| #!/bin/bash |
| |
| # Copyright 2023 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Declare these arrays up-front so they can be used. |
| declare -a KEYCFG_ROOT_KEY_VBPUBK_LOEM KEYCFG_FIRMARE_VBPRIVK_LOEM \ |
| KEYCFG_FIRMARE_KEYBLOCK_LOEM |
| |
| # Setup the default key configuration by using the local key in `key_dir`. |
| setup_default_keycfg() { |
| local key_dir=$1 |
| |
| # Root keys with LOEM variants. Avoid using them directly; instead, use |
| # get_root_key_vbpubk(). |
| export KEYCFG_ROOT_KEY_VBPUBK="${key_dir}/root_key.vbpubk" |
| # Firmware data keys with LOEM variants. Avoid using them directly; instead, use |
| # get_firmware_vbprivk() and get_firmware_keyblock(). |
| export KEYCFG_FIRMWARE_VBPRIVK="${key_dir}/firmware_data_key.vbprivk" |
| export KEYCFG_FIRMWARE_KEYBLOCK="${key_dir}/firmware.keyblock" |
| |
| # Kernel subkey |
| export KEYCFG_KERNEL_SUBKEY_VBPUBK="${key_dir}/kernel_subkey.vbpubk" |
| # Kernel data keys |
| export KEYCFG_KERNEL_KEYBLOCK="${key_dir}/kernel.keyblock" |
| export KEYCFG_KERNEL_VBPRIVK="${key_dir}/kernel_data_key.vbprivk" |
| # Recovery root key |
| export KEYCFG_RECOVERY_KEY_VBPUBK="${key_dir}/recovery_key.vbpubk" |
| # Recovery kernel data keys |
| export KEYCFG_RECOVERY_KERNEL_KEYBLOCK="${key_dir}/recovery_kernel.keyblock" |
| export KEYCFG_RECOVERY_KERNEL_V1_KEYBLOCK="${key_dir}/recovery_kernel.v1.keyblock" |
| export KEYCFG_RECOVERY_KERNEL_VBPRIVK="${key_dir}/recovery_kernel_data_key.vbprivk" |
| # Installer kernel data keys |
| export KEYCFG_INSTALLER_KERNEL_KEYBLOCK="${key_dir}/installer_kernel.keyblock" |
| export KEYCFG_INSTALLER_KERNEL_V1_KEYBLOCK="${key_dir}/installer_kernel.v1.keyblock" |
| export KEYCFG_INSTALLER_KERNEL_VBPRIVK="${key_dir}/installer_kernel_data_key.vbprivk" |
| # MiniOS kernel data keys |
| export KEYCFG_MINIOS_KERNEL_KEYBLOCK="${key_dir}/minios_kernel.keyblock" |
| export KEYCFG_MINIOS_KERNEL_V1_KEYBLOCK="${key_dir}/minios_kernel.v1.keyblock" |
| export KEYCFG_MINIOS_KERNEL_VBPRIVK="${key_dir}/minios_kernel_data_key.vbprivk" |
| |
| # AP RO verification keys |
| export KEYCFG_ARV_ROOT_VBPUBK="${key_dir}/arv_root.vbpubk" |
| export KEYCFG_ARV_PLATFORM_KEYBLOCK="${key_dir}/arv_platform.keyblock" |
| export KEYCFG_ARV_PLATFORM_VBPRIVK="${key_dir}/arv_platform.vbprivk" |
| # UEFI keys and certs |
| export KEYCFG_UEFI_PRIVATE_KEY="${key_dir}/uefi/db/db.children/db_child.rsa" |
| export KEYCFG_UEFI_SIGN_CERT="${key_dir}/uefi/db/db.children/db_child.pem" |
| export KEYCFG_UEFI_VERIFY_CERT="${key_dir}/uefi/db/db.pem" |
| export KEYCFG_UEFI_CRDYSHIM_PRIVATE_KEY="${key_dir}/uefi/crdyshim.priv.pem" |
| # EC EFS key |
| export KEYCFG_KEY_EC_EFS_VBPRIK2="${key_dir}/key_ec_efs.vbprik2" |
| # This is for `sign_official_build.sh accessory_rwsig`, which uses arbitrary |
| # one of .vbprik2 in KEY_DIR if KEYCFG_ACCESSORY_RWSIG_VBPRIK2 is empty or unset. |
| export KEYCFG_ACCESSORY_RWSIG_VBPRIK2="" |
| # update payload key |
| export KEYCFG_UPDATE_KEY_PEM="${key_dir}/update_key.pem" |
| } |
| |
| # Setup the key configuration. This setups the default configuration and source |
| # the key_config.sh in `key_dir` to overwrite the default value. |
| setup_keycfg() { |
| local key_dir=$1 |
| setup_default_keycfg "${key_dir}" |
| export KEYCFG_KEY_DIR="${key_dir}" |
| if [ -f "${key_dir}/key_config.sh" ]; then |
| # Use process substitution to pass in the array to the key_config.sh file. |
| BASH_ENV=<(declare -p KEYCFG_ROOT_KEY_VBPUBK_LOEM \ |
| KEYCFG_FIRMARE_VBPRIVK_LOEM KEYCFG_FIRMARE_KEYBLOCK_LOEM) \ |
| . "${key_dir}/key_config.sh" |
| fi |
| } |
| |
| # Check if KEYCFG_KEY_DIR is set properly. |
| check_key_dir() { |
| if [[ -z "${KEYCFG_KEY_DIR}" ]]; then |
| echo "KEYCFG_KEY_DIR is unset. Try run setup_keycfg first." >&2 |
| exit 1 |
| fi |
| if [[ ! -d "${KEYCFG_KEY_DIR}" ]]; then |
| echo "The key directory '${KEYCFG_KEY_DIR}' doesn't exist." >&2 |
| exit 1 |
| fi |
| } |
| |
| # Get the default or configured path of root key with loem suffix. It could be |
| # either local or PKCS#11 path. If LOEM_INDEX is not specified, the non-loem |
| # root key would be returned. |
| # Args: [LOEM_INDEX] |
| get_root_key_vbpubk() { |
| local loem_index=$1 |
| check_key_dir |
| if [[ -z "${loem_index}" ]]; then |
| echo "${KEYCFG_ROOT_KEY_VBPUBK}" |
| return |
| fi |
| local default="${KEYCFG_KEY_DIR}/root_key.loem${loem_index}.vbpubk" |
| echo "${KEYCFG_ROOT_KEY_VBPUBK_LOEM[${loem_index}]:-${default}}" |
| } |
| |
| # Get the default or configured path of firmware data key with loem suffix. It |
| # could be either local or PKCS#11 path. If LOEM_INDEX is not specified, the |
| # non-loem data key would be returned. |
| # Args: [LOEM_INDEX] |
| get_firmware_vbprivk() { |
| local loem_index=$1 |
| check_key_dir |
| if [[ -z "${loem_index}" ]]; then |
| echo "${KEYCFG_FIRMWARE_VBPRIVK}" |
| return |
| fi |
| local default="${KEYCFG_KEY_DIR}/firmware_data_key.loem${loem_index}.vbprivk" |
| echo "${KEYCFG_FIRMWARE_VBPRIVK_LOEM[${loem_index}]:-${default}}" |
| } |
| |
| # Get the default or configured path of firmware key block with loem suffix. It |
| # could be either local or PKCS#11 path. If LOEM_INDEX is not specified, the |
| # non-loem key block would be returned. |
| # Args: [LOEM_INDEX] |
| get_firmware_keyblock() { |
| local loem_index=$1 |
| check_key_dir |
| if [[ -z "${loem_index}" ]]; then |
| echo "${KEYCFG_FIRMWARE_KEYBLOCK}" |
| return |
| fi |
| local default="${KEYCFG_KEY_DIR}/firmware.loem${loem_index}.keyblock" |
| echo "${KEYCFG_FIRMWARE_KEYBLOCK_LOEM[${loem_index}]:-${default}}" |
| } |