| OLD | NEW |
|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
| 8 # | 8 # |
| 9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
| 10 # | 10 # |
| 11 # gbb_utility (from src/platform/vboot_reference) | 11 # gbb_utility (from src/platform/vboot_reference) |
| 12 # vbutil_kernel (from src/platform/vboot_reference) | 12 # vbutil_kernel (from src/platform/vboot_reference) |
| 13 # cgpt (from src/platform/vboot_reference) | 13 # cgpt (from src/platform/vboot_reference) |
| 14 # dump_kernel_config (from src/platform/vboot_reference) | 14 # dump_kernel_config (from src/platform/vboot_reference) |
| 15 # verity (from src/platform/verity) | 15 # verity (from src/platform/verity) |
| 16 # | 16 # load_kernel_test (from src/platform/vboot_reference) |
| 17 # Usage: sign_for_ssd.sh <type> input_image /path/to/keys/dir output_image | |
| 18 # | |
| 19 # where <type> is one of: | |
| 20 # ssd (sign an SSD image) | |
| 21 # recovery (sign a USB recovery image) | |
| 22 # install (sign a factory install image) | |
| 23 | 17 |
| 24 # Load common constants and variables. | 18 # Load common constants and variables. |
| 25 . "$(dirname "$0")/common.sh" | 19 . "$(dirname "$0")/common.sh" |
| 26 | 20 |
| 27 if [ $# -ne 4 ]; then | 21 # Print usage string |
| 22 usage() { |
| 28 cat <<EOF | 23 cat <<EOF |
| 29 Usage: $0 <type> input_image /path/to/keys/dir output_image" | 24 Usage: $PROG <type> input_image /path/to/keys/dir [output_image] |
| 30 where <type> is one of: | 25 where <type> is one of: |
| 31 ssd (sign an SSD image) | 26 ssd (sign an SSD image) |
| 32 recovery (sign a USB recovery image) | 27 recovery (sign a USB recovery image) |
| 33 install (sign a factory install image) | 28 install (sign a factory install image) |
| 29 verify (verify an image including rootfs hashes) |
| 30 |
| 31 If you are signing an image, you must specify an [output_image]. |
| 34 EOF | 32 EOF |
| 33 } |
| 34 |
| 35 if [ $# -ne 3 ] && [ $# -ne 4 ]; then |
| 36 usage |
| 35 exit 1 | 37 exit 1 |
| 36 fi | 38 fi |
| 37 | 39 |
| 38 # Abort on errors. | 40 # Abort on errors. |
| 39 set -e | 41 set -e |
| 40 | 42 |
| 41 # Make sure the tools we need are available. | 43 # Make sure the tools we need are available. |
| 42 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity; do | 44 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \ |
| 45 load_kernel_test; |
| 46 do |
| 43 type -P "${prereqs}" &>/dev/null || \ | 47 type -P "${prereqs}" &>/dev/null || \ |
| 44 { echo "${prereqs} tool not found."; exit 1; } | 48 { echo "${prereqs} tool not found."; exit 1; } |
| 45 done | 49 done |
| 46 | 50 |
| 47 TYPE=$1 | 51 TYPE=$1 |
| 48 INPUT_IMAGE=$2 | 52 INPUT_IMAGE=$2 |
| 49 KEY_DIR=$3 | 53 KEY_DIR=$3 |
| 50 OUTPUT_IMAGE=$4 | 54 OUTPUT_IMAGE=$4 |
| 51 | 55 |
| 52 # Re-calculate rootfs hash, update rootfs and kernel command line. | 56 # Get current rootfs hash and kernel command line |
| 53 # Args: IMAGE KEYBLOCK PRIVATEKEY | 57 # ARGS: IMAGE |
| 54 recalculate_rootfs_hash() { | 58 grab_kernel_config() { |
| 55 echo "Recalculating rootfs" | 59 local image=$1 |
| 56 local image=$1 # Input image. | 60 # Grab the existing kernel partition and get the kernel config. |
| 57 local keyblock=$2 # Keyblock for re-generating signed kernel partition | |
| 58 local signprivate=$3 # Private key to use for signing. | |
| 59 | |
| 60 # First, grab the existing kernel partition and get the kernel config. | |
| 61 temp_kimage=$(make_temp_file) | 61 temp_kimage=$(make_temp_file) |
| 62 extract_image_partition ${image} 2 ${temp_kimage} | 62 extract_image_partition ${image} 2 ${temp_kimage} |
| 63 local kernel_config=$(sudo dump_kernel_config ${temp_kimage}) | 63 dump_kernel_config ${temp_kimage} |
| 64 local dm_config=$(echo $kernel_config | | 64 } |
| 65 |
| 66 # Get the hash from a kernel config command line |
| 67 get_hash_from_config() { |
| 68 local kernel_config=$1 |
| 69 echo ${kernel_config} | sed -e 's/.*dm="\([^"]*\)".*/\1/g' | \ |
| 70 cut -f2- -d, | cut -f9 -d ' ' |
| 71 } |
| 72 |
| 73 # Calculate rootfs hash of an image |
| 74 # Args: ROOTFS_IMAGE KERNEL_CONFIG HASH_IMAGE |
| 75 # |
| 76 # rootfs calculation parameters are grabbed from KERNEL_CONFIG |
| 77 # |
| 78 # Returns an updated kernel config command line with the new hash. |
| 79 # and writes the new hash image to the file HASH_IMAGE |
| 80 calculate_rootfs_hash() { |
| 81 local rootfs_image=$1 |
| 82 local kernel_config=$2 |
| 83 local hash_image=$3 |
| 84 local dm_config=$(echo ${kernel_config} | |
| 65 sed -e 's/.*dm="\([^"]*\)".*/\1/g' | | 85 sed -e 's/.*dm="\([^"]*\)".*/\1/g' | |
| 66 cut -f2- -d,) | 86 cut -f2- -d,) |
| 67 # We extract dm=... portion of the config command line. Here's an example: | 87 # We extract dm=... portion of the config command line. Here's an example: |
| 68 # | 88 # |
| 69 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \ | 89 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \ |
| 70 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2" | 90 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2" |
| 71 # | 91 # |
| 72 | 92 |
| 73 if [ -z "${dm_config}" ]; then | 93 if [ -z "${dm_config}" ]; then |
| 74 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation" | 94 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation" |
| 75 return | 95 exit 1 |
| 76 fi | 96 fi |
| 77 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ') | 97 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ') |
| 78 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ') | 98 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ') |
| 79 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ') | 99 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ') |
| 80 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ') | 100 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ') |
| 81 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ') | 101 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ') |
| 82 | 102 |
| 83 # Mount the rootfs and run the verity tool on it. | 103 # Run the verity tool on the rootfs partition. |
| 84 local hash_image=$(make_temp_file) | |
| 85 local rootfs_img=$(make_temp_file) | |
| 86 extract_image_partition ${image} 3 ${rootfs_img} | |
| 87 local table="vroot none ro,"$(sudo verity create \ | 104 local table="vroot none ro,"$(sudo verity create \ |
| 88 ${verity_depth} \ | 105 ${verity_depth} \ |
| 89 ${verity_algorithm} \ | 106 ${verity_algorithm} \ |
| 90 ${rootfs_img} \ | 107 ${rootfs_image} \ |
| 91 $((rootfs_sectors / 8)) \ | 108 $((rootfs_sectors / 8)) \ |
| 92 ${hash_image}) | 109 ${hash_image}) |
| 93 # Reconstruct new kernel config command line and replace placeholders. | 110 # Reconstruct new kernel config command line and replace placeholders. |
| 94 table="$(echo "$table" | | 111 table="$(echo "$table" | |
| 95 sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")" | 112 sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")" |
| 96 kernel_config=$(echo ${kernel_config} | | 113 echo ${kernel_config} | sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${table}\3#g" |
| 97 sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${table}\3#g") | 114 } |
| 115 |
| 116 # Re-calculate rootfs hash, update rootfs and kernel command line. |
| 117 # Args: IMAGE KEYBLOCK PRIVATEKEY |
| 118 update_rootfs_hash() { |
| 119 echo "Recalculating rootfs" |
| 120 local image=$1 # Input image. |
| 121 local keyblock=$2 # Keyblock for re-generating signed kernel partition |
| 122 local signprivate=$3 # Private key to use for signing. |
| 123 |
| 124 local rootfs_image=$(make_temp_file) |
| 125 extract_image_partition ${image} 3 ${rootfs_image} |
| 126 local kernel_config=$(grab_kernel_config "${image}") |
| 127 local hash_image=$(make_temp_file) |
| 128 |
| 129 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
| 130 "${kernel_config}" "${hash_image}") |
| 131 |
| 132 local rootfs_blocks=$(dumpe2fs "${rootfs_image}" 2> /dev/null | |
| 133 grep "Block count" | |
| 134 tr -d ' ' | |
| 135 cut -f2 -d:) |
| 136 local rootfs_sectors=$((rootfs_blocks * 8)) |
| 98 | 137 |
| 99 # Overwrite the appended hashes in the rootfs | 138 # Overwrite the appended hashes in the rootfs |
| 100 local temp_config=$(make_temp_file) | 139 local temp_config=$(make_temp_file) |
| 101 echo ${kernel_config} >${temp_config} | 140 echo ${new_kernel_config} >${temp_config} |
| 102 dd if=${hash_image} of=${rootfs_img} bs=512 \ | 141 dd if=${hash_image} of=${rootfs_image} bs=512 \ |
| 103 seek=${rootfs_sectors} conv=notrunc | 142 seek=${rootfs_sectors} conv=notrunc |
| 104 | 143 |
| 144 local temp_kimage=$(make_temp_file) |
| 145 extract_image_partition ${image} 2 ${temp_kimage} |
| 105 # Re-calculate kernel partition signature and command line. | 146 # Re-calculate kernel partition signature and command line. |
| 106 local updated_kimage=$(make_temp_file) | 147 local updated_kimage=$(make_temp_file) |
| 107 vbutil_kernel --repack ${updated_kimage} \ | 148 vbutil_kernel --repack ${updated_kimage} \ |
| 108 --keyblock ${keyblock} \ | 149 --keyblock ${keyblock} \ |
| 109 --signprivate ${signprivate} \ | 150 --signprivate ${signprivate} \ |
| 110 --oldblob ${temp_kimage} \ | 151 --oldblob ${temp_kimage} \ |
| 111 --config ${temp_config} | 152 --config ${temp_config} |
| 112 | 153 |
| 113 replace_image_partition ${image} 2 ${updated_kimage} | 154 replace_image_partition ${image} 2 ${updated_kimage} |
| 114 replace_image_partition ${image} 3 ${rootfs_img} | 155 replace_image_partition ${image} 3 ${rootfs_image} |
| 115 } | 156 } |
| 116 | 157 |
| 117 # Extracts the firmware update binaries from the a firmware update | 158 # Extracts the firmware update binaries from the a firmware update |
| 118 # shell ball (generated by src/platform/firmware/pack_firmware.sh) | 159 # shell ball (generated by src/platform/firmware/pack_firmware.sh) |
| 119 # Args: INPUT_SCRIPT OUTPUT_DIR | 160 # Args: INPUT_SCRIPT OUTPUT_DIR |
| 120 get_firmwarebin_from_shellball() { | 161 get_firmwarebin_from_shellball() { |
| 121 local input=$1 | 162 local input=$1 |
| 122 local output_dir=$2 | 163 local output_dir=$2 |
| 123 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ | 164 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ |
| 124 echo "Extracting firmware autoupdate failed." && exit 1 | 165 echo "Extracting firmware autoupdate failed." && exit 1 |
| 125 } | 166 } |
| 126 | 167 |
| 127 # Re-sign the firmware AU payload inside the image rootfs with a new keys. | 168 # Re-sign the firmware AU payload inside the image rootfs with a new keys. |
| 128 # Args: IMAGE | 169 # Args: IMAGE |
| 129 resign_firmware_payload() { | 170 resign_firmware_payload() { |
| 130 local image=$1 | 171 local image=$1 |
| 131 | 172 |
| 132 # Grab firmware image from the autoupdate shellball. | 173 # Grab firmware image from the autoupdate shellball. |
| 133 local rootfs_dir=$(make_temp_dir) | 174 local rootfs_dir=$(make_temp_dir) |
| 134 mount_image_partition ${image} 3 ${rootfs_dir} | 175 mount_image_partition ${image} 3 ${rootfs_dir} |
| 135 | 176 |
| 136 local shellball_dir=$(make_temp_dir) | 177 local shellball_dir=$(make_temp_dir) |
| 137 get_firmwarebin_from_shellball \ | 178 get_firmwarebin_from_shellball \ |
| 138 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} | 179 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} |
| 139 | 180 |
| 140 temp_outfd=$(make_temp_file) | 181 temp_outfd=$(make_temp_file) |
| 141 # Replace the root key in the GBB | 182 # Replace the root key in the GBB |
| 142 # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. | 183 # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. |
| 143 gbb_utility -s \ | 184 gbb_utility -s \ |
| 144 --rootkey=${KEY_DIR}/root_key.vbpubk \ | 185 --rootkey=${KEY_DIR}/root_key.vbpubk \ |
| 145 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ | 186 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ |
| 146 ${shellball_dir}/bios.bin ${temp_outfd} | 187 ${shellball_dir}/bios.bin ${temp_outfd} |
| 147 | 188 |
| 148 # Resign the firmware with new keys | 189 # Resign the firmware with new keys |
| 149 ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \ | 190 ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \ |
| 150 ${KEY_DIR}/firmware_data_key.vbprivk \ | 191 ${KEY_DIR}/firmware_data_key.vbprivk \ |
| 151 ${KEY_DIR}/firmware.keyblock \ | 192 ${KEY_DIR}/firmware.keyblock \ |
| 152 ${KEY_DIR}/kernel_subkey.vbpubk | 193 ${KEY_DIR}/kernel_subkey.vbpubk |
| 153 | 194 |
| 154 # Replace MD5 checksum in the firmware update payload | 195 # Replace MD5 checksum in the firmware update payload |
| 155 newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ') | 196 newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ') |
| 156 temp_version=$(make_temp_file) | 197 temp_version=$(make_temp_file) |
| 157 cat ${shellball_dir}/VERSION | | 198 cat ${shellball_dir}/VERSION | |
| 158 sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} | 199 sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} |
| 159 sudo cp ${temp_version} ${shellball_dir}/VERSION | 200 sudo cp ${temp_version} ${shellball_dir}/VERSION |
| 160 | 201 |
| 161 # Re-generate firmware_update.tgz and copy over encoded archive in | 202 # Re-generate firmware_update.tgz and copy over encoded archive in |
| 162 # the original shell ball. | 203 # the original shell ball. |
| 163 new_fwblob=$(make_temp_file) | 204 new_fwblob=$(make_temp_file) |
| 164 tar zcf - -C ${shellball_dir} . | \ | 205 tar zcf - -C ${shellball_dir} . | \ |
| 165 uuencode firmware_package.tgz > ${new_fwblob} | 206 uuencode firmware_package.tgz > ${new_fwblob} |
| 166 new_shellball=$(make_temp_file) | 207 new_shellball=$(make_temp_file) |
| 167 cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \ | 208 cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \ |
| 168 sed -e '/^begin .*firmware_package/,/end/D' | \ | 209 sed -e '/^begin .*firmware_package/,/end/D' | \ |
| 169 cat - ${new_fwblob} >${new_shellball} | 210 cat - ${new_fwblob} >${new_shellball} |
| 170 sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | 211 sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate |
| 171 # Force unmount of the image as it is needed later. | 212 # Force unmount of the image as it is needed later. |
| 172 sudo umount -d ${rootfs_dir} | 213 sudo umount -d ${rootfs_dir} |
| 173 echo "Re-signed firmware AU payload in $image" | 214 echo "Re-signed firmware AU payload in $image" |
| 174 } | 215 } |
| 175 | 216 |
| 217 # Verify an image including rootfs hash using the specified keys. |
| 218 verify_image() { |
| 219 local kernel_config=$(grab_kernel_config ${INPUT_IMAGE}) |
| 220 local rootfs_image=$(make_temp_file) |
| 221 extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image} |
| 222 local hash_image=$(make_temp_file) |
| 223 local type="" |
| 224 |
| 225 |
| 226 # First, perform RootFS verification |
| 227 echo "Verifying RootFS hash..." |
| 228 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
| 229 "${kernel_config}" "${hash_image}") |
| 230 local expected_hash=$(get_hash_from_config "${new_kernel_config}") |
| 231 local got_hash=$(get_hash_from_config "${kernel_config}") |
| 232 |
| 233 if [ ! "${got_hash}" = "${expected_hash}" ]; then |
| 234 cat <<EOF |
| 235 FAILED: RootFS hash is incorrect. |
| 236 Expected: ${expected_hash} |
| 237 Got: ${got_hash} |
| 238 EOF |
| 239 else |
| 240 echo "PASS: RootFS hash is correct (${expected_hash})" |
| 241 fi |
| 242 |
| 243 # Now try and verify kernel partition signature. |
| 244 set +e |
| 245 local try_key=${KEY_DIR}/recovery_key.vbpubk |
| 246 echo "Testing key verification..." |
| 247 # The recovery key is only used in the recovery mode. |
| 248 echo -n "With Recovery Key (Recovery Mode ON, Dev Mode OFF): " && \ |
| 249 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 2 >/dev/null 2>&1 && \ |
| 250 echo "YES"; } || echo "NO" |
| 251 echo -n "With Recovery Key (Recovery Mode ON, Dev Mode ON): " && \ |
| 252 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 3 >/dev/null 2>&1 && \ |
| 253 echo "YES"; } || echo "NO" |
| 254 |
| 255 try_key=${KEY_DIR}/kernel_subkey.vbpubk |
| 256 # The SSD key is only used in non-recovery mode. |
| 257 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode OFF): " && \ |
| 258 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 0 >/dev/null 2>&1 && \ |
| 259 echo "YES"; } || echo "NO" |
| 260 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode ON): " && \ |
| 261 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 1 >/dev/null 2>&1 && \ |
| 262 echo "YES"; } || echo "NO" |
| 263 set -e |
| 264 |
| 265 # TODO(gauravsh): Check embedded firmware AU signatures. |
| 266 } |
| 267 |
| 176 # Generate the SSD image | 268 # Generate the SSD image |
| 177 sign_for_ssd() { | 269 sign_for_ssd() { |
| 178 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 270 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
| 179 ${KEY_DIR}/kernel_data_key.vbprivk \ | 271 ${KEY_DIR}/kernel_data_key.vbprivk \ |
| 180 ${KEY_DIR}/kernel.keyblock | 272 ${KEY_DIR}/kernel.keyblock |
| 181 echo "Output signed SSD image to ${OUTPUT_IMAGE}" | 273 echo "Output signed SSD image to ${OUTPUT_IMAGE}" |
| 182 } | 274 } |
| 183 | 275 |
| 184 # Generate the USB (recovery + install) image | 276 # Generate the USB (recovery + install) image |
| 185 sign_for_recovery() { | 277 sign_for_recovery() { |
| 186 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 278 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
| 187 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 279 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
| 188 ${KEY_DIR}/recovery_kernel.keyblock | 280 ${KEY_DIR}/recovery_kernel.keyblock |
| 189 | 281 |
| 190 # Now generate the installer vblock with the SSD keys. | 282 # Now generate the installer vblock with the SSD keys. |
| 191 temp_kimage=$(make_temp_file) | 283 temp_kimage=$(make_temp_file) |
| 192 temp_out_vb=$(make_temp_file) | 284 temp_out_vb=$(make_temp_file) |
| 193 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimage} | 285 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimage} |
| 194 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimage} ${temp_out_vb} \ | 286 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimage} ${temp_out_vb} \ |
| 195 ${KEY_DIR}/kernel_data_key.vbprivk \ | 287 ${KEY_DIR}/kernel_data_key.vbprivk \ |
| 196 ${KEY_DIR}/kernel.keyblock | 288 ${KEY_DIR}/kernel.keyblock |
| 197 | 289 |
| 198 # Copy the installer vblock to the stateful partition. | 290 # Copy the installer vblock to the stateful partition. |
| (...skipping 11 matching lines...) Expand all Loading... |
| 210 ${KEY_DIR}/installer_kernel.keyblock | 302 ${KEY_DIR}/installer_kernel.keyblock |
| 211 echo "Output signed factory install image to ${OUTPUT_IMAGE}" | 303 echo "Output signed factory install image to ${OUTPUT_IMAGE}" |
| 212 } | 304 } |
| 213 | 305 |
| 214 # Firmware payload signing hidden behind a flag until it actually makes | 306 # Firmware payload signing hidden behind a flag until it actually makes |
| 215 # it into the image. | 307 # it into the image. |
| 216 if [ "${FW_UPDATE}" == "1" ]; then | 308 if [ "${FW_UPDATE}" == "1" ]; then |
| 217 resign_firmware_payload ${INPUT_IMAGE} | 309 resign_firmware_payload ${INPUT_IMAGE} |
| 218 fi | 310 fi |
| 219 | 311 |
| 312 # Verification |
| 313 if [ "${TYPE}" == "verify" ]; then |
| 314 verify_image |
| 315 exit 1 |
| 316 fi |
| 317 |
| 318 |
| 319 # Signing requires an output image name |
| 320 if [ -z "${OUTPUT_IMAGE}" ]; then |
| 321 usage |
| 322 exit 1 |
| 323 fi |
| 324 |
| 220 if [ "${TYPE}" == "ssd" ]; then | 325 if [ "${TYPE}" == "ssd" ]; then |
| 221 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 326 update_rootfs_hash ${INPUT_IMAGE} \ |
| 222 ${KEY_DIR}/kernel.keyblock \ | 327 ${KEY_DIR}/kernel.keyblock \ |
| 223 ${KEY_DIR}/kernel_data_key.vbprivk | 328 ${KEY_DIR}/kernel_data_key.vbprivk |
| 224 sign_for_ssd | 329 sign_for_ssd |
| 225 elif [ "${TYPE}" == "recovery" ]; then | 330 elif [ "${TYPE}" == "recovery" ]; then |
| 226 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 331 update_rootfs_hash ${INPUT_IMAGE} \ |
| 227 ${KEY_DIR}/recovery_kernel.keyblock \ | 332 ${KEY_DIR}/recovery_kernel.keyblock \ |
| 228 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 333 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
| 229 sign_for_recovery | 334 sign_for_recovery |
| 230 elif [ "${TYPE}" == "install" ]; then | 335 elif [ "${TYPE}" == "install" ]; then |
| 231 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 336 update_rootfs_hash ${INPUT_IMAGE} \ |
| 232 ${KEY_DIR}/installer_kernel.keyblock \ | 337 ${KEY_DIR}/installer_kernel.keyblock \ |
| 233 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 338 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
| 234 sign_for_factory_install | 339 sign_for_factory_install |
| 235 else | 340 else |
| 236 echo "Invalid type ${TYPE}" | 341 echo "Invalid type ${TYPE}" |
| 237 exit 1 | 342 exit 1 |
| 238 fi | 343 fi |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3327005:
Add a "verify" option to sign_official_build.sh. (Closed)
Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git