OLD | NEW |
1 #!/bin/bash | 1 #!/bin/bash |
2 | 2 |
3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
8 # | 8 # |
9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
10 # | 10 # |
(...skipping 107 matching lines...)
118 # Args: IMAGE KEYBLOCK PRIVATEKEY | 118 # Args: IMAGE KEYBLOCK PRIVATEKEY |
119 update_rootfs_hash() { | 119 update_rootfs_hash() { |
120 echo "Recalculating rootfs" | 120 echo "Recalculating rootfs" |
121 local image=$1 # Input image. | 121 local image=$1 # Input image. |
122 local keyblock=$2 # Keyblock for re-generating signed kernel partition | 122 local keyblock=$2 # Keyblock for re-generating signed kernel partition |
123 local signprivate=$3 # Private key to use for signing. | 123 local signprivate=$3 # Private key to use for signing. |
124 | 124 |
125 local rootfs_image=$(make_temp_file) | 125 local rootfs_image=$(make_temp_file) |
126 extract_image_partition ${image} 3 ${rootfs_image} | 126 extract_image_partition ${image} 3 ${rootfs_image} |
127 local kernel_config=$(grab_kernel_config "${image}") | 127 local kernel_config=$(grab_kernel_config "${image}") |
| 128 echo "got: $kernel_config" |
128 local hash_image=$(make_temp_file) | 129 local hash_image=$(make_temp_file) |
129 | 130 |
130 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ | 131 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
131 "${kernel_config}" "${hash_image}") | 132 "${kernel_config}" "${hash_image}") |
| 133 echo "changing to: $new_kernel_config" |
132 | 134 |
133 local rootfs_blocks=$(sudo dumpe2fs "${rootfs_image}" 2> /dev/null | | 135 local rootfs_blocks=$(sudo dumpe2fs "${rootfs_image}" 2> /dev/null | |
134 grep "Block count" | | 136 grep "Block count" | |
135 tr -d ' ' | | 137 tr -d ' ' | |
136 cut -f2 -d:) | 138 cut -f2 -d:) |
137 local rootfs_sectors=$((rootfs_blocks * 8)) | 139 local rootfs_sectors=$((rootfs_blocks * 8)) |
| 140 echo "rootfs sectors = $rootfs_blocks" |
138 | 141 |
139 # Overwrite the appended hashes in the rootfs | 142 # Overwrite the appended hashes in the rootfs |
140 local temp_config=$(make_temp_file) | 143 local temp_config=$(make_temp_file) |
141 echo ${new_kernel_config} >${temp_config} | 144 echo ${new_kernel_config} >${temp_config} |
142 dd if=${hash_image} of=${rootfs_image} bs=512 \ | 145 dd if=${hash_image} of=${rootfs_image} bs=512 \ |
143 seek=${rootfs_sectors} conv=notrunc | 146 seek=${rootfs_sectors} conv=notrunc |
144 | 147 |
145 local temp_kimage=$(make_temp_file) | 148 local temp_kimage=$(make_temp_file) |
146 extract_image_partition ${image} 2 ${temp_kimage} | 149 extract_image_partition ${image} 2 ${temp_kimage} |
147 # Re-calculate kernel partition signature and command line. | 150 # Re-calculate kernel partition signature and command line. |
(...skipping 23 matching lines...)
171 } | 174 } |
172 | 175 |
173 # Re-sign the firmware AU payload inside the image rootfs with a new keys. | 176 # Re-sign the firmware AU payload inside the image rootfs with a new keys. |
174 # Args: IMAGE | 177 # Args: IMAGE |
175 resign_firmware_payload() { | 178 resign_firmware_payload() { |
176 local image=$1 | 179 local image=$1 |
177 | 180 |
178 # Grab firmware image from the autoupdate shellball. | 181 # Grab firmware image from the autoupdate shellball. |
179 local rootfs_dir=$(make_temp_dir) | 182 local rootfs_dir=$(make_temp_dir) |
180 mount_image_partition ${image} 3 ${rootfs_dir} | 183 mount_image_partition ${image} 3 ${rootfs_dir} |
181 | 184 # Force unmount of the rootfs on function exit as it is needed later. |
| 185 trap "sudo umount -d ${rootfs_dir}" RETURN |
| 186 |
182 local shellball_dir=$(make_temp_dir) | 187 local shellball_dir=$(make_temp_dir) |
183 # get_firmwarebin_from_shellball can fail if the image has no | 188 # get_firmwarebin_from_shellball can fail if the image has no |
184 # firmware update. | 189 # firmware update. |
185 get_firmwarebin_from_shellball \ | 190 get_firmwarebin_from_shellball \ |
186 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \ | 191 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \ |
187 { echo "Didn't find a firmware update. Not signing firmware." | 192 { echo "Didn't find a firmware update. Not signing firmware." |
188 return; } | 193 return; } |
189 echo "Found a valid firmware update shellball." | 194 echo "Found a valid firmware update shellball." |
190 | 195 |
191 temp_outfd=$(make_temp_file) | 196 temp_outfd=$(make_temp_file) |
(...skipping 28 matching lines...)
220 # Re-generate firmware_update.tgz and copy over encoded archive in | 225 # Re-generate firmware_update.tgz and copy over encoded archive in |
221 # the original shell ball. | 226 # the original shell ball. |
222 new_fwblob=$(make_temp_file) | 227 new_fwblob=$(make_temp_file) |
223 tar zcf - -C ${shellball_dir} . | \ | 228 tar zcf - -C ${shellball_dir} . | \ |
224 uuencode firmware_package.tgz > ${new_fwblob} | 229 uuencode firmware_package.tgz > ${new_fwblob} |
225 new_shellball=$(make_temp_file) | 230 new_shellball=$(make_temp_file) |
226 cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \ | 231 cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \ |
227 sed -e '/^begin .*firmware_package/,/end/D' | \ | 232 sed -e '/^begin .*firmware_package/,/end/D' | \ |
228 cat - ${new_fwblob} >${new_shellball} | 233 cat - ${new_fwblob} >${new_shellball} |
229 sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | 234 sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate |
230 # Force unmount of the image as it is needed later. | |
231 sudo umount -d ${rootfs_dir} | |
232 echo "Re-signed firmware AU payload in $image" | 235 echo "Re-signed firmware AU payload in $image" |
233 } | 236 } |
234 | 237 |
235 # Verify an image including rootfs hash using the specified keys. | 238 # Verify an image including rootfs hash using the specified keys. |
236 verify_image() { | 239 verify_image() { |
237 local kernel_config=$(grab_kernel_config ${INPUT_IMAGE}) | 240 local kernel_config=$(grab_kernel_config ${INPUT_IMAGE}) |
| 241 echo "got $kernel_config" |
238 local rootfs_image=$(make_temp_file) | 242 local rootfs_image=$(make_temp_file) |
239 extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image} | 243 extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image} |
240 local hash_image=$(make_temp_file) | 244 local hash_image=$(make_temp_file) |
241 local type="" | 245 local type="" |
242 | 246 |
243 | 247 |
244 # First, perform RootFS verification | 248 # First, perform RootFS verification |
245 echo "Verifying RootFS hash..." | 249 echo "Verifying RootFS hash..." |
246 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ | 250 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
247 "${kernel_config}" "${hash_image}") | 251 "${kernel_config}" "${hash_image}") |
(...skipping 101 matching lines...)
349 elif [ "${TYPE}" == "install" ]; then | 353 elif [ "${TYPE}" == "install" ]; then |
350 resign_firmware_payload ${INPUT_IMAGE} | 354 resign_firmware_payload ${INPUT_IMAGE} |
351 update_rootfs_hash ${INPUT_IMAGE} \ | 355 update_rootfs_hash ${INPUT_IMAGE} \ |
352 ${KEY_DIR}/installer_kernel.keyblock \ | 356 ${KEY_DIR}/installer_kernel.keyblock \ |
353 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 357 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
354 sign_for_factory_install | 358 sign_for_factory_install |
355 else | 359 else |
356 echo "Invalid type ${TYPE}" | 360 echo "Invalid type ${TYPE}" |
357 exit 1 | 361 exit 1 |
358 fi | 362 fi |
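Review bot: The `RETURN` trap added in resign_firmware_payload is never cleared, and bash keeps a RETURN trap installed after the function that set it has returned, so the `sudo umount -d` may run again on a later return (a sourced file finishing, or any function when functrace is enabled) against a directory that is no longer mounted. Clearing it inside the handler keeps the cleanup scoped to this one call: `trap "sudo umount -d ${rootfs_dir}; trap - RETURN" RETURN`. The umount result is also unchecked, so a failed unmount would go unnoticed before the install branch runs update_rootfs_hash, which extracts partition 3 of the same image; logging a failure there would help. Separately, the new `echo "rootfs sectors = $rootfs_blocks"` in update_rootfs_hash prints the block count under a sector label, whereas `$rootfs_sectors` is the value passed to `dd seek=`. Parts of both functions are elided on this page.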