OLD | NEW |
1 #!/bin/bash | 1 #!/bin/bash |
2 | 2 |
3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
8 # | 8 # |
9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
10 # | 10 # |
(...skipping 34 matching lines...)
45 done | 45 done |
46 | 46 |
47 TYPE=$1 | 47 TYPE=$1 |
48 INPUT_IMAGE=$2 | 48 INPUT_IMAGE=$2 |
49 KEY_DIR=$3 | 49 KEY_DIR=$3 |
50 OUTPUT_IMAGE=$4 | 50 OUTPUT_IMAGE=$4 |
51 | 51 |
52 # Re-calculate rootfs hash, update rootfs and kernel command line. | 52 # Re-calculate rootfs hash, update rootfs and kernel command line. |
53 # Args: IMAGE KEYBLOCK PRIVATEKEY | 53 # Args: IMAGE KEYBLOCK PRIVATEKEY |
54 recalculate_rootfs_hash() { | 54 recalculate_rootfs_hash() { |
| 55 echo "Recalculating rootfs" |
55 local image=$1 # Input image. | 56 local image=$1 # Input image. |
56 local keyblock=$2 # Keyblock for re-generating signed kernel partition | 57 local keyblock=$2 # Keyblock for re-generating signed kernel partition |
57 local signprivate=$3 # Private key to use for signing. | 58 local signprivate=$3 # Private key to use for signing. |
58 | 59 |
59 # First, grab the existing kernel partition and get the kernel config. | 60 # First, grab the existing kernel partition and get the kernel config. |
60 temp_kimage=$(make_temp_file) | 61 temp_kimage=$(make_temp_file) |
61 extract_image_partition ${image} 2 ${temp_kimage} | 62 extract_image_partition ${image} 2 ${temp_kimage} |
62 local kernel_config=$(sudo dump_kernel_config ${temp_kimage}) | 63 local kernel_config=$(sudo dump_kernel_config ${temp_kimage}) |
63 local dm_config=$(echo $kernel_config | | 64 local dm_config=$(echo $kernel_config | |
64 sed -e 's/.*dm="\([^"]*\)".*/\1/g' | | 65 sed -e 's/.*dm="\([^"]*\)".*/\1/g' | |
65 cut -f2- -d,) | 66 cut -f2- -d,) |
66 # We extract dm=... portion of the config command line. Here's an example: | 67 # We extract dm=... portion of the config command line. Here's an example: |
67 # | 68 # |
68 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \ | 69 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \ |
69 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2" | 70 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2" |
70 # | 71 # |
71 | 72 |
72 if [ -z ${dm_config} ]; then | 73 if [ -z "${dm_config}" ]; then |
73 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation" | 74 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation" |
74 return | 75 return |
75 fi | 76 fi |
76 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ') | 77 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ') |
77 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ') | 78 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ') |
78 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ') | 79 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ') |
79 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ') | 80 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ') |
80 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ') | 81 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ') |
81 | 82 |
82 # Mount the rootfs and run the verity tool on it. | 83 # Mount the rootfs and run the verity tool on it. |
(...skipping 18 matching lines...)
101 dd if=${hash_image} of=${rootfs_img} bs=512 \ | 102 dd if=${hash_image} of=${rootfs_img} bs=512 \ |
102 seek=${rootfs_sectors} conv=notrunc | 103 seek=${rootfs_sectors} conv=notrunc |
103 | 104 |
104 # Re-calculate kernel partition signature and command line. | 105 # Re-calculate kernel partition signature and command line. |
105 local updated_kimage=$(make_temp_file) | 106 local updated_kimage=$(make_temp_file) |
106 vbutil_kernel --repack ${updated_kimage} \ | 107 vbutil_kernel --repack ${updated_kimage} \ |
107 --keyblock ${keyblock} \ | 108 --keyblock ${keyblock} \ |
108 --signprivate ${signprivate} \ | 109 --signprivate ${signprivate} \ |
109 --oldblob ${temp_kimage} \ | 110 --oldblob ${temp_kimage} \ |
110 --config ${temp_config} | 111 --config ${temp_config} |
111 | 112 |
112 replace_image_partition ${image} 2 ${updated_kimage} | 113 replace_image_partition ${image} 2 ${updated_kimage} |
113 replace_image_partition ${image} 3 ${rootfs_img} | 114 replace_image_partition ${image} 3 ${rootfs_img} |
114 } | 115 } |
115 | 116 |
116 # Extracts the firmware update binaries from the a firmware update | 117 # Extracts the firmware update binaries from the a firmware update |
117 # shell ball (generated by src/platform/firmware/pack_firmware.sh) | 118 # shell ball (generated by src/platform/firmware/pack_firmware.sh) |
118 # Args: INPUT_SCRIPT OUTPUT_DIR | 119 # Args: INPUT_SCRIPT OUTPUT_DIR |
119 get_firmwarebin_from_shellball() { | 120 get_firmwarebin_from_shellball() { |
120 local input=$1 | 121 local input=$1 |
121 local output_dir=$2 | 122 local output_dir=$2 |
122 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ | 123 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ |
123 echo "Extracting firmware autoupdate failed. | 124 echo "Extracting firmware autoupdate failed." && exit 1 |
124 Try re-running with FW_NOUPDATE=1." && exit 1 | |
125 } | 125 } |
126 | 126 |
127 # Re-sign the firmware AU payload inside the image rootfs with a new keys. | 127 # Re-sign the firmware AU payload inside the image rootfs with a new keys. |
128 # Args: IMAGE | 128 # Args: IMAGE |
129 resign_firmware_payload() { | 129 resign_firmware_payload() { |
130 local image=$1 | 130 local image=$1 |
131 | 131 |
132 # Grab firmware image from the autoupdate shellball. | 132 # Grab firmware image from the autoupdate shellball. |
133 local rootfs_dir=$(make_temp_dir) | 133 local rootfs_dir=$(make_temp_dir) |
134 mount_image_partition ${image} 3 ${rootfs_dir} | 134 mount_image_partition ${image} 3 ${rootfs_dir} |
(...skipping 71 matching lines...)
206 # Generate the factory install image. | 206 # Generate the factory install image. |
207 sign_for_factory_install() { | 207 sign_for_factory_install() { |
208 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 208 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
209 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 209 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
210 ${KEY_DIR}/installer_kernel.keyblock | 210 ${KEY_DIR}/installer_kernel.keyblock |
211 echo "Output signed factory install image to ${OUTPUT_IMAGE}" | 211 echo "Output signed factory install image to ${OUTPUT_IMAGE}" |
212 } | 212 } |
213 | 213 |
214 # Firmware payload signing hidden behind a flag until it actually makes | 214 # Firmware payload signing hidden behind a flag until it actually makes |
215 # it into the image. | 215 # it into the image. |
216 if [ ! "${FW_UPDATE}" == "1" ]; then | 216 if [ "${FW_UPDATE}" == "1" ]; then |
217 resign_firmware_payload ${INPUT_IMAGE} | 217 resign_firmware_payload ${INPUT_IMAGE} |
218 fi | 218 fi |
219 | 219 |
220 if [ "${TYPE}" == "ssd" ]; then | 220 if [ "${TYPE}" == "ssd" ]; then |
221 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 221 recalculate_rootfs_hash ${INPUT_IMAGE} \ |
222 ${KEY_DIR}/kernel.keyblock \ | 222 ${KEY_DIR}/kernel.keyblock \ |
223 ${KEY_DIR}/kernel_data_key.vbprivk | 223 ${KEY_DIR}/kernel_data_key.vbprivk |
224 sign_for_ssd | 224 sign_for_ssd |
225 elif [ "${TYPE}" == "recovery" ]; then | 225 elif [ "${TYPE}" == "recovery" ]; then |
226 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 226 recalculate_rootfs_hash ${INPUT_IMAGE} \ |
227 ${KEY_DIR}/recovery_kernel.keyblock \ | 227 ${KEY_DIR}/recovery_kernel.keyblock \ |
228 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 228 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
229 sign_for_recovery | 229 sign_for_recovery |
230 elif [ "${TYPE}" == "install" ]; then | 230 elif [ "${TYPE}" == "install" ]; then |
231 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 231 recalculate_rootfs_hash ${INPUT_IMAGE} \ |
232 ${KEY_DIR}/installer_kernel.keyblock \ | 232 ${KEY_DIR}/installer_kernel.keyblock \ |
233 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 233 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
234 sign_for_factory_install | 234 sign_for_factory_install |
235 else | 235 else |
236 echo "Invalid type ${TYPE}" | 236 echo "Invalid type ${TYPE}" |
237 exit 1 | 237 exit 1 |
238 fi | 238 fi |
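Review bot: In get_firmwarebin_from_shellball (new lines 123-124), `uudecode ... | tar ... || echo "..." && exit 1` parses as `(pipeline || echo ...) && exit 1`, because `||` and `&&` have equal precedence in the shell and associate left to right, so `exit 1` also runs when the extraction succeeds. With the FW_UPDATE test at new line 216 no longer negated, this path is reached only when FW_UPDATE=1, and the signer would then presumably stop before any image is signed (the call site is in the skipped lines, so this is inferred). Group the failure branch instead: `|| { echo "Extracting firmware autoupdate failed." >&2; exit 1; }`. The `2>/dev/null` on tar also hides the reason for a failure, and without `pipefail` only tar's status is tested, so I would drop the redirect and quote `"${input}"` and `"${output_dir}"` while touching this line.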
OLD | NEW |