summaryrefslogtreecommitdiffstats
path: root/libstb/sign-with-local-keys.sh
blob: b78a079bfefe9b10488224e90504f16a4d43e89c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/bin/bash

PAYLOAD=$1
OUTPUT=$2

if [ ! -f $PAYLOAD ]; then
	echo "Can't read PAYLOAD";
	exit 1;
fi

KEYLOC=$3
LABEL=$4

T=$(mktemp -d)
LABEL_ARG=""
if [ ! -z "$LABEL" ]; then
	LABEL_ARG="-L $LABEL"
fi

# Build enough of the container to create the Prefix and Software headers.
# (reuse HW key for SW key P)
./libstb/create-container -a $KEYLOC/hw_key_a.key -b $KEYLOC/hw_key_b.key -c $KEYLOC/hw_key_c.key \
                   -p $KEYLOC/hw_key_a.key \
                    --payload $PAYLOAD --imagefile $OUTPUT $LABEL_ARG \
                    --dumpPrefixHdr $T/prefix_hdr --dumpSwHdr $T/software_hdr

# Sign the Prefix header.
openssl dgst -SHA512 -sign $KEYLOC/hw_key_a.key $T/prefix_hdr > $T/hw_key_a.sig
openssl dgst -SHA512 -sign $KEYLOC/hw_key_b.key $T/prefix_hdr > $T/hw_key_b.sig
openssl dgst -SHA512 -sign $KEYLOC/hw_key_c.key $T/prefix_hdr > $T/hw_key_c.sig

# Sign the Software header.
openssl dgst -SHA512 -sign $KEYLOC/hw_key_a.key $T/software_hdr > $T/sw_key_p.sig

# Build the full container with signatures.
./libstb/create-container -a $KEYLOC/hw_key_a.key -b $KEYLOC/hw_key_b.key -c $KEYLOC/hw_key_c.key \
                   -p $KEYLOC/hw_key_a.key $LABEL_ARG \
                   -A $T/hw_key_a.sig -B $T/hw_key_b.sig -C $T/hw_key_c.sig \
                   -P $T/sw_key_p.sig \
                    --payload $PAYLOAD --imagefile $OUTPUT

rm -rf $T
OpenPOWER on IntegriCloud