Make dev firmware keyblock/data key generation and use optional

For key generation, only generate dev firmware keyblocks, if the
--devkeyblock option is passed. For signing, re-use normal firmware
keyblock and data key if no dev keyblocks or data key are found in
the keyset directory.

BUG=chrome-os-partner:6942
TEST=manual
     - tested key generation with/without the new flag
     - tested signing with or without the presence of dev keyblock

Change-Id: Ic4bf72cb194461e07fcc0f6de39d4e16d1c979a6
Reviewed-on: https://gerrit.chromium.org/gerrit/12038
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>

scripts/image_signing/resign_firmwarefd.sh

@@ -78,6 +78,12 @@ if [ -z "$VERSION" ]; then
 fi
 echo "Using firmware version: $VERSION"
 
+if [ ! -e $DEV_FIRMWARE_KEYBLOCK ] || [ ! -e $DEV_FIRMWARE_DATAKEY ] ; then
+  echo "No dev firmware keyblock/datakey found. Reusing normal keys."
+  DEV_FIRMWARE_KEYBLOCK=$FIRMWARE_KEYBLOCK
+  DEV_FIRMWARE_DATAKEY=$FIRMWARE_DATAKEY
+fi
+
 # Parse offsets and size of firmware data and vblocks
 for i in "A" "B"
 do

scripts/keygeneration/create_new_keys.sh

@@ -9,6 +9,13 @@
 # Load common constants and functions.
 . "$(dirname "$0")/common.sh"
 
+# Flag to indicate whether we should be generating a developer keyblock flag.
+DEV_KEYBLOCK_FLAG=""
+if [ $# -eq 1 ] && [ $1 = "--devkeyblock" ]; then
+  echo "Will also generate developer firmware keyblock and data key."
+  DEV_KEYBLOCK_FLAG=1
+fi
+
 # File to read current versions from.
 VERSION_FILE="key.versions"
 
@@ -29,7 +36,9 @@ KDATAKEY_VERSION=$(get_version "kernel_key_version")
 # Create the normal keypairs
 make_pair root_key                 $ROOT_KEY_ALGOID
 make_pair firmware_data_key        $FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION
-make_pair dev_firmware_data_key    $DEV_FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION
+if [ -n "$DEV_KEYBLOCK_FLAG" ]; then
+  make_pair dev_firmware_data_key    $DEV_FIRMWARE_DATAKEY_ALGOID $FKEY_VERSION
+fi
 make_pair kernel_subkey            $KERNEL_SUBKEY_ALGOID $KSUBKEY_VERSION
 make_pair kernel_data_key          $KERNEL_DATAKEY_ALGOID $KDATAKEY_VERSION
 
@@ -42,8 +51,12 @@ make_pair installer_kernel_data_key $INSTALLER_KERNEL_ALGOID
 # since it's never even checked during Recovery mode.
 make_keyblock firmware $FIRMWARE_KEYBLOCK_MODE firmware_data_key root_key
 
-# Create the dev firmware keyblock for use only in Developer mode.
+
-make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key
+if [ -n "$DEV_KEYBLOCK_FLAG" ]; then
+  # Create the dev firmware keyblock for use only in Developer mode.
+  make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key
+fi
+
 
 # Create the recovery kernel keyblock for use only in Recovery mode.
 make_keyblock recovery_kernel $RECOVERY_KERNEL_KEYBLOCK_MODE recovery_kernel_data_key recovery_key