msm-kernel: add keygen to generate key-pair using openssl

Module signing and dm-verity needs key pair to be generated using openssl. Add keygen file which is needed to generate keys using openssl. Change-Id: Ib3b11c50029e5f58c7b3c3a98cfdefb0c45a7d2b Signed-off-by: Keerthi Gowda Balehalli Satyanarayana <kbalehal@codeaurora.org>
2021-07-13 08:32:53 -07:00 · 2021-07-13 08:32:53 -07:00 · 94bef41ef9
commit 94bef41ef9
parent c726fb53ae
2 changed files with 49 additions and 0 deletions
--- a/build.config.msm.vm
+++ b/build.config.msm.vm
@ -1,6 +1,36 @@
 ################################################################################
 # Common configuration for building kernel for Virtual Machines
 DEFCONFIG="generic_vm_defconfig"
+OPENSSL_DIR=${KERNEL_DIR}/../build/build-tools/path/linux-x86/openssl
+
+append_cmd POST_DEFCONFIG_CMDS 'update_signing_keys_config'
+
+function update_signing_keys_config() {
+	if test -f "${OPENSSL_DIR}"; then
+		${OPENSSL_DIR} req -new -nodes -utf8 -newkey rsa:1024 -days 36500 \
+		             -batch -x509 -config ${KERNEL_DIR}/certs/qcom_x509.genkey \
+		             -outform PEM -out ${OUT_DIR}/verity_cert.pem -keyout ${OUT_DIR}/verity_key.pem
+
+		${OPENSSL_DIR} req -new -nodes -utf8 -sha256 -days 36500 \
+		             -batch -x509 -config ${KERNEL_DIR}/certs/qcom_x509.genkey \
+		             -outform PEM -out ${OUT_DIR}/signing_key.pem -keyout ${OUT_DIR}/signing_key.pem
+
+		${KERNEL_DIR}/scripts/config --file ${OUT_DIR}/.config \
+		--set-str CONFIG_MODULE_SIG_KEY "${OUT_DIR}/signing_key.pem" \
+		--set-str CONFIG_SYSTEM_TRUSTED_KEYS "${OUT_DIR}/verity_cert.pem"
+
+		(cd ${OUT_DIR} && \
+		make ${CC_LD_ARG} O=${OUT_DIR} ${MAKE_ARGS} olddefconfig)
+	fi
+}
+
+append_cmd POST_KERNEL_BUILD_CMDS 'move_signing_keys'
+
+function move_signing_keys() {
+  cp ${OUT_DIR}/signing_key.pem ${OUT_DIR}/certs
+  cp ${OUT_DIR}/verity_key.pem ${OUT_DIR}/certs
+  cp ${OUT_DIR}/verity_cert.pem ${OUT_DIR}/certs
+}

 function build_defconfig_fragments() {
 	if [[ "${VARIANT}" =~ ^(defconfig|debug_defconfig)$ ]]; then
--- a/certs/qcom_x509.genkey
+++ b/certs/qcom_x509.genkey
@ -0,0 +1,19 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+#O = Unspecified company
+CN = Build time autogenerated kernel key
+#emailAddress = unspecified.user@unspecified.company
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid