Google Git
Sign in
fuchsia / third_party / vboot_reference / refs/heads/upstream/stabilize-nocturne.10736.B^! / .
commit29f51dc30dfef564147ecd0555ac53f24bb7c1e9[log] [tgz]
authorEdward Hyunkoo Jee <edjee@google.com>Wed Apr 25 21:09:00 2018 -0700
committerchrome-bot <chrome-bot@chromium.org>Tue May 29 21:22:46 2018 -0700
treef9b882d9ff64fc420bcd57a4c175457764c95422
parent41c585ed7482da8ccd898b4118d1414028fe749f [diff]
keygeneration: add --no-pk option for UEFI key generation

In case PK has been generated in HSM, no need to generate them in
software.

BUG=b:62189155
TEST=See CL:*630434.
BRANCH=none

Change-Id: I2180b340e992b678e46920a1142d3b7101c8158f
Reviewed-on: https://chromium-review.googlesource.com/1071242
Commit-Ready: Edward Jee <edjee@google.com>
Tested-by: Edward Jee <edjee@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index a41140c..7a68fe9 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh

@@ -177,7 +177,7 @@
 
   if [[ "${uefi_keys}" == "true" ]]; then
     mkdir -p uefi
-    "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh uefi
+    "${SCRIPT_DIR}"/uefi/create_new_uefi_keys.sh --output uefi
   fi
 
   if [[ "${setperms}" == "true" ]]; then

diff --git a/scripts/keygeneration/uefi/create_new_uefi_keys.sh b/scripts/keygeneration/uefi/create_new_uefi_keys.sh
index 5a57b2f..2e91b01 100755
--- a/scripts/keygeneration/uefi/create_new_uefi_keys.sh
+++ b/scripts/keygeneration/uefi/create_new_uefi_keys.sh

@@ -8,13 +8,18 @@
 
 usage() {
   cat <<EOF
-Usage: ${PROG} <OUTPUT_DIR>
+Usage: ${PROG} [options]
 
 Generate key pairs for UEFI secure boot.
+
+Options:
+  --output <dir>  Where to write the keys (default is cwd).
+                  The base name must be '.../uefi'.
+  --no-pk         Do not generate PK.
 EOF
 
   if [[ $# -ne 0 ]]; then
-    die "$*"
+    die "unknown option $*"
   else
     exit 0
   fi
@@ -23,28 +28,31 @@
 main() {
   set -e
 
+  local generate_pk="true"
+  local output_dir="${PWD}"
+
   while [[ $# -gt 0 ]]; do
     case $1 in
+    --output)
+      output_dir="$2"
+      shift
+      ;;
+    --no-pk)
+      info "Will not generate PK."
+      generate_pk="false"
+      ;;
     -h|--help)
       usage
       ;;
-    -*)
+    *)
       usage "Unknown option: $1"
       ;;
-    *)
-      break
-      ;;
     esac
+    shift
   done
 
-  if [[ $# -ne 1 ]]; then
-    usage "Missing output directory"
-  fi
-
-  local dir="$1"
-
-  check_uefi_key_dir_name "${dir}"
-  pushd "${dir}" >/dev/null || die "Wrong output directory name"
+  check_uefi_key_dir_name "${output_dir}"
+  pushd "${output_dir}" >/dev/null || die "Wrong output directory name"
 
   if [[ ! -e "${UEFI_VERSION_FILE}" ]]; then
     echo "No version file found. Creating default ${UEFI_VERSION_FILE}."
@@ -59,7 +67,9 @@
   db_key_version=$(get_uefi_version "db_key_version")
   db_child_key_version=$(get_uefi_version "db_child_key_version")
 
-  make_pk_keypair "${pk_key_version}"
+  if [[ "${generate_pk}" == "true" ]]; then
+    make_pk_keypair "${pk_key_version}"
+  fi
   make_kek_keypair "${kek_key_version}"
   make_db_keypair "${db_key_version}"
   make_db_child_keypair "${db_key_version}" "${db_child_key_version}"