s6: update gen_scs scripts for new key dir naming [1/1]
PD#SWPL-172432
Problem:
New gen_scs scripts
Solution:
Update the s6 signing and key-export scripts to match the new key directory naming
chipset-keygen commit 35952ad
Verify:
./mk s6_skt with dv signing enabled
Change-Id: I55bd76bfec1990df75263a9622203243f6948617
Signed-off-by: Lawrence Mok <lawrence.mok@amlogic.com>
diff --git a/s6/bin/gen-bl3x-blobs.sh b/s6/bin/gen-bl3x-blobs.sh
index 87c14a3..1fabcef 100755
--- a/s6/bin/gen-bl3x-blobs.sh
+++ b/s6/bin/gen-bl3x-blobs.sh
@@ -28,22 +28,17 @@
DV_SIGNING_SCHEME=$7
CS_SIGNING_SCHEME=$8
-SIGNING_SCHEME_FULL=${CS_SIGNING_SCHEME}
-if [ "$CS_SIGNING_SCHEME" == "rsa-mldsa" ] || [ "$CS_SIGNING_SCHEME" == "mldsa" ]; then
- SIGNING_SCHEME_FULL+=-draft1
-fi
-
BASEDIR_AESKEY_PROT_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl2/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl2/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl2/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl31/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl31/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl31/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl32/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl32/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl32/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl40/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl40/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC}/chipset/bl40/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_OUTPUT_BLOB=$3
postfix=.signed
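Review bot: `CS_SIGNING_SCHEME` (positional `$8`) now goes straight into every `BASEDIR_RSAKEY_LVLX_*` path with nothing checking that it is one of the values the key generator accepts (`rsa | mldsa | rsa-mldsa`, per the usage text in gen_scs_keys.sh in this same commit); an empty or mistyped eighth argument yields `…/bl2//<chipset>` or a non-existent tree instead of an error. Since these paths select the private keys used to sign BL2/BL31/BL32/BL40, fail closed right after the assignment: `case "$CS_SIGNING_SCHEME" in rsa|mldsa|rsa-mldsa) ;; *) echo "Error: unknown CS_SIGNING_SCHEME '$CS_SIGNING_SCHEME'" >&2; exit 1 ;; esac`. Note also that a key tree laid out by the previous generator (`…/bl2/rsa-mldsa-draft1/…`) will silently stop being found; if a later existence check guards these directories it is outside this hunk, otherwise add one.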
diff --git a/s6/bin/gen-boot-blob-bl2-final.sh b/s6/bin/gen-boot-blob-bl2-final.sh
index d8d8aeb..d798953 100755
--- a/s6/bin/gen-boot-blob-bl2-final.sh
+++ b/s6/bin/gen-boot-blob-bl2-final.sh
@@ -27,22 +27,17 @@
CS_SIGNING_SCHEME=$7
CHIPSET_VARIANT_SUFFIX=$8
-SIGNING_SCHEME_FULL=${CS_SIGNING_SCHEME}
-if [ "$CS_SIGNING_SCHEME" == "rsa-mldsa" ] || [ "$CS_SIGNING_SCHEME" == "mldsa" ]; then
- SIGNING_SCHEME_FULL+=-draft1
-fi
-
BASEDIR_AESKEY_PROT_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_TEMPLATE="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/cert-template/${CHIPSET_NAME}"
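Review bot: The same eight-line key-directory table now appears verbatim in gen-bl3x-blobs.sh, gen-boot-blob-bl2-final.sh, gen-boot-blob-bl2-only.sh and gen-boot-blobs.sh (differing only in `SOC` vs `SOC_FAMILY`), and this commit had to edit all four in lockstep — the next layout change will miss one. Consider defining the table once in a sourced helper that sets the `BASEDIR_*` variables from the scheme, and tie the format to the generator it matches with a comment such as `# key layout per chipset-keygen 35952ad`. The file already uses bash `${var^^}` elsewhere in this tree, so the helper can derive the variable names from the stage list.
```shell
# Per-chipset key directories (layout per chipset-keygen 35952ad); shared by the gen-*-blob scripts
chipset_key_dirs() {
  local top=$1 ktype=$2 soc=$3 scheme=$4 chip=$5 stage
  for stage in bl2 bl31 bl32 bl40; do
    printf -v "BASEDIR_AESKEY_PROT_${stage^^}" '%s' "${top}/keys/${ktype}/${soc}/chipset/${stage}/aes/${chip}"
    printf -v "BASEDIR_RSAKEY_LVLX_${stage^^}" '%s' "${top}/keys/${ktype}/${soc}/chipset/${stage}/${scheme}/${chip}"
  done
}
# … unchanged: callers replace the table with  chipset_key_dirs "$BASEDIR_TOP" "$KEY_TYPE" "$SOC_FAMILY" "$CS_SIGNING_SCHEME" "$CHIPSET_NAME" …
```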
diff --git a/s6/bin/gen-boot-blob-bl2-only.sh b/s6/bin/gen-boot-blob-bl2-only.sh
index fb9b15c..2820fa1 100755
--- a/s6/bin/gen-boot-blob-bl2-only.sh
+++ b/s6/bin/gen-boot-blob-bl2-only.sh
@@ -27,22 +27,17 @@
CS_SIGNING_SCHEME=$7
CHIPSET_VARIANT_SUFFIX=$8
-SIGNING_SCHEME_FULL=${CS_SIGNING_SCHEME}
-if [ "$CS_SIGNING_SCHEME" == "rsa-mldsa" ] || [ "$CS_SIGNING_SCHEME" == "mldsa" ]; then
- SIGNING_SCHEME_FULL+=-draft1
-fi
-
BASEDIR_AESKEY_PROT_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_TEMPLATE="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/cert-template/${CHIPSET_NAME}"
template_ext=".${DV_SIGNING_SCHEME}.${CS_SIGNING_SCHEME}"
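Review bot: After this change `BASEDIR_RSAKEY_LVLX_*` no longer necessarily points at RSA material — for `CS_SIGNING_SCHEME=mldsa` it is the ML-DSA key directory — so the `RSAKEY` in the variable names now misleads, and the only hint that the scheme is variable is `template_ext=".${DV_SIGNING_SCHEME}.${CS_SIGNING_SCHEME}"` at the end of the hunk. Renaming the variables would touch code outside this hunk, so at minimum document it above the table: `# NOTE: "RSAKEY" is historical; these directories hold the level-X signing keys for CS_SIGNING_SCHEME (rsa | mldsa | rsa-mldsa), not RSA specifically.` The `aes/` directories are independent of the scheme and are correctly left alone.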
diff --git a/s6/bin/gen-boot-blobs.sh b/s6/bin/gen-boot-blobs.sh
index 6018f21..57541d9 100755
--- a/s6/bin/gen-boot-blobs.sh
+++ b/s6/bin/gen-boot-blobs.sh
@@ -27,22 +27,17 @@
CS_SIGNING_SCHEME=$7
CHIPSET_VARIANT_SUFFIX=$8
-SIGNING_SCHEME_FULL=${CS_SIGNING_SCHEME}
-if [ "$CS_SIGNING_SCHEME" == "rsa-mldsa" ] || [ "$CS_SIGNING_SCHEME" == "mldsa" ]; then
- SIGNING_SCHEME_FULL+=-draft1
-fi
-
BASEDIR_AESKEY_PROT_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL2="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl2/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL31="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl31/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL32="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl32/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_AESKEY_PROT_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/aes/${CHIPSET_NAME}"
-BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/$SIGNING_SCHEME_FULL/${CHIPSET_NAME}"
+BASEDIR_RSAKEY_LVLX_BL40="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/bl40/$CS_SIGNING_SCHEME/${CHIPSET_NAME}"
BASEDIR_TEMPLATE="${BASEDIR_TOP}/keys/${KEY_TYPE}/${SOC_FAMILY}/chipset/cert-template/${CHIPSET_NAME}"
template_ext=".${DV_SIGNING_SCHEME}.${CS_SIGNING_SCHEME}"
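Review bot: `CS_SIGNING_SCHEME=$7` is taken from the positional arguments with no arity or emptiness check, and this hunk is where it becomes a filesystem path: with only six arguments the scheme is empty and every `BASEDIR_RSAKEY_LVLX_*` becomes `…/chipset/bl2//${CHIPSET_NAME}`, which still resolves on Linux and so fails late or not at all. Fail early with bash's `:?` expansion directly under the assignment: `: "${CS_SIGNING_SCHEME:?arg 7 must be the chipset signing scheme (rsa|mldsa|rsa-mldsa)}"`, and do the same for `DV_SIGNING_SCHEME` (presumably assigned just above the hunk), which `template_ext` on the last line also depends on. Whether a later `check_dir`-style guard catches this is not visible here.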
diff --git a/s6/bin/sign-kernel-boot.sh b/s6/bin/sign-kernel-boot.sh
index 7ffe458..3902630 100755
--- a/s6/bin/sign-kernel-boot.sh
+++ b/s6/bin/sign-kernel-boot.sh
@@ -290,7 +290,7 @@
echo Error: Missing output file option --output; exit 1;
fi
- rsakey=$(readlink -f ${key_dir})/fip/rsa/${part}/rootrsa-${rootkey_index}/key/krnl-level-3-rsa-priv.pem
+ rsakey=$(readlink -f ${key_dir})/fip/rsa/${part}/trustchain-${rootkey_index}/key/krnl-level-3-rsa-priv.pem
check_file "RSA key" "${rsakey}"
aeskey=$(readlink -f ${key_dir})/fip/aes/${part}/protkey/genkey-prot-krnl.bin
check_file "AES key" "${aeskey}"
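Review bot: The kernel signing key path on the changed line is hard-wired to the `fip/rsa/` tree, whereas gen-device-fip.sh in this same commit resolves the project key root as `fip/$DV_SIGNING_SCHEME/${PROJECT}/trustchain-N`; for an `mldsa` or `rsa-mldsa` device chain this script will look in a directory the generator may not populate, and `check_file` will then fail — or, if an rsa chain exists at the same index, could pick it up instead. If sign-kernel-boot.sh is meant to be RSA-only regardless of the boot chain scheme, say so on the line, e.g. `# kernel/boot images are always signed with the RSA level-3 key, independent of DV_SIGNING_SCHEME`; otherwise thread the scheme through as the other scripts do. `readlink -f ${key_dir}` should also be quoted (`"${key_dir}"`). The enclosing function starts and ends outside the hunk.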
diff --git a/s6/generate-binaries/bin/gen-boot-blobs.sh b/s6/generate-binaries/bin/gen-boot-blobs.sh
index 47ccc9b..3551615 100755
--- a/s6/generate-binaries/bin/gen-boot-blobs.sh
+++ b/s6/generate-binaries/bin/gen-boot-blobs.sh
@@ -32,25 +32,12 @@
echo "============ KEY_DIR ${BASEDIR_ROOT}"
echo "============ PROJECT ${PROJECT}"
-
-# rsa -> rsa-mldsa-draft1
-# rootrsa-0 -> rootkey-0
-
-SIGNING_SCHEME_FULL=${DV_SIGNING_SCHEME}
-if [ "$DV_SIGNING_SCHEME" == "rsa-mldsa" ]; then
- SIGNING_SCHEME_FULL+=-draft1
-fi
-SIGNING_KEY_DIR_PREFIX=rootrsa
-if [ "$DV_SIGNING_SCHEME" != "rsa" ]; then
- SIGNING_KEY_DIR_PREFIX=rootkey
-fi
-
if [ -z "$PROJECT" ]; then
- BASEDIR_BOOTBLOBS_SIGKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/$SIGNING_SCHEME_FULL/$SIGNING_KEY_DIR_PREFIX-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/root$SIGNING_SCHEME_FULL-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_SIGKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/$DV_SIGNING_SCHEME/trustchain-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/trustchain-${DEVICE_ROOTRSA_INDEX}"
else
- BASEDIR_BOOTBLOBS_SIGKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/$SIGNING_SCHEME_FULL/${PROJECT}/$SIGNING_KEY_DIR_PREFIX-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/${PROJECT}/root$SIGNING_SCHEME_FULL-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_SIGKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/$DV_SIGNING_SCHEME/${PROJECT}/trustchain-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/${PROJECT}/trustchain-${DEVICE_ROOTRSA_INDEX}"
fi
BASEDIR_DEVICE_TEMPLATE="${BASEDIR_BOOTBLOBS_TEMPLATE_ROOT}"
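Review bot: The template root is now `boot-blobs/template/trustchain-N` for every scheme, while the signing-key root on the line above it still branches on `$DV_SIGNING_SCHEME`; previously `template/root$SIGNING_SCHEME_FULL-N` kept rsa and rsa-mldsa templates at the same index apart. Presumably the template files themselves carry the scheme (s6/bin/gen-boot-blobs.sh builds `template_ext=".${DV_SIGNING_SCHEME}.${CS_SIGNING_SCHEME}"`), but that is not visible here and is worth confirming before two chains share one directory. The removed `# rsa -> rsa-mldsa-draft1 / rootrsa-0 -> rootkey-0` lines were the only documentation of the layout; replace them with a current one, e.g. `# Key layout (chipset-keygen 35952ad): boot-blobs/<scheme>/trustchain-<idx>; templates shared across schemes under boot-blobs/template/trustchain-<idx>`.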
diff --git a/s6/generate-binaries/bin/gen-device-fip.sh b/s6/generate-binaries/bin/gen-device-fip.sh
index 657a11d..68e6c04 100755
--- a/s6/generate-binaries/bin/gen-device-fip.sh
+++ b/s6/generate-binaries/bin/gen-device-fip.sh
@@ -37,23 +37,14 @@
echo "============ KEY_DIR ${BASEDIR_ROOT}"
echo "============ PROJECT ${PROJECT}"
-SIGNING_SCHEME_FULL=${DV_SIGNING_SCHEME}
-if [ "$DV_SIGNING_SCHEME" == "rsa-mldsa" ]; then
- SIGNING_SCHEME_FULL+=-draft1
-fi
-SIGNING_KEY_DIR_PREFIX=rootrsa
-if [ "$DV_SIGNING_SCHEME" != "rsa" ]; then
- SIGNING_KEY_DIR_PREFIX=rootkey
-fi
-
if [ -z "$PROJECT" ]; then
- BASEDIR_FIP_SIGKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/$SIGNING_KEY_DIR_PREFIX-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_SIGKEY_ROOT="${BASEDIR_ROOT}/fip/rsa/trustchain-${DEVICE_ROOTRSA_INDEX}"
BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/protkey"
- BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/root$SIGNING_SCHEME_FULL-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/trustchain-${DEVICE_ROOTRSA_INDEX}"
else
- BASEDIR_FIP_SIGKEY_ROOT="${BASEDIR_ROOT}/fip/$SIGNING_SCHEME_FULL/${PROJECT}/$SIGNING_KEY_DIR_PREFIX-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_SIGKEY_ROOT="${BASEDIR_ROOT}/fip/$DV_SIGNING_SCHEME/${PROJECT}/trustchain-${DEVICE_ROOTRSA_INDEX}"
BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/${PROJECT}/protkey"
- BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/${PROJECT}/root$SIGNING_SCHEME_FULL-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/${PROJECT}/trustchain-${DEVICE_ROOTRSA_INDEX}"
fi
BASEDIR_DEVICE_TEMPLATE="${BASEDIR_FIP_TEMPLATE_ROOT}"
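Review bot: In the no-project branch `BASEDIR_FIP_SIGKEY_ROOT` is still hard-coded to `fip/rsa/trustchain-N`, while the project branch two lines later uses `fip/$DV_SIGNING_SCHEME/${PROJECT}/trustchain-N`, and export_dv_scs_signing_keys.sh in this same commit writes the no-project FIP keys to `fip/${sig_scheme}/trustchain-N`. For `mldsa`/`rsa-mldsa` without a PROJECT the two scripts therefore disagree on where the FIP signing keys live, and this one will either fail to find them or use an rsa chain if one happens to exist. Unless the rsa tree is intentionally shared for the no-project case, make the branches symmetric: `BASEDIR_FIP_SIGKEY_ROOT="${BASEDIR_ROOT}/fip/${DV_SIGNING_SCHEME}/trustchain-${DEVICE_ROOTRSA_INDEX}"`.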
diff --git a/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh b/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh
index 8b5ab32..6690ed9 100755
--- a/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh
+++ b/s6/generate-device-keys/bin/export_dv_scs_signing_keys.sh
@@ -118,12 +118,7 @@
usage
fi
-sig_scheme_full=$sig_scheme
-rootchain_name=$sig_scheme
-if [ "$sig_scheme" == "rsa-mldsa" ] || [ "$sig_scheme" == "mldsa" ]; then
- sig_scheme_full+="-draft1"
- rootchain_name="key"
-fi
+trustchain_name="trustchain"
BASEDIR_ROOT=$key_dir
BASEDIR_OUT_ROOT=$output_dir
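Review bot: `trustchain_name="trustchain"` is a constant that replaces a scheme-dependent conditional, but nothing records why, and the name no longer varies with `sig_scheme` so a reader will wonder what it parameterises. Mark it `readonly trustchain_name="trustchain"` and add `# Root trust chain directory name; replaces the scheme-dependent rootrsa-N/rootkey-N layouts (chipset-keygen 35952ad)`. The dropped `if` was also the only place in this hunk that compared `sig_scheme` against the known schemes; if the `usage` path above already validates it, fine, otherwise an unknown scheme now silently becomes a path component.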
@@ -131,37 +126,37 @@
if [ -z "$project" ]; then
BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/rootkey"
- BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/$sig_scheme_full/"
- BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/$sig_scheme_full/root${rootchain_name}-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/$sig_scheme_full/root${rootchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/$sig_scheme/"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/${sig_scheme}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/${sig_scheme}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/protkey"
- BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/root${sig_scheme_full}-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/root${sig_scheme_full}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
BASEDIR_AESKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/aes/rootkey"
- BASEDIR_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/$sig_scheme_full/"
- BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/$sig_scheme_full/root${rootchain_name}-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_FIP_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/$sig_scheme_full/root${rootchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/$sig_scheme/"
+ BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/$sig_scheme/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/$sig_scheme/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
BASEDIR_FIP_AESKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/aes/protkey"
- BASEDIR_BOOTBLOBS_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/template/root${sig_scheme_full}-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_FIP_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/template/root${sig_scheme_full}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/template/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/template/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
else
BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/${project}/rootkey"
- BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/$sig_scheme_full/${project}"
- BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/$sig_scheme_full/${project}/root${rootchain_name}-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/$sig_scheme_full/${project}/root${rootchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/$sig_scheme/${project}"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/$sig_scheme/${project}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/$sig_scheme/${project}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
BASEDIR_FIP_AESKEY_ROOT="${BASEDIR_ROOT}/fip/aes/${project}/protkey"
- BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/${project}/root${sig_scheme_full}-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/${project}/root${sig_scheme_full}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_ROOT="${BASEDIR_ROOT}/boot-blobs/template/${project}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_ROOT="${BASEDIR_ROOT}/fip/template/${project}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
BASEDIR_AESKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/aes/${project}/rootkey"
- BASEDIR_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/$sig_scheme_full/${project}"
- BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/$sig_scheme_full/${project}/root${rootchain_name}-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_FIP_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/$sig_scheme_full/${project}/root${rootchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/root/$sig_scheme/${project}"
+ BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/$sig_scheme/${project}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_RSAKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/$sig_scheme/${project}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
BASEDIR_FIP_AESKEY_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/aes/${project}/protkey"
- BASEDIR_BOOTBLOBS_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/template/${project}/root${sig_scheme_full}-${DEVICE_ROOTRSA_INDEX}"
- BASEDIR_FIP_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/template/${project}/root${sig_scheme_full}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/boot-blobs/template/${project}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_OUT_ROOT="${BASEDIR_OUT_ROOT}/fip/template/${project}/${trustchain_name}-${DEVICE_ROOTRSA_INDEX}"
fi
### Input: Root Cert ###
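Review bot: The rewritten paths mix `${sig_scheme}` and `$sig_scheme` (`BASEDIR_BOOTBLOBS_RSAKEY_ROOT` vs `BASEDIR_BOOTBLOBS_RSAKEY_OUT_ROOT`), and `BASEDIR_RSAKEY_ROOT`/`BASEDIR_RSAKEY_OUT_ROOT` keep a trailing slash in the no-project branch but not in the project branch; harmless for most copies but it makes the two branches hard to compare by eye and yields `//` wherever a later `/…` is appended. Normalise to `${sig_scheme}` throughout and drop the trailing slash, e.g. `BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/${sig_scheme}"`. The AES roots stay under `rootkey`/`protkey` — presumably intentional since they are not part of the asymmetric trust chain, but a one-line comment saying so would stop the next reader from "fixing" them.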
diff --git a/s6/generate-device-keys/bin/gen_scs_keys.sh b/s6/generate-device-keys/bin/gen_scs_keys.sh
index 9db1c9b..edee899 100755
--- a/s6/generate-device-keys/bin/gen_scs_keys.sh
+++ b/s6/generate-device-keys/bin/gen_scs_keys.sh
@@ -47,286 +47,286 @@
trace ()
{
- if [ ${dbg_trace} -ne 0 ]; then
- #echo ">>> $@" > /dev/null
- echo ">>> $@"
- fi
+ if [ ${dbg_trace} -ne 0 ]; then
+ #echo ">>> $@" > /dev/null
+ echo ">>> $@"
+ fi
}
check_dir() {
- if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
+ if [ ! -d "$1" ]; then echo "Error: directory \""$1"\" does NOT exist"; usage ; fi
}
rsa_sig() {
- if [ $is_rsa -eq 1 ]; then
- local chain_num=$1
- local path=$2
- local files=$3
- local payload=$4
- local ops=$5
+ if [ $is_rsa -eq 1 ]; then
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local payload=$4
+ local ops=$5
- local test_vector_file="$path/test-payload-${payload}.bin"
+ local test_vector_file="$path/test-payload-${payload}.bin"
- if [ $ops == "verify" ]; then
- echo "Verifying $chain_num ${rsa_algo_name^^} key test payload signature ..."
- else
- echo "Generating $chain_num ${rsa_algo_name^^} key test payload signature ..."
- fi
+ if [ $ops == "verify" ]; then
+ echo "Verifying $chain_num ${rsa_algo_name^^} key test payload signature ..."
+ else
+ echo "Generating $chain_num ${rsa_algo_name^^} key test payload signature ..."
+ fi
- if [ ! -f $test_vector_file ]; then
- if [ $ops == "verify" ]; then
- echo "No test payload file found"
- exit -1
- else
- trace "Creating dummy test payload $test_vector_file"
- dd if=/dev/random of=$test_vector_file bs=1024 count=2 iflag=fullblock
- fi
- fi
+ if [ ! -f $test_vector_file ]; then
+ if [ $ops == "verify" ]; then
+ echo "No test payload file found"
+ exit -1
+ else
+ trace "Creating dummy test payload $test_vector_file"
+ dd if=/dev/random of=$test_vector_file bs=1024 count=2 iflag=fullblock
+ fi
+ fi
- # Sign a dummy payload with openssl 3.0.2
- #openssl pkeyutl -sign -rawin -in <dummy-payload.bin> -inkey <private-key.pem> -digest sha256 -out <pss.sha256.sig> -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
+ # Sign a dummy payload with openssl 3.0.2
+ #openssl pkeyutl -sign -rawin -in <dummy-payload.bin> -inkey <private-key.pem> -digest sha256 -out <pss.sha256.sig> -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
- # Verify signature using public key with openssl 3.0.2
- #openssl pkeyutl -verify -rawin -in <dummy-payload.bin> -sigfile <pss.sha256.sig> -pubin -inkey <public-key.pem> -digest sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
+ # Verify signature using public key with openssl 3.0.2
+ #openssl pkeyutl -verify -rawin -in <dummy-payload.bin> -sigfile <pss.sha256.sig> -pubin -inkey <public-key.pem> -digest sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
- for f in $files
- do
- if [ $ops == "verify" ]; then
- trace "openssl pkeyutl -verify -rawin -in $test_vector_file -sigfile $path/test-payload-${payload}-$f-pub.sig -pubin -inkey $path/$f-pub.pem -digest sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest"
- openssl pkeyutl -verify -rawin -in $test_vector_file -sigfile $path/test-payload-${payload}-$f-pub.sig -pubin -inkey $path/$f-pub.pem -digest sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
- else
- trace "openssl pkeyutl -sign -rawin -in $test_vector_file -inkey $path/$f-priv.pem -digest sha256 -out $path/test-payload-${payload}-$f-pub.sig -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest"
- openssl pkeyutl -sign -rawin -in $test_vector_file -inkey $path/$f-priv.pem -digest sha256 -out $path/test-payload-${payload}-$f-pub.sig -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
- fi
- done
- fi
+ for f in $files
+ do
+ if [ $ops == "verify" ]; then
+ trace "openssl pkeyutl -verify -rawin -in $test_vector_file -sigfile $path/test-payload-${payload}-$f-pub.sig -pubin -inkey $path/$f-pub.pem -digest sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest"
+ openssl pkeyutl -verify -rawin -in $test_vector_file -sigfile $path/test-payload-${payload}-$f-pub.sig -pubin -inkey $path/$f-pub.pem -digest sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
+ else
+ trace "openssl pkeyutl -sign -rawin -in $test_vector_file -inkey $path/$f-priv.pem -digest sha256 -out $path/test-payload-${payload}-$f-pub.sig -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest"
+ openssl pkeyutl -sign -rawin -in $test_vector_file -inkey $path/$f-priv.pem -digest sha256 -out $path/test-payload-${payload}-$f-pub.sig -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
+ fi
+ done
+ fi
}
rsa_gen() {
- if [ $is_rsa -eq 1 ]; then
- local chain_num=$1
- local path=$2
- local files=$3
- local size=$4
+ if [ $is_rsa -eq 1 ]; then
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local size=$4
- echo "Generating trust chain $chain_num ${rsa_algo_name^^}-${size} key ..."
+ echo "Generating trust chain $chain_num ${rsa_algo_name^^}-${size} key ..."
- for f in $files
- do
- local kpriv="$path/$f-priv.pem"
- local kpub="$path/$f-pub.pem"
- openssl genrsa -out $kpriv $size
- echo $kpriv
- echo $kpub
- openssl rsa -in $kpriv -outform PEM -pubout -out $kpub
- #openssl rsa -noout -text -inform PEM -in $kpub -pubin
- done
- fi
+ for f in $files
+ do
+ local kpriv="$path/$f-priv.pem"
+ local kpub="$path/$f-pub.pem"
+ openssl genrsa -out $kpriv $size
+ echo $kpriv
+ echo $kpub
+ openssl rsa -in $kpriv -outform PEM -pubout -out $kpub
+ #openssl rsa -noout -text -inform PEM -in $kpub -pubin
+ done
+ fi
}
ml_dsa_sig() {
- if [ $is_ml_dsa -eq 1 ]; then
- local chain_num=$1
- local path=$2
- local files=$3
- local payload=$4
- local ops=$5
+ if [ $is_ml_dsa -eq 1 ]; then
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local payload=$4
+ local ops=$5
- local test_vector_file="$path/test-payload-${payload}.bin"
+ local test_vector_file="$path/test-payload-${payload}.bin"
- if [ $ops == "verify" ]; then
- echo "Verifying $chain_num ${ml_dsa_algo_name^^} key test payload signature ..."
- else
- echo "Generating $chain_num ${ml_dsa_algo_name^^} key test payload signature ..."
- fi
+ if [ $ops == "verify" ]; then
+ echo "Verifying $chain_num ${ml_dsa_algo_name^^} key test payload signature ..."
+ else
+ echo "Generating $chain_num ${ml_dsa_algo_name^^} key test payload signature ..."
+ fi
- if [ ! -f $test_vector_file ]; then
- if [ $ops == "verify" ]; then
- echo "No test payload file found"
- exit -1
- else
- trace "Creating dummy test payload $test_vector_file"
- dd if=/dev/random of=$test_vector_file bs=1024 count=2 iflag=fullblock
- fi
- fi
+ if [ ! -f $test_vector_file ]; then
+ if [ $ops == "verify" ]; then
+ echo "No test payload file found"
+ exit -1
+ else
+ trace "Creating dummy test payload $test_vector_file"
+ dd if=/dev/random of=$test_vector_file bs=1024 count=2 iflag=fullblock
+ fi
+ fi
- # Sign a dummy payload with private openssl-dilithium 1.1.1u build
- #openssl dgst -sha3-512 -sign <private-key.pem> -keyform pem -out <ml-dsa.sig> <dummy-payload.bin>
+ # Sign a dummy payload with private openssl-dilithium 1.1.1u build
+ #openssl dgst -sha3-512 -sign <private-key.pem> -keyform pem -out <ml-dsa.sig> <dummy-payload.bin>
- # Verify signature using public key with private openssl-dilithium 1.1.1u build
- #openssl dgst -sha3-512 -verify <public-key.pem> -keyform pem -signature <ml-dsa.sig> <dummy-payload.bin>
+ # Verify signature using public key with private openssl-dilithium 1.1.1u build
+ #openssl dgst -sha3-512 -verify <public-key.pem> -keyform pem -signature <ml-dsa.sig> <dummy-payload.bin>
- for f in $files
- do
- if [ $ops == "verify" ]; then
- trace "${OPENSSL} dgst -sha3-512 -verify $path/$f-pub.pem -keyform pem -signature $path/test-payload-${payload}-$f-pub.sig $test_vector_file"
- ${OPENSSL} dgst -sha3-512 -verify $path/$f-pub.pem -keyform pem -signature $path/test-payload-${payload}-$f-pub.sig $test_vector_file
- else
- trace "${OPENSSL} dgst -sha3-512 -sign $path/$f-priv.pem -keyform pem -out $path/test-payload-${payload}-$f-pub.sig $test_vector_file"
- ${OPENSSL} dgst -sha3-512 -sign $path/$f-priv.pem -keyform pem -out $path/test-payload-${payload}-$f-pub.sig $test_vector_file
- fi
- done
- fi
+ for f in $files
+ do
+ if [ $ops == "verify" ]; then
+ trace "${OPENSSL} dgst -sha3-512 -verify $path/$f-pub.pem -keyform pem -signature $path/test-payload-${payload}-$f-pub.sig $test_vector_file"
+ ${OPENSSL} dgst -sha3-512 -verify $path/$f-pub.pem -keyform pem -signature $path/test-payload-${payload}-$f-pub.sig $test_vector_file
+ else
+ trace "${OPENSSL} dgst -sha3-512 -sign $path/$f-priv.pem -keyform pem -out $path/test-payload-${payload}-$f-pub.sig $test_vector_file"
+ ${OPENSSL} dgst -sha3-512 -sign $path/$f-priv.pem -keyform pem -out $path/test-payload-${payload}-$f-pub.sig $test_vector_file
+ fi
+ done
+ fi
}
ml_dsa_gen() {
- if [ $is_ml_dsa -eq 1 ]; then
- local chain_num=$1
- local path=$2
- local files=$3
- local size=$4
+ if [ $is_ml_dsa -eq 1 ]; then
+ local chain_num=$1
+ local path=$2
+ local files=$3
+ local size=$4
- echo "Generating trust chain $chain_num ${ml_dsa_algo_name^^}-${size} key ..."
+ echo "Generating trust chain $chain_num ${ml_dsa_algo_name^^}-${size} key ..."
- for f in $files
- do
- local kpriv="$path/$f-priv.pem"
- local kpub="$path/$f-pub.pem"
- ${OPENSSL} genpkey -algorithm dilithium${size} -outform PEM -out $kpriv
- echo $kpriv
- echo $kpub
- ${OPENSSL} pkey -in $kpriv -outform PEM -pubout -out $kpub
- done
- fi
+ for f in $files
+ do
+ local kpriv="$path/$f-priv.pem"
+ local kpub="$path/$f-pub.pem"
+ ${OPENSSL} genpkey -algorithm dilithium${size} -outform PEM -out $kpriv
+ echo $kpriv
+ echo $kpub
+ ${OPENSSL} pkey -in $kpriv -outform PEM -pubout -out $kpub
+ done
+ fi
}
key_link() {
- local chain_num=$1
- local path=$2
- local src=$3
- local files=$4
+ local chain_num=$1
+ local path=$2
+ local src=$3
+ local files=$4
- echo "Linking trust chain $chain_num key ..."
+ echo "Linking trust chain $chain_num key ..."
- local kpriv_src="$src-priv.pem"
- local kpub_src="$src-pub.pem"
- echo $kpriv_src
- echo $kpub_src
+ local kpriv_src="$src-priv.pem"
+ local kpub_src="$src-pub.pem"
+ echo $kpriv_src
+ echo $kpub_src
- pushd $path
- for f in $files
- do
- local kpriv="$f-priv.pem"
- local kpub="$f-pub.pem"
+ pushd $path
+ for f in $files
+ do
+ local kpriv="$f-priv.pem"
+ local kpub="$f-pub.pem"
- echo $kpriv
- echo $kpub
+ echo $kpriv
+ echo $kpub
- ln -s $kpriv_src $kpriv
- ln -s $kpub_src $kpub
+ ln -s $kpriv_src $kpriv
+ ln -s $kpub_src $kpub
- ls -l $kpriv
- ls -l $kpub
- #openssl pkey -noout -text -inform PEM -in $kpub -pubin
- done
- popd
+ ls -l $kpriv
+ ls -l $kpub
+ #openssl pkey -noout -text -inform PEM -in $kpub -pubin
+ done
+ popd
}
ek_link() {
- local chain_num=$1
- local path=$2
- local src=$3
- local files=$4
+ local chain_num=$1
+ local path=$2
+ local src=$3
+ local files=$4
- echo "Linking trust chain $chain_num EKs ..."
+ echo "Linking trust chain $chain_num EKs ..."
- local file_src=$src
- echo $file_src
+ local file_src=$src
+ echo $file_src
- pushd $path
- for f in $files
- do
- local file="$f"
- echo $file
+ pushd $path
+ for f in $files
+ do
+ local file="$f"
+ echo $file
- ln -s $file_src $file
+ ln -s $file_src $file
- ls -l $file
- #dd if=/dev/random of=$file iflag=fullblock bs=64 count=1
- #xxd -p -c16 $file
- done
- popd
+ ls -l $file
+ #dd if=/dev/random of=$file iflag=fullblock bs=64 count=1
+ #xxd -p -c16 $file
+ done
+ popd
}
ek_gen() {
- local chain_num=$1
- local path=$2
- local files=$3
+ local chain_num=$1
+ local path=$2
+ local files=$3
- echo "Generating trust chain $chain_num EKs ..."
+ echo "Generating trust chain $chain_num EKs ..."
- for f in $files
- do
- local file="$path/$f"
- echo $file
- dd if=/dev/random of=$file iflag=fullblock bs=64 count=1
- #xxd -p -c16 $file
- done
+ for f in $files
+ do
+ local file="$path/$f"
+ echo $file
+ dd if=/dev/random of=$file iflag=fullblock bs=64 count=1
+ #xxd -p -c16 $file
+ done
}
nonce_link() {
- local chain_num=$1
- local path=$2
- local src=$3
- local files=$4
+ local chain_num=$1
+ local path=$2
+ local src=$3
+ local files=$4
- echo "Linking trust chain $chain_num NONCE ..."
+ echo "Linking trust chain $chain_num NONCE ..."
- local file_src=$src
- echo $file_src
+ local file_src=$src
+ echo $file_src
- pushd $path
- for f in $files
- do
- local file="$f"
- echo $file
+ pushd $path
+ for f in $files
+ do
+ local file="$f"
+ echo $file
- ln -s $file_src $file
+ ln -s $file_src $file
- ls -l $file
- #dd if=/dev/random of=$file iflag=fullblock bs=16 count=1
- #xxd -p -c16 $file
- done
- popd
+ ls -l $file
+ #dd if=/dev/random of=$file iflag=fullblock bs=16 count=1
+ #xxd -p -c16 $file
+ done
+ popd
}
nonce_gen() {
- local chain_num=$1
- local path=$2
- local files=$3
+ local chain_num=$1
+ local path=$2
+ local files=$3
- echo "Generating trust chain $chain_num NONCE ..."
+ echo "Generating trust chain $chain_num NONCE ..."
- for f in $files
- do
- local file="$path/$f"
- echo $file
- dd if=/dev/random of=$file iflag=fullblock bs=16 count=1
- #xxd -p -c16 $file
- done
+ for f in $files
+ do
+ local file="$path/$f"
+ echo $file
+ dd if=/dev/random of=$file iflag=fullblock bs=16 count=1
+ #xxd -p -c16 $file
+ done
}
usage() {
- cat << EOF
+ cat << EOF
Usage: $(basename $0) --help | --version
- Generate Amlogic Secure Chipset Startup (SCS) keys
+ Generate Amlogic Secure Chipset Startup (SCS) keys
- $(basename $0)
- --key-dir <key-dir> \\
- --stage [root | boot-blobs] \\
- {--sig-scheme [rsa | mldsa | rsa-mldsa]} \\
- {--prefix [cs | dv]} \\
- {--rsa-size [2048 | 4096]} \\
- {--ml-dsa-level [2 | 3 | 5]} \\
- {--ml-dsa-version [draft1]} \\
- {--gen-sig} \\
- {--verify-sig} \\
- {--link-gen-file [0 | 1]} \\
- {--link-lvl3-to-lvl2-file [0 | 1]} \\
- {--project <project-name>}
+ $(basename $0)
+ --key-dir <key-dir> \\
+ --stage [root | boot-blobs] \\
+ {--sig-scheme [rsa | mldsa | rsa-mldsa]} \\
+ {--prefix [cs | dv]} \\
+ {--rsa-size [2048 | 4096]} \\
+ {--ml-dsa-level [2 | 3 | 5]} \\
+ {--ml-dsa-version [draft1]} \\
+ {--gen-sig} \\
+ {--verify-sig} \\
+ {--link-gen-file [0 | 1]} \\
+ {--link-lvl3-to-lvl2-file [0 | 1]} \\
+ {--project <project-name>}
EOF
- exit 1
+ exit 1
}
PREFIX="cs-"
@@ -340,11 +340,11 @@
link_gen_file=0
link_lvl3_to_lvl2_file=0
sig_scheme=""
+sig_scheme_version=""
prefix=""
-# Default to original root trust chain name (rootrsa) before
-# hybrid PQC introduction
-rootchain_name="rsa"
+# Change root trust chain name from "rootrsa" to "trustchain"
+trustchain_name="trustchain"
is_rsa=1
is_ml_dsa=0
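Review bot: `sig_scheme_version` is introduced here but nothing in the visible diff assigns or reads it, while the usage text still advertises `--ml-dsa-version [draft1]` and the parser stores that in `ml_dsa_version`; with the `-draft1` suffix removed from every key directory, the on-disk layout no longer records which ML-DSA version a `trustchain-<idx>` was generated with. This script generates keys with `genpkey -algorithm dilithium<n>` from a private openssl-dilithium build, and such draft-era keys and signatures are not interchangeable with a later ML-DSA encoding, so mixing the two in one trustchain tree would surface only as a verification failure on the device. Either drop the dead variable, or use it: write the version into a marker file next to the keys (e.g. `printf '%s\n' "$ml_dsa_version" > "$path/ml-dsa-version"`) and have the consumers check it. The comment above `trustchain_name` should state the intent rather than the history, e.g. `# Root trust chain directory name (chipset-keygen 35952ad); the older rootrsa-N/rootkey-N layouts are no longer recognised`.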
@@ -356,79 +356,79 @@
ml_dsa_version=""
parse_main() {
- local i=0
- local argv=()
- for arg in "$@" ; do
- argv[$i]="$arg"
- i=$((i + 1))
- done
+ local i=0
+ local argv=()
+ for arg in "$@" ; do
+ argv[$i]="$arg"
+ i=$((i + 1))
+ done
- i=0
- while [ $i -lt $# ]; do
- arg="${argv[$i]}"
- i=$((i + 1))
- case "$arg" in
- -h|--help)
- usage
- break
- ;;
- -v|--version)
- echo "Version $version";
- exit 0
- ;;
- --key-dir)
- key_dir="${argv[$i]}"
- check_dir "${key_dir}"
- ;;
- --project)
- part="${argv[$i]}"
- ;;
- # Backward compatible
- --size)
- rsa_size="${argv[$i]}"
- ;;
- --rsa-size)
- rsa_size="${argv[$i]}"
- ;;
- --stage)
- stage="${argv[$i]}"
- ;;
- --fw-type)
- fw_type="${argv[$i]}"
- ;;
- --gen-sig)
- gen_sig=1
- i=$((i - 1))
- ;;
- --verify-sig)
- verify_sig=1
- i=$((i - 1))
- ;;
- --link-gen-file)
- link_gen_file="${argv[$i]}"
- ;;
- --link-lvl3-to-lvl2-file)
- link_lvl3_to_lvl2_file="${argv[$i]}"
- ;;
- --sig-scheme)
- sig_scheme="${argv[$i]}"
- ;;
- --prefix)
- prefix_name="${argv[$i]}"
- ;;
- --ml-dsa-level)
- ml_dsa_level="${argv[$i]}"
- ;;
- --ml-dsa-version)
- ml_dsa_version="${argv[$i]}"
- ;;
- *)
- echo "Unknown option $arg";
- usage
- ;;
- esac
- i=$((i + 1))
- done
+ i=0
+ while [ $i -lt $# ]; do
+ arg="${argv[$i]}"
+ i=$((i + 1))
+ case "$arg" in
+ -h|--help)
+ usage
+ break
+ ;;
+ -v|--version)
+ echo "Version $version";
+ exit 0
+ ;;
+ --key-dir)
+ key_dir="${argv[$i]}"
+ check_dir "${key_dir}"
+ ;;
+ --project)
+ part="${argv[$i]}"
+ ;;
+ # Backward compatible
+ --size)
+ rsa_size="${argv[$i]}"
+ ;;
+ --rsa-size)
+ rsa_size="${argv[$i]}"
+ ;;
+ --stage)
+ stage="${argv[$i]}"
+ ;;
+ --fw-type)
+ fw_type="${argv[$i]}"
+ ;;
+ --gen-sig)
+ gen_sig=1
+ i=$((i - 1))
+ ;;
+ --verify-sig)
+ verify_sig=1
+ i=$((i - 1))
+ ;;
+ --link-gen-file)
+ link_gen_file="${argv[$i]}"
+ ;;
+ --link-lvl3-to-lvl2-file)
+ link_lvl3_to_lvl2_file="${argv[$i]}"
+ ;;
+ --sig-scheme)
+ sig_scheme="${argv[$i]}"
+ ;;
+ --prefix)
+ prefix_name="${argv[$i]}"
+ ;;
+ --ml-dsa-level)
+ ml_dsa_level="${argv[$i]}"
+ ;;
+ --ml-dsa-version)
+ ml_dsa_version="${argv[$i]}"
+ ;;
+ *)
+ echo "Unknown option $arg";
+ usage
+ ;;
+ esac
+ i=$((i + 1))
+ done
}
parse_main "$@"
@@ -449,33 +449,33 @@
trace " link-lvl3-to-lvl2-file $link_lvl3_to_lvl2_file"
if [ -z "$key_dir" ]; then
- usage
+ usage
fi
if [ -z "$rsa_size" ]; then
- rsa_size=4096
+ rsa_size=4096
fi
if [ -z "$ml_dsa_level" ]; then
- ml_dsa_level=3
+ ml_dsa_level=3
fi
if [ -z "$sig_scheme" ]; then
- sig_scheme="rsa"
+ sig_scheme="rsa"
fi
if [ -z "$prefix_name" ]; then
- prefix_name="cs"
+ prefix_name="cs"
fi
if [ -z "$stage" ]; then
- usage
+ usage
fi
tmp=${rsa_size_list[$rsa_size]}
if [ "$tmp" == "" ]; then
- echo "Error: Invalid RSA key size $rsa_size"
- usage
+ echo "Error: Invalid RSA key size $rsa_size"
+ usage
fi
#
@@ -484,375 +484,388 @@
#
tmp=${stage_list[$stage]}
if [ "$tmp" == "" ]; then
- echo "Error: Invalid stage $stage"
- usage
+ echo "Error: Invalid stage $stage"
+ usage
fi
PREFIX=${prefix_name_list[$prefix_name]}
if [ "$PREFIX" == "" ] && [ "$prefix_name" != "none" ]; then
- echo "Error: Invalid prefix $prefix_name"
- usage
+ echo "Error: Invalid prefix $prefix_name"
+ usage
fi
tmp=${sig_scheme_list[$sig_scheme]}
if [ "${tmp}" == "" ]; then
- echo "Error: Invalid signature scheme $sig_scheme"
- usage
+ echo "Error: Invalid signature scheme $sig_scheme"
+ usage
fi
sig_scheme=$tmp
if [ ${sig_scheme} == "mldsa" ] || [ ${sig_scheme} == "rsa-mldsa" ]; then
- if [ -z "$ml_dsa_version" ]; then
- echo "Error: Missing ML-DSA version"
- usage
- fi
+ if [ -z "$ml_dsa_version" ]; then
+ echo "Error: Missing ML-DSA version"
+ usage
+ fi
- tmp=${ml_dsa_level_list[$ml_dsa_level]}
- if [ "$tmp" == "" ]; then
- echo "Error: Invalid ML-DSA key level $ml_dsa_level"
- usage
- fi
-
- tmp=${ml_dsa_version_list[$ml_dsa_version]}
- if [ "$tmp" == "" ]; then
- echo "Error: Invalid ML-DSA version $ml_dsa_version"
- usage
- fi
+ tmp=${ml_dsa_level_list[$ml_dsa_level]}
+ if [ "$tmp" == "" ]; then
+ echo "Error: Invalid ML-DSA key level $ml_dsa_level"
+ usage
+ fi
+
+ tmp=${ml_dsa_version_list[$ml_dsa_version]}
+ if [ "$tmp" == "" ]; then
+ echo "Error: Invalid ML-DSA version $ml_dsa_version"
+ usage
+ fi
fi
if [ ${sig_scheme} == "rsa" ]; then
- is_rsa=1
- is_ml_dsa=0
- is_hybrid=0
- rootchain_name="rsa"
+ is_rsa=1
+ is_ml_dsa=0
+ is_hybrid=0
+ sig_scheme_version=${sig_scheme}
fi
if [ ${sig_scheme} == "mldsa" ]; then
- is_rsa=0
- is_ml_dsa=1
- is_hybrid=0
- rootchain_name="key"
- if [ "${ml_dsa_version}" != "final" ]; then
- sig_scheme=${sig_scheme}-${ml_dsa_version}
- ml_dsa_algo_name=${ml_dsa_algo_name}-${ml_dsa_version}
- fi
+ is_rsa=0
+ is_ml_dsa=1
+ is_hybrid=0
+ if [ "${ml_dsa_version}" != "final" ]; then
+ sig_scheme_version=${sig_scheme}-${ml_dsa_version}
+ ml_dsa_algo_name=${ml_dsa_algo_name}-${ml_dsa_version}
+ fi
fi
if [ ${sig_scheme} == "rsa-mldsa" ]; then
- is_rsa=1
- is_ml_dsa=1
- is_hybrid=1
- rootchain_name="key"
- if [ "${ml_dsa_version}" != "final" ]; then
- sig_scheme=${sig_scheme}-${ml_dsa_version}
- ml_dsa_algo_name=${ml_dsa_algo_name}-${ml_dsa_version}
- fi
+ is_rsa=1
+ is_ml_dsa=1
+ is_hybrid=1
+ if [ "${ml_dsa_version}" != "final" ]; then
+ sig_scheme_version=${sig_scheme}-${ml_dsa_version}
+ ml_dsa_algo_name=${ml_dsa_algo_name}-${ml_dsa_version}
+ fi
fi
root_key_path=${key_dir}/root/${sig_scheme}
boot_blobs_key_root=${key_dir}/boot-blobs/${sig_scheme}
fip_key_root=${key_dir}/fip/${sig_scheme}
boot_blobs_key_rel_to_fip_path=../../boot-blobs/${sig_scheme}
-fw_key_root=${key_dir}/firmware/${sig_scheme}
-ta_key_root=${key_dir}/ta/${sig_scheme}
+fw_key_root=${key_dir}/firmware/rsa
+ta_key_root=${key_dir}/ta/rsa
if [ ! -z "$part" ]; then
- root_key_path=${root_key_path}/$part
- boot_blobs_key_root=${boot_blobs_key_root}/$part
- fip_key_root=${fip_key_root}/$part
- boot_blobs_key_rel_to_fip_path=../../../boot-blobs/${sig_scheme}/$part
- fw_key_root=${fw_key_root}/$part
- ta_key_root=${ta_key_root}/$part
+ root_key_path=${root_key_path}/$part
+ boot_blobs_key_root=${boot_blobs_key_root}/$part
+ fip_key_root=${fip_key_root}/$part
+ boot_blobs_key_rel_to_fip_path=../../../boot-blobs/${sig_scheme}/$part
+ fw_key_root=${fw_key_root}/$part
+ ta_key_root=${ta_key_root}/$part
fi
-trace " PREFIX $PREFIX"
-trace " rsa-size $rsa_size"
-trace " ml-dsa-level $ml_dsa_level"
-trace "ml-dsa-version $ml_dsa_version"
-trace " sig-scheme $sig_scheme"
-trace " is_rsa $is_rsa"
-trace " is_ml_dsa $is_ml_dsa"
-trace " is_hybrid $is_hybrid"
+trace " PREFIX $PREFIX"
+trace " rsa-size $rsa_size"
+trace " ml-dsa-level $ml_dsa_level"
+trace " ml-dsa-version $ml_dsa_version"
+trace " sig-scheme $sig_scheme"
+trace "sig-scheme-version $sig_scheme_version"
+trace " is_rsa $is_rsa"
+trace " is_ml_dsa $is_ml_dsa"
+trace " is_hybrid $is_hybrid"
if [ $gen_sig -eq 1 ]; then
- if [ $stage == "root" ]; then
- rsa_sig "Root" "${root_key_path}/key" "${PREFIX}root${rsa_algo_name}-0 ${PREFIX}root${rsa_algo_name}-1 ${PREFIX}root${rsa_algo_name}-2 ${PREFIX}root${rsa_algo_name}-3" "root" "sign"
- ml_dsa_sig "Root" "${root_key_path}/key" "${PREFIX}root${ml_dsa_algo_name}-0 ${PREFIX}root${ml_dsa_algo_name}-1 ${PREFIX}root${ml_dsa_algo_name}-2 ${PREFIX}root${ml_dsa_algo_name}-3" "root" "sign"
- fi
+ if [ $stage == "root" ]; then
+ rsa_sig "Root" "${root_key_path}/key" "${PREFIX}root${rsa_algo_name}-0 ${PREFIX}root${rsa_algo_name}-1 ${PREFIX}root${rsa_algo_name}-2 ${PREFIX}root${rsa_algo_name}-3" "root" "sign"
+ ml_dsa_sig "Root" "${root_key_path}/key" "${PREFIX}root${ml_dsa_algo_name}-0 ${PREFIX}root${ml_dsa_algo_name}-1 ${PREFIX}root${ml_dsa_algo_name}-2 ${PREFIX}root${ml_dsa_algo_name}-3" "root" "sign"
+ fi
+
+ if [ $stage == "boot-blobs" ]; then
+ for i in 0 1 2 3
+ do
+ boot_blobs_key_path=${boot_blobs_key_root}/${trustchain_name}-${i}
+ trace " boot_blobs_key_path ${boot_blobs_key_path}"
+
+ rsa_sig "${PREFIX}lvl1/2-$i" "${boot_blobs_key_path}/key" "${PREFIX}level-1-${rsa_algo_name} ${PREFIX}level-2-${rsa_algo_name}" "boot-blobs-$i" "sign"
+ ml_dsa_sig "${PREFIX}lvl1/2-$i" "${boot_blobs_key_path}/key" "${PREFIX}level-1-${ml_dsa_algo_name} ${PREFIX}level-2-${ml_dsa_algo_name}" "boot-blobs-$i" "sign"
+ done
+ fi
- if [ $stage == "boot-blobs" ]; then
- for i in 0 1 2 3
- do
- boot_blobs_key_path=${boot_blobs_key_root}/root${rootchain_name}-${i}
- trace " boot_blobs_key_path ${boot_blobs_key_path}"
-
- rsa_sig "${PREFIX}lvl1/2-$i" "${boot_blobs_key_path}/key" "${PREFIX}level-1-${rsa_algo_name} ${PREFIX}level-2-${rsa_algo_name}" "boot-blobs-$i" "sign"
- ml_dsa_sig "${PREFIX}lvl1/2-$i" "${boot_blobs_key_path}/key" "${PREFIX}level-1-${ml_dsa_algo_name} ${PREFIX}level-2-${ml_dsa_algo_name}" "boot-blobs-$i" "sign"
- done
- fi
+ if [ $stage == "fip" ]; then
+ for i in 0 1 2 3
+ do
+ fip_key_path=${fip_key_root}/${trustchain_name}-${i}
+ trace " fip_key_path ${fip_key_path}"
- if [ $stage == "fip" ]; then
- for i in 0 1 2 3
- do
- fip_key_path=${fip_key_root}/root${rootchain_name}-${i}
- trace " fip_key_path ${fip_key_path}"
- rsa_sig "${PREFIX}fip-$i" "${fip_key_path}/key" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}" "fip-$i" "sign"
- ml_dsa_sig "${PREFIX}fip-$i" "${fip_key_path}/key" "${PREFIX}bl31-level-3-${ml_dsa_algo_name} ${PREFIX}bl32-level-3-${ml_dsa_algo_name} ${PREFIX}bl40-level-3-${ml_dsa_algo_name}" "fip-$i" "sign"
- done
- fi
+ rsa_sig "${PREFIX}fip-$i" "${fip_key_path}/key" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}" "fip-$i" "sign"
+ ml_dsa_sig "${PREFIX}fip-$i" "${fip_key_path}/key" "${PREFIX}bl31-level-3-${ml_dsa_algo_name} ${PREFIX}bl32-level-3-${ml_dsa_algo_name} ${PREFIX}bl40-level-3-${ml_dsa_algo_name}" "fip-$i" "sign"
+ done
+ fi
- if [ $stage == "fw" ]; then
- # HACK: Force is_dsa to 1 in case of FIP as no PQC support for FW
- is_rsa=1
- for i in ${fw_type}
- do
- fw_key_path=${fw_key_root}/${i}
- trace " fw_key_path ${fw_key_path}"
-
- rsa_sig $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${rsa_algo_name}" "fw-$i" "sign"
- # No ML-DSA for FW
- #ml_dsa_sig $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${ml_dsa_algo_name}" "fw-$i" "sign"
- done
- fi
+ if [ $stage == "fw" ]; then
+ # HACK: Force is_dsa to 1 as no PQC support for FW
+ is_rsa=1
+ for i in ${fw_type}
+ do
+ fw_key_path=${fw_key_root}/${i}
+ trace " fw_key_path ${fw_key_path}"
- if [ $stage == "ta" ]; then
- # HACK: Force is_dsa to 1 in case of FIP as no PQC support for TA
- is_rsa=1
- for i in rsk
- do
- ta_key_path=${ta_key_root}/${i}
- trace " ta_key_path ${ta_key_path}"
+ rsa_sig $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${rsa_algo_name}" "fw-$i" "sign"
+ # No ML-DSA for FW
+ #ml_dsa_sig $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${ml_dsa_algo_name}" "fw-$i" "sign"
+ done
+ fi
- rsa_sig $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${rsa_algo_name}" "ta-$i" "sign"
- # No ML-DSA for TA
- #ml_dsa_sig $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${ml_dsa_algo_name}" "ta-$i" "sign"
- done
- fi
+ if [ $stage == "ta" ]; then
+ # HACK: Force is_dsa to 1 as no PQC support for TA
+ is_rsa=1
+ for i in rsk
+ do
+ ta_key_path=${ta_key_root}/${i}
+ trace " ta_key_path ${ta_key_path}"
- #
- # HACK: Set stage to un-supported name to skip generation
- #
- stage="skip"
+ rsa_sig $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${rsa_algo_name}" "ta-$i" "sign"
+ # No ML-DSA for TA
+ #ml_dsa_sig $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${ml_dsa_algo_name}" "ta-$i" "sign"
+ done
+ fi
+
+ #
+ # HACK: Set stage to un-supported name to skip generation
+ #
+ stage="skip"
fi
if [ $verify_sig -eq 1 ]; then
- if [ $stage == "root" ]; then
- rsa_sig "Root" "${root_key_path}/key" "${PREFIX}root${rsa_algo_name}-0 ${PREFIX}root${rsa_algo_name}-1 ${PREFIX}root${rsa_algo_name}-2 ${PREFIX}root${rsa_algo_name}-3" "root" "verify"
- ml_dsa_sig "Root" "${root_key_path}/key" "${PREFIX}root${ml_dsa_algo_name}-0 ${PREFIX}root${ml_dsa_algo_name}-1 ${PREFIX}root${ml_dsa_algo_name}-2 ${PREFIX}root${ml_dsa_algo_name}-3" "root" "verify"
- fi
+ if [ $stage == "root" ]; then
+ rsa_sig "Root" "${root_key_path}/key" "${PREFIX}root${rsa_algo_name}-0 ${PREFIX}root${rsa_algo_name}-1 ${PREFIX}root${rsa_algo_name}-2 ${PREFIX}root${rsa_algo_name}-3" "root" "verify"
+ ml_dsa_sig "Root" "${root_key_path}/key" "${PREFIX}root${ml_dsa_algo_name}-0 ${PREFIX}root${ml_dsa_algo_name}-1 ${PREFIX}root${ml_dsa_algo_name}-2 ${PREFIX}root${ml_dsa_algo_name}-3" "root" "verify"
+ fi
- if [ $stage == "boot-blobs" ]; then
- for i in 0 1 2 3
- do
- boot_blobs_key_path=${boot_blobs_key_root}/root${rootchain_name}-${i}
- trace " boot_blobs_key_path ${boot_blobs_key_path}"
+ if [ $stage == "boot-blobs" ]; then
+ for i in 0 1 2 3
+ do
+ boot_blobs_key_path=${boot_blobs_key_root}/${trustchain_name}-${i}
+ trace " boot_blobs_key_path ${boot_blobs_key_path}"
- rsa_sig "${PREFIX}lvl1/2-$i" "${boot_blobs_key_path}/key" "${PREFIX}level-1-${rsa_algo_name} ${PREFIX}level-2-${rsa_algo_name}" "boot-blobs-$i" "verify"
- ml_dsa_sig "${PREFIX}lvl1/2-$i" "${boot_blobs_key_path}/key" "${PREFIX}level-1-${ml_dsa_algo_name} ${PREFIX}level-2-${ml_dsa_algo_name}" "boot-blobs-$i" "verify"
- done
- fi
+ rsa_sig "${PREFIX}lvl1/2-$i" "${boot_blobs_key_path}/key" "${PREFIX}level-1-${rsa_algo_name} ${PREFIX}level-2-${rsa_algo_name}" "boot-blobs-$i" "verify"
+ ml_dsa_sig "${PREFIX}lvl1/2-$i" "${boot_blobs_key_path}/key" "${PREFIX}level-1-${ml_dsa_algo_name} ${PREFIX}level-2-${ml_dsa_algo_name}" "boot-blobs-$i" "verify"
+ done
+ fi
- if [ $stage == "fip" ]; then
- for i in 0 1 2 3
- do
- fip_key_path=${fip_key_root}/root${rootchain_name}-${i}
- trace " fip_key_path ${fip_key_path}"
+ if [ $stage == "fip" ]; then
+ for i in 0 1 2 3
+ do
+ fip_key_path=${fip_key_root}/${trustchain_name}-${i}
+ trace " fip_key_path ${fip_key_path}"
- rsa_sig "${PREFIX}fip-$i" "${fip_key_path}/key" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}" "fip-$i" "verify"
- ml_dsa_sig "${PREFIX}fip-$i" "${fip_key_path}/key" "${PREFIX}bl31-level-3-${ml_dsa_algo_name} ${PREFIX}bl32-level-3-${ml_dsa_algo_name} ${PREFIX}bl40-level-3-${ml_dsa_algo_name}" "fip-$i" "verify"
- done
- fi
+ rsa_sig "${PREFIX}fip-$i" "${fip_key_path}/key" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}" "fip-$i" "verify"
+ ml_dsa_sig "${PREFIX}fip-$i" "${fip_key_path}/key" "${PREFIX}bl31-level-3-${ml_dsa_algo_name} ${PREFIX}bl32-level-3-${ml_dsa_algo_name} ${PREFIX}bl40-level-3-${ml_dsa_algo_name}" "fip-$i" "verify"
+ done
+ fi
- if [ $stage == "fw" ]; then
- # HACK: Force is_dsa to 1 in case of FIP as no PQC support for FW
- is_rsa=1
- for i in ${fw_type}
- do
- fw_key_path=${fw_key_root}/${i}
- trace " fw_key_path ${fw_key_path}"
+ if [ $stage == "fw" ]; then
+ # HACK: Force is_dsa to 1 as no PQC support for FW
+ is_rsa=1
+ for i in ${fw_type}
+ do
+ fw_key_path=${fw_key_root}/${i}
+ trace " fw_key_path ${fw_key_path}"
- rsa_sig $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${rsa_algo_name}" "fw-$i" "verify"
- # No ML-DSA for FW
- #ml_dsa_sig $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${ml_dsa_algo_name}" "fw-$i" "verify"
- done
- fi
+ rsa_sig $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${rsa_algo_name}" "fw-$i" "verify"
+ # No ML-DSA for FW
+ #ml_dsa_sig $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${ml_dsa_algo_name}" "fw-$i" "verify"
+ done
+ fi
- if [ $stage == "ta" ]; then
- # HACK: Force is_dsa to 1 in case of FIP as no PQC support for TA
- is_rsa=1
- for i in rsk
- do
- ta_key_path=${ta_key_root}/${i}
- trace " ta_key_path ${ta_key_path}"
-
- rsa_sig $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${rsa_algo_name}" "ta-$i" "verify"
- # No ML-DSA for TA
- #ml_dsa_sig $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${ml_dsa_algo_name}" "ta-$i" "verify"
- done
- fi
+ if [ $stage == "ta" ]; then
+ # HACK: Force is_dsa to 1 as no PQC support for TA
+ is_rsa=1
+ for i in rsk
+ do
+ ta_key_path=${ta_key_root}/${i}
+ trace " ta_key_path ${ta_key_path}"
+
+ rsa_sig $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${rsa_algo_name}" "ta-$i" "verify"
+ # No ML-DSA for TA
+ #ml_dsa_sig $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${ml_dsa_algo_name}" "ta-$i" "verify"
+ done
+ fi
- #
- # HACK: Set stage to un-supported name to skip generation
- #
- stage="skip"
+ #
+ # HACK: Set stage to un-supported name to skip generation
+ #
+ stage="skip"
fi
if [ $stage == "root" ]; then
- trace " root_key_path ${root_key_path}"
- mkdir -p ${root_key_path}/key
- mkdir -p ${root_key_path}/epk
- mkdir -p ${root_key_path}/nonce
+ trace " root_key_path ${root_key_path}"
+ mkdir -p ${root_key_path}/key
+ mkdir -p ${root_key_path}/epk
+ mkdir -p ${root_key_path}/nonce
- echo "Generate Root keys"
+ echo "Generate Root keys"
- rsa_gen "Root" "$root_key_path/key" "${PREFIX}root${rsa_algo_name}-0 ${PREFIX}root${rsa_algo_name}-1 ${PREFIX}root${rsa_algo_name}-2 ${PREFIX}root${rsa_algo_name}-3" $rsa_size
- ml_dsa_gen "Root" "$root_key_path/key" "${PREFIX}root${ml_dsa_algo_name}-0 ${PREFIX}root${ml_dsa_algo_name}-1 ${PREFIX}root${ml_dsa_algo_name}-2 ${PREFIX}root${ml_dsa_algo_name}-3" $ml_dsa_level
+ rsa_gen "Root" "$root_key_path/key" "${PREFIX}root${rsa_algo_name}-0 ${PREFIX}root${rsa_algo_name}-1 ${PREFIX}root${rsa_algo_name}-2 ${PREFIX}root${rsa_algo_name}-3" $rsa_size
+ ml_dsa_gen "Root" "$root_key_path/key" "${PREFIX}root${ml_dsa_algo_name}-0 ${PREFIX}root${ml_dsa_algo_name}-1 ${PREFIX}root${ml_dsa_algo_name}-2 ${PREFIX}root${ml_dsa_algo_name}-3" $ml_dsa_level
- ek_gen "Root" "$root_key_path/epk" "${PREFIX}rootcert-epks.bin"
- nonce_gen "Root" "$root_key_path/nonce" "${PREFIX}root${sig_scheme}-0-nonce.bin ${PREFIX}root${sig_scheme}-1-nonce.bin ${PREFIX}root${sig_scheme}-2-nonce.bin ${PREFIX}root${sig_scheme}-3-nonce.bin"
+ ek_gen "Root" "$root_key_path/epk" "${PREFIX}rootcert-epks.bin"
+ nonce_gen "Root" "$root_key_path/nonce" "${PREFIX}rootkey-0-nonce.bin ${PREFIX}rootkey-1-nonce.bin ${PREFIX}rootkey-2-nonce.bin ${PREFIX}rootkey-3-nonce.bin"
fi
if [ $stage == "boot-blobs" ]; then
- trace " boot_blobs_key_root ${boot_blobs_key_root}"
- mkdir -p ${boot_blobs_key_root}
+ trace " boot_blobs_key_root ${boot_blobs_key_root}"
+ mkdir -p ${boot_blobs_key_root}
- for i in 0 1 2 3
- do
- boot_blobs_key_path=${boot_blobs_key_root}/root${rootchain_name}-${i}
- trace " boot_blobs_key_path ${boot_blobs_key_path}"
+ for i in 0 1 2 3
+ do
+ boot_blobs_key_path=${boot_blobs_key_root}/${trustchain_name}-${i}
+ trace " boot_blobs_key_path ${boot_blobs_key_path}"
- mkdir -p ${boot_blobs_key_path}/key
- mkdir -p ${boot_blobs_key_path}/epk
- mkdir -p ${boot_blobs_key_path}/nonce
+ mkdir -p ${boot_blobs_key_path}/key
+ mkdir -p ${boot_blobs_key_path}/epk
+ mkdir -p ${boot_blobs_key_path}/nonce
- if [ $link_gen_file -eq 1 ]; then
- echo "Generate & link $stage chain #$i key"
- rsa_gen $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-2-${rsa_algo_name}" $rsa_size
- ml_dsa_gen $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-2-${ml_dsa_algo_name}" $ml_dsa_level
- if [ $is_rsa -eq 1 ]; then
- key_link $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-2-${rsa_algo_name}" "${PREFIX}level-1-${rsa_algo_name} ${PREFIX}level-2-${rsa_algo_name}"
- fi
- if [ $is_ml_dsa -eq 1 ]; then
- key_link $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-2-${ml_dsa_algo_name}" "${PREFIX}level-1-${ml_dsa_algo_name} ${PREFIX}level-2-${ml_dsa_algo_name}"
- fi
+ if [ $link_gen_file -eq 1 ]; then
+ echo "Generate & link $stage chain #$i key"
+ rsa_gen $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-2-${rsa_algo_name}" $rsa_size
+ ml_dsa_gen $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-2-${ml_dsa_algo_name}" $ml_dsa_level
+ if [ $is_rsa -eq 1 ]; then
+ key_link $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-2-${rsa_algo_name}" "${PREFIX}level-1-${rsa_algo_name} ${PREFIX}level-2-${rsa_algo_name}"
+ fi
+ if [ $is_ml_dsa -eq 1 ]; then
+ key_link $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-2-${ml_dsa_algo_name}" "${PREFIX}level-1-${ml_dsa_algo_name} ${PREFIX}level-2-${ml_dsa_algo_name}"
+ fi
- # TODO: Nonce and EK should be separated generated and linked here
- ek_gen $i "${boot_blobs_key_path}/epk" "${PREFIX}lvl-1-2-cert-epks.bin"
- nonce_gen $i "${boot_blobs_key_path}/nonce" "${PREFIX}lvl-1-2-${sig_scheme}-nonce.bin"
- ek_link $i "${boot_blobs_key_path}/epk" "${PREFIX}lvl-1-2-cert-epks.bin" "${PREFIX}lvl1cert-epks.bin ${PREFIX}lvl2cert-epks.bin"
- nonce_link $i "${boot_blobs_key_path}/nonce" "${PREFIX}lvl-1-2-${sig_scheme}-nonce.bin" "${PREFIX}lvl1${sig_scheme}-nonce.bin ${PREFIX}lvl2${sig_scheme}-nonce.bin"
- else
- echo "Generate $stage chain #$i key"
- rsa_gen $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-${rsa_algo_name} ${PREFIX}level-2-${rsa_algo_name}" $rsa_size
- ml_dsa_gen $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-${ml_dsa_algo_name} ${PREFIX}level-2-${ml_dsa_algo_name}" $ml_dsa_level
+ # TODO: Nonce and EK should be separated generated and linked here
+ ek_gen $i "${boot_blobs_key_path}/epk" "${PREFIX}lvl-1-2-cert-epks.bin"
+ nonce_gen $i "${boot_blobs_key_path}/nonce" "${PREFIX}lvl-1-2-key-nonce.bin"
+ ek_link $i "${boot_blobs_key_path}/epk" "${PREFIX}lvl-1-2-cert-epks.bin" "${PREFIX}lvl1cert-epks.bin ${PREFIX}lvl2cert-epks.bin"
+ nonce_link $i "${boot_blobs_key_path}/nonce" "${PREFIX}lvl-1-2-key-nonce.bin" "${PREFIX}lvl1key-nonce.bin ${PREFIX}lvl2key-nonce.bin"
+ else
+ echo "Generate $stage chain #$i key"
+ rsa_gen $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-${rsa_algo_name} ${PREFIX}level-2-${rsa_algo_name}" $rsa_size
+ ml_dsa_gen $i "${boot_blobs_key_path}/key" "${PREFIX}level-1-${ml_dsa_algo_name} ${PREFIX}level-2-${ml_dsa_algo_name}" $ml_dsa_level
- # TODO: Nonce and EK should be separated generated and linked here
- ek_gen $i "${boot_blobs_key_path}/epk" "${PREFIX}lvl1cert-epks.bin ${PREFIX}lvl2cert-epks.bin"
- nonce_gen $i "${boot_blobs_key_path}/nonce" "${PREFIX}lvl1${sig_scheme}-nonce.bin ${PREFIX}lvl2${sig_scheme}-nonce.bin"
- fi
- done
+ # TODO: Nonce and EK should be separated generated and linked here
+ ek_gen $i "${boot_blobs_key_path}/epk" "${PREFIX}lvl1cert-epks.bin ${PREFIX}lvl2cert-epks.bin"
+ nonce_gen $i "${boot_blobs_key_path}/nonce" "${PREFIX}lvl1key-nonce.bin ${PREFIX}lvl2key-nonce.bin"
+ fi
+ done
fi
if [ $stage == "fip" ]; then
- trace " fip_key_root ${fip_key_root}"
- mkdir -p ${fip_key_root}
+ trace " fip_key_root ${fip_key_root}"
+ mkdir -p ${fip_key_root}
- # HACK: Force is_dsa to 1 in case of FIP as no PQC support for FIP
- is_rsa=1
- for i in 0 1 2 3
- do
- fip_key_path=${fip_key_root}/root${rootchain_name}-${i}
- trace " fip_key_path ${fip_key_path}"
+ for i in 0 1 2 3
+ do
+ fip_key_path=${fip_key_root}/${trustchain_name}-${i}
+ trace " fip_key_path ${fip_key_path}"
- mkdir -p ${fip_key_path}/key
- mkdir -p ${fip_key_path}/epk
- mkdir -p ${fip_key_path}/nonce
+ mkdir -p ${fip_key_path}/key
+ mkdir -p ${fip_key_path}/epk
+ mkdir -p ${fip_key_path}/nonce
- # Link level-3 keys to level-2 for compatibility
- if [ $link_gen_file -eq 1 ]; then
- echo "Generate & link ${stage^^} chain #$i key"
- rsa_gen $i "${fip_key_path}/key" "${PREFIX}bl3x-level-3-${rsa_algo_name}" $rsa_size
- ek_gen $i "${fip_key_path}/epk" "${PREFIX}bl3x-lvl3cert-epks.bin"
- nonce_gen $i "${fip_key_path}/nonce" "${PREFIX}bl3x-lvl3cert-nonce.bin"
+ # Link level-3 keys to level-2 for compatibility
+ if [ $link_gen_file -eq 1 ]; then
+ echo "Generate & link ${stage^^} chain #$i key"
+ if [ $is_ml_dsa -eq 1 ]; then
+ echo "Error: No compact FIP header support for ML-DSA"
+ exit 1
+ fi
- key_link $i "${fip_key_path}/key" "${PREFIX}bl3x-level-3-${rsa_algo_name}" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}" $rsa_size
- ek_link $i "${fip_key_path}/epk" "${PREFIX}bl3x-lvl3cert-epks.bin" "${PREFIX}bl31-lvl3cert-epks.bin ${PREFIX}bl32-lvl3cert-epks.bin ${PREFIX}bl40-lvl3cert-epks.bin"
- nonce_link $i "${fip_key_path}/nonce" "${PREFIX}bl3x-lvl3cert-nonce.bin" "${PREFIX}bl31-lvl3cert-nonce.bin ${PREFIX}bl32-lvl3cert-nonce.bin ${PREFIX}bl40-lvl3cert-nonce.bin"
- elif [ $link_lvl3_to_lvl2_file -eq 1 ]; then
- # To keep compatibility of old script, create linked Level-3 key to Level-2 key
- #boot_blobs_key_path=${boot_blobs_key_root}/root${rootchain_name}-${i}
- boot_blobs_key_rel_path=../../${boot_blobs_key_rel_to_fip_path}/root${rootchain_name}-${i}
- trace " boot_blobs_key_path ${boot_blobs_key_path}"
+ rsa_gen $i "${fip_key_path}/key" "${PREFIX}bl3x-level-3-${rsa_algo_name}" $rsa_size
+ ek_gen $i "${fip_key_path}/epk" "${PREFIX}bl3x-lvl3cert-epks.bin"
+ nonce_gen $i "${fip_key_path}/nonce" "${PREFIX}bl3x-lvl3key-nonce.bin"
- echo "link ${stage^^} chain #$i to level-2 key"
- key_link $i "${fip_key_path}/key" "${boot_blobs_key_rel_path}/key/${PREFIX}level-2-${rsa_algo_name}" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}"
- key_link $i "${fip_key_path}/key" "${boot_blobs_key_rel_path}/key/${PREFIX}level-2-${ml_dsa_algo_name}" "${PREFIX}bl31-level-3-${ml_dsa_algo_name} ${PREFIX}bl32-level-3-${ml_dsa_algo_name} ${PREFIX}bl40-level-3-${ml_dsa_algo_name}"
- ek_link $i "${fip_key_path}/epk" "${boot_blobs_key_rel_path}/epk/${PREFIX}lvl2cert-epks.bin" "${PREFIX}bl31-lvl3cert-epks.bin ${PREFIX}bl32-lvl3cert-epks.bin ${PREFIX}bl40-lvl3cert-epks.bin"
- nonce_link $i "${fip_key_path}/nonce" "${boot_blobs_key_rel_path}/nonce/${PREFIX}lvl2${sig_scheme}-nonce.bin" "${PREFIX}bl31-lvl3cert-nonce.bin ${PREFIX}bl32-lvl3cert-nonce.bin ${PREFIX}bl40-lvl3cert-nonce.bin"
+ key_link $i "${fip_key_path}/key" "${PREFIX}bl3x-level-3-${rsa_algo_name}" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}" $rsa_size
+ ek_link $i "${fip_key_path}/epk" "${PREFIX}bl3x-lvl3cert-epks.bin" "${PREFIX}bl31-lvl3cert-epks.bin ${PREFIX}bl32-lvl3cert-epks.bin ${PREFIX}bl40-lvl3cert-epks.bin"
+ nonce_link $i "${fip_key_path}/nonce" "${PREFIX}bl3x-lvl3key-nonce.bin" "${PREFIX}bl31-lvl3key-nonce.bin ${PREFIX}bl32-lvl3key-nonce.bin ${PREFIX}bl40-lvl3key-nonce.bin"
+ elif [ $link_lvl3_to_lvl2_file -eq 1 ]; then
+ # To keep compatibility of old script, create linked Level-3 key to Level-2 key
+ #boot_blobs_key_path=${boot_blobs_key_root}/{trustchain_name}-${i}
+ boot_blobs_key_rel_path=../../${boot_blobs_key_rel_to_fip_path}/${trustchain_name}-${i}
+ trace " boot_blobs_key_path ${boot_blobs_key_path}"
- if [ "$prefix_name" == "dv" ] || [ "$prefix_name" == "none" ]; then
- key_link $i "${fip_key_path}/key" "${boot_blobs_key_rel_path}/key/${PREFIX}level-2-${rsa_algo_name}" "${PREFIX}bl30-level-3-${rsa_algo_name} ${PREFIX}bl33-level-3-${rsa_algo_name} ${PREFIX}krnl-level-3-${rsa_algo_name}"
- key_link $i "${fip_key_path}/key" "${boot_blobs_key_rel_path}/key/${PREFIX}level-2-${ml_dsa_algo_name}" "${PREFIX}bl30-level-3-${ml_dsa_algo_name} ${PREFIX}bl33-level-3-${ml_dsa_algo_name} ${PREFIX}krnl-level-3-${ml_dsa_algo_name}"
- ek_link $i "${fip_key_path}/epk" "${boot_blobs_key_rel_path}/epk/${PREFIX}lvl2cert-epks.bin" "${PREFIX}bl30-lvl3cert-epks.bin ${PREFIX}bl33-lvl3cert-epks.bin ${PREFIX}krnl-lvl3cert-epks.bin"
- nonce_link $i "${fip_key_path}/nonce" "${boot_blobs_key_rel_path}/nonce/${PREFIX}lvl2${sig_scheme}-nonce.bin" "${PREFIX}bl30-lvl3cert-nonce.bin ${PREFIX}bl33-lvl3cert-nonce.bin ${PREFIX}krnl-lvl3cert-nonce.bin"
- fi
- else
- echo "Generate ${stage^^} chain #$i key"
- rsa_gen $i "${fip_key_path}/key" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}" $rsa_size
- ek_gen $i "${fip_key_path}/epk" "${PREFIX}bl31-lvl3cert-epks.bin ${PREFIX}bl32-lvl3cert-epks.bin ${PREFIX}bl40-lvl3cert-epks.bin"
- nonce_gen $i "${fip_key_path}/nonce" "${PREFIX}bl31-lvl3cert-nonce.bin ${PREFIX}bl32-lvl3cert-nonce.bin ${PREFIX}bl40-lvl3cert-nonce.bin"
+ echo "link ${stage^^} chain #$i to level-2 key"
+ key_link $i "${fip_key_path}/key" "${boot_blobs_key_rel_path}/key/${PREFIX}level-2-${rsa_algo_name}" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}"
+ if [ $is_ml_dsa -eq 1 ]; then
+ key_link $i "${fip_key_path}/key" "${boot_blobs_key_rel_path}/key/${PREFIX}level-2-${ml_dsa_algo_name}" "${PREFIX}bl31-level-3-${ml_dsa_algo_name} ${PREFIX}bl32-level-3-${ml_dsa_algo_name} ${PREFIX}bl40-level-3-${ml_dsa_algo_name}"
+ fi
+ ek_link $i "${fip_key_path}/epk" "${boot_blobs_key_rel_path}/epk/${PREFIX}lvl2cert-epks.bin" "${PREFIX}bl31-lvl3cert-epks.bin ${PREFIX}bl32-lvl3cert-epks.bin ${PREFIX}bl40-lvl3cert-epks.bin"
+ nonce_link $i "${fip_key_path}/nonce" "${boot_blobs_key_rel_path}/nonce/${PREFIX}lvl2key-nonce.bin" "${PREFIX}bl31-lvl3key-nonce.bin ${PREFIX}bl32-lvl3key-nonce.bin ${PREFIX}bl40-lvl3key-nonce.bin"
- if [ "$prefix_name" == "dv" ] || [ "$prefix_name" == "none" ]; then
- rsa_gen $i "${fip_key_path}/key" "${PREFIX}bl30-level-3-${rsa_algo_name} ${PREFIX}bl33-level-3-${rsa_algo_name} ${PREFIX}krnl-level-3-${rsa_algo_name}" $rsa_size
- ek_gen $i "${fip_key_path}/epk" "${PREFIX}bl30-lvl3cert-epks.bin ${PREFIX}bl33-lvl3cert-epks.bin ${PREFIX}krnl-lvl3cert-epks.bin"
- nonce_gen $i "${fip_key_path}/nonce" "${PREFIX}bl30-dvlvl3cert-nonce.bin ${PREFIX}bl33-dvlvl3cert-nonce.bin ${PREFIX}krnl-dvlvl3cert-nonce.bin"
- fi
- fi
- done
+ if [ "$prefix_name" == "dv" ] || [ "$prefix_name" == "none" ]; then
+ key_link $i "${fip_key_path}/key" "${boot_blobs_key_rel_path}/key/${PREFIX}level-2-${rsa_algo_name}" "${PREFIX}bl30-level-3-${rsa_algo_name} ${PREFIX}bl33-level-3-${rsa_algo_name} ${PREFIX}krnl-level-3-${rsa_algo_name}"
+ if [ $is_ml_dsa -eq 1 ]; then
+ key_link $i "${fip_key_path}/key" "${boot_blobs_key_rel_path}/key/${PREFIX}level-2-${ml_dsa_algo_name}" "${PREFIX}bl30-level-3-${ml_dsa_algo_name} ${PREFIX}bl33-level-3-${ml_dsa_algo_name} ${PREFIX}krnl-level-3-${ml_dsa_algo_name}"
+ fi
+ ek_link $i "${fip_key_path}/epk" "${boot_blobs_key_rel_path}/epk/${PREFIX}lvl2cert-epks.bin" "${PREFIX}bl30-lvl3cert-epks.bin ${PREFIX}bl33-lvl3cert-epks.bin ${PREFIX}krnl-lvl3cert-epks.bin"
+ nonce_link $i "${fip_key_path}/nonce" "${boot_blobs_key_rel_path}/nonce/${PREFIX}lvl2key-nonce.bin" "${PREFIX}bl30-lvl3key-nonce.bin ${PREFIX}bl33-lvl3key-nonce.bin ${PREFIX}krnl-lvl3key-nonce.bin"
+ fi
+ else
+ echo "Generate ${stage^^} chain #$i key"
+ rsa_gen $i "${fip_key_path}/key" "${PREFIX}bl31-level-3-${rsa_algo_name} ${PREFIX}bl32-level-3-${rsa_algo_name} ${PREFIX}bl40-level-3-${rsa_algo_name}" $rsa_size
+ if [ $is_ml_dsa -eq 1 ]; then
+ ml_dsa_gen $i "${fip_key_path}/key" "${PREFIX}bl31-level-3-${ml_dsa_algo_name} ${PREFIX}bl32-level-3-${ml_dsa_algo_name} ${PREFIX}bl40-level-3-${ml_dsa_algo_name}" $ml_dsa_level
+ fi
+ ek_gen $i "${fip_key_path}/epk" "${PREFIX}bl31-lvl3cert-epks.bin ${PREFIX}bl32-lvl3cert-epks.bin ${PREFIX}bl40-lvl3cert-epks.bin"
+ nonce_gen $i "${fip_key_path}/nonce" "${PREFIX}bl31-lvl3key-nonce.bin ${PREFIX}bl32-lvl3key-nonce.bin ${PREFIX}bl40-lvl3key-nonce.bin"
+
+ if [ "$prefix_name" == "dv" ] || [ "$prefix_name" == "none" ]; then
+ rsa_gen $i "${fip_key_path}/key" "${PREFIX}bl30-level-3-${rsa_algo_name} ${PREFIX}bl33-level-3-${rsa_algo_name} ${PREFIX}krnl-level-3-${rsa_algo_name}" $rsa_size
+ if [ $is_ml_dsa -eq 1 ]; then
+ ml_dsa_gen $i "${fip_key_path}/key" "${PREFIX}bl30-level-3-${ml_dsa_algo_name} ${PREFIX}bl33-level-3-${ml_dsa_algo_name} ${PREFIX}krnl-level-3-${ml_dsa_algo_name}" $ml_dsa_level
+ fi
+ ek_gen $i "${fip_key_path}/epk" "${PREFIX}bl30-lvl3cert-epks.bin ${PREFIX}bl33-lvl3cert-epks.bin ${PREFIX}krnl-lvl3cert-epks.bin"
+ nonce_gen $i "${fip_key_path}/nonce" "${PREFIX}bl30-dvlvl3key-nonce.bin ${PREFIX}bl33-dvlvl3key-nonce.bin ${PREFIX}krnl-dvlvl3key-nonce.bin"
+ fi
+ fi
+ done
fi
if [ $stage == "fw" ]; then
- trace " fw_key_root ${fw_key_root}"
- mkdir -p ${fw_key_root}
+ trace " fw_key_root ${fw_key_root}"
+ mkdir -p ${fw_key_root}
- # HACK: Force is_dsa to 1 in case of FIP as no PQC support for FW
- is_rsa=1
+ # HACK: Force is_dsa to 1 in case of FIP as no PQC support for FW
+ is_rsa=1
- # No FW ML-DSA support yet
- for i in ${fw_type}
- do
- fw_key_path=${fw_key_root}/${i}
- trace " fw_key_path ${fw_key_path}"
+ # No FW ML-DSA support yet
+ for i in ${fw_type}
+ do
+ fw_key_path=${fw_key_root}/${i}
+ trace " fw_key_path ${fw_key_path}"
- mkdir -p ${fw_key_path}/key
- mkdir -p ${fw_key_path}/epk
- mkdir -p ${fw_key_path}/nonce
+ mkdir -p ${fw_key_path}/key
+ mkdir -p ${fw_key_path}/epk
+ mkdir -p ${fw_key_path}/nonce
- echo "Generate FW ${i} key"
- rsa_gen $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${rsa_algo_name}" $rsa_size
- ek_gen $i "${fw_key_path}/epk" "${PREFIX}fw-${i}-cert-epks.bin"
- nonce_gen $i "${fw_key_path}/nonce" "${PREFIX}fw-${i}-cert-nonce.bin"
- done
+ echo "Generate FW ${i} key"
+ rsa_gen $i "${fw_key_path}/key" "${PREFIX}fw-${i}-${rsa_algo_name}" $rsa_size
+ ek_gen $i "${fw_key_path}/epk" "${PREFIX}fw-${i}-cert-epks.bin"
+ nonce_gen $i "${fw_key_path}/nonce" "${PREFIX}fw-${i}-key-nonce.bin"
+ done
fi
if [ $stage == "ta" ]; then
- trace " ta_key_root ${ta_key_root}"
- mkdir -p ${ta_key_root}
+ trace " ta_key_root ${ta_key_root}"
+ mkdir -p ${ta_key_root}
- # HACK: Force is_dsa to 1 in case of FIP as no PQC support for TA
- is_rsa=1
+ # HACK: Force is_dsa to 1 in case of FIP as no PQC support for TA
+ is_rsa=1
- # No TA ML-DSA support yet
- for i in rsk
- do
- ta_key_path=${ta_key_root}/${i}
- trace " ta_key_path ${ta_key_path}"
+ # No TA ML-DSA support yet
+ for i in rsk
+ do
+ ta_key_path=${ta_key_root}/${i}
+ trace " ta_key_path ${ta_key_path}"
- mkdir -p ${ta_key_path}/key
- #mkdir -p $ta_key_path/epk
- #mkdir -p $ta_key_path/nonce
+ mkdir -p ${ta_key_path}/key
+ #mkdir -p $ta_key_path/epk
+ #mkdir -p $ta_key_path/nonce
- echo "Generate TA ${i} key"
- rsa_gen $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${rsa_algo_name}" $rsa_size
- #ek_gen $i "${ta_key_path}/epk" "${PREFIX}ta-${i}-cert-epks.bin"
- #nonce_gen $i "${ta_key_path}/nonce" "${PREFIX}ta-${i}-cert-nonce.bin"
- done
+ echo "Generate TA ${i} key"
+ rsa_gen $i "${ta_key_path}/key" "${PREFIX}ta-${i}-${rsa_algo_name}" $rsa_size
+ #ek_gen $i "${ta_key_path}/epk" "${PREFIX}ta-${i}-cert-epks.bin"
+ #nonce_gen $i "${ta_key_path}/nonce" "${PREFIX}ta-${i}-key-nonce.bin"
+ done
fi
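Review bot: `fw_key_root=${key_dir}/firmware/rsa` and `ta_key_root=${key_dir}/ta/rsa` hard-code the scheme directory without a comment while every other key root on the lines above still follows `${sig_scheme}`; a one-liner such as `# FW and TA keys are always RSA: these stages have no PQC support yet` beside the two assignments would stop the next maintainer from "fixing" them back. The `# HACK: Force is_dsa to 1 ...` comments in the fw/ta branches name `is_dsa` although the code sets `is_rsa=1`, and the two copies in the generation stages still read `in case of FIP` after the sign/verify copies dropped that wording; align all four to `# HACK: force is_rsa=1 because FW/TA have no PQC support`. In the fip generation branch the new `ml_dsa_gen` calls are guarded by `is_ml_dsa` while the adjacent `rsa_gen` calls are not, whereas the root stage calls both unguarded — if `rsa_gen`/`ml_dsa_gen` already check `is_rsa`/`is_ml_dsa` internally the new guards are redundant, and if they do not, `rsa_gen` still produces level-3 RSA keys for an `mldsa`-only scheme, so it is worth confirming and making the two stages consistent. The commented-out line `#boot_blobs_key_path=${boot_blobs_key_root}/{trustchain_name}-${i}` is missing the `$` before the brace. `sig_scheme_version` is computed and traced in this hunk but not otherwise consumed here, so its use is presumably elsewhere in the file.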
diff --git a/s6/generate-device-keys/bin/gen_scs_root_hash.sh b/s6/generate-device-keys/bin/gen_scs_root_hash.sh
index 9a61ecd..2f15541 100755
--- a/s6/generate-device-keys/bin/gen_scs_root_hash.sh
+++ b/s6/generate-device-keys/bin/gen_scs_root_hash.sh
@@ -79,11 +79,13 @@
return -1
fi
- local tmp2=${ml_dsa_version_list[$version]}
- if [ "${tmp2}" == "" ]; then
- echo "Error: Invalid ML-DSA version $version"
- return -1
- fi
+ # FIXME: Hardcoded to "draft1"
+ local tmp2="draft1"
+ #local tmp2=${ml_dsa_version_list[$version]}
+ #if [ "${tmp2}" == "" ]; then
+ # echo "Error: Invalid ML-DSA version $version"
+ # return -1
+ #fi
eval $__resultvar="mldsa-${tmp2}"
return 0
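Review bot: Dropping the `ml_dsa_version_list` lookup means `$version` is now accepted unchecked and every caller silently gets `mldsa-draft1`, even when it passed `final`; elsewhere in this file the `[ "${ml_dsa_version}" != "final" ]` branches still key off the version, so the two can disagree without any diagnostic. Until the table is restored, at least make the override visible: `if [ "$version" != "draft1" ]; then echo "Warning: ML-DSA version $version unsupported, using draft1" >&2; fi`. The `return -1` on the context line yields exit status 255 in bash, so callers comparing against -1 will not match; `return 1` is the conventional form. The enclosing function starts outside this hunk.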
@@ -270,9 +272,8 @@
DEVICE_REE_VERS=0x0
DEVICE_SCS_VERS=0x0
-# Default to original root trust chain name (rootrsa) before
-# hybrid PQC introduction
-rootchain_name="rsa"
+# Change root trust chain name from "rootrsa" to "trustchain"
+trustchain_name="trustchain"
is_rsa=1
is_ml_dsa=0
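Review bot: `trustchain_name` is now a fixed string that no trust-chain branch reassigns (the per-chain `rootchain_name=` lines are removed in the three hunks that follow), so mark it as such: `readonly trustchain_name="trustchain"`. That documents the intent better than the comment and stops a later per-chain assignment from silently reintroducing divergent directory names.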
@@ -391,7 +392,6 @@
is_rsa=1
is_ml_dsa=0
is_hybrid=0
- rootchain_name="rsa"
if [ ${trust_chain^^} == "CHIPSET" ]; then
COMMON_CREATE_BOOT_BLOBS_ARGS="--chipset-authen-algorithm=${rsa_algo_name},none"
COMMON_CREATE_DEVICE_FIP_ARGS="--chipset-authen-algorithm=${rsa_algo_name},none"
@@ -404,7 +404,6 @@
is_rsa=0
is_ml_dsa=1
is_hybrid=0
- rootchain_name="key"
if [ "${ml_dsa_version}" != "final" ]; then
sig_scheme_version=${sig_scheme}-${ml_dsa_version}
ml_dsa_algo_name=${ml_dsa_algo_name}-${ml_dsa_version}
@@ -421,7 +420,6 @@
is_rsa=1
is_ml_dsa=1
is_hybrid=1
- rootchain_name="key"
if [ "${ml_dsa_version}" != "final" ]; then
sig_scheme_version=${sig_scheme}-${ml_dsa_version}
ml_dsa_algo_name=${ml_dsa_algo_name}-${ml_dsa_version}
@@ -458,12 +456,15 @@
else
if [ ${trust_chain^^} == "CHIPSET" ]; then
COMMON_CREATE_BOOT_BLOBS_ARGS+=" --device-authen-algorithm=${rsa_algo_name},none"
- COMMON_CREATE_DEVICE_FIP_ARGS+=" --device-authen-algorithm=${rsa_algo_name},none}"
+ COMMON_CREATE_DEVICE_FIP_ARGS+=" --device-authen-algorithm=${rsa_algo_name},none"
fi
fi
+# FIXME: Hard code to "draft1"
+# TODO: Is SOC die passed down during template and signing operation?
if [ ${trust_chain^^} == "DEVICE-VENDOR" ]; then
if [ "$device_soc" == "s6" ]; then
+ #FIXME cs_sig_scheme should be based on template-layout which would indicate CS scheme
cs_sig_scheme="${template_layout:-rsa-mldsa}"
template_ext=".$sig_scheme.$cs_sig_scheme"
else
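Review bot: The new `# FIXME: Hard code to "draft1"` comment does not describe anything in this block; the only hard-coded value here is the `rsa-mldsa` default in `cs_sig_scheme="${template_layout:-rsa-mldsa}"`, and the draft1 hard-coding lives in the ML-DSA version helper earlier in this file. Reword it to match the code it sits above, e.g. `# FIXME: cs_sig_scheme defaults to "rsa-mldsa" when --template-layout is not given; derive it from the layout instead`, and move the draft1 remark next to the helper. Since `template_layout` is caller-supplied and is spliced straight into `template_ext` and later into key paths, a check that it is one of the known scheme names would catch typos before a signing run looks in the wrong directory. The `if [ "$device_soc" == "s6" ]` block continues past the end of this hunk.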
@@ -471,7 +472,6 @@
fi
fi
-
#trace " --> $COMMON_CREATE_BOOT_BLOBS_ARGS"
trace " sig-scheme $sig_scheme"
trace "sig-scheme-version $sig_scheme_version"
@@ -502,30 +502,28 @@
if [ -z "$project" ]; then
BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/rootkey"
- BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/${sig_scheme_version}/"
- BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/${sig_scheme_version}/root${rootchain_name}-${ROOTRSA_INDEX}"
- #BASEDIR_BOOTBLOBS_AESKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/aes/root${sig_scheme_version}-${ROOTRSA_INDEX}/protkey"
- BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/${sig_scheme_version}/root${rootchain_name}-${ROOTRSA_INDEX}"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/${sig_scheme}/"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/${sig_scheme}/${trustchain_name}-${ROOTRSA_INDEX}"
+ #BASEDIR_BOOTBLOBS_AESKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/aes/${trustchain_name}-${ROOTRSA_INDEX}/protkey"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/${sig_scheme}/${trustchain_name}-${ROOTRSA_INDEX}"
BASEDIR_ROOTHASH_OUTPUT="${BASEDIR_RSAKEY_ROOT}/roothash"
- # Use ${sig_scheme_version} for aes and template instead of ${rootchain_name} as they are at same level as ${sig_scheme_version}
- BASEDIR_BOOTBLOBS_PROTKEY_OUTPUT="${BASEDIR_ROOT}/boot-blobs/aes/root${sig_scheme_version}-${ROOTRSA_INDEX}/protkey"
- BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/root${sig_scheme_version}-${ROOTRSA_INDEX}"
- BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/root${sig_scheme_version}-${ROOTRSA_INDEX}"
- BASEDIR_FIP_PROTKEY_OUTPUT="${BASEDIR_ROOT}/fip/aes/root${sig_scheme_version}-${ROOTRSA_INDEX}/protkey"
+ BASEDIR_BOOTBLOBS_PROTKEY_OUTPUT="${BASEDIR_ROOT}/boot-blobs/aes/${trustchain_name}-${ROOTRSA_INDEX}/protkey"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/${trustchain_name}-${ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/${trustchain_name}-${ROOTRSA_INDEX}"
+ BASEDIR_FIP_PROTKEY_OUTPUT="${BASEDIR_ROOT}/fip/aes/${trustchain_name}-${ROOTRSA_INDEX}/protkey"
else
BASEDIR_AESKEY_ROOT="${BASEDIR_ROOT}/root/aes/${project}/rootkey"
- BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/${sig_scheme_version}/${project}"
- BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/${sig_scheme_version}/${project}/root${rootchain_name}-${ROOTRSA_INDEX}"
- #BASEDIR_BOOTBLOBS_AESKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/aes/${project}/root${sig_scheme_version}-${ROOTRSA_INDEX}/protkey"
- BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/${sig_scheme_version}/${project}/root${rootchain_name}-${ROOTRSA_INDEX}"
+ BASEDIR_RSAKEY_ROOT="${BASEDIR_ROOT}/root/${sig_scheme}/${project}"
+ BASEDIR_BOOTBLOBS_RSAKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/${sig_scheme}/${project}/${trustchain_name}-${ROOTRSA_INDEX}"
+ #BASEDIR_BOOTBLOBS_AESKEY_ROOT="${BASEDIR_ROOT}/boot-blobs/aes/${project}/${trustchain_name}-${ROOTRSA_INDEX}/protkey"
+ BASEDIR_FIP_RSAKEY_ROOT="${BASEDIR_ROOT}/fip/${sig_scheme}/${project}/${trustchain_name}-${ROOTRSA_INDEX}"
BASEDIR_ROOTHASH_OUTPUT="${BASEDIR_RSAKEY_ROOT}/roothash"
- BASEDIR_BOOTBLOBS_PROTKEY_OUTPUT="${BASEDIR_ROOT}/boot-blobs/aes/${project}/root${sig_scheme_version}-${ROOTRSA_INDEX}/protkey"
- # Use ${sig_scheme_version} for template instead of ${rootchain_name} as template is at same level as ${sig_scheme_version} for FIP and BOOT-BLOBS
- BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/${project}/root${sig_scheme_version}-${ROOTRSA_INDEX}"
- BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/${project}/root${sig_scheme_version}-${ROOTRSA_INDEX}"
- BASEDIR_FIP_PROTKEY_OUTPUT="${BASEDIR_ROOT}/fip/aes/${project}/root${sig_scheme_version}-${ROOTRSA_INDEX}/protkey"
+ BASEDIR_BOOTBLOBS_PROTKEY_OUTPUT="${BASEDIR_ROOT}/boot-blobs/aes/${project}/${trustchain_name}-${ROOTRSA_INDEX}/protkey"
+ BASEDIR_BOOTBLOBS_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/boot-blobs/template/${project}/${trustchain_name}-${ROOTRSA_INDEX}"
+ BASEDIR_FIP_TEMPLATE_OUTPUT="${BASEDIR_ROOT}/fip/template/${project}/${trustchain_name}-${ROOTRSA_INDEX}"
+ BASEDIR_FIP_PROTKEY_OUTPUT="${BASEDIR_ROOT}/fip/aes/${project}/${trustchain_name}-${ROOTRSA_INDEX}/protkey"
fi
if [ -z "$output_dir" ]; then
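Review bot: Replacing `${sig_scheme_version}` with `${sig_scheme}` in every BASEDIR_* path removes the ML-DSA version from the on-disk layout, so draft1 and final keys of the same scheme now resolve to the same directory (`root/${sig_scheme}/`, `boot-blobs/${sig_scheme}/...`); this matches the `-draft1` suffix dropped in gen-bl3x-blobs.sh, but it means two versions can no longer coexist under one `BASEDIR_ROOT`. The version still appears in file names through `${ml_dsa_algo_name}`, so the checklist later in this file would catch a mismatch only if the file names differ, not if a stale directory is reused. If coexistence is intentional, a comment at the top of this block saying so would help, e.g. `# Key directories are per scheme only; the ML-DSA draft/final version is carried in the key file names`. `sig_scheme_version` is now only traced, so consider whether it still needs computing.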
@@ -593,9 +591,9 @@
PQC_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_RSAKEY_ROOT}/key/${PREFIX}root${ml_dsa_algo_name}-3-pub.pem"
COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_RSAKEY_ROOT}/epk/${PREFIX}rootcert-epks.bin"
-COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_RSAKEY_ROOT}/nonce/${PREFIX}root${sig_scheme_version}-${ROOTRSA_INDEX}-nonce.bin"
+COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_RSAKEY_ROOT}/nonce/${PREFIX}rootkey-${ROOTRSA_INDEX}-nonce.bin"
#check_file "${BASEDIR_RSAKEY_ROOT}/epk/${PREFIX}rootcert-epks.bin"
-#check_file "${BASEDIR_RSAKEY_ROOT}/nonce/${PREFIX}root${sig_scheme_version}-${ROOTRSA_INDEX}-nonce.bin"
+#check_file "${BASEDIR_RSAKEY_ROOT}/nonce/${PREFIX}rootkey-${ROOTRSA_INDEX}-nonce.bin"
RSA_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_RSAKEY_ROOT}/key/${PREFIX}root${rsa_algo_name}-${ROOTRSA_INDEX}-priv.pem"
RSA_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-1-${rsa_algo_name}-pub.pem"
@@ -606,9 +604,9 @@
PQC_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-1-${ml_dsa_algo_name}-pub.pem"
COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/${PREFIX}lvl1cert-epks.bin"
-COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl1${sig_scheme_version}-nonce.bin"
+COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl1key-nonce.bin"
#check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/${PREFIX}lvl1cert-epks.bin"
-#check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl1${sig_scheme_version}-nonce.bin"
+#check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl1key-nonce.bin"
RSA_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-1-${rsa_algo_name}-priv.pem"
RSA_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-2-${rsa_algo_name}-pub.pem"
@@ -619,9 +617,9 @@
PQC_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-2-${ml_dsa_algo_name}-pub.pem"
COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/${PREFIX}lvl2cert-epks.bin"
-COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl2${sig_scheme_version}-nonce.bin"
+COMMON_CREATE_BOOT_BLOBS_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl2key-nonce.bin"
#check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/${PREFIX}lvl2cert-epks.bin"
-#check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl2${sig_scheme_version}-nonce.bin"
+#check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl2key-nonce.bin"
RSA_CREATE_DEVICE_FIP_FILE_CHECKLIST+=" ${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-2-${rsa_algo_name}-priv.pem"
#check_file "${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-2-${rsa_algo_name}-priv.pem"
@@ -699,9 +697,9 @@
# EK is common for all root RSA
# NONCE is per root RSA
COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-epks-${PREFIX_ARG}-rootcert=${BASEDIR_RSAKEY_ROOT}/epk/${PREFIX}rootcert-epks.bin"
-COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-nonce-${PREFIX_ARG}-rootrsa=${BASEDIR_RSAKEY_ROOT}/nonce/${PREFIX}root${sig_scheme_version}-${ROOTRSA_INDEX}-nonce.bin"
+COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-nonce-${PREFIX_ARG}-rootrsa=${BASEDIR_RSAKEY_ROOT}/nonce/${PREFIX}rootkey-${ROOTRSA_INDEX}-nonce.bin"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-${PREFIX_ARG}-rootcert=${BASEDIR_RSAKEY_ROOT}/epk/${PREFIX}rootcert-epks.bin"
-#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-${PREFIX_ARG}-rootrsa=${BASEDIR_RSAKEY_ROOT}/nonce/${PREFIX}root${sig_scheme_version}-${ROOTRSA_INDEX}-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-${PREFIX_ARG}-rootrsa=${BASEDIR_RSAKEY_ROOT}/nonce/${PREFIX}rootkey-${ROOTRSA_INDEX}-nonce.bin"
# Select root RSA to use
COMMON_CREATE_BOOT_BLOBS_ARGS+=" --${PREFIX_ARG}-rootrsa-index=${ROOTRSA_INDEX}"
@@ -717,9 +715,9 @@
PQC_CREATE_BOOT_BLOBS_ARGS+=" --infile-pubkey-${PREFIX_ARG}-lvl1cert-pqc=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-1-${ml_dsa_algo_name}-pub.pem"
COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-epks-${PREFIX_ARG}-lvl1cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/${PREFIX}lvl1cert-epks.bin"
-COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-nonce-${PREFIX_ARG}-lvl1rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl1${sig_scheme_version}-nonce.bin"
+COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-nonce-${PREFIX_ARG}-lvl1rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl1key-nonce.bin"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-${PREFIX_ARG}-lvl1cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/${PREFIX}lvl1cert-epks.bin"
-#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-${PREFIX_ARG}-lvl1rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl1${sig_scheme_version}-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-${PREFIX_ARG}-lvl1rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl1key-nonce.bin"
RSA_CREATE_BOOT_BLOBS_ARGS+=" --infile-signkey-${PREFIX_ARG}-lvl1=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-1-${rsa_algo_name}-priv.pem"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-${PREFIX_ARG}-lvl1=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-1-${rsa_algo_name}-priv.pem"
@@ -731,9 +729,9 @@
PQC_CREATE_BOOT_BLOBS_ARGS+=" --infile-pubkey-${PREFIX_ARG}-lvl2cert-pqc=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-2-${ml_dsa_algo_name}-pub.pem"
COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-epks-${PREFIX_ARG}-lvl2cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/${PREFIX}lvl2cert-epks.bin"
-COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-nonce-${PREFIX_ARG}-lvl2rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl2${sig_scheme_version}-nonce.bin"
+COMMON_CREATE_BOOT_BLOBS_ARGS+=" --infile-nonce-${PREFIX_ARG}-lvl2rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl2key-nonce.bin"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-${PREFIX_ARG}-lvl2cert=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/epk/${PREFIX}lvl2cert-epks.bin"
-#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-${PREFIX_ARG}-lvl2rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl2${sig_scheme_version}-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-${PREFIX_ARG}-lvl2rsa=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/nonce/${PREFIX}lvl2key-nonce.bin"
RSA_CREATE_DEVICE_FIP_ARGS+=" --infile-signkey-${PREFIX_ARG}-lvl2=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-2-${rsa_algo_name}-priv.pem"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-${PREFIX_ARG}-lvl2=${BASEDIR_BOOTBLOBS_RSAKEY_ROOT}/key/${PREFIX}level-2-${rsa_algo_name}-priv.pem"
@@ -742,27 +740,27 @@
### Input: Chipset Level-3 Certs ###
RSA_CREATE_DEVICE_FIP_ARGS+=" --infile-pubkey-bl40-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/${PREFIX}bl40-level-3-${rsa_algo_name}-pub.pem"
RSA_CREATE_DEVICE_FIP_ARGS+=" --infile-epks-bl40-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/${PREFIX}bl40-lvl3cert-epks.bin"
-RSA_CREATE_DEVICE_FIP_CS_ARGS+=" --infile-nonce-bl40-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl40-lvl3cert-nonce.bin"
-RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl40-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl40-lvl3cert-nonce.bin"
+RSA_CREATE_DEVICE_FIP_CS_ARGS+=" --infile-nonce-bl40-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl40-lvl3key-nonce.bin"
+RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl40-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl40-lvl3key-nonce.bin"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-bl40-chipset-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/cs-bl40-level-3-${rsa_algo_name}-pub.pem"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-bl40-chipset-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/cs-bl40-lvl3cert-epks.bin"
-#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl40-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/cs-bl40-lvl3cert-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl40-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/cs-bl40-lvl3key-nonce.bin"
RSA_CREATE_DEVICE_FIP_ARGS+=" --infile-pubkey-bl31-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/${PREFIX}bl31-level-3-${rsa_algo_name}-pub.pem"
RSA_CREATE_DEVICE_FIP_ARGS+=" --infile-epks-bl31-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/${PREFIX}bl31-lvl3cert-epks.bin"
-RSA_CREATE_DEVICE_FIP_CS_ARGS+=" --infile-nonce-bl31-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl31-lvl3cert-nonce.bin"
-RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl31-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl31-lvl3cert-nonce.bin"
+RSA_CREATE_DEVICE_FIP_CS_ARGS+=" --infile-nonce-bl31-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl31-lvl3key-nonce.bin"
+RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl31-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl31-lvl3key-nonce.bin"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-bl31-chipset-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/cs-bl31-level-3-${rsa_algo_name}-pub.pem"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-bl31-chipset-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/cs-bl31-lvl3cert-epks.bin"
-#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl31-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/cs-bl31-lvl3cert-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl31-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/cs-bl31-lvl3key-nonce.bin"
RSA_CREATE_DEVICE_FIP_ARGS+=" --infile-pubkey-bl32-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/${PREFIX}bl32-level-3-${rsa_algo_name}-pub.pem"
RSA_CREATE_DEVICE_FIP_ARGS+=" --infile-epks-bl32-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/${PREFIX}bl32-lvl3cert-epks.bin"
-RSA_CREATE_DEVICE_FIP_CS_ARGS+=" --infile-nonce-bl32-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl32-lvl3cert-nonce.bin"
-RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl32-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl32-lvl3cert-nonce.bin"
+RSA_CREATE_DEVICE_FIP_CS_ARGS+=" --infile-nonce-bl32-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl32-lvl3key-nonce.bin"
+RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl32-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/${PREFIX}bl32-lvl3key-nonce.bin"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-pubkey-bl32-chipset-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/cs-bl32-level-3-${rsa_algo_name}-pub.pem"
#BB1ST_ARGS="${BB1ST_ARGS} --infile-epks-bl32-chipset-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/cs-bl32-lvl3cert-epks.bin"
-#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl32-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/cs-bl32-lvl3cert-nonce.bin"
+#BB1ST_ARGS="${BB1ST_ARGS} --infile-nonce-bl32-cslvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/cs-bl32-lvl3key-nonce.bin"
### Input: Chipset Level-3 privae RSA Keys ###
#BB1ST_ARGS="${BB1ST_ARGS} --infile-signkey-bl40-chipset-lvl3=${BASEDIR_FIP_RSAKEY_ROOT}/key/cs-bl40-level-3-rsa-priv.pem"
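Review bot: The level-3 nonce inputs are renamed to `${PREFIX}bl4x-lvl3key-nonce.bin`, but I could not confirm from this diff which generator writes files with that name; the FW nonce generator at the top of this chunk now emits `${PREFIX}fw-${i}-key-nonce.bin`, which is a different pattern. Please confirm the producer and consumer layouts agree before merging, since the checklist only validates names listed in this file and a mismatch would surface as a missing-file error at signing time. The same rename applies to the DV-only hunk that follows.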
@@ -771,13 +769,13 @@
RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-pubkey-bl30-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl30-level-3-${rsa_algo_name}-pub.pem"
RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-epks-bl30-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl30-lvl3cert-epks.bin"
-RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl30-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl30-lvl3cert-nonce.bin"
+RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl30-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl30-lvl3key-nonce.bin"
RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-pubkey-bl33-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/bl33-level-3-${rsa_algo_name}-pub.pem"
RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-epks-bl33-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/bl33-lvl3cert-epks.bin"
-RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl33-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl33-lvl3cert-nonce.bin"
+RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-bl33-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/bl33-lvl3key-nonce.bin"
RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-pubkey-krnl-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/key/krnl-level-3-${rsa_algo_name}-pub.pem"
RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-epks-krnl-${PREFIX_ARG}-lvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/epk/krnl-lvl3cert-epks.bin"
-RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-krnl-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/krnl-lvl3cert-nonce.bin"
+RSA_CREATE_DEVICE_FIP_DV_ARGS+=" --infile-nonce-krnl-dvlvl3cert=${BASEDIR_FIP_RSAKEY_ROOT}/nonce/krnl-lvl3key-nonce.bin"
if [ ${with_encryption} -eq 1 ]; then
### Input: Protection RootKey ###
@@ -845,7 +843,7 @@
### Output: hash of root cert ###
if [ ${write_root_hash} -eq 1 ]; then
COMMON_CREATE_BOOT_BLOBS_ARGS+=" --outfile-hash-${PREFIX_ARG}-rootcert=${BASEDIR_OUTPUT_BLOB}/hash-${PREFIX_BS}rootcert-${sig_scheme}.bin"
- #BB1ST_ARGS="${BB1ST_ARGS} --outfile-hash-${PREFIX_ARG}-rootcert=${BASEDIR_OUTPUT_BLOB}/hash-${PREFIX}rootcert.bin.${sig_scheme}"
+ #BB1ST_ARGS="${BB1ST_ARGS} --outfile-hash-${PREFIX_ARG}-rootcert=${BASEDIR_OUTPUT_BLOB}/hash-${PREFIX}rootcert-${sig_scheme}.bin"
fi
### Output: generated protection keys ###
diff --git a/s6/generate-device-keys/gen_all_device_key.sh b/s6/generate-device-keys/gen_all_device_key.sh
index 14fd5c1..1b4b628 100755
--- a/s6/generate-device-keys/gen_all_device_key.sh
+++ b/s6/generate-device-keys/gen_all_device_key.sh
@@ -210,7 +210,7 @@
done
# Link to be compatible with old script
-ln -r -s -v "$key_dir/fip/aes/${part}/root${sig_scheme_full}-${rootkey_index}/protkey" \
+ln -r -s -v "$key_dir/fip/aes/${part}/trustchain-${rootkey_index}/protkey" \
"$key_dir/fip/aes/${part}/protkey"
${EXEC_BASEDIR}/bin/export_dv_scs_signing_keys.sh --key-dir "$key_dir" --out-dir "$output_dir" --rootkey-index "$rootkey_index" --project "$part" --sig-scheme $sig_scheme --template-layout $template_layout
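Review bot: The `trustchain-${rootkey_index}` segment is hard-coded here while gen_scs_root_hash.sh carries the same value in `trustchain_name`, so the two scripts can drift the next time the directory name changes; a shared variable or a comment naming the counterpart, e.g. `# must match trustchain_name in bin/gen_scs_root_hash.sh`, would keep them in step. On the unchanged context line, `$sig_scheme` and `$template_layout` are passed unquoted; `"$sig_scheme"` and `"$template_layout"` avoid word-splitting an empty or malformed value into the export script's option list.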