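#!/bin/bash -e
# Copyright 2010 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Creates a developer key pair (BASENAME.vbpubk / BASENAME.vbprivk) and a
# checksummed, unsigned BASENAME.keyblock that wraps the public key.

# The -e on the shebang line is lost when the script is started as
# "bash script.sh", so turn it on here as well.
set -e

# Check args first.
if [ "$#" -lt "1" ]; then
  cat <<EOF 1>&2

Usage:  ${0##*/} BASENAME [ALG]

This creates BASENAME.vbpubk and BASENAME.vbprivk pairs for use in signing
developer files. This also creates a BASENAME.keyblock file containing the
BASENAME.vbpubk, which can be used to sign a developer kernel.

If specified, ALG is one of:

  0    = RSA1024 with SHA1
  1    = RSA1024 with SHA256
  2    = RSA1024 with SHA512
  3    = RSA2048 with SHA1
  4    = RSA2048 with SHA256
  5    = RSA2048 with SHA512
  6    = RSA4096 with SHA1
  7    = RSA4096 with SHA256
  8    = RSA4096 with SHA512
  9    = RSA8192 with SHA1
  10   = RSA8192 with SHA256
  11   = RSA8192 with SHA512

If ALG is not specified, a default value will be used.

EOF
  exit 1
fi

# ALG ends up inside a shell arithmetic expansion (alg_to_keylen) and on the
# futility command line. Bash evaluates arbitrary expressions in arithmetic
# context, so only the documented numeric values are accepted. The 10# prefix
# forces base 10 so that an input such as "08" is not parsed as octal.
alg_arg="${2:-4}"
if ! [[ "${alg_arg}" =~ ^[0-9]{1,2}$ ]] || (( 10#${alg_arg} > 11 )); then
  echo "ERROR: ALG must be an integer from 0 to 11, got '${alg_arg}'" 1>&2
  exit 1
fi
alg_arg=$(( 10#${alg_arg} ))

# Path prefix of the intermediate files while make_pair is running; empty
# otherwise. The .pem intermediate is an unencrypted RSA private key.
intermediate_prefix=""

# Remove the intermediate .pem/.crt/.keyb files, if any are pending.
# Registered on EXIT so that a step failing under "set -e" does not leave the
# unencrypted private key behind. Note that rm only unlinks the files.
function cleanup_intermediates {
  if [ -n "${intermediate_prefix}" ]; then
    rm -f -- "${intermediate_prefix}.pem" "${intermediate_prefix}.crt" \
      "${intermediate_prefix}.keyb"
  fi
}
trap cleanup_intermediates EXIT

# Compute the key length assuming the sizes shown above.
# Arguments: $1 - algorithm number (0-11, three hash variants per key size)
# Outputs:   RSA modulus length in bits on stdout (1024, 2048, 4096 or 8192)
function alg_to_keylen {
  echo $(( 1 << (10 + ($1 / 3)) ))
}

# Emit .vbpubk and .vbprivk using given basename and algorithm.
# Globals:   intermediate_prefix (written)
# Arguments: $1 - output basename
#            $2 - algorithm number, already validated by the caller
# NOTE(review): BASENAME.vbprivk is created by futility under the caller's
# umask; use a restrictive umask when the output directory is shared.
function make_pair {
  local base=$1
  local alg=$2
  # Declared separately so that a failure in alg_to_keylen is not masked by
  # the exit status of "local".
  local len
  len=$(alg_to_keylen "${alg}")
  local tmp="${base}_${len}"

  intermediate_prefix="${tmp}"

  # make the RSA keypair
  openssl genrsa -F4 -out "${tmp}.pem" "${len}"
  # create a self-signed certificate
  openssl req -batch -new -x509 -key "${tmp}.pem" \
    -out "${tmp}.crt"
  # generate pre-processed RSA public key
  dumpRSAPublicKey -cert "${tmp}.crt" > "${tmp}.keyb"

  # wrap the public key
  futility vbutil_key \
    --pack "${base}.vbpubk" \
    --key "${tmp}.keyb" \
    --version 1 \
    --algorithm "${alg}"

  # wrap the private key
  futility vbutil_key \
    --pack "${base}.vbprivk" \
    --key "${tmp}.pem" \
    --algorithm "${alg}"

  # remove intermediate files
  rm -f -- "${tmp}.pem" "${tmp}.crt" "${tmp}.keyb"
  intermediate_prefix=""
}

# First create the .vbpubk and .vbprivk pair.
make_pair "$1" "${alg_arg}"

# Now create a .keyblock to hold our .vbpubk. Since it's for developer use, it
# won't be signed, just checksummed. Developer kernels can only be run in
# non-recovery mode with the developer switch enabled, but it won't hurt us to
# turn on all the flags bits anyway.
futility vbutil_keyblock --pack "$1.keyblock" \
  --datapubkey "$1.vbpubk" --flags 15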