Generate and use .vbprivk files for signing now.

Review URL: http://codereview.chromium.org/2817047
2025-09-24 07:01:13 +02:00 · 2010-07-01 10:23:27 -07:00 · 2010-07-01 10:23:27 -07:00 · 2ace49e0a4
commit 2ace49e0a4
parent f2dee6c5df
2 changed files with 53 additions and 27 deletions
--- a/9
+++ b/9
@ -559,7 +559,7 @@ EOF
  if [[ "${ARCH}" = "x86" ]]; then
    # Verify the final image.
    load_kernel_test "${OUTPUT_DIR}/${image_name}" \
-      "${OUTPUT_DIR}/key_alg8.vbpubk"
+      "${OUTPUT_DIR}/kernel_subkey.vbpubk"
  fi
 }
@ -603,8 +603,11 @@ fi
 # Clean up temporary files.
 rm -f "${ROOT_FS_IMG}" "${STATEFUL_FS_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \
-  "${ESP_FS_IMG}" "${OUTPUT_DIR}/data4_sign8.keyblock" \
+  "${ESP_FS_IMG}" "${OUTPUT_DIR}/kernel.keyblock" \
-  "${OUTPUT_DIR}/key_alg4.vbpubk" "${OUTPUT_DIR}/key_alg8.vbpubk" \
+  "${OUTPUT_DIR}/kernel_subkey.vbpubk" \
  "${OUTPUT_DIR}/kernel_subkey.vbprivk" \
  "${OUTPUT_DIR}/kernel_data_key.vbpubk" \
  "${OUTPUT_DIR}/kernel_data_key.vbprivk" \
  "${OEM_FS_IMG}"
 rmdir "${ROOT_FS_DIR}" "${STATEFUL_FS_DIR}" "${OEM_FS_DIR}" "${ESP_FS_DIR}"
--- a/build_kernel_image.sh
+++ b/build_kernel_image.sh
@ -22,7 +22,7 @@ DEFINE_string working_dir "/tmp/vmlinuz.working" \
 DEFINE_boolean keep_work ${FLAGS_FALSE} \
  "Keep temporary files (*.keyblock, *.vbpubk). (Default: false)"
 DEFINE_string keys_dir "${SRC_ROOT}/platform/vboot_reference/tests/testkeys" \
-  "Directory with the signing keys. (Defaults to test keys)"
+  "Directory with the RSA signing keys. (Defaults to test keys)"
 # Note, to enable verified boot, the caller would pass:
 # --boot_args='dm="... /dev/sd%D%P /dev/sd%D%P ..." \
 # --root=/dev/dm-0
@ -65,41 +65,64 @@ ${FLAGS_boot_args}
 EOF
 WORK="${FLAGS_working_dir}/config.txt"
-# Wrap the public keys with VbPublicKey headers.
+
 # FIX: The .vbprivk files are not encrypted, so we shouldn't just leave them
 # lying around as a general thing.
 # Wrap the kernel data keypair, used for the kernel body
 vbutil_key \
-  --pack \
+  --pack "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
-  --in "${FLAGS_keys_dir}/key_rsa2048.keyb" \
+  --key "${FLAGS_keys_dir}/key_rsa2048.keyb" \
  --version 1 \
-  --algorithm 4 \
+  --algorithm 4
-  --out "${FLAGS_working_dir}/key_alg4.vbpubk"
+WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbpubk"
 WORK="${WORK} ${FLAGS_working_dir}/key_alg4.vbpubk"
 vbutil_key \
-  --pack \
+  --pack "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
-  --in "${FLAGS_keys_dir}/key_rsa4096.keyb" \
+  --key "${FLAGS_keys_dir}/key_rsa2048.pem" \
-  --version 1 \
+  --algorithm 4
-  --algorithm 8 \
+WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbprivk"
  --out "${FLAGS_working_dir}/key_alg8.vbpubk"
 WORK="${WORK} ${FLAGS_working_dir}/key_alg8.vbpubk"
 # Wrap the kernel subkey pair, used for the kernel's keyblock
 vbutil_key \
  --pack "${FLAGS_working_dir}/kernel_subkey.vbpubk" \
  --key "${FLAGS_keys_dir}/key_rsa4096.keyb" \
  --version 1 \
  --algorithm 8
 WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbpubk"
 vbutil_key \
  --pack "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
  --key "${FLAGS_keys_dir}/key_rsa4096.pem" \
  --algorithm 8
 WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbprivk"
 # Create the kernel keyblock, containing the kernel data key
 vbutil_keyblock \
-  --pack "${FLAGS_working_dir}/data4_sign8.keyblock" \
+  --pack "${FLAGS_working_dir}/kernel.keyblock" \
-  --datapubkey "${FLAGS_working_dir}/key_alg4.vbpubk" \
+  --datapubkey "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
-  --signprivate "${FLAGS_keys_dir}/key_rsa4096.pem" \
+  --signprivate "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
  --algorithm 8 \
  --flags 15
-WORK="${WORK} ${FLAGS_working_dir}/data4_sign8.keyblock"
+WORK="${WORK} ${FLAGS_working_dir}/kernel.keyblock"
 # Verify the keyblock.
 vbutil_keyblock \
-  --unpack "${FLAGS_working_dir}/data4_sign8.keyblock" \
+  --unpack "${FLAGS_working_dir}/kernel.keyblock" \
-  --signpubkey "${FLAGS_working_dir}/key_alg8.vbpubk"
+  --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
-# Sign the kernel:
+# TODO: We should sign the kernel blob using the recovery root key and recovery
 # kernel data key instead (to create the recovery image), and then re-sign it
 # this way for the install image. But we'll want to keep the install vblock
 # separate, so we can just copy that part over separately when we install it
 # instead of the whole kernel blob.
 # Create and sign the kernel blob
 vbutil_kernel \
  --pack "${FLAGS_to}" \
-  --keyblock "${FLAGS_working_dir}/data4_sign8.keyblock" \
+  --keyblock "${FLAGS_working_dir}/kernel.keyblock" \
-  --signprivate "${FLAGS_keys_dir}/key_rsa2048.pem" \
+  --signprivate "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
  --version 1 \
  --config "${FLAGS_working_dir}/config.txt" \
  --bootloader /lib64/bootstub/bootstub.efi \
@ -108,7 +131,7 @@ vbutil_kernel \
 # And verify it.
 vbutil_kernel \
  --verify "${FLAGS_to}" \
-  --signpubkey "${FLAGS_working_dir}/key_alg8.vbpubk"
+  --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
 else
  # FIXME: For now, ARM just uses the unsigned kernel by itself.