| OLD | NEW |
|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
| 8 # | 8 # |
| 9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
| 10 # | 10 # |
| (...skipping 20 matching lines...) Expand all Loading... |
| 31 ssd (sign an SSD image) | 31 ssd (sign an SSD image) |
| 32 recovery (sign a USB recovery image) | 32 recovery (sign a USB recovery image) |
| 33 install (sign a factory install image) | 33 install (sign a factory install image) |
| 34 EOF | 34 EOF |
| 35 exit 1 | 35 exit 1 |
| 36 fi | 36 fi |
| 37 | 37 |
| 38 # Abort on errors. | 38 # Abort on errors. |
| 39 set -e | 39 set -e |
| 40 | 40 |
| 41 # Make sure the tools we need are available. |
| 42 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity; do |
| 43 type -P "${prereqs}" &>/dev/null || \ |
| 44 { echo "${prereqs} tool not found."; exit 1; } |
| 45 done |
| 46 |
| 41 TYPE=$1 | 47 TYPE=$1 |
| 42 INPUT_IMAGE=$2 | 48 INPUT_IMAGE=$2 |
| 43 KEY_DIR=$3 | 49 KEY_DIR=$3 |
| 44 OUTPUT_IMAGE=$4 | 50 OUTPUT_IMAGE=$4 |
| 45 | 51 |
| 46 # Re-calculate rootfs hash, update rootfs and kernel command line. | 52 # Re-calculate rootfs hash, update rootfs and kernel command line. |
| 47 # Args: IMAGE KEYBLOCK PRIVATEKEY | 53 # Args: IMAGE KEYBLOCK PRIVATEKEY |
| 48 recalculate_rootfs_hash() { | 54 recalculate_rootfs_hash() { |
| 49 local image=$1 # Input image. | 55 local image=$1 # Input image. |
| 50 local keyblock=$2 # Keyblock for re-generating signed kernel partition | 56 local keyblock=$2 # Keyblock for re-generating signed kernel partition |
| (...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 198 } | 204 } |
| 199 | 205 |
| 200 # Generate the factory install image. | 206 # Generate the factory install image. |
| 201 sign_for_factory_install() { | 207 sign_for_factory_install() { |
| 202 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 208 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
| 203 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 209 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
| 204 ${KEY_DIR}/installer_kernel.keyblock | 210 ${KEY_DIR}/installer_kernel.keyblock |
| 205 echo "Output signed factory install image to ${OUTPUT_IMAGE}" | 211 echo "Output signed factory install image to ${OUTPUT_IMAGE}" |
| 206 } | 212 } |
| 207 | 213 |
| 208 if [ ! "${FW_NOUPDATE}" == "1" ]; then | 214 # Firmware payload signing hidden behind a flag until it actually makes |
| 215 # it into the image. |
| 216 if [ ! "${FW_UPDATE}" == "1" ]; then |
| 209 resign_firmware_payload ${INPUT_IMAGE} | 217 resign_firmware_payload ${INPUT_IMAGE} |
| 210 fi | 218 fi |
| 211 | 219 |
| 212 if [ "${TYPE}" == "ssd" ]; then | 220 if [ "${TYPE}" == "ssd" ]; then |
| 213 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 221 recalculate_rootfs_hash ${INPUT_IMAGE} \ |
| 214 ${KEY_DIR}/kernel.keyblock \ | 222 ${KEY_DIR}/kernel.keyblock \ |
| 215 ${KEY_DIR}/kernel_data_key.vbprivk | 223 ${KEY_DIR}/kernel_data_key.vbprivk |
| 216 sign_for_ssd | 224 sign_for_ssd |
| 217 elif [ "${TYPE}" == "recovery" ]; then | 225 elif [ "${TYPE}" == "recovery" ]; then |
| 218 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 226 recalculate_rootfs_hash ${INPUT_IMAGE} \ |
| 219 ${KEY_DIR}/recovery_kernel.keyblock \ | 227 ${KEY_DIR}/recovery_kernel.keyblock \ |
| 220 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 228 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
| 221 sign_for_recovery | 229 sign_for_recovery |
| 222 elif [ "${TYPE}" == "install" ]; then | 230 elif [ "${TYPE}" == "install" ]; then |
| 223 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 231 recalculate_rootfs_hash ${INPUT_IMAGE} \ |
| 224 ${KEY_DIR}/installer_kernel.keyblock \ | 232 ${KEY_DIR}/installer_kernel.keyblock \ |
| 225 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 233 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
| 226 sign_for_factory_install | 234 sign_for_factory_install |
| 227 else | 235 else |
| 228 echo "Invalid type ${TYPE}" | 236 echo "Invalid type ${TYPE}" |
| 229 exit 1 | 237 exit 1 |
| 230 fi | 238 fi |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3151027:
Hide packaged firmware AU signing behind a flag for now. (Closed)
Base URL: http://src.chromium.org/git/vboot_reference.git