From 3602040b74ac7b558d3c709a5291e2d91c0e7f59 Mon Sep 17 00:00:00 2001 From: Louis Yung-Chieh Lo Date: Mon, 5 Jul 2010 13:23:34 +0800 Subject: [PATCH] Use the new developer keys to sign things. (submit for Bill) The original CL is http://codereview.chromium.org/2868044/show Review URL: http://codereview.chromium.org/2818045 --- build_image | 18 +++++---- build_kernel_image.sh | 88 ++++++++++++++++--------------------------- 2 files changed, 43 insertions(+), 63 deletions(-) diff --git a/build_image b/build_image index b8802152e1..2bdbbc7220 100755 --- a/build_image +++ b/build_image @@ -292,11 +292,14 @@ make_image_bootable() { sudo mount -o remount,ro "${ROOT_FS_DIR}" root_dev=$(mount | grep -- "${ROOT_FS_DIR}" | cut -f1 -d' ' | tail -1) + DEVKEYSDIR="${SRC_ROOT}/platform/vboot_reference/tests/devkeys" + # Builds the kernel partition image. The temporary files are kept around # so that we can perform a load_kernel_test later on the final image. ${SCRIPTS_DIR}/build_kernel_image.sh \ --arch="${ARCH}" \ --to="${OUTPUT_DIR}/vmlinuz.image" \ + --hd_vblock="${OUTPUT_DIR}/vmlinuz_hd.vblock" \ --vmlinuz="${OUTPUT_DIR}/boot/vmlinuz" \ --working_dir="${OUTPUT_DIR}" \ --keep_work \ @@ -307,7 +310,7 @@ make_image_bootable() { --vboot_max_ios=${FLAGS_vboot_max_ios} \ --vboot_error_behavior=${FLAGS_vboot_behavior} \ --root=${cros_root} \ - --keys_dir="${SRC_ROOT}/platform/vboot_reference/tests/testkeys" + --keys_dir="${DEVKEYSDIR}" # START_KERN_A is set by the first call to install the gpt. local koffset="$(partoffset ${OUTPUT_DIR}/${image_name} 2)" @@ -599,6 +602,10 @@ create_base_image() { # Create an empty esp image to be updated in by update_bootloaders.sh. ${SCRIPTS_DIR}/create_esp.sh --to="${ESP_FS_IMG}" + # Move the verification block needed for the hard disk install to the + # stateful partition. + sudo cp "${OUTPUT_DIR}/vmlinuz_hd.vblock" "${STATEFUL_FS_DIR}" + cleanup trap delete_prompt EXIT 
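Review bot: `DEVKEYSDIR` is assigned inside `make_image_bootable()` without `local`, so the rest of the script can only see it by relying on this function having run first and leaking the name into global scope. Hoist it next to the script's other path constants as `readonly DEVKEYSDIR="${SRC_ROOT}/platform/vboot_reference/tests/devkeys"` so every consumer has it regardless of call order, and consider exposing it as a flag so a build can point at a protected key set instead. Since the directory lives under `tests/` in vboot_reference, these keys are presumably checked in and public, which deserves a comment such as `# Developer signing keys checked into vboot_reference; images signed with them are for development use only.` The function body continues past the hunk.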
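Review bot: The `sudo cp` of `vmlinuz_hd.vblock` into the stateful partition assumes `build_kernel_image.sh` has already produced it in `${OUTPUT_DIR}` with `--keep_work`; the call order between `create_base_image` and `make_image_bootable` is not visible here, and a missing source would surface only as a `cp` failure running as root. Guard it with something like `[[ -f "${OUTPUT_DIR}/vmlinuz_hd.vblock" ]] || die "vmlinuz_hd.vblock not built"` (using whatever error helper the script has) and write to `"${STATEFUL_FS_DIR}/"` with a trailing slash so an unmounted destination cannot turn into a regular file of that name. The same literal path is spelled out in three hunks of this file; a single `HD_VBLOCK="${OUTPUT_DIR}/vmlinuz_hd.vblock"` would keep them in step. `create_base_image()` begins before this hunk.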
@@ -649,7 +656,7 @@ make_image_bootable ${PRISTINE_IMAGE_NAME} if [[ "${ARCH}" = "x86" ]]; then # Verify the final image. load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \ - "${OUTPUT_DIR}/kernel_subkey.vbpubk" + "${DEVKEYSDIR}/recovery_key.vbpubk" fi # Create a developer image based on the chromium os base image. @@ -665,12 +672,7 @@ fi # Clean up temporary files. rm -f "${ROOT_FS_IMG}" "${STATEFUL_FS_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \ - "${ESP_FS_IMG}" "${OUTPUT_DIR}/kernel.keyblock" \ - "${OUTPUT_DIR}/kernel_subkey.vbpubk" \ - "${OUTPUT_DIR}/kernel_subkey.vbprivk" \ - "${OUTPUT_DIR}/kernel_data_key.vbpubk" \ - "${OUTPUT_DIR}/kernel_data_key.vbprivk" \ - "${OEM_FS_IMG}" + "${ESP_FS_IMG}" "${OEM_FS_IMG}" "${OUTPUT_DIR}/vmlinuz_hd.vblock" rmdir "${ROOT_FS_DIR}" "${STATEFUL_FS_DIR}" "${OEM_FS_DIR}" "${ESP_FS_DIR}" echo "Done. Image created in ${OUTPUT_DIR}" diff --git a/build_kernel_image.sh b/build_kernel_image.sh index e20f16e784..e06dcb528c 100755 --- a/build_kernel_image.sh +++ b/build_kernel_image.sh @@ -15,6 +15,8 @@ DEFINE_string arch "x86" \ "The boot architecture: arm or x86. (Default: x86)" DEFINE_string to "/tmp/vmlinuz.image" \ "The path to the kernel image to be created. (Default: /tmp/vmlinuz.image)" +DEFINE_string hd_vblock "/tmp/vmlinuz_hd.vblock" \ + "The path to the installed kernel's vblock (Default: /tmp/vmlinuz_hd.vblock)" DEFINE_string vmlinuz "vmlinuz" \ "The path to the kernel (Default: vmlinuz)" DEFINE_string working_dir "/tmp/vmlinuz.working" \ 
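Review bot: `"${DEVKEYSDIR}/recovery_key.vbpubk"` is expanded at top level, but the only assignment to `DEVKEYSDIR` in this change is inside `make_image_bootable()`; if that function is ever skipped or the variable made `local`, this expands to `/recovery_key.vbpubk` and the verification fails for the wrong reason. Define the path once at script scope (or pass it in explicitly) rather than depending on a variable leaked from a function. Note also that this `load_kernel_test` only checks the recovery-key signature of the USB kernel; the re-signed hard-disk vblock appears to be verified inside `build_kernel_image.sh` only, so a comment like `# Verifies the recovery-signed USB kernel; the HD vblock is checked in build_kernel_image.sh` would make that split explicit.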
@@ -130,64 +132,14 @@ cros_secure EOF WORK="${WORK} ${FLAGS_working_dir}/config.txt" - - # FIX: The .vbprivk files are not encrypted, so we shouldn't just leave them - # lying around as a general thing. - - # Wrap the kernel data keypair, used for the kernel body - vbutil_key \ - --pack "${FLAGS_working_dir}/kernel_data_key.vbpubk" \ - --key "${FLAGS_keys_dir}/key_rsa2048.keyb" \ - --version 1 \ - --algorithm 4 - WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbpubk" - - vbutil_key \ - --pack "${FLAGS_working_dir}/kernel_data_key.vbprivk" \ - --key "${FLAGS_keys_dir}/key_rsa2048.pem" \ - --algorithm 4 - WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbprivk" - - - # Wrap the kernel subkey pair, used for the kernel's keyblock - vbutil_key \ - --pack "${FLAGS_working_dir}/kernel_subkey.vbpubk" \ - --key "${FLAGS_keys_dir}/key_rsa4096.keyb" \ - --version 1 \ - --algorithm 8 - WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbpubk" - - vbutil_key \ - --pack "${FLAGS_working_dir}/kernel_subkey.vbprivk" \ - --key "${FLAGS_keys_dir}/key_rsa4096.pem" \ - --algorithm 8 - WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbprivk" - - - # Create the kernel keyblock, containing the kernel data key - vbutil_keyblock \ - --pack "${FLAGS_working_dir}/kernel.keyblock" \ - --datapubkey "${FLAGS_working_dir}/kernel_data_key.vbpubk" \ - --signprivate "${FLAGS_working_dir}/kernel_subkey.vbprivk" \ - --flags 15 - WORK="${WORK} ${FLAGS_working_dir}/kernel.keyblock" - - # Verify the keyblock. - vbutil_keyblock \ - --unpack "${FLAGS_working_dir}/kernel.keyblock" \ - --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk" - - # TODO: We should sign the kernel blob using the recovery root key and - # recovery kernel data key instead (to create the recovery image), and then - # re-sign it this way for the install image. But we'll want to keep the - # install vblock separate, so we can just copy that part over separately when - # we install it instead of the whole kernel blob. 
+ # We sign the image with the recovery_key, because this is what goes onto the + # USB key. We can only boot from the USB drive in recovery mode. # Create and sign the kernel blob vbutil_kernel \ --pack "${FLAGS_to}" \ - --keyblock "${FLAGS_working_dir}/kernel.keyblock" \ - --signprivate "${FLAGS_working_dir}/kernel_data_key.vbprivk" \ + --keyblock "${FLAGS_keys_dir}/recovery_kernel.keyblock" \ + --signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \ --version 1 \ --config "${FLAGS_working_dir}/config.txt" \ --bootloader /lib64/bootstub/bootstub.efi \ @@ -196,7 +148,33 @@ EOF # And verify it. vbutil_kernel \ --verify "${FLAGS_to}" \ - --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk" + --signpubkey "${FLAGS_keys_dir}/recovery_key.vbpubk" + + + # Now we re-sign the same image using the normal keys. This is the kernel + # image that is put on the hard disk by the installer. Note: To save space on + # the USB image, we're only emitting the new verfication block, and the + # installer just replaces that part of the hard disk's kernel partition. + vbutil_kernel \ + --repack "${FLAGS_hd_vblock}" \ + --vblockonly \ + --keyblock "${FLAGS_keys_dir}/kernel.keyblock" \ + --signprivate "${FLAGS_keys_dir}/kernel_data_key.vbprivk" \ + --oldblob "${FLAGS_to}" + + + # To verify it, we have to replace the vblock from the original image. + tempfile=$(mktemp) + trap "rm -f $tempfile" EXIT + cat "${FLAGS_hd_vblock}" > $tempfile + dd if="${FLAGS_to}" bs=65536 skip=1 >> $tempfile + + vbutil_kernel \ + --verify $tempfile \ + --signpubkey "${FLAGS_keys_dir}/kernel_subkey.vbpubk" + + rm -f $tempfile + trap - EXIT elif [[ "${FLAGS_arch}" = "arm" ]]; then # FIXME: For now, ARM just uses the unsigned kernel by itself.
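Review bot: The kernel is now signed straight from files in `${FLAGS_keys_dir}` with no check that `recovery_kernel.keyblock` and `recovery_kernel_data_key.vbprivk` exist or are readable, so a wrong `--keys_dir` only fails deep inside `vbutil_kernel`. A guard before the `--pack` call, e.g. `[[ -r "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" ]] || die "missing signing key in ${FLAGS_keys_dir}"`, would make the precondition explicit. The hunk also drops the old `FIX` note that `.vbprivk` files are unencrypted; since the private keys now live permanently in the keys directory (which build_image points at the public `tests/devkeys` set), the flag help or a comment should state that anyone with those checked-in private keys can sign kernels that verify under the same public keys, so they give no protection beyond development use and release builds must supply a protected `--keys_dir`. The `if [[ "${FLAGS_arch}" = "x86" ]]` branch this code sits in begins before the hunk.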
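Review bot: The verification of the hard-disk vblock rebuilds the image with `dd if="${FLAGS_to}" bs=65536 skip=1`, hard-coding the vblock length; if the vblock `vbutil_kernel` emits is ever not exactly 64 KiB the concatenation is garbage and `--verify` fails, and the same size assumption the installer makes when it "just replaces that part" breaks silently. Derive it from the file just written, `vblock_size=$(stat -c %s "${FLAGS_hd_vblock}")` and `dd if="${FLAGS_to}" bs="${vblock_size}" skip=1 >> "${tempfile}"`, with a comment that the installer relies on the HD and recovery vblocks having the same size. `$tempfile` is unquoted in four places, and `trap "rm -f $tempfile" EXIT` followed by `trap - EXIT` discards any EXIT handler the script may have installed earlier (not visible here); quote the variable and fold the cleanup into the script's existing trap if it has one. Unless the script runs under `set -e`, a failing `vbutil_kernel --verify` does not stop the build and the unverified vblock is still shipped, so append `|| die "hd vblock failed to verify"`; the comment also misspells "verification" as `verfication`.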