Add a script to re-sign Chrome OS images with keys of our choosing.

Add a script to re-sign Chrome OS images with keys of our choosing.

Currently the output of build_image signs the kernel partition with the recovery keys on the final image. This script allows us to replace the kernel vblock and resign the kernel with the right set of keys (for example, using the normal boot path kernel keys, or the keys for factory install, etc.)

BUG=4623
TEST=Tested by running the script on one of the latest builbot images (801) and resigning with test kernel keys. The resulting image was dd-ed off to an SSD and was succesfully able to boot on one of our dev systems with our custom firmware with both dev mode and recovery mode turned off.

To test (can do outside chroot):

1) Download the latest image from the buildbot (I used build 801)
2) Run script with the following arguments and paths adjusted below

resign_image
 --from /path/to/chromiumos_image.bin \
 --datakey /path/to/vboot_reference/tests/devkeys/kernel_data_key.vbprivk \
 --keyblock /path/to/vboot_reference/tests/devkeys/kernel.keyblock \
 --vsubkey /path/to/vboot_reference/tests/devkeys/kernel_subkey.vbpubk \
 --vbutil_dir /path/to/vbutil/binaries
 --to image.out

This re-signs the image with the normal test keys (instead of recovery as done by build_image)

3) Copy the image to an SSD drive

dd if=image.out of=/dev/ssd [replace with the correct device]

4) Boot with the latest custom firmware in normal mode (recovery and dev mode turned off).
5) Profit!

[anush, 2010-07-09 21:34:38]

Drive by. Can we starting naming all new scripts with cros_* prefix and put
them in the crosutils.git:bin/ directory? We want to be able to install the
crosutils scripts in the chroot going forward. And having it all named
cros_* will be easier to find the scripts with tab completion.

Thanks
Anush

On Fri, Jul 9, 2010 at 2:30 PM, <gauravsh@chromium.org> wrote:

> Reviewers: Randall Spangler, Nick Sanders,
>
> Description:
> Add a script to re-sign Chrome OS images with keys of our choosing.
>
> Currently the output of build_image signs the kernel partition with the
> recovery
> keys on the final image. This script allows us to replace the kernel vblock
> and
> resign the kernel with the right set of keys (for example, using the normal
> boot
> path kernel keys, or the keys for factory install, etc.)
>
> BUG=4623
> TEST=Tested by running the script on one of the latest builbot images (801)
> and
> resigning with test kernel keys. The resulting image was dd-ed off to an
> SSD and
> was succesfully able to boot on one of our dev systems with our custom
> firmware
> with both dev mode and recovery mode turned off.
>
> To test (can do outside chroot):
>
> 1) Download the latest image from the buildbot (I used build 801)
> 2) Run script with the following arguments and paths adjusted below
>
> resign_image
>  --from /path/to/chromiumos_image.bin \
>  --datakey /path/to/vboot_reference/tests/devkeys/kernel_data_key.vbprivk \
>  --keyblock /path/to/vboot_reference/tests/devkeys/kernel.keyblock \
>  --vsubkey ~/vbootref/tests/devkeys/kernel_subkey.vbpubk \
>  --vbutil_dir /path/to/vbutil/binaries
>  --to image.out
>
> This re-signs the image with the normal test keys (instead of recovery as
> done
> by build_image)
>
> 3) Copy the image to an SSD drive
>
> dd if=image.out of=/dev/ssd [replace with the correct device]
>
> 4) Boot with the latest custom firmware in normal mode (recovery and dev
> mode
> turned off).
> 5) Profit!
>
> Please review this at http://codereview.chromium.org/2938004/show
>
> SVN Base: ssh://git@chromiumos-git/crosutils.git
>
> Affected files:
>  A resign_image
>
>
>

[Randall Spangler, 2010-07-09 21:39:05]

lgtm, thanks

[gauravsh, 2010-07-09 21:50:10]

Moved and renamed script as per Anush's comment.

Nick: I will wait for your lgtm on this before pushing this. Can you make sure
this will work for your factory install needs as we discussed yesterday. Thanks!

[Nick Sanders, 2010-07-10 00:46:00]

lgtm, 
thanks! this is exactly what I was looking for!