From 2ace49e0a4de18daf0516e70554a4baddaba80c2 Mon Sep 17 00:00:00 2001
From: Bill Richardson 
Date: Thu, 1 Jul 2010 10:23:27 -0700
Subject: [PATCH] Generate and use .vbprivk files for signing now.

Review URL: http://codereview.chromium.org/2817047
---
 build_image | 9 ++++--
 build_kernel_image.sh | 71 ++++++++++++++++++++++++++++---------------
 2 files changed, 53 insertions(+), 27 deletions(-)

diff --git a/build_image b/build_image
index 4ee558a12e..6fd3720b3e 100755
--- a/build_image
+++ b/build_image
@@ -559,7 +559,7 @@ EOF
 if [[ "${ARCH}" = "x86" ]]; then
 # Verify the final image.
 load_kernel_test "${OUTPUT_DIR}/${image_name}" \
- "${OUTPUT_DIR}/key_alg8.vbpubk"
+ "${OUTPUT_DIR}/kernel_subkey.vbpubk"
 fi
 }
 
@@ -603,8 +603,11 @@ fi
 
 # Clean up temporary files.
 rm -f "${ROOT_FS_IMG}" "${STATEFUL_FS_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \
- "${ESP_FS_IMG}" "${OUTPUT_DIR}/data4_sign8.keyblock" \
- "${OUTPUT_DIR}/key_alg4.vbpubk" "${OUTPUT_DIR}/key_alg8.vbpubk" \
+ "${ESP_FS_IMG}" "${OUTPUT_DIR}/kernel.keyblock" \
+ "${OUTPUT_DIR}/kernel_subkey.vbpubk" \
+ "${OUTPUT_DIR}/kernel_subkey.vbprivk" \
+ "${OUTPUT_DIR}/kernel_data_key.vbpubk" \
+ "${OUTPUT_DIR}/kernel_data_key.vbprivk" \
 "${OEM_FS_IMG}"
 rmdir "${ROOT_FS_DIR}" "${STATEFUL_FS_DIR}" "${OEM_FS_DIR}" "${ESP_FS_DIR}"
 
diff --git a/build_kernel_image.sh b/build_kernel_image.sh
index d0c3599fea..e7e771160c 100755
--- a/build_kernel_image.sh
+++ b/build_kernel_image.sh
@@ -22,7 +22,7 @@ DEFINE_string working_dir "/tmp/vmlinuz.working" \
 DEFINE_boolean keep_work ${FLAGS_FALSE} \
 "Keep temporary files (*.keyblock, *.vbpubk). (Default: false)"
 DEFINE_string keys_dir "${SRC_ROOT}/platform/vboot_reference/tests/testkeys" \
- "Directory with the signing keys. (Defaults to test keys)"
+ "Directory with the RSA signing keys. (Defaults to test keys)"
 # Note, to enable verified boot, the caller would pass:
 # --boot_args='dm="... /dev/sd%D%P /dev/sd%D%P ..." \
 # --root=/dev/dm-0
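Review bot: The new kernel_subkey.vbprivk and kernel_data_key.vbprivk entries in this rm -f are unencrypted private keys (the build_kernel_image.sh hunk says so explicitly), and they are deleted only on the normal exit path at the very end of build_image; any failure before this point leaves private key material behind in ${OUTPUT_DIR}. With the default vboot_reference test keys that is harmless, but the keys_dir flag exists so real signing keys can be substituted, and then the leftover files matter. Register the removal when the files are produced instead, e.g. `trap 'rm -f -- "${OUTPUT_DIR}/kernel_subkey.vbprivk" "${OUTPUT_DIR}/kernel_data_key.vbprivk"' EXIT`, and keep this rm -f for the public artifacts. Whether build_image already installs an EXIT trap or runs under set -e is not visible in this hunk.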
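Review bot: The keep_work help text on the context line, `"Keep temporary files (*.keyblock, *.vbpubk). (Default: false)"`, is now incomplete: the later hunk also writes kernel_data_key.vbprivk and kernel_subkey.vbprivk into the working directory, and since those are unencrypted private keys a user enabling keep_work should be told they are retained as well. Change it to `"Keep temporary files (*.keyblock, *.vbpubk, *.vbprivk). (Default: false)"`. How keep_work is acted on (presumably the WORK list is removed unless it is set) lies outside this hunk.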
@@ -65,41 +65,64 @@ ${FLAGS_boot_args}
 EOF
 WORK="${FLAGS_working_dir}/config.txt"
 
-# Wrap the public keys with VbPublicKey headers.
+
+# FIX: The .vbprivk files are not encrypted, so we shouldn't just leave them
+# lying around as a general thing.
+
+# Wrap the kernel data keypair, used for the kernel body
 vbutil_key \
- --pack \
- --in "${FLAGS_keys_dir}/key_rsa2048.keyb" \
+ --pack "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
+ --key "${FLAGS_keys_dir}/key_rsa2048.keyb" \
 --version 1 \
- --algorithm 4 \
- --out "${FLAGS_working_dir}/key_alg4.vbpubk"
-WORK="${WORK} ${FLAGS_working_dir}/key_alg4.vbpubk"
+ --algorithm 4
+WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbpubk"
 
 vbutil_key \
- --pack \
- --in "${FLAGS_keys_dir}/key_rsa4096.keyb" \
- --version 1 \
- --algorithm 8 \
- --out "${FLAGS_working_dir}/key_alg8.vbpubk"
-WORK="${WORK} ${FLAGS_working_dir}/key_alg8.vbpubk"
+ --pack "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
+ --key "${FLAGS_keys_dir}/key_rsa2048.pem" \
+ --algorithm 4
+WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbprivk"
+
+# Wrap the kernel subkey pair, used for the kernel's keyblock
+vbutil_key \
+ --pack "${FLAGS_working_dir}/kernel_subkey.vbpubk" \
+ --key "${FLAGS_keys_dir}/key_rsa4096.keyb" \
+ --version 1 \
+ --algorithm 8
+WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbpubk"
+
+vbutil_key \
+ --pack "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
+ --key "${FLAGS_keys_dir}/key_rsa4096.pem" \
+ --algorithm 8
+WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbprivk"
+
+
+# Create the kernel keyblock, containing the kernel data key
 vbutil_keyblock \
- --pack "${FLAGS_working_dir}/data4_sign8.keyblock" \
- --datapubkey "${FLAGS_working_dir}/key_alg4.vbpubk" \
- --signprivate "${FLAGS_keys_dir}/key_rsa4096.pem" \
- --algorithm 8 \
+ --pack "${FLAGS_working_dir}/kernel.keyblock" \
+ --datapubkey "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
+ --signprivate "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
 --flags 15
-WORK="${WORK} ${FLAGS_working_dir}/data4_sign8.keyblock"
+WORK="${WORK} ${FLAGS_working_dir}/kernel.keyblock"
 
 # Verify the keyblock.
 vbutil_keyblock \
- --unpack "${FLAGS_working_dir}/data4_sign8.keyblock" \
- --signpubkey "${FLAGS_working_dir}/key_alg8.vbpubk"
+ --unpack "${FLAGS_working_dir}/kernel.keyblock" \
+ --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
 
-# Sign the kernel:
+# TODO: We should sign the kernel blob using the recovery root key and recovery
+# kernel data key instead (to create the recovery image), and then re-sign it
+# this way for the install image. But we'll want to keep the install vblock
+# separate, so we can just copy that part over separately when we install it
+# instead of the whole kernel blob.
+
+# Create and sign the kernel blob
 vbutil_kernel \
 --pack "${FLAGS_to}" \
- --keyblock "${FLAGS_working_dir}/data4_sign8.keyblock" \
- --signprivate "${FLAGS_keys_dir}/key_rsa2048.pem" \
+ --keyblock "${FLAGS_working_dir}/kernel.keyblock" \
+ --signprivate "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
 --version 1 \
 --config "${FLAGS_working_dir}/config.txt" \
 --bootloader /lib64/bootstub/bootstub.efi \
@@ -108,7 +131,7 @@ vbutil_kernel \
 # And verify it.
 vbutil_kernel \
 --verify "${FLAGS_to}" \
- --signpubkey "${FLAGS_working_dir}/key_alg8.vbpubk"
+ --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
 
 else
 # FIXME: For now, ARM just uses the unsigned kernel by itself.
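Review bot: The two new `vbutil_key --pack ... .vbprivk` calls write unencrypted RSA private keys (as the FIX comment at the top of the hunk itself says) into ${FLAGS_working_dir}, whose default per the earlier hunk is the fixed path /tmp/vmlinuz.working, and nothing in the hunk restricts the files' permissions or removes them if a later vbutil_keyblock or vbutil_kernel step fails, so the keys can remain in a shared /tmp with whatever mode the caller's umask gives them. Adding `umask 077` before the first private-key --pack would keep the new files owner-readable only, and removing the .vbprivk entries from an EXIT trap rather than only through the WORK list (presumably consumed by the cleanup at the end of the script, outside this hunk) would cover the failure path. With the default testkeys this is low impact, but the keys_dir flag exists precisely so real keys can be used. The enclosing x86 branch starts before this hunk and ends in the next one.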