#!/bin/bash # Copyright 2015 The ChromiumOS Authors # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. # Load common constants and functions. # shellcheck source=common.sh . "$(dirname "$0")/common.sh" usage() { cat < If the existing keyset is not set up for loem usage, it will be converted. Note: Use 0 if you want to just convert an existing keyset. EOF exit ${1:-0} } convert_keyset_to_loem() { local f printf "Converting to loem keyset; continue? (y/N) " read f [[ ${f} == [yY] ]] for f in {firmware_data,root}_key.vb{pub,priv}k firmware.keyblock; do if [[ ${f} == "root_key.vbprivk" && ! -e ${f} ]]; then # For official keys, we won't have the private half of the root key. echo "Skipping ${f} for official keys" continue fi if [[ ${f} == *.vbprivk && ! -e ${f} ]]; then # For official keys, will be gpg wrapped. f+=".gpg" fi mv -i "${f}" "${f/./.loem1.}" done echo "[loem]" > loem.ini } main() { set -e -u if [[ $# -ne 1 || $1 == -* ]]; then usage fi # Keep `local` and assignment split so return values are checked. local firmware_key_version local num_keys highest_key k if [[ ! -e ${VERSION_FILE} ]]; then die "missing ${VERSION_FILE} in ${PWD}; please create one" fi firmware_key_version=$(get_version "firmware_key_version") # See if we need to convert the keyset first. if [[ -e root_key.vbpubk ]]; then convert_keyset_to_loem fi num_keys=$1 highest_key=$(printf '%s\n' firmware.loem*.keyblock | sed -r 's:firmware.loem(.*).keyblock:\1:' | sort -n | tail -1) echo "There are ${highest_key} loem keys; adding ${num_keys} more" for ((k = highest_key + 1; k < highest_key + 1 + num_keys; ++k)); do echo "Generating LOEM ${k}" make_pair root_key.loem${k} ${ROOT_KEY_ALGOID} make_pair firmware_data_key.loem${k} ${FIRMWARE_DATAKEY_ALGOID} \ ${firmware_key_version} make_keyblock firmware.loem${k} ${FIRMWARE_KEYBLOCK_MODE} \ firmware_data_key.loem${k} root_key.loem${k} done echo echo "Don't forget to update loem.ini to allocate the keys!" } main "$@"