The existing keys are kept the same, so that old dev kernels and
firmware remain compatible with new kernels and firmware.
Change-Id: I4177d1868904a477d79b9f2e6de88ed756ed57b4
BUG=chrome-os-partner:2218
TEST=manual:
Build firmware with new keys.
Boot with dev switch on.
Run 'crossystem mainfw_act mainfw_type'.
Should see "A developer"
Boot with dev switch off.
Run 'crossystem mainfw_act mainfw_type'.
Should see "B normal"
Review URL: http://codereview.chromium.org/6580035
This change makes dumpRSAPublicKey directly accept a public key in PEM format. This makes it possible to avoid the unnecessary step of generating a self-signed certificate to dump the public key in .keyb format.
The old style certificate input is still accepted.
Using certs (as done previously):
dumpRSAPublicKey -cert <certfile>
Directly using public keys:
dumpRSAPublicKey -pub <pubfile>
Change-Id: Ic35b59aff6613d145d7947212650da281f734b74
BUG=7576
TEST=manual
$ openssl genrsa -F4 -out test.pem 4096
$ openssl rsa -in test.pem -out test.pub
$ dumpRSAPublicKey -pub test.pub >test.pub.keyb
Verify that this matches the output we get using the old style <cert> input.
$ openssl req -batch -new -x509 -key test.pem -out test.cert
$ dumpRSAPublicKey -cert test.cert >test.cert.keyb
$ diff test.pub.keyb test.cert.keyb
$
Review URL: http://codereview.chromium.org/4215006
The make_dev_ssd.sh is made for devinstall shim to
change SSD kernels to be signed by dev keys.
- Kernel A, B will be resigned with dev keys (ignore if A/B seems not bootable)
- Adding param --remove_rootfs_verification can even disable rootfs hash check
This CL also includes some shared refine/fix to make_dev_firmware.sh
BUG=chrome-os-partner:1276
TEST=sudo ./make_dev_ssd.sh; (seeing Kernel A is resigned and B is ignored)
then reboot without developer mode (OK),
rootdev shows /dev/dm-0, rootdev -s shows /dev/sda3
sudo ./make_dev_ssd.sh --remove_rootfs_verification;
then reboot without developer mode (OK), rootdev shows /dev/sda3
Change-Id: Ic20f734b2af42e50a43c19a565a166a39d57a7fd
Review URL: http://codereview.chromium.org/3772013
Make vbutil_keyblock handle unsigned blocks. Also enable --unpack option and
add tests for it.
Modify vbutil_kernel to allow unsigned keyblocks, correct usage message,
and fix the --debug option which was somehow disabled.
Update load_kernel_test to accept /dev/null for the public key, to test
non-signed kernel keyblocks.
Review URL: http://codereview.chromium.org/3124004
