| OLD | NEW |
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
| 8 # | 8 # |
| 9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
| 10 # | 10 # |
| (...skipping 104 matching lines...) |
| 115 } | 115 } |
| 116 | 116 |
| 117 # Re-calculate rootfs hash, update rootfs and kernel command line. | 117 # Re-calculate rootfs hash, update rootfs and kernel command line. |
| 118 # Args: IMAGE KEYBLOCK PRIVATEKEY | 118 # Args: IMAGE KEYBLOCK PRIVATEKEY |
| 119 update_rootfs_hash() { | 119 update_rootfs_hash() { |
| 120 echo "Recalculating rootfs" | 120 echo "Recalculating rootfs" |
| 121 local image=$1 # Input image. | 121 local image=$1 # Input image. |
| 122 local keyblock=$2 # Keyblock for re-generating signed kernel partition | 122 local keyblock=$2 # Keyblock for re-generating signed kernel partition |
| 123 local signprivate=$3 # Private key to use for signing. | 123 local signprivate=$3 # Private key to use for signing. |
| 124 | 124 |
| 125 # check and clear need_to_resign tag |
| 126 local rootfs_dir=$(make_temp_dir) |
| 127 mount_image_partition_ro "${image}" 3 "${rootfs_dir}" |
| 128 if has_needs_to_be_resigned_tag "${rootfs_dir}"; then |
| 129 # remount as RW |
| 130 sudo umount -d "${rootfs_dir}" |
| 131 mount_image_partition "${image}" 3 "${rootfs_dir}" |
| 132 sudo rm -f "${rootfs_dir}/${TAG_NEEDS_TO_BE_SIGNED}" |
| 133 fi |
| 134 sudo umount -d "${rootfs_dir}" |
| 135 |
| 125 local rootfs_image=$(make_temp_file) | 136 local rootfs_image=$(make_temp_file) |
| 126 extract_image_partition ${image} 3 ${rootfs_image} | 137 extract_image_partition ${image} 3 ${rootfs_image} |
| 127 local kernel_config=$(grab_kernel_config "${image}") | 138 local kernel_config=$(grab_kernel_config "${image}") |
| 128 local hash_image=$(make_temp_file) | 139 local hash_image=$(make_temp_file) |
| 129 | 140 |
| 130 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ | 141 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
| 131 "${kernel_config}" "${hash_image}") | 142 "${kernel_config}" "${hash_image}") |
| 132 | 143 |
| 133 local rootfs_blocks=$(sudo dumpe2fs "${rootfs_image}" 2> /dev/null | | 144 local rootfs_blocks=$(sudo dumpe2fs "${rootfs_image}" 2> /dev/null | |
| 134 grep "Block count" | | 145 grep "Block count" | |
| (...skipping 38 matching lines...) |
| 173 # Re-sign the firmware AU payload inside the image rootfs with a new keys. | 184 # Re-sign the firmware AU payload inside the image rootfs with a new keys. |
| 174 # Args: IMAGE | 185 # Args: IMAGE |
| 175 resign_firmware_payload() { | 186 resign_firmware_payload() { |
| 176 local image=$1 | 187 local image=$1 |
| 177 | 188 |
| 178 # Grab firmware image from the autoupdate shellball. | 189 # Grab firmware image from the autoupdate shellball. |
| 179 local rootfs_dir=$(make_temp_dir) | 190 local rootfs_dir=$(make_temp_dir) |
| 180 mount_image_partition ${image} 3 ${rootfs_dir} | 191 mount_image_partition ${image} 3 ${rootfs_dir} |
| 181 # Force unmount of the rootfs on function exit as it is needed later. | 192 # Force unmount of the rootfs on function exit as it is needed later. |
| 182 trap "sudo umount -d ${rootfs_dir}" RETURN | 193 trap "sudo umount -d ${rootfs_dir}" RETURN |
| 183 | 194 |
| 184 local shellball_dir=$(make_temp_dir) | 195 local shellball_dir=$(make_temp_dir) |
| 185 # get_firmwarebin_from_shellball can fail if the image has no | 196 # get_firmwarebin_from_shellball can fail if the image has no |
| 186 # firmware update. | 197 # firmware update. |
| 187 get_firmwarebin_from_shellball \ | 198 get_firmwarebin_from_shellball \ |
| 188 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \ | 199 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \ |
| 189 { echo "Didn't find a firmware update. Not signing firmware." | 200 { echo "Didn't find a firmware update. Not signing firmware." |
| 190 return; } | 201 return; } |
| 191 echo "Found a valid firmware update shellball." | 202 echo "Found a valid firmware update shellball." |
| 192 | 203 |
| 193 temp_outfd=$(make_temp_file) | 204 temp_outfd=$(make_temp_file) |
| (...skipping 155 matching lines...) |
| 349 elif [ "${TYPE}" == "install" ]; then | 360 elif [ "${TYPE}" == "install" ]; then |
| 350 resign_firmware_payload ${INPUT_IMAGE} | 361 resign_firmware_payload ${INPUT_IMAGE} |
| 351 update_rootfs_hash ${INPUT_IMAGE} \ | 362 update_rootfs_hash ${INPUT_IMAGE} \ |
| 352 ${KEY_DIR}/installer_kernel.keyblock \ | 363 ${KEY_DIR}/installer_kernel.keyblock \ |
| 353 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 364 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
| 354 sign_for_factory_install | 365 sign_for_factory_install |
| 355 else | 366 else |
| 356 echo "Invalid type ${TYPE}" | 367 echo "Invalid type ${TYPE}" |
| 357 exit 1 | 368 exit 1 |
| 358 fi | 369 fi |
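Review bot: The tag-clearing block added to `update_rootfs_hash` (new lines 125-134) does not check any of its mount steps, so a failed mount can leave the tag inside an image that is then hashed and signed. If `mount_image_partition_ro` fails, `has_needs_to_be_resigned_tag` looks at an empty temp directory and reports no tag. If the read-write remount fails, `sudo rm -f "${rootfs_dir}/${TAG_NEEDS_TO_BE_SIGNED}"` still succeeds, because `-f` hides the missing file. Unless the skipped part of the script enables `set -e` (not visible here), guard each step, e.g. `mount_image_partition "${image}" 3 "${rootfs_dir}" || return 1`, and confirm the tag is gone before unmounting. The block also unmounts by hand, whereas `resign_firmware_payload` uses `trap "sudo umount -d ${rootfs_dir}" RETURN`; an early return from a guarded step would otherwise leave partition 3 mounted.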