
Side by Side Diff: scripts/image_signing/sign_official_build.sh

Issue 3106027: Fix signing script: Add missing quotes around string test. (Closed) Base URL: http://src.chromium.org/git/vboot_reference.git
Patch Set: Created 10 years, 4 months ago
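--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -1,10 +1,10 @@
 #!/bin/bash
 
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Sign the final build image using the "official" keys.
 #
 # Prerequisite tools needed in the system path:
 #
@@ -45,38 +45,39 @@
 done
 
 TYPE=$1
 INPUT_IMAGE=$2
 KEY_DIR=$3
 OUTPUT_IMAGE=$4
 
 # Re-calculate rootfs hash, update rootfs and kernel command line.
 # Args: IMAGE KEYBLOCK PRIVATEKEY
 recalculate_rootfs_hash() {
+echo "Recalculating rootfs"
 local image=$1 # Input image.
 local keyblock=$2 # Keyblock for re-generating signed kernel partition
 local signprivate=$3 # Private key to use for signing.
 
 # First, grab the existing kernel partition and get the kernel config.
 temp_kimage=$(make_temp_file)
 extract_image_partition ${image} 2 ${temp_kimage}
 local kernel_config=$(sudo dump_kernel_config ${temp_kimage})
 local dm_config=$(echo $kernel_config |
 sed -e 's/.*dm="\([^"]*\)".*/\1/g' |
 cut -f2- -d,)
 # We extract dm=... portion of the config command line. Here's an example:
 #
 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \
 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2"
 #
 
-if [ -z ${dm_config} ]; then
+if [ -z "${dm_config}" ]; then
 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation"
 return
 fi
 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ')
 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ')
 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ')
 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ')
 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ')
 
 # Mount the rootfs and run the verity tool on it.
@@ -101,34 +102,33 @@
 dd if=${hash_image} of=${rootfs_img} bs=512 \
 seek=${rootfs_sectors} conv=notrunc
 
 # Re-calculate kernel partition signature and command line.
 local updated_kimage=$(make_temp_file)
 vbutil_kernel --repack ${updated_kimage} \
 --keyblock ${keyblock} \
 --signprivate ${signprivate} \
 --oldblob ${temp_kimage} \
 --config ${temp_config}
 
 replace_image_partition ${image} 2 ${updated_kimage}
 replace_image_partition ${image} 3 ${rootfs_img}
 }
 
 # Extracts the firmware update binaries from the a firmware update
 # shell ball (generated by src/platform/firmware/pack_firmware.sh)
 # Args: INPUT_SCRIPT OUTPUT_DIR
 get_firmwarebin_from_shellball() {
 local input=$1
 local output_dir=$2
 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
-echo "Extracting firmware autoupdate failed.
-Try re-running with FW_NOUPDATE=1." && exit 1
+echo "Extracting firmware autoupdate failed." && exit 1
 }
 
 # Re-sign the firmware AU payload inside the image rootfs with a new keys.
 # Args: IMAGE
 resign_firmware_payload() {
 local image=$1
 
 # Grab firmware image from the autoupdate shellball.
 local rootfs_dir=$(make_temp_dir)
 mount_image_partition ${image} 3 ${rootfs_dir}
@@ -206,33 +206,33 @@
 # Generate the factory install image.
 sign_for_factory_install() {
 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
 ${KEY_DIR}/installer_kernel.keyblock
 echo "Output signed factory install image to ${OUTPUT_IMAGE}"
 }
 
 # Firmware payload signing hidden behind a flag until it actually makes
 # it into the image.
-if [ ! "${FW_UPDATE}" == "1" ]; then
+if [ "${FW_UPDATE}" == "1" ]; then
 resign_firmware_payload ${INPUT_IMAGE}
 fi
 
 if [ "${TYPE}" == "ssd" ]; then
 recalculate_rootfs_hash ${INPUT_IMAGE} \
 ${KEY_DIR}/kernel.keyblock \
 ${KEY_DIR}/kernel_data_key.vbprivk
 sign_for_ssd
 elif [ "${TYPE}" == "recovery" ]; then
 recalculate_rootfs_hash ${INPUT_IMAGE} \
 ${KEY_DIR}/recovery_kernel.keyblock \
 ${KEY_DIR}/recovery_kernel_data_key.vbprivk
 sign_for_recovery
 elif [ "${TYPE}" == "install" ]; then
 recalculate_rootfs_hash ${INPUT_IMAGE} \
 ${KEY_DIR}/installer_kernel.keyblock \
 ${KEY_DIR}/recovery_kernel_data_key.vbprivk
 sign_for_factory_install
 else
 echo "Invalid type ${TYPE}"
 exit 1
 fi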
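Review bot: In get_firmwarebin_from_shellball (new lines 123-124) the chain `uudecode … | tar … || echo "…" && exit 1` reaches `exit 1` on the success path too, because `||` and `&&` have equal precedence and group left to right; wherever the function runs in the current shell, the script stops after a good extraction. Grouping the failure branch fixes it: `uudecode -o - "${input}" | tar -C "${output_dir}" -zxf - 2>/dev/null || { echo "Extracting firmware autoupdate failed." >&2; exit 1; }`. No `pipefail` is visible in the shown lines, so only tar's status is tested and a uudecode failure is noticed only if tar then rejects its input. Separately, the bare `return` at new line 75 yields echo's status 0 and the visible call sites go straight on to `sign_for_*`, so an image whose dm_config could not be read appears to get signed without a recalculated rootfs hash. `return 1` with a check at the callers would make that path fail closed.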