OLD | NEW |
1 #!/bin/bash | 1 #!/bin/bash |
2 | 2 |
3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
8 # | 8 # |
9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
10 # | 10 # |
(...skipping 144 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
155 replace_image_partition ${image} 2 ${updated_kimage} | 155 replace_image_partition ${image} 2 ${updated_kimage} |
156 replace_image_partition ${image} 3 ${rootfs_image} | 156 replace_image_partition ${image} 3 ${rootfs_image} |
157 } | 157 } |
158 | 158 |
159 # Extracts the firmware update binaries from the a firmware update | 159 # Extracts the firmware update binaries from the a firmware update |
160 # shell ball (generated by src/platform/firmware/pack_firmware.sh) | 160 # shell ball (generated by src/platform/firmware/pack_firmware.sh) |
161 # Args: INPUT_SCRIPT OUTPUT_DIR | 161 # Args: INPUT_SCRIPT OUTPUT_DIR |
162 get_firmwarebin_from_shellball() { | 162 get_firmwarebin_from_shellball() { |
163 local input=$1 | 163 local input=$1 |
164 local output_dir=$2 | 164 local output_dir=$2 |
165 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ | 165 if [ -s "${input}" ]; then |
166 echo "Extracting firmware autoupdate failed." && exit 1 | 166 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ |
| 167 { echo "Extracting firmware autoupdate failed." && exit 1; } |
| 168 else |
| 169 return 1 |
| 170 fi |
167 } | 171 } |
168 | 172 |
169 # Re-sign the firmware AU payload inside the image rootfs with a new keys. | 173 # Re-sign the firmware AU payload inside the image rootfs with a new keys. |
170 # Args: IMAGE | 174 # Args: IMAGE |
171 resign_firmware_payload() { | 175 resign_firmware_payload() { |
172 local image=$1 | 176 local image=$1 |
173 | 177 |
174 # Grab firmware image from the autoupdate shellball. | 178 # Grab firmware image from the autoupdate shellball. |
175 local rootfs_dir=$(make_temp_dir) | 179 local rootfs_dir=$(make_temp_dir) |
176 mount_image_partition ${image} 3 ${rootfs_dir} | 180 mount_image_partition ${image} 3 ${rootfs_dir} |
177 | 181 |
178 local shellball_dir=$(make_temp_dir) | 182 local shellball_dir=$(make_temp_dir) |
| 183 # get_firmwarebin_from_shellball can fail if the image has no |
| 184 # firmware update. |
179 get_firmwarebin_from_shellball \ | 185 get_firmwarebin_from_shellball \ |
180 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} | 186 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \ |
| 187 { echo "Didn't find a firmware update. Not signing firmware." |
| 188 return; } |
| 189 echo "Found a valid firmware update shellball." |
181 | 190 |
182 temp_outfd=$(make_temp_file) | 191 temp_outfd=$(make_temp_file) |
183 # Replace the root key in the GBB | 192 # Replace the root key in the GBB |
184 # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. | 193 # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. |
185 gbb_utility -s \ | 194 if [ -e "${KEY_DIR}/hwid" ]; then |
186 --rootkey=${KEY_DIR}/root_key.vbpubk \ | 195 # Only update the hwid if we see one in the key directory. |
187 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ | 196 gbb_utility -s \ |
188 ${shellball_dir}/bios.bin ${temp_outfd} | 197 --rootkey=${KEY_DIR}/root_key.vbpubk \ |
189 | 198 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ |
| 199 --hwid="$(cat ${KEY_DIR}/hwid)" \ |
| 200 ${shellball_dir}/bios.bin ${temp_outfd} |
| 201 else |
| 202 gbb_utility -s \ |
| 203 --rootkey=${KEY_DIR}/root_key.vbpubk \ |
| 204 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ |
| 205 ${shellball_dir}/bios.bin ${temp_outfd} |
| 206 fi |
190 # Resign the firmware with new keys | 207 # Resign the firmware with new keys |
191 ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \ | 208 ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \ |
192 ${KEY_DIR}/firmware_data_key.vbprivk \ | 209 ${KEY_DIR}/firmware_data_key.vbprivk \ |
193 ${KEY_DIR}/firmware.keyblock \ | 210 ${KEY_DIR}/firmware.keyblock \ |
194 ${KEY_DIR}/kernel_subkey.vbpubk | 211 ${KEY_DIR}/kernel_subkey.vbpubk |
195 | 212 |
196 # Replace MD5 checksum in the firmware update payload | 213 # Replace MD5 checksum in the firmware update payload |
197 newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ') | 214 newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ') |
198 temp_version=$(make_temp_file) | 215 temp_version=$(make_temp_file) |
199 cat ${shellball_dir}/VERSION | | 216 cat ${shellball_dir}/VERSION | |
200 sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} | 217 sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} |
201 sudo cp ${temp_version} ${shellball_dir}/VERSION | 218 sudo cp ${temp_version} ${shellball_dir}/VERSION |
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
264 set -e | 281 set -e |
265 | 282 |
266 # TODO(gauravsh): Check embedded firmware AU signatures. | 283 # TODO(gauravsh): Check embedded firmware AU signatures. |
267 } | 284 } |
268 | 285 |
269 # Generate the SSD image | 286 # Generate the SSD image |
270 sign_for_ssd() { | 287 sign_for_ssd() { |
271 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 288 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
272 ${KEY_DIR}/kernel_data_key.vbprivk \ | 289 ${KEY_DIR}/kernel_data_key.vbprivk \ |
273 ${KEY_DIR}/kernel.keyblock | 290 ${KEY_DIR}/kernel.keyblock |
274 echo "Output signed SSD image to ${OUTPUT_IMAGE}" | 291 echo "Signed SSD image output to ${OUTPUT_IMAGE}" |
275 } | 292 } |
276 | 293 |
277 # Generate the USB (recovery + install) image | 294 # Generate the USB (recovery + install) image |
278 sign_for_recovery() { | 295 sign_for_recovery() { |
279 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 296 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
280 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 297 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
281 ${KEY_DIR}/recovery_kernel.keyblock | 298 ${KEY_DIR}/recovery_kernel.keyblock |
282 | 299 |
283 # Now generate the installer vblock with the SSD keys. | 300 # Now generate the installer vblock with the SSD keys. |
284 temp_kimage=$(make_temp_file) | 301 temp_kimage=$(make_temp_file) |
285 temp_out_vb=$(make_temp_file) | 302 temp_out_vb=$(make_temp_file) |
286 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimage} | 303 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimage} |
287 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimage} ${temp_out_vb} \ | 304 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimage} ${temp_out_vb} \ |
288 ${KEY_DIR}/kernel_data_key.vbprivk \ | 305 ${KEY_DIR}/kernel_data_key.vbprivk \ |
289 ${KEY_DIR}/kernel.keyblock | 306 ${KEY_DIR}/kernel.keyblock |
290 | 307 |
291 # Copy the installer vblock to the stateful partition. | 308 # Copy the installer vblock to the stateful partition. |
292 local stateful_dir=$(make_temp_dir) | 309 local stateful_dir=$(make_temp_dir) |
293 mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir} | 310 mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir} |
294 sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock | 311 sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock |
295 | 312 |
296 echo "Output signed recovery image to ${OUTPUT_IMAGE}" | 313 echo "Signed recovery image output to ${OUTPUT_IMAGE}" |
297 } | 314 } |
298 | 315 |
299 # Generate the factory install image. | 316 # Generate the factory install image. |
300 sign_for_factory_install() { | 317 sign_for_factory_install() { |
301 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 318 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
302 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 319 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
303 ${KEY_DIR}/installer_kernel.keyblock | 320 ${KEY_DIR}/installer_kernel.keyblock |
304 echo "Output signed factory install image to ${OUTPUT_IMAGE}" | 321 echo "Signed factory install image output to ${OUTPUT_IMAGE}" |
305 } | 322 } |
306 | 323 |
307 # Firmware payload signing hidden behind a flag until it actually makes | |
308 # it into the image. | |
309 if [ "${FW_UPDATE}" == "1" ]; then | |
310 resign_firmware_payload ${INPUT_IMAGE} | |
311 fi | |
312 | |
313 # Verification | 324 # Verification |
314 if [ "${TYPE}" == "verify" ]; then | 325 if [ "${TYPE}" == "verify" ]; then |
315 verify_image | 326 verify_image |
316 exit 1 | 327 exit 1 |
317 fi | 328 fi |
318 | 329 |
319 | |
320 # Signing requires an output image name | 330 # Signing requires an output image name |
321 if [ -z "${OUTPUT_IMAGE}" ]; then | 331 if [ -z "${OUTPUT_IMAGE}" ]; then |
322 usage | 332 usage |
323 exit 1 | 333 exit 1 |
324 fi | 334 fi |
325 | 335 |
| 336 |
326 if [ "${TYPE}" == "ssd" ]; then | 337 if [ "${TYPE}" == "ssd" ]; then |
| 338 resign_firmware_payload ${INPUT_IMAGE} |
327 update_rootfs_hash ${INPUT_IMAGE} \ | 339 update_rootfs_hash ${INPUT_IMAGE} \ |
328 ${KEY_DIR}/kernel.keyblock \ | 340 ${KEY_DIR}/kernel.keyblock \ |
329 ${KEY_DIR}/kernel_data_key.vbprivk | 341 ${KEY_DIR}/kernel_data_key.vbprivk |
330 sign_for_ssd | 342 sign_for_ssd |
331 elif [ "${TYPE}" == "recovery" ]; then | 343 elif [ "${TYPE}" == "recovery" ]; then |
| 344 resign_firmware_payload ${INPUT_IMAGE} |
332 update_rootfs_hash ${INPUT_IMAGE} \ | 345 update_rootfs_hash ${INPUT_IMAGE} \ |
333 ${KEY_DIR}/recovery_kernel.keyblock \ | 346 ${KEY_DIR}/recovery_kernel.keyblock \ |
334 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 347 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
335 sign_for_recovery | 348 sign_for_recovery |
336 elif [ "${TYPE}" == "install" ]; then | 349 elif [ "${TYPE}" == "install" ]; then |
| 350 resign_firmware_payload ${INPUT_IMAGE} |
337 update_rootfs_hash ${INPUT_IMAGE} \ | 351 update_rootfs_hash ${INPUT_IMAGE} \ |
338 ${KEY_DIR}/installer_kernel.keyblock \ | 352 ${KEY_DIR}/installer_kernel.keyblock \ |
339 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 353 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
340 sign_for_factory_install | 354 sign_for_factory_install |
341 else | 355 else |
342 echo "Invalid type ${TYPE}" | 356 echo "Invalid type ${TYPE}" |
343 exit 1 | 357 exit 1 |
344 fi | 358 fi |
OLD | NEW |