Use the new developer keys to sign things. (submit for Bill)

build_image

 #!/bin/bash
 
 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Script to build a bootable keyfob-based chromeos system image from within
 # a chromiumos setup. This assumes that all needed packages have been built into
 # the given target's root with binary packages turned on. This script will
 # build the Chrome OS image using only pre-built binary packages.
@@ skipping 274 matching lines @@
 
   # TODO(wad) mount the root fs to LOOP_DEV from the image
   trap "mount_gpt_cleanup" EXIT
   ${SCRIPTS_DIR}/mount_gpt_image.sh --from "${OUTPUT_DIR}" \
     --image "${image_name}" -r "${ROOT_FS_DIR}" \
     -s "${STATEFUL_FS_DIR}" -e "${ESP_FS_DIR}"
 
   sudo mount -o remount,ro "${ROOT_FS_DIR}"
   root_dev=$(mount | grep -- "${ROOT_FS_DIR}" | cut -f1 -d' ' | tail -1)
 
+  DEVKEYSDIR="${SRC_ROOT}/platform/vboot_reference/tests/devkeys"
+
   # Builds the kernel partition image.  The temporary files are kept around
   # so that we can perform a load_kernel_test later on the final image.
   ${SCRIPTS_DIR}/build_kernel_image.sh \
     --arch="${ARCH}" \
     --to="${OUTPUT_DIR}/vmlinuz.image" \
+    --hd_vblock="${OUTPUT_DIR}/vmlinuz_hd.vblock" \
     --vmlinuz="${OUTPUT_DIR}/boot/vmlinuz" \
     --working_dir="${OUTPUT_DIR}" \
     --keep_work \
     --rootfs_image=${root_dev} \
     --rootfs_hash=${OUTPUT_DIR}/rootfs.hash \
     --vboot_hash_alg=${FLAGS_vboot_algorithm} \
     --vboot_tree_depth=${FLAGS_vboot_depth} \
     --vboot_max_ios=${FLAGS_vboot_max_ios} \
     --vboot_error_behavior=${FLAGS_vboot_behavior} \
     --root=${cros_root} \
-    --keys_dir="${SRC_ROOT}/platform/vboot_reference/tests/testkeys"
+    --keys_dir="${DEVKEYSDIR}"
 
   # START_KERN_A is set by the first call to install the gpt.
   local koffset="$(partoffset ${OUTPUT_DIR}/${image_name} 2)"
   sudo dd if="${OUTPUT_DIR}/vmlinuz.image" of="${OUTPUT_DIR}/${image_name}" \
     conv=notrunc bs=512 seek=${koffset}
 
   # Populate the legacy/efi bootloader partition.
   local kernel_part="--kernel_partition='${OUTPUT_DIR}/vmlinuz.image'"
   local bootloader_to="${ESP_FS_IMG}"
   local usb_disk="${FLAGS_usb_disk}"
@@ skipping 271 matching lines @@
 
   # make_image_bootable will clobber vmlinuz.image for x86.
   # Until then, just copy the kernel to vmlinuz.image. It is
   # expected in build_gpt.sh and needed by ARM until it supports the
   # full, signed kernel partition format.
   cp "${ROOT_FS_DIR}/boot/vmlinuz" "${OUTPUT_DIR}/vmlinuz.image"
 
   # Create an empty esp image to be updated in by update_bootloaders.sh.
   ${SCRIPTS_DIR}/create_esp.sh --to="${ESP_FS_IMG}"
 
+  # Move the verification block needed for the hard disk install to the
+  # stateful partition.
+  sudo cp "${OUTPUT_DIR}/vmlinuz_hd.vblock" "${STATEFUL_FS_DIR}"
+
   cleanup
 
   trap delete_prompt EXIT
 
   # Create the GPT-formatted image.
   ${SCRIPTS_DIR}/build_gpt.sh \
     --arch=${ARCH} \
     --board=${FLAGS_board} \
     --arm_extra_bootargs="${FLAGS_arm_extra_bootargs}" \
     --rootfs_partition_size=${FLAGS_rootfs_partition_size} \
@@ skipping 30 matching lines @@
   update_base_packages ${PRISTINE_IMAGE_NAME}
 else
   create_base_image ${PRISTINE_IMAGE_NAME}
 fi
 make_image_bootable ${PRISTINE_IMAGE_NAME}
 
 # FIXME: only signing things for x86 right now.
 if [[ "${ARCH}" = "x86" ]]; then
   # Verify the final image.
   load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \
-    "${OUTPUT_DIR}/kernel_subkey.vbpubk"
+    "${DEVKEYSDIR}/recovery_key.vbpubk"
 fi
 
 # Create a developer image based on the chromium os base image.
 if [ "${FLAGS_withdev}" -eq "${FLAGS_TRUE}" ] ; then
   if [[ ! -f ${DEVELOPER_IMG} ]] ; then
     echo "Creating developer image from base image ${PRISTINE_IMAGE_NAME}"
     cp ${PRISTINE_IMG} ${DEVELOPER_IMG}
   fi
 
   update_dev_packages ${DEVELOPER_IMAGE_NAME}
   make_image_bootable ${DEVELOPER_IMAGE_NAME}
 fi
 
 # Clean up temporary files.
 rm -f "${ROOT_FS_IMG}" "${STATEFUL_FS_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \
-  "${ESP_FS_IMG}" "${OUTPUT_DIR}/kernel.keyblock" \
-  "${OUTPUT_DIR}/kernel_subkey.vbpubk" \
-  "${OUTPUT_DIR}/kernel_subkey.vbprivk" \
-  "${OUTPUT_DIR}/kernel_data_key.vbpubk" \
-  "${OUTPUT_DIR}/kernel_data_key.vbprivk" \
-  "${OEM_FS_IMG}"
+  "${ESP_FS_IMG}" "${OEM_FS_IMG}" "${OUTPUT_DIR}/vmlinuz_hd.vblock"
 rmdir "${ROOT_FS_DIR}" "${STATEFUL_FS_DIR}" "${OEM_FS_DIR}" "${ESP_FS_DIR}"
 
 echo "Done.  Image created in ${OUTPUT_DIR}"
 echo "Chromium OS image created as ${PRISTINE_IMAGE_NAME}"
 if [ "${FLAGS_withdev}" -eq "${FLAGS_TRUE}" ]; then
   echo "Developer image created as ${DEVELOPER_IMAGE_NAME}"
 fi
 
 print_time_elapsed
 
 echo "To copy to USB keyfob, OUTSIDE the chroot, do something like:"
 echo "  ./image_to_usb.sh --from=${OUTSIDE_OUTPUT_DIR} --to=/dev/sdX"
 echo "To convert to VMWare image, OUTSIDE the chroot, do something like:"
 echo "  ./image_to_vmware.sh --from=${OUTSIDE_OUTPUT_DIR}"
 echo "from the scripts directory where you entered the chroot."