Use the new developer keys to sign things. (submit for Bill)

The original CL is http://codereview.chromium.org/2868044/show

Review URL: http://codereview.chromium.org/2818045

build_image

@@ -292,11 +292,14 @@ make_image_bootable() {
   sudo mount -o remount,ro "${ROOT_FS_DIR}"
   root_dev=$(mount | grep -- "${ROOT_FS_DIR}" | cut -f1 -d' ' | tail -1)
 
+  DEVKEYSDIR="${SRC_ROOT}/platform/vboot_reference/tests/devkeys"
+
   # Builds the kernel partition image.  The temporary files are kept around
   # so that we can perform a load_kernel_test later on the final image.
   ${SCRIPTS_DIR}/build_kernel_image.sh \
     --arch="${ARCH}" \
     --to="${OUTPUT_DIR}/vmlinuz.image" \
+    --hd_vblock="${OUTPUT_DIR}/vmlinuz_hd.vblock" \
     --vmlinuz="${OUTPUT_DIR}/boot/vmlinuz" \
     --working_dir="${OUTPUT_DIR}" \
     --keep_work \
@@ -307,7 +310,7 @@ make_image_bootable() {
     --vboot_max_ios=${FLAGS_vboot_max_ios} \
     --vboot_error_behavior=${FLAGS_vboot_behavior} \
     --root=${cros_root} \
-    --keys_dir="${SRC_ROOT}/platform/vboot_reference/tests/testkeys"
+    --keys_dir="${DEVKEYSDIR}"
 
   # START_KERN_A is set by the first call to install the gpt.
   local koffset="$(partoffset ${OUTPUT_DIR}/${image_name} 2)"
@@ -599,6 +602,10 @@ create_base_image() {
   # Create an empty esp image to be updated in by update_bootloaders.sh.
   ${SCRIPTS_DIR}/create_esp.sh --to="${ESP_FS_IMG}"
 
+  # Move the verification block needed for the hard disk install to the
+  # stateful partition.
+  sudo cp "${OUTPUT_DIR}/vmlinuz_hd.vblock" "${STATEFUL_FS_DIR}"
+
   cleanup
 
   trap delete_prompt EXIT
@@ -649,7 +656,7 @@ make_image_bootable ${PRISTINE_IMAGE_NAME}
 if [[ "${ARCH}" = "x86" ]]; then
   # Verify the final image.
   load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \
-    "${OUTPUT_DIR}/kernel_subkey.vbpubk"
+    "${DEVKEYSDIR}/recovery_key.vbpubk"
 fi
 
 # Create a developer image based on the chromium os base image.
@@ -665,12 +672,7 @@ fi
 
 # Clean up temporary files.
 rm -f "${ROOT_FS_IMG}" "${STATEFUL_FS_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \
-  "${ESP_FS_IMG}" "${OUTPUT_DIR}/kernel.keyblock" \
+  "${ESP_FS_IMG}" "${OEM_FS_IMG}" "${OUTPUT_DIR}/vmlinuz_hd.vblock"
-  "${OUTPUT_DIR}/kernel_subkey.vbpubk" \
-  "${OUTPUT_DIR}/kernel_subkey.vbprivk" \
-  "${OUTPUT_DIR}/kernel_data_key.vbpubk" \
-  "${OUTPUT_DIR}/kernel_data_key.vbprivk" \
-  "${OEM_FS_IMG}"
 rmdir "${ROOT_FS_DIR}" "${STATEFUL_FS_DIR}" "${OEM_FS_DIR}" "${ESP_FS_DIR}"
 
 echo "Done.  Image created in ${OUTPUT_DIR}"

build_kernel_image.sh

@@ -15,6 +15,8 @@ DEFINE_string arch "x86" \
   "The boot architecture: arm or x86. (Default: x86)"
 DEFINE_string to "/tmp/vmlinuz.image" \
   "The path to the kernel image to be created. (Default: /tmp/vmlinuz.image)"
+DEFINE_string hd_vblock "/tmp/vmlinuz_hd.vblock" \
+  "The path to the installed kernel's vblock (Default: /tmp/vmlinuz_hd.vblock)"
 DEFINE_string vmlinuz "vmlinuz" \
   "The path to the kernel (Default: vmlinuz)"
 DEFINE_string working_dir "/tmp/vmlinuz.working" \
@@ -130,64 +132,14 @@ cros_secure
 EOF
   WORK="${WORK} ${FLAGS_working_dir}/config.txt"
 
-
+  # We sign the image with the recovery_key, because this is what goes onto the
-  # FIX: The .vbprivk files are not encrypted, so we shouldn't just leave them
+  # USB key. We can only boot from the USB drive in recovery mode.
-  # lying around as a general thing.
-
-  # Wrap the kernel data keypair, used for the kernel body
-  vbutil_key \
-    --pack "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
-    --key "${FLAGS_keys_dir}/key_rsa2048.keyb" \
-    --version 1 \
-    --algorithm 4
-  WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbpubk"
-
-  vbutil_key \
-    --pack "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
-    --key "${FLAGS_keys_dir}/key_rsa2048.pem" \
-    --algorithm 4
-  WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbprivk"
-
-
-  # Wrap the kernel subkey pair, used for the kernel's keyblock
-  vbutil_key \
-    --pack "${FLAGS_working_dir}/kernel_subkey.vbpubk" \
-    --key "${FLAGS_keys_dir}/key_rsa4096.keyb" \
-    --version 1 \
-    --algorithm 8
-  WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbpubk"
-
-  vbutil_key \
-    --pack "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
-    --key "${FLAGS_keys_dir}/key_rsa4096.pem" \
-    --algorithm 8
-  WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbprivk"
-
-
-  # Create the kernel keyblock, containing the kernel data key
-  vbutil_keyblock \
-    --pack "${FLAGS_working_dir}/kernel.keyblock" \
-    --datapubkey "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
-    --signprivate "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
-    --flags 15
-  WORK="${WORK} ${FLAGS_working_dir}/kernel.keyblock"
-
-  # Verify the keyblock.
-  vbutil_keyblock \
-    --unpack "${FLAGS_working_dir}/kernel.keyblock" \
-    --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
-
-  # TODO: We should sign the kernel blob using the recovery root key and
-  # recovery kernel data key instead (to create the recovery image), and then
-  # re-sign it this way for the install image. But we'll want to keep the
-  # install vblock separate, so we can just copy that part over separately when
-  # we install it instead of the whole kernel blob.
 
   # Create and sign the kernel blob
   vbutil_kernel \
     --pack "${FLAGS_to}" \
-    --keyblock "${FLAGS_working_dir}/kernel.keyblock" \
+    --keyblock "${FLAGS_keys_dir}/recovery_kernel.keyblock" \
-    --signprivate "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
+    --signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \
     --version 1 \
     --config "${FLAGS_working_dir}/config.txt" \
     --bootloader /lib64/bootstub/bootstub.efi \
@@ -196,7 +148,33 @@ EOF
   # And verify it.
   vbutil_kernel \
     --verify "${FLAGS_to}" \
-    --signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
+    --signpubkey "${FLAGS_keys_dir}/recovery_key.vbpubk"
+
+
+  # Now we re-sign the same image using the normal keys. This is the kernel
+  # image that is put on the hard disk by the installer. Note: To save space on
+  # the USB image, we're only emitting the new verfication block, and the
+  # installer just replaces that part of the hard disk's kernel partition.
+  vbutil_kernel \
+    --repack "${FLAGS_hd_vblock}" \
+    --vblockonly \
+    --keyblock "${FLAGS_keys_dir}/kernel.keyblock" \
+    --signprivate "${FLAGS_keys_dir}/kernel_data_key.vbprivk" \
+    --oldblob "${FLAGS_to}"
+
+
+  # To verify it, we have to replace the vblock from the original image.
+  tempfile=$(mktemp)
+  trap "rm -f $tempfile" EXIT
+  cat "${FLAGS_hd_vblock}" > $tempfile
+  dd if="${FLAGS_to}" bs=65536 skip=1 >> $tempfile
+
+  vbutil_kernel \
+    --verify $tempfile \
+    --signpubkey "${FLAGS_keys_dir}/kernel_subkey.vbpubk"
+
+  rm -f $tempfile
+  trap - EXIT
 
 elif [[ "${FLAGS_arch}" = "arm" ]]; then
   # FIXME: For now, ARM just uses the unsigned kernel by itself.