#!/bin/bash
# Copyright 2011 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Common key generation functions.
#
# This file is a library: it is meant to be sourced by the key generation
# scripts, which is why it neither sets -e nor has a main.

# Directory holding this script, with symlinks resolved.
SCRIPT_DIR="$(dirname "$(readlink -f -- "$0")")"
# Name of the invoking script; every log line is prefixed with it.
PROG=$(basename "$0")
CROS_LOG_PREFIX="${PROG}: "

# Writes one log line to stderr as "<CROS_LOG_PREFIX><LEVEL>: <message>".
# Args: LEVEL MESSAGE...
_cros_log() {
  local level=$1
  shift
  printf '%s%s: %s\n' "${CROS_LOG_PREFIX}" "${level}" "$*" >&2
}

# Prints an informational message.
info() {
  _cros_log INFO "$@"
}

# Prints a warning message.
warn() {
  _cros_log WARNING "$@"
}

# Prints an error message.
error() {
  _cros_log ERROR "$@"
}

# Print an error message and then exit the script.
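die() {
  error "$@"
  exit 1
}

# Algorithm ID mappings.  Each ID selects an RSA modulus size and a digest;
# three consecutive IDs share one key size, which alg_to_keylen relies on.
# NOTE(review): the SHA-1 entries are kept only so the IDs stay aligned with
# the vboot algorithm table; use the SHA-256/SHA-512 IDs for any new key.
RSA1024_SHA1_ALGOID=0
RSA1024_SHA256_ALGOID=1
RSA1024_SHA512_ALGOID=2
RSA2048_SHA1_ALGOID=3
RSA2048_SHA256_ALGOID=4
RSA2048_SHA512_ALGOID=5
RSA4096_SHA1_ALGOID=6
RSA4096_SHA256_ALGOID=7
RSA4096_SHA512_ALGOID=8
RSA8192_SHA1_ALGOID=9
RSA8192_SHA256_ALGOID=10
RSA8192_SHA512_ALGOID=11

# Prints the RSA modulus length in bits for an algorithm ID.
# Args: ALGOID - one of the *_ALGOID values above (0..11)
# Outputs: 1024, 2048, 4096 or 8192 on stdout
# Returns: 1 (printing nothing) if ALGOID is not an integer in the table, so a
#   typo or an unset variable cannot be turned into an unintended key size
#   (the unchecked shift used to yield 16384 for 12 and 1024 for "").
alg_to_keylen() {
  local alg=$1
  if [[ ! ${alg} =~ ^[0-9]+$ ]] || (( 10#${alg} > RSA8192_SHA512_ALGOID )); then
    error "unknown algorithm ID '${alg}'"
    return 1
  fi
  # 10# forces decimal so a leading zero is not read as octal.
  alg=$(( 10#${alg} ))
  # IDs 0-2 -> 1024, 3-5 -> 2048, 6-8 -> 4096, 9-11 -> 8192.
  echo $(( 1 << (10 + alg / 3) ))
}

# Default algorithms.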
# Each *_ALGOID below is passed to make_pair for the corresponding key.  All
# defaults are RSA-4096 except the kernel data key (RSA-2048).
# NOTE(review): presumably the smaller kernel data key is a boot-time
# verification cost trade-off; confirm before changing it in either direction.
ROOT_KEY_ALGOID=${RSA4096_SHA512_ALGOID}
RECOVERY_KEY_ALGOID=${RSA4096_SHA512_ALGOID}

FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}
DEV_FIRMWARE_DATAKEY_ALGOID=${RSA4096_SHA256_ALGOID}

RECOVERY_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
MINIOS_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
INSTALLER_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID}
KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}

# AP RO Verification.
ARV_ROOT_ALGOID=${RSA4096_SHA256_ALGOID}
ARV_PLATFORM_ALGOID=${RSA4096_SHA256_ALGOID}
# Basename used for the AP RO verification root key files.
ARV_ROOT_NAME_BASE="arv_root"
# Presumably the script is run from the top of the PreMP keys directory
# tree, place AP RO verification root key there.  (Relative path: nothing here
# checks the current directory, so callers must cd appropriately.)
ARV_ROOT_DIR="ApRoV1Signing-PreMP"

# Keyblock modes determine which boot modes a signing key is valid for use
# in verification.
# !DEV 0x1 DEV 0x2
# !REC 0x4 REC 0x8
# !MINIOS 0x10 MINIOS 0x20
# Each pair covers one boot-mode switch; a mask that sets both bits of a pair
# (e.g. 0x1 | 0x2) is valid in either state of that switch, a mask that sets
# only one bit restricts the keyblock to that state.  The masks are passed to
# vbutil_keyblock --flags in decimal (see make_keyblock).
# Note that firmware keyblock modes are not used. Consider deprecating.

# Only allow RW firmware in non-recovery + non-miniOS.
FIRMWARE_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))
# Only allow in dev mode + non-recovery + non-miniOS.
DEV_FIRMWARE_KEYBLOCK_MODE=$((0x2 | 0x4 | 0x10))
# Only allow in recovery mode + non-miniOS.
RECOVERY_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x10))
# Only allow in recovery mode + miniOS.
MINIOS_KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x8 | 0x20))
# Only allow in non-recovery + non-miniOS.
KERNEL_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))
# Only allow in dev + recovery + non-miniOS.
INSTALLER_KERNEL_KEYBLOCK_MODE=$((0x2 | 0x8 | 0x10))
# Only allow in non-recovery + non-miniOS, does not mean much for AP RO keys.
ARV_KEYBLOCK_MODE=$((0x1 | 0x2 | 0x4 | 0x10))


# Emit .vbpubk and .vbprivk using given basename and algorithm
# NOTE: This function also appears in ../../utility/dev_make_keypair.
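# Making the two implementations the same would require some common.sh, which
# is more likely to cause problems than just keeping an eye out for any
# differences. If you feel the need to change this file, check the history of
# that other file to see what may need updating here too.
#
# Args: BASE ALGOID [KEY_VERSION]
#   BASE        output basename; writes "${BASE}.vbpubk" and "${BASE}.vbprivk"
#   ALGOID      vboot algorithm ID (see the *_ALGOID table)
#   KEY_VERSION version stored in the packed public key, default 1
# Returns: 1 if any generation step fails.  Every step is checked: an
#   unchecked openssl failure used to let vbutil_key pack whatever stale
#   ${BASE}_*.pem/.keyb was lying around, and the function still returned 0.
#   The transient .pem (the unwrapped private key) is removed on every path.
# NOTE(review): nothing here restricts the permissions of ${BASE}.vbprivk;
#   generate production keys under a restrictive umask on a trusted host.
make_pair() {
  local base=$1
  local alg=$2
  local key_version=${3:-1}
  local len
  len=$(alg_to_keylen "${alg}")
  if [[ ! ${len} =~ ^[0-9]+$ ]]; then
    error "cannot determine key length for algorithm '${alg}'"
    return 1
  fi

  local pem="${base}_${len}.pem"
  local crt="${base}_${len}.crt"
  local keyb="${base}_${len}.keyb"

  echo "creating $base keypair (version = $key_version)..."

  local rc=0
  # make the RSA keypair (-F4: public exponent 65537)
  if ! openssl genrsa -F4 -out "${pem}" "${len}"; then
    rc=1
  # create a self-signed certificate; it is only a carrier for the public key
  # that dumpRSAPublicKey extracts below
  elif ! openssl req -batch -new -x509 -key "${pem}" -out "${crt}"; then
    rc=1
  # generate pre-processed RSA public key
  elif ! dumpRSAPublicKey -cert "${crt}" > "${keyb}"; then
    rc=1
  # wrap the public key
  elif ! vbutil_key \
      --pack "${base}.vbpubk" \
      --key "${keyb}" \
      --version "${key_version}" \
      --algorithm "${alg}"; then
    rc=1
  # wrap the private key
  elif ! vbutil_key \
      --pack "${base}.vbprivk" \
      --key "${pem}" \
      --algorithm "${alg}"; then
    rc=1
  fi

  # remove intermediate files, whether or not the steps above succeeded
  rm -f -- "${pem}" "${crt}" "${keyb}"

  if (( rc != 0 )); then
    error "failed to create ${base} keypair"
    return 1
  fi
}

# Used to generate keys for signing update payloads.
# Args: DIR - directory receiving update_key.pem (private, RSA-2048) and
#   update-payload-key-pub.pem (public).
# Returns: 1 if either openssl step fails, so the caller does not continue
#   with a missing or half-written key.
make_au_payload_key() {
  local dir=$1
  local priv="${dir}/update_key.pem"
  local pub="${dir}/update-payload-key-pub.pem"
  if ! openssl genrsa -out "${priv}" 2048; then
    error "failed to generate ${priv}"
    return 1
  fi
  if ! openssl rsa -pubout -in "${priv}" -out "${pub}"; then
    error "failed to derive ${pub} from ${priv}"
    return 1
  fi
}

# Emit a .keyblock containing flags and a public key, signed by a private key
# flags are the bitwise OR of these (passed in decimal, though)
# 0x01 Developer switch off
# 0x02 Developer switch on
# 0x04 Not recovery mode
# 0x08 Recovery mode
# 0x10 Not miniOS mode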
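# 0x20 miniOS mode
# Args: BASE FLAGS PUBKEY SIGNKEY_PATH [SIGNKEY_URI]
#   BASE         output is written to "${BASE}.keyblock"
#   FLAGS        keyblock mode bits, decimal (see the table above)
#   PUBKEY       data key to wrap, read from "${PUBKEY}.vbpubk"
#   SIGNKEY_PATH local basename of the signing key; "${SIGNKEY_PATH}.vbpubk"
#                must exist for the verification step, and
#                "${SIGNKEY_PATH}.vbprivk" is used to sign unless SIGNKEY_URI
#                is given
#   SIGNKEY_URI  optional remote location of the signing private key, passed
#                to vbutil_keyblock verbatim
# Returns: 1 if packing fails or the result does not verify.  The pack step
#   is checked on its own: if it failed (e.g. the remote key was unreachable)
#   while an older "${BASE}.keyblock" signed by the same key was still on disk,
#   the verification below would pass and the stale keyblock would be used.
make_keyblock() {
  local base=$1
  local flags=$2
  local pubkey=$3
  # (Local) path to the key we're using to sign the keyblock.
  # This is required, since the public key (as specified with --signpubkey)
  # must always be local.
  local signkey_path=$4
  # Remote URI to the key we're using to sign the keyblock.
  # Optional, if not set we'll look for the private key in signkey_path.
  local signkey_uri=$5

  local signkey_priv="${signkey_path}.vbprivk"
  # If the URI is set, the private key is remote.
  if [[ -n "${signkey_uri}" ]]; then
    signkey_priv="${signkey_uri}"
  fi

  echo "creating $base keyblock..."

  # create it
  if ! vbutil_keyblock \
      --pack "${base}.keyblock" \
      --flags "${flags}" \
      --datapubkey "${pubkey}.vbpubk" \
      --signprivate "${signkey_priv}"; then
    error "failed to pack ${base}.keyblock"
    return 1
  fi

  # verify it against the local public half of the signing key
  if ! vbutil_keyblock \
      --unpack "${base}.keyblock" \
      --signpubkey "${signkey_path}.vbpubk"; then
    error "${base}.keyblock does not verify against ${signkey_path}.vbpubk"
    return 1
  fi
}

# File to read current versions from (relative to a key directory).
VERSION_FILE="key.versions"

# Prints the value recorded for one version key.
# ARGS: <VERSION_TYPE> [VERSION_FILE]
# Outputs: the text after the last '=' on the line whose first field is
#   VERSION_TYPE; nothing if no such line exists.  The key is handed to awk
#   with -v instead of being interpolated into the program text, so it cannot
#   change the awk code.
get_version() {
  local key="$1"
  local file="${2:-${VERSION_FILE}}"
  awk -F= -v key="${key}" '$1 == key { print $NF }' "${file}"
}

# Loads the current versions, prints them to stdout and sets the global version
# variables: CURR_FIRMKEY_VER CURR_FIRM_VER CURR_KERNKEY_VER CURR_KERN_VER
# Args: KEY_DIR - directory containing ${VERSION_FILE}
# Returns: 1, setting nothing, if KEY_DIR has no version file.
load_current_versions() {
  local key_dir=$1
  local version_file="${key_dir}/${VERSION_FILE}"
  if [[ ! -f "${version_file}" ]]; then
    return 1
  fi
  CURR_FIRMKEY_VER=$(get_version "firmware_key_version" "${version_file}")
  # Firmware version is the kernel subkey version.
  CURR_FIRM_VER=$(get_version "firmware_version" "${version_file}")
  # Kernel data key version is the kernel key version.
  CURR_KERNKEY_VER=$(get_version "kernel_key_version" "${version_file}")
  CURR_KERN_VER=$(get_version "kernel_version" "${version_file}")

  cat <<EOF
Current Firmware key version: ${CURR_FIRMKEY_VER}
Current Firmware version: ${CURR_FIRM_VER}
Current Kernel key version: ${CURR_KERNKEY_VER}
Current Kernel version: ${CURR_KERN_VER}
EOF
}

# Make backups of existing kernel subkeys and keyblocks that will be revved.
# Backup format:
# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
# Args: SUBKEY_VERSION DATAKEY_VERSION
# Returns: 0 if kernel.keyblock was moved or does not exist; 1, moving
#   nothing, if the backup name is already taken.  A bare mv --no-clobber
#   skips the move quietly (its exit status for that case differs between
#   coreutils releases), which would leave the live keyblock in place for the
#   caller's regeneration step to overwrite.
backup_existing_kernel_keyblock() {
  local subkey_ver=$1
  local datakey_ver=$2
  local backup="kernel.v${datakey_ver}.v${subkey_ver}.keyblock"
  if [[ ! -e kernel.keyblock ]]; then
    return
  fi
  if [[ -e "${backup}" ]]; then
    error "refusing to back up kernel.keyblock: ${backup} already exists"
    return 1
  fi
  mv --no-clobber -- kernel.keyblock "${backup}"
}

# Make backups of existing kernel subkeys and keyblocks that will be revved.
# Backup format:
# for keys: <key_name>.v<version>.vb{pub|priv}k
# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
# Args: SUBKEY_VERSION DATAKEY_VERSION
# Returns: 1, before moving anything, if a backup name is already taken for a
#   file that exists; otherwise the status of the keyblock backup.  A missing
#   source file is reported by mv but is not fatal, as before.
backup_existing_kernel_subkeys() {
  local subkey_ver=$1
  local datakey_ver=$2
  local suffix src dst
  # Check every destination first so the function either moves the whole set
  # or nothing: a quietly skipped backup of kernel_subkey.vbprivk would mean
  # the current private key is lost when the caller regenerates it.
  for suffix in vbprivk vbpubk; do
    src="kernel_subkey.${suffix}"
    dst="kernel_subkey.v${subkey_ver}.${suffix}"
    if [[ -e "${src}" && -e "${dst}" ]]; then
      error "refusing to back up ${src}: ${dst} already exists"
      return 1
    fi
  done
  dst="kernel.v${datakey_ver}.v${subkey_ver}.keyblock"
  if [[ -e kernel.keyblock && -e "${dst}" ]]; then
    error "refusing to back up kernel.keyblock: ${dst} already exists"
    return 1
  fi
  # --no-clobber to prevent accidentally overwriting existing
  # backups.
  mv --no-clobber kernel_subkey.{vbprivk,"v${subkey_ver}.vbprivk"}
  mv --no-clobber kernel_subkey.{vbpubk,"v${subkey_ver}.vbpubk"}
  backup_existing_kernel_keyblock "${subkey_ver}" "${datakey_ver}"
}

# Make backups of existing kernel data keys and keyblocks that will be revved.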
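# Backup format:
# for keys: <key_name>.v<version>.vb{pub|priv}k
# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
# Args: SUBKEY_VERSION DATAKEY_VERSION
# Returns: 1, before moving anything, if a backup name is already taken for a
#   file that exists; otherwise the status of the keyblock backup.  A bare
#   mv --no-clobber skips such a move quietly (its exit status for that case
#   differs between coreutils releases), which would leave the live
#   kernel_data_key.vbprivk in place for the caller's regeneration step to
#   overwrite.  A missing source file is reported by mv but is not fatal, as
#   before.
backup_existing_kernel_data_keys() {
  local subkey_ver=$1
  local datakey_ver=$2
  local suffix src dst
  for suffix in vbprivk vbpubk; do
    src="kernel_data_key.${suffix}"
    dst="kernel_data_key.v${datakey_ver}.${suffix}"
    if [[ -e "${src}" && -e "${dst}" ]]; then
      error "refusing to back up ${src}: ${dst} already exists"
      return 1
    fi
  done
  dst="kernel.v${datakey_ver}.v${subkey_ver}.keyblock"
  if [[ -e kernel.keyblock && -e "${dst}" ]]; then
    error "refusing to back up kernel.keyblock: ${dst} already exists"
    return 1
  fi
  # --no-clobber to prevent accidentally overwriting existing
  # backups.
  mv --no-clobber kernel_data_key.{vbprivk,"v${datakey_ver}.vbprivk"}
  mv --no-clobber kernel_data_key.{vbpubk,"v${datakey_ver}.vbpubk"}
  backup_existing_kernel_keyblock "${subkey_ver}" "${datakey_ver}"
}

# Make backups of existing firmware keys and keyblocks that will be revved.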
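# Backup format:
# for keys: <key_name>.v<version>.vb{pub|priv}k
# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>.keyblock
# Args: SUBKEY_VERSION DATAKEY_VERSION
#   NOTE(review): as used below, $1 names the firmware_data_key backup and $2
#   the first component of the keyblock backup; presumably these are the
#   firmware key version and firmware version, despite the parameter names.
# Returns: 1, before moving anything, if a backup name is already taken for a
#   file that exists; otherwise the status of the last mv.  A bare
#   mv --no-clobber skips such a move quietly (its exit status for that case
#   differs between coreutils releases), which would leave the live
#   firmware_data_key.vbprivk in place for the caller's regeneration step to
#   overwrite.  A missing source file is reported by mv but is not fatal, as
#   before.
backup_existing_firmware_keys() {
  local subkey_ver=$1
  local datakey_ver=$2
  local src dst
  for src in firmware_data_key.vbprivk firmware_data_key.vbpubk \
             firmware.keyblock; do
    case "${src}" in
      firmware.keyblock)
        dst="firmware.v${datakey_ver}.v${subkey_ver}.keyblock" ;;
      *)
        dst="firmware_data_key.v${subkey_ver}.${src#firmware_data_key.}" ;;
    esac
    if [[ -e "${src}" && -e "${dst}" ]]; then
      error "refusing to back up ${src}: ${dst} already exists"
      return 1
    fi
  done
  mv --no-clobber firmware_data_key.{vbprivk,"v${subkey_ver}.vbprivk"}
  mv --no-clobber firmware_data_key.{vbpubk,"v${subkey_ver}.vbpubk"}
  mv --no-clobber firmware.{keyblock,"v${datakey_ver}.v${subkey_ver}.keyblock"}
}


# Write new key version file with the updated key versions.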
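# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION
#       KERNEL_VERSION
# Writes the file named by ${VERSION_FILE} (by default key.versions in the
# current directory -- not KEY_DIR-relative like load_current_versions and
# increment_version).
# Returns: 1, leaving the file untouched, unless all four arguments are
#   non-negative decimal integers.  These values are what the next run reads
#   back and increments, so an empty or garbled value must not be persisted.
write_updated_version_file() {
  local firmware_key_version=$1
  local firmware_version=$2
  local kernel_key_version=$3
  local kernel_version=$4
  local v
  for v in "${firmware_key_version}" "${firmware_version}" \
           "${kernel_key_version}" "${kernel_version}"; do
    if [[ ! ${v} =~ ^[0-9]+$ ]]; then
      error "refusing to write ${VERSION_FILE}: invalid version '${v}'"
      return 1
    fi
  done

  cat > "${VERSION_FILE}" <<EOF
firmware_key_version=${firmware_key_version}
firmware_version=${firmware_version}
kernel_key_version=${kernel_key_version}
kernel_version=${kernel_version}
EOF
}

# Returns the incremented version number of the passed in key from the version
# file. The options are "firmware_key_version", "firmware_version",
# "kernel_key_version", or "kernel_version".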
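# ARGS: KEY_DIR <key_name>
# Outputs: the incremented version on stdout.
# Returns: 1 if <key_name> is absent from KEY_DIR/${VERSION_FILE} or is not a
#   decimal integer (an absent entry used to be treated as 0 and silently
#   became "1", which for a version that must only move forward is the wrong
#   way to fail), or if the increment would exceed 0xffff.
increment_version() {
  local key_dir=$1
  local key_name=$2
  local version_file="${key_dir}/${VERSION_FILE}"
  local old_version
  old_version=$(get_version "${key_name}" "${version_file}")
  if [[ ! ${old_version} =~ ^[0-9]+$ ]]; then
    error "no numeric ${key_name} found in ${version_file}"
    return 1
  fi
  # 10# forces decimal so a leading zero in the file is not read as octal.
  local new_version=$(( 10#${old_version} + 1 ))

  if (( new_version > 0xffff )); then
    echo "Version overflow!" >&2
    return 1
  fi
  echo "${new_version}"
}

# Create a new ed25519 key pair given a base name. For example, if the
# base is "dir/foo", this will create "dir/foo.priv.pem" and
# "dir/foo.pub.pem".
# Args: BASE
# Returns: 1 if either openssl step fails, so the caller cannot continue with
#   a missing private key or a public key that does not match it.
# NOTE(review): nothing here restricts the permissions of "${BASE}.priv.pem";
#   generate production keys under a restrictive umask.
generate_ed25519_key() {
  local base="$1"

  # Generate ed25519 private and public key.
  if ! openssl genpkey -algorithm Ed25519 -out "${base}.priv.pem"; then
    error "failed to generate ${base}.priv.pem"
    return 1
  fi
  if ! openssl pkey -in "${base}.priv.pem" -pubout -text_pub \
      -out "${base}.pub.pem"; then
    error "failed to derive ${base}.pub.pem"
    return 1
  fi
}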