xref: /aosp_15_r20/external/vboot_reference/scripts/keygeneration/add_loem_keys.sh (revision 8617a60d3594060b7ecbd21bc622a7c14f3cf2bc)
1#!/bin/bash
2# Copyright 2015 The ChromiumOS Authors
3# Use of this source code is governed by a BSD-style license that can be
4# found in the LICENSE file.
5
6# Load common constants and functions.
7# shellcheck source=common.sh
8. "$(dirname "$0")/common.sh"
9
# Print the command-line help text on stdout and terminate the script.
# Globals:   PROG (read) - program name shown in the usage line
# Arguments: $1 - optional exit status; 0 is used when it is omitted or empty
# Outputs:   the usage text on stdout
# Returns:   never returns; exits with the requested status
usage() {
  local exit_code=${1:-0}

  printf '%s\n' \
    "Usage: ${PROG} <number of loem keys to add>" \
    "" \
    "If the existing keyset is not set up for loem usage, it will be converted." \
    "" \
    "Note: Use 0 if you want to just convert an existing keyset."

  exit "${exit_code}"
}
20
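# Convert the keyset in the current directory to the loem layout: rename the
# firmware data key, root key and firmware keyblock files so their first "."
# becomes ".loem1.", then create loem.ini containing the "[loem]" header.
#
# The operator's confirmation is enforced here with an explicit return, so a
# declined prompt stops the renames even when the function runs somewhere
# errexit is off (for example inside an `if` or `||` list). All source files
# are resolved and checked before anything is renamed, so a missing file
# cannot leave the key directory half converted.
#
# Arguments: none (reads one line from stdin as the confirmation)
# Outputs:   prompt and progress on stdout, errors on stderr
# Returns:   0 on success; non-zero if not confirmed, a key file is missing,
#            or a rename fails
convert_keyset_to_loem() {
  local reply f
  local -a sources=()

  printf "Converting to loem keyset; continue? (y/N) "
  # A failed read (EOF) counts as "no": renaming key material needs an
  # affirmative answer.
  if ! read -r reply || [[ ${reply} != [yY] ]]; then
    echo "Keyset conversion not confirmed; nothing was changed" >&2
    return 1
  fi

  # Pass 1: work out which files to rename; nothing is touched yet.
  for f in {firmware_data,root}_key.vb{pub,priv}k firmware.keyblock; do
    if [[ ${f} == "root_key.vbprivk" && ! -e ${f} ]]; then
      # For official keys, we won't have the private half of the root key.
      echo "Skipping ${f} for official keys"
      continue
    fi
    if [[ ${f} == *.vbprivk && ! -e ${f} ]]; then
      # For official keys, will be gpg wrapped.
      f+=".gpg"
    fi
    if [[ ! -e ${f} ]]; then
      echo "Missing ${f}; keyset left unchanged" >&2
      return 1
    fi
    sources+=("${f}")
  done

  # Pass 2: rename. -i keeps mv from silently overwriting an existing
  # .loem1. file; -- ends option parsing before the file names.
  for f in "${sources[@]}"; do
    mv -i -- "${f}" "${f/./.loem1.}" || return 1
  done

  echo "[loem]" > loem.ini
}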
43
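# Add loem key sets to the keyset in the current directory, converting a
# non-loem keyset first when root_key.vbpubk is present.
#
# The requested count and the highest existing key number both feed shell
# arithmetic, so each is checked to be a plain decimal number first. Before
# this check a non-numeric count, or a directory with no numbered
# firmware.loem*.keyblock, only failed later with an arithmetic error.
#
# Globals:   VERSION_FILE, ROOT_KEY_ALGOID, FIRMWARE_DATAKEY_ALGOID,
#            FIRMWARE_KEYBLOCK_MODE (read; not defined in this file)
# Arguments: $1 - number of loem keys to add (0 = only convert)
# Outputs:   progress messages on stdout
# Returns:   exits via usage/die on bad input; otherwise returns after the
#            last key set is generated
main() {
  set -e -u

  # Unchanged from the original: wrong argument count or a leading dash
  # prints the usage text and exits with usage's default status.
  if [[ $# -ne 1 || $1 == -* ]]; then
    usage
  fi
  # New: anything that is not a plain decimal count is a usage error.
  if [[ ! $1 =~ ^[0-9]+$ ]]; then
    usage 1
  fi

  # Keep `local` and assignment split so return values are checked.
  local firmware_key_version
  local num_keys highest_key k

  if [[ ! -e ${VERSION_FILE} ]]; then
    die "missing ${VERSION_FILE} in ${PWD}; please create one"
  fi

  firmware_key_version=$(get_version "firmware_key_version")

  # See if we need to convert the keyset first.
  if [[ -e root_key.vbpubk ]]; then
    convert_keyset_to_loem
  fi

  # 10# forces base 10 so a leading zero is not read as octal.
  num_keys=$((10#$1))
  highest_key=$(printf '%s\n' firmware.loem*.keyblock |
                sed -r 's:firmware\.loem(.*)\.keyblock:\1:' |
                sort -n | tail -1)
  # An unmatched glob or an unexpected file name yields a non-numeric value;
  # stop here instead of handing it to the arithmetic loop below.
  if [[ ! ${highest_key} =~ ^[0-9]+$ ]]; then
    die "no numbered firmware.loem*.keyblock found in ${PWD}"
  fi
  highest_key=$((10#${highest_key}))
  echo "There are ${highest_key} loem keys; adding ${num_keys} more"

  for ((k = highest_key + 1; k < highest_key + 1 + num_keys; ++k)); do
    echo "Generating LOEM ${k}"
    make_pair "root_key.loem${k}" "${ROOT_KEY_ALGOID}"
    # firmware_key_version stays unquoted as in the original, so an empty
    # value passes no argument; make_pair is not visible in this file.
    # shellcheck disable=SC2086
    make_pair "firmware_data_key.loem${k}" "${FIRMWARE_DATAKEY_ALGOID}" \
      ${firmware_key_version}
    make_keyblock "firmware.loem${k}" "${FIRMWARE_KEYBLOCK_MODE}" \
      "firmware_data_key.loem${k}" "root_key.loem${k}"
  done

  echo
  echo "Don't forget to update loem.ini to allocate the keys!"
}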
84main "$@"