Upgrade signing key generation (#379)

* adds the upgrade signing key generation and the partition offset

* use openssl in build.rs instead

tools/gen_key_materials.sh

@@ -26,6 +26,11 @@ generate_crypto_materials () {
   local opensk_key=crypto_data/opensk.key
   local opensk_cert_name=crypto_data/opensk_cert
 
+  # The upgrade private key is used for signing, the corresponding public key
+  # will be COSE encoded and embedded into the firmware.
+  local opensk_upgrade=crypto_data/opensk_upgrade.key
+  local opensk_upgrade_pub=crypto_data/opensk_upgrade_pub.pem
+
   # Allow invoker to override the command with a full path.
   local openssl=${OPENSSL:-$(which openssl)}
 
@@ -88,6 +93,17 @@ generate_crypto_materials () {
       -sha256
   fi
 
+  if [ "${force_generate}" = "Y" -o ! -f "${opensk_upgrade}" ]
+  then
+    "${openssl}" ecparam -genkey -name prime256v1 -out "${opensk_upgrade}"
+    rm -f "${opensk_upgrade_pub}"
+  fi
+
+  if [ "${force_generate}" = "Y" -o ! -f "${opensk_upgrade_pub}" ]
+  then
+    "${openssl}" ec -in "${opensk_upgrade}" -pubout -out "${opensk_upgrade_pub}"
+  fi
+
   if [ "${force_generate}" = "Y" -o ! -f "${aaguid_file}" ]
   then
     uuidgen > "${aaguid_file}"