OLD | NEW |
1 #!/bin/bash | 1 #!/bin/bash |
2 | 2 |
3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
8 # | 8 # |
9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
10 # | 10 # |
(...skipping 104 matching lines...)
115 } | 115 } |
116 | 116 |
117 # Re-calculate rootfs hash, update rootfs and kernel command line. | 117 # Re-calculate rootfs hash, update rootfs and kernel command line. |
118 # Args: IMAGE KEYBLOCK PRIVATEKEY | 118 # Args: IMAGE KEYBLOCK PRIVATEKEY |
119 update_rootfs_hash() { | 119 update_rootfs_hash() { |
120 echo "Recalculating rootfs" | 120 echo "Recalculating rootfs" |
121 local image=$1 # Input image. | 121 local image=$1 # Input image. |
122 local keyblock=$2 # Keyblock for re-generating signed kernel partition | 122 local keyblock=$2 # Keyblock for re-generating signed kernel partition |
123 local signprivate=$3 # Private key to use for signing. | 123 local signprivate=$3 # Private key to use for signing. |
124 | 124 |
| 125 # check and clear need_to_resign tag |
| 126 local rootfs_dir=$(make_temp_dir) |
| 127 mount_image_partition_ro "${image}" 3 "${rootfs_dir}" |
| 128 if has_needs_to_be_resigned_tag "${rootfs_dir}"; then |
| 129 # remount as RW |
| 130 sudo umount -d "${rootfs_dir}" |
| 131 mount_image_partition "${image}" 3 "${rootfs_dir}" |
| 132 sudo rm -f "${rootfs_dir}/${TAG_NEEDS_TO_BE_SIGNED}" |
| 133 fi |
| 134 sudo umount -d "${rootfs_dir}" |
| 135 |
125 local rootfs_image=$(make_temp_file) | 136 local rootfs_image=$(make_temp_file) |
126 extract_image_partition ${image} 3 ${rootfs_image} | 137 extract_image_partition ${image} 3 ${rootfs_image} |
127 local kernel_config=$(grab_kernel_config "${image}") | 138 local kernel_config=$(grab_kernel_config "${image}") |
128 local hash_image=$(make_temp_file) | 139 local hash_image=$(make_temp_file) |
129 | 140 |
130 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ | 141 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
131 "${kernel_config}" "${hash_image}") | 142 "${kernel_config}" "${hash_image}") |
132 | 143 |
133 local rootfs_blocks=$(sudo dumpe2fs "${rootfs_image}" 2> /dev/null | | 144 local rootfs_blocks=$(sudo dumpe2fs "${rootfs_image}" 2> /dev/null | |
134 grep "Block count" | | 145 grep "Block count" | |
(...skipping 38 matching lines...)
173 # Re-sign the firmware AU payload inside the image rootfs with a new keys. | 184 # Re-sign the firmware AU payload inside the image rootfs with a new keys. |
174 # Args: IMAGE | 185 # Args: IMAGE |
175 resign_firmware_payload() { | 186 resign_firmware_payload() { |
176 local image=$1 | 187 local image=$1 |
177 | 188 |
178 # Grab firmware image from the autoupdate shellball. | 189 # Grab firmware image from the autoupdate shellball. |
179 local rootfs_dir=$(make_temp_dir) | 190 local rootfs_dir=$(make_temp_dir) |
180 mount_image_partition ${image} 3 ${rootfs_dir} | 191 mount_image_partition ${image} 3 ${rootfs_dir} |
181 # Force unmount of the rootfs on function exit as it is needed later. | 192 # Force unmount of the rootfs on function exit as it is needed later. |
182 trap "sudo umount -d ${rootfs_dir}" RETURN | 193 trap "sudo umount -d ${rootfs_dir}" RETURN |
183 | 194 |
184 local shellball_dir=$(make_temp_dir) | 195 local shellball_dir=$(make_temp_dir) |
185 # get_firmwarebin_from_shellball can fail if the image has no | 196 # get_firmwarebin_from_shellball can fail if the image has no |
186 # firmware update. | 197 # firmware update. |
187 get_firmwarebin_from_shellball \ | 198 get_firmwarebin_from_shellball \ |
188 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \ | 199 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \ |
189 { echo "Didn't find a firmware update. Not signing firmware." | 200 { echo "Didn't find a firmware update. Not signing firmware." |
190 return; } | 201 return; } |
191 echo "Found a valid firmware update shellball." | 202 echo "Found a valid firmware update shellball." |
192 | 203 |
193 temp_outfd=$(make_temp_file) | 204 temp_outfd=$(make_temp_file) |
(...skipping 155 matching lines...)
349 elif [ "${TYPE}" == "install" ]; then | 360 elif [ "${TYPE}" == "install" ]; then |
350 resign_firmware_payload ${INPUT_IMAGE} | 361 resign_firmware_payload ${INPUT_IMAGE} |
351 update_rootfs_hash ${INPUT_IMAGE} \ | 362 update_rootfs_hash ${INPUT_IMAGE} \ |
352 ${KEY_DIR}/installer_kernel.keyblock \ | 363 ${KEY_DIR}/installer_kernel.keyblock \ |
353 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 364 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
354 sign_for_factory_install | 365 sign_for_factory_install |
355 else | 366 else |
356 echo "Invalid type ${TYPE}" | 367 echo "Invalid type ${TYPE}" |
357 exit 1 | 368 exit 1 |
358 fi | 369 fi |
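Review bot: In update_rootfs_hash, the new tag-clearing block (new lines 126-134) checks the result of neither mount call, and `sudo rm -f` exits 0 even when the file is absent, so a failed read-write remount would leave the tag inside a rootfs that is then hashed and signed. Unless the script already runs under `set -e` in the lines not shown, guard the remount with `mount_image_partition "${image}" 3 "${rootfs_dir}" || return 1` and confirm the tag is gone before the final unmount. The block also leaves the partition mounted if anything fails between the mount and `sudo umount -d`; resign_firmware_payload handles that case with `trap ... RETURN`, and the same pattern would fit here. The body of update_rootfs_hash continues past the visible lines.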