#!/bin/bash
# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Common key generation functions.

# Directory of the running script. When this file is sourced, $0 is the
# sourcing script, so this is that script's directory rather than this file's.
SCRIPT_DIR="$(dirname "$0")"

# Algorithm IDs. Every run of three consecutive IDs shares one RSA modulus
# size and differs only in the hash used with it:
# 0 = (RSA1024 SHA1)
# 1 = (RSA1024 SHA256)
# 2 = (RSA1024 SHA512)
# 3 = (RSA2048 SHA1)
# 4 = (RSA2048 SHA256)
# 5 = (RSA2048 SHA512)
# 6 = (RSA4096 SHA1)
# 7 = (RSA4096 SHA256)
# 8 = (RSA4096 SHA512)
# 9 = (RSA8192 SHA1)
# 10 = (RSA8192 SHA256)
# 11 = (RSA8192 SHA512)

#######################################
# Print the RSA modulus length in bits for an algorithm ID from the table
# above: IDs 0-2 give 1024, 3-5 give 2048, 6-8 give 4096, 9-11 give 8192.
# Arguments: $1 - algorithm ID (integer)
# Outputs:   key length in bits on stdout
#######################################
alg_to_keylen() {
  local alg_id=$1
  # integer division groups the IDs in threes; 1 << 10 is the 1024-bit base
  local shift_by=$(( 10 + alg_id / 3 ))
  printf '%s\n' "$(( 1 << shift_by ))"
}

# Default algorithms.
# Values are IDs from the algorithm table above alg_to_keylen.
EC_ROOT_KEY_ALGOID=7            # RSA4096 SHA256
EC_DATAKEY_ALGOID=7             # RSA4096 SHA256

ROOT_KEY_ALGOID=11              # RSA8192 SHA512
RECOVERY_KEY_ALGOID=11          # RSA8192 SHA512

FIRMWARE_DATAKEY_ALGOID=7       # RSA4096 SHA256
DEV_FIRMWARE_DATAKEY_ALGOID=7   # RSA4096 SHA256

RECOVERY_KERNEL_ALGOID=11       # RSA8192 SHA512
INSTALLER_KERNEL_ALGOID=11      # RSA8192 SHA512
KERNEL_SUBKEY_ALGOID=7          # RSA4096 SHA256
KERNEL_DATAKEY_ALGOID=4         # RSA2048 SHA256

# Keyblock modes determine which boot modes a signing key is valid for use
# in verification. Each value is the decimal OR of the keyblock flag bits
# documented at make_keyblock (0x01 dev switch off, 0x02 dev switch on,
# 0x04 not recovery, 0x08 recovery).
EC_KEYBLOCK_MODE=7                 # 1|2|4: Only allow RW EC firmware in non-recovery.
FIRMWARE_KEYBLOCK_MODE=7           # 1|2|4: Only allow RW firmware in non-recovery.
DEV_FIRMWARE_KEYBLOCK_MODE=6       # 2|4:   Only allow in dev mode.
RECOVERY_KERNEL_KEYBLOCK_MODE=11   # 1|2|8: Only in recovery mode.
KERNEL_KEYBLOCK_MODE=7             # 1|2|4: Only allow in non-recovery.
INSTALLER_KERNEL_KEYBLOCK_MODE=10  # 2|8:   Only allow in Dev + Recovery.
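
# Emit .vbpubk and .vbprivk using given basename and algorithm
# NOTE: This function also appears in ../../utility/dev_make_keypair. Making
# the two implementations the same would require some common.sh, which is more
# likely to cause problems than just keeping an eye out for any differences. If
# you feel the need to change this file, check the history of that other file
# to see what may need updating here too.
#######################################
# Arguments: $1 - basename for the output files
#            $2 - algorithm ID (see the table above alg_to_keylen)
#            $3 - key version (default 1)
# Outputs:   <base>.vbpubk and <base>.vbprivk in the current directory;
#            a progress line on stdout
# Returns:   0 on success; 1 if the arguments are invalid; otherwise the
#            status of the first generation step that failed. Intermediate
#            files are removed on every path.
#######################################
make_pair() {
  local base=$1
  local alg=$2
  local key_version=${3:-1}
  local len rv=0

  # Reject junk before it reaches the arithmetic in alg_to_keylen or the
  # openssl/vbutil_key command lines.
  if [[ -z "$base" || ! "$alg" =~ ^[0-9]+$ ]]; then
    printf 'make_pair: usage: make_pair <basename> <algorithm id> [version]\n' >&2
    return 1
  fi
  len=$(alg_to_keylen "$alg") || return

  printf '%s\n' "creating $base keypair (version = $key_version)..."

  local pem="${base}_${len}.pem"
  local crt="${base}_${len}.crt"
  local keyb="${base}_${len}.keyb"

  # make the RSA keypair, a self-signed certificate and the pre-processed
  # public key, then wrap both halves. The chain stops at the first failure
  # so a later step never runs against a missing or stale intermediate
  # (previously every step ran unconditionally and the function returned 0).
  openssl genrsa -F4 -out "$pem" "$len" \
    && openssl req -batch -new -x509 -key "$pem" -out "$crt" \
    && dumpRSAPublicKey -cert "$crt" > "$keyb" \
    && vbutil_key \
         --pack "${base}.vbpubk" \
         --key "$keyb" \
         --version "${key_version}" \
         --algorithm "$alg" \
    && vbutil_key \
         --pack "${base}.vbprivk" \
         --key "$pem" \
         --algorithm "$alg" \
    || rv=$?

  # remove intermediate files on every path; the .pem is the unwrapped
  # private key and must not be left behind after a failure
  rm -f -- "$pem" "$crt" "$keyb"
  if (( rv != 0 )); then
    printf 'make_pair: failed to create %s keypair\n' "$base" >&2
  fi
  return "$rv"
}

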
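
# Emit a .keyblock containing flags and a public key, signed by a private key
# flags are the bitwise OR of these (passed in decimal, though)
# 0x01 Developer switch off
# 0x02 Developer switch on
# 0x04 Not recovery mode
# 0x08 Recovery mode
#######################################
# Arguments: $1 - basename of the keyblock to write (<base>.keyblock)
#            $2 - flags, decimal OR of the bits above
#            $3 - basename of the data public key (<pubkey>.vbpubk)
#            $4 - basename of the signing key (<signkey>.vbprivk to sign,
#                 <signkey>.vbpubk to verify)
# Outputs:   <base>.keyblock; a progress line on stdout
# Returns:   1 if an argument is missing or flags is not a decimal number;
#            otherwise non-zero if packing or the verification unpack fails
#######################################
make_keyblock() {
  local base=$1
  local flags=$2
  local pubkey=$3
  local signkey=$4

  if [[ -z "$base" || ! "$flags" =~ ^[0-9]+$ || -z "$pubkey" || -z "$signkey" ]]; then
    printf 'make_keyblock: usage: make_keyblock <base> <decimal flags> <pubkey> <signkey>\n' >&2
    return 1
  fi

  printf '%s\n' "creating $base keyblock..."

  # create it; a failed pack must not fall through to the verify step, which
  # would otherwise run against whatever <base>.keyblock already exists
  vbutil_keyblock \
    --pack "${base}.keyblock" \
    --flags "$flags" \
    --datapubkey "${pubkey}.vbpubk" \
    --signprivate "${signkey}.vbprivk" || return

  # verify it; this command's status is the function's return value
  vbutil_keyblock \
    --unpack "${base}.keyblock" \
    --signpubkey "${signkey}.vbpubk"
}

# File to read current versions from.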
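VERSION_FILE="key.versions"

#######################################
# Print the value of one key=value entry in a version file.
# ARGS: <VERSION_TYPE> [VERSION_FILE]
# The key is handed to awk as a variable and compared as a whole field, so
# it is never spliced into the awk program text (the previous
# '/^'$1'\>/' form built a regex out of the argument and relied on the
# GNU-only \> anchor).
# Outputs: the value on stdout, nothing if the key is absent
# Returns: awk's status (non-zero if the file cannot be read)
#######################################
get_version() {
  awk -F= -v key="$1" '$1 == key { print $NF }' "${2:-${VERSION_FILE}}"
}

#######################################
# Loads the current versions prints them to stdout and sets the global version
# variables: CURR_FIRMKEY_VER CURR_FIRM_VER CURR_KERNKEY_VER CURR_KERN_VER
# ARGS: KEY_DIR
# Returns: 1 if KEY_DIR has no version file or any of the four values is
#          missing or not a decimal number (an empty value would otherwise
#          be displayed as blank and later incremented from nothing)
#######################################
load_current_versions() {
  local key_dir=$1
  # Shadows the global on purpose: get_version reads VERSION_FILE
  # dynamically, so this redirects it to the file under key_dir.
  local VERSION_FILE="${key_dir}/${VERSION_FILE}"
  local v
  if [[ ! -f "${VERSION_FILE}" ]]; then
    return 1
  fi
  CURR_FIRMKEY_VER=$(get_version "firmware_key_version")
  # Firmware version is the kernel subkey version.
  CURR_FIRM_VER=$(get_version "firmware_version")
  # Kernel data key version is the kernel key version.
  CURR_KERNKEY_VER=$(get_version "kernel_key_version")
  CURR_KERN_VER=$(get_version "kernel_version")

  for v in "${CURR_FIRMKEY_VER}" "${CURR_FIRM_VER}" \
           "${CURR_KERNKEY_VER}" "${CURR_KERN_VER}"; do
    if [[ ! "$v" =~ ^[0-9]+$ ]]; then
      printf 'Malformed or incomplete version file %s\n' "${VERSION_FILE}" >&2
      return 1
    fi
  done

  cat <<EOF
Current Firmware key version: ${CURR_FIRMKEY_VER}
Current Firmware version: ${CURR_FIRM_VER}
Current Kernel key version: ${CURR_KERNKEY_VER}
Current Kernel version: ${CURR_KERN_VER}
EOF
}

#######################################
# Make backups of existing kernel subkeys and keyblocks that will be revved.
# Backup format:
# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
# Args: SUBKEY_VERSION DATAKEY_VERSION
# Returns: 0 if there is no kernel.keyblock or the backup was made; 1 if a
#          backup with that name already exists. A skipped backup would leave
#          the live keyblock in place to be overwritten by the revved one,
#          so the collision is reported instead of ignored.
#######################################
backup_existing_kernel_keyblock() {
  local subkey_ver=$1
  local datakey_ver=$2
  local backup="kernel.v${datakey_ver}.v${subkey_ver}.keyblock"
  if [[ ! -e kernel.keyblock ]]; then
    return
  fi
  # Whether mv --no-clobber reports a skipped move through its exit status
  # depends on the coreutils version, so check for the collision explicitly.
  if [[ -e "$backup" ]]; then
    printf 'backup %s already exists; refusing to overwrite it\n' "$backup" >&2
    return 1
  fi
  mv --no-clobber -- kernel.keyblock "$backup"
}

# Make backups of existing kernel subkeys and keyblocks that will be revved.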
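# Backup format:
# for keys: <key_name>.v<version>.vb{pub|priv}k
# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
# Args: SUBKEY_VERSION DATAKEY_VERSION
# Returns: non-zero if a backup name is already taken or a move fails; the
#          keyblock backup is only attempted once both key files are moved.
backup_existing_kernel_subkeys() {
  local subkey_ver=$1
  local datakey_ver=$2
  local ext backup
  # --no-clobber to prevent accidentally overwriting existing
  # backups. Its exit status on a skipped move varies between coreutils
  # versions, so the collision is also checked here: a silently skipped
  # backup would leave the old private key to be overwritten by the new one.
  for ext in vbprivk vbpubk; do
    backup="kernel_subkey.v${subkey_ver}.${ext}"
    if [[ -e "$backup" ]]; then
      printf 'backup %s already exists; refusing to overwrite it\n' "$backup" >&2
      return 1
    fi
    mv --no-clobber -- "kernel_subkey.${ext}" "$backup" || return
  done
  backup_existing_kernel_keyblock "${subkey_ver}" "${datakey_ver}"
}

# Make backups of existing kernel data keys and keyblocks that will be revved.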
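# Backup format:
# for keys: <key_name>.v<version>.vb{pub|priv}k
# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
# Args: SUBKEY_VERSION DATAKEY_VERSION
# Returns: non-zero if a backup name is already taken or a move fails; the
#          keyblock backup is only attempted once both key files are moved.
backup_existing_kernel_data_keys() {
  local subkey_ver=$1
  local datakey_ver=$2
  local ext backup
  # --no-clobber to prevent accidentally overwriting existing
  # backups. Its exit status on a skipped move varies between coreutils
  # versions, so the collision is also checked here: a silently skipped
  # backup would leave the old private key to be overwritten by the new one.
  for ext in vbprivk vbpubk; do
    backup="kernel_data_key.v${datakey_ver}.${ext}"
    if [[ -e "$backup" ]]; then
      printf 'backup %s already exists; refusing to overwrite it\n' "$backup" >&2
      return 1
    fi
    mv --no-clobber -- "kernel_data_key.${ext}" "$backup" || return
  done
  backup_existing_kernel_keyblock "${subkey_ver}" "${datakey_ver}"
}

# Make backups of existing firmware keys and keyblocks that will be revved.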
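# Backup format:
# for keys: <key_name>.v<version>.vb{pub|priv}k
# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
# Args: SUBKEY_VERSION DATAKEY_VERSION
# NOTE(review): the firmware_data_key backups are named with SUBKEY_VERSION
# and the keyblock with <DATAKEY_VERSION>.<SUBKEY_VERSION>, exactly as the
# original code did — confirm against the callers before renaming either
# argument.
# Returns: non-zero if a backup name is already taken or a move fails; each
#          file is moved only after the previous one succeeded.
backup_existing_firmware_keys() {
  local subkey_ver=$1
  local datakey_ver=$2
  local src backup
  # --no-clobber guards against overwriting an existing backup, but its exit
  # status on a skipped move varies between coreutils versions, so the
  # collision is checked explicitly: a silently skipped backup would leave
  # the old private key to be overwritten by the new one.
  for src in firmware_data_key.vbprivk firmware_data_key.vbpubk firmware.keyblock; do
    case "$src" in
      firmware.keyblock)
        backup="firmware.v${datakey_ver}.v${subkey_ver}.keyblock" ;;
      *)
        backup="firmware_data_key.v${subkey_ver}.${src##*.}" ;;
    esac
    if [[ -e "$backup" ]]; then
      printf 'backup %s already exists; refusing to overwrite it\n' "$backup" >&2
      return 1
    fi
    mv --no-clobber -- "$src" "$backup" || return
  done
}


# Write new key version file with the updated key versions.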
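# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION
# KERNEL_VERSION
# Globals: VERSION_FILE (path written)
# Returns: 1 if any of the four versions is missing or not a decimal number,
#          so a half-filled file is never written; otherwise cat's status.
write_updated_version_file() {
  local firmware_key_version=$1
  local firmware_version=$2
  local kernel_key_version=$3
  local kernel_version=$4
  local v

  # Every value is read back and incremented by increment_version, so
  # refuse to write anything that is not a plain decimal number.
  for v in "$firmware_key_version" "$firmware_version" \
           "$kernel_key_version" "$kernel_version"; do
    if [[ ! "$v" =~ ^[0-9]+$ ]]; then
      printf 'write_updated_version_file: bad version %s\n' "$v" >&2
      return 1
    fi
  done

  cat > "${VERSION_FILE}" <<EOF
firmware_key_version=${firmware_key_version}
firmware_version=${firmware_version}
kernel_key_version=${kernel_key_version}
kernel_version=${kernel_version}
EOF
}

# Returns the incremented version number of the passed in key from the version
# file. The options are "firmware_key_version", "firmware_version",
# "kernel_key_version", or "kernel_version".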
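# ARGS: KEY_DIR <key_name>
# Outputs: the new version on stdout
# Returns: 1 if the version file is missing, the key is absent or not a
#          decimal number, or the increment would exceed 0xffff. Previously a
#          missing file or key became "1" via $(( + 1 )), silently restarting
#          the version counter instead of failing.
increment_version() {
  local key_dir=$1
  local key_name=$2
  # Shadows the global on purpose: get_version reads VERSION_FILE
  # dynamically, so this redirects it to the file under key_dir.
  local VERSION_FILE="${key_dir}/${VERSION_FILE}"
  local old_version new_version

  if [[ ! -f "${VERSION_FILE}" ]]; then
    printf 'No version file at %s\n' "${VERSION_FILE}" >&2
    return 1
  fi
  # assignment kept separate from 'local' so get_version's status is seen
  old_version=$(get_version "${key_name}") || return
  if [[ ! "${old_version}" =~ ^[0-9]+$ ]]; then
    printf 'No numeric %s in %s\n' "${key_name}" "${VERSION_FILE}" >&2
    return 1
  fi
  new_version=$(( old_version + 1 ))

  if (( new_version > 0xffff )); then
    echo "Version overflow!" >&2
    return 1
  fi
  printf '%s\n' "${new_version}"
}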