key_version="$1"
+  _backup_self_signed_pair kek "${kek_key_version}"
+}
+
+# Makes a backup of the DB keypair and its children.
+# Backup format:
+#   for db keypair: db.v<db key version>.{rsa,pem}
+#   for child keypair: db.v<db key version>.childern/child*.{rsa,csr,pem}
+# ARGS: DB_KEY_VERSION
+backup_db_keypair_and_children() {
+  local db_key_version="$1"
+  _backup_self_signed_pair_and_children db "${db_key_version}"
+}
+
+# Makes a backup of the DB child keypair.
+# Backup format: db.children/child.v<db child key version>.{rsa,csr,pem}
+# ARGS: DB_CHILD_KEY_VERSION
+backup_db_child_keypair() {
+  local db_child_key_version="$1"
+  _backup_child_pair db db_child "${db_child_key_version}"
+}
+
+# Writes new key version file with the updated key versions.
+# Args: PK_KEY_VERSION KEK_KEY_VERSION DB_KEY_VERSION DB_CHILD_KEY_VERSION
+write_updated_uefi_version_file() {
+  local pk_key_version="$1"
+  local kek_key_version="$2"
+  local db_key_version="$3"
+  local db_child_key_version="$4"
+
+  cat > "${UEFI_VERSION_FILE}" <<EOF
+pk_key_version=${pk_key_version}
+kek_key_version=${kek_key_version}
+db_key_version=${db_key_version}
+db_child_key_version=${db_child_key_version}
+EOF
+}
+
+# Returns the incremented version number of the passed in key from the version
+# file.  The options are "pk_key_version", "kek_key_version", "db_key_version",
+# or "db_child_key_version".
+# ARGS: KEY_DIR <key_name>
+increment_uefi_version() {
+  local key_dir="$1"
+  local UEFI_VERSION_FILE="${key_dir}/${UEFI_VERSION_FILE}"
+  local old_version=$(get_uefi_version "$2")
+  local new_version=$(( old_version + 1 ))
+
+  echo "${new_version}"
+}