make_dev_ssd: new script to change SSD image to dev key

scripts/image_signing/make_dev_firmware.sh

Index: scripts/image_signing/make_dev_firmware.sh
diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh
index aec2b8d3048abfe186e608b942e68bebee6302e0..b8bf6e9298fd117f2fcfce2bee7b909211d17657 100755
--- a/scripts/image_signing/make_dev_firmware.sh
+++ b/scripts/image_signing/make_dev_firmware.sh
@@ -5,19 +5,23 @@
 # found in the LICENSE file.
 #
 # This script can change key (usually developer keys) in a firmware binary
-# image or system live firmware, and assign proper HWID, BMPFV as well.
+# image or system live firmware (EEPROM), and assign proper HWID, BMPFV as well.
 
 SCRIPT_BASE="$(dirname "$0")"
 . "$SCRIPT_BASE/common.sh"
+load_shflags || exit 1
 
 # Constants used by DEFINE_*
+VBOOT_BASE='/usr/share/vboot'
+DEFAULT_KEYS_FOLDER="$VBOOT_BASE/devkeys"
+DEFAULT_BMPFV_FILE="$DEFAULT_KEYS_FOLDER/firmware_bmpfv.bin"
 DEFAULT_BACKUP_FOLDER='/mnt/stateful_partition/backups'
 
 # DEFINE_string name default_value description flag
 DEFINE_string from "" "Path of input file (empty for system live firmware)" "f"
 DEFINE_string to "" "Path of output file (empty for system live firmware)" "t"
-DEFINE_string keys "$SCRIPT_BASE/keys" "Path of folder of dev keys" "k"
-DEFINE_string bmpfv "$SCRIPT_BASE/rsrc/bmpfv.bin" "Path to the new bitmap FV" ""
+DEFINE_string keys "$DEFAULT_KEYS_FOLDER" "Path to folder of dev keys" "k"
+DEFINE_string bmpfv "$DEFAULT_BMPFV_FILE" "Path to the new bitmap FV" ""
 DEFINE_boolean force_backup \
   $FLAGS_TRUE "Create backup even if source is not live" ""
 DEFINE_string backup_dir \
@@ -33,10 +37,10 @@ eval set -- "$FLAGS_ARGV"
 set -e
 
 # the image we are (temporary) working with
-IMAGE=$(make_temp_file)
+IMAGE="$(make_temp_file)"
 
 # a log file to keep the output results of executed command
-EXEC_LOG=$(make_temp_file)
+EXEC_LOG="$(make_temp_file)"
 
 # Functions
 # ----------------------------------------------------------------------------
@@ -77,6 +81,7 @@ read_image() {
 write_image() {
   if [ -z "$FLAGS_to" ]; then
     echo "Writing system live firmware..."
+    # TODO(hungte) we can enable partial write to make this faster
     if is_debug_mode; then
       flashrom -V -w "$IMAGE"
     else
@@ -96,6 +101,8 @@ echo_dev_hwid() {
 
   # NOTE: Some DEV firmware image files may put GUID in HWID.
   # These are not officially supported and they will see "{GUID} DEV".
+  # Also there's some length limitation in chromeos_acpi/HWID, so
+  # a "{GUID} DEV" will become "{GUID} " in that case.
 
   if [ "$hwid" != "$hwid_no_dev" ]; then
     hwid="$hwid_no_dev"
@@ -105,21 +112,6 @@ echo_dev_hwid() {
   echo "$hwid_dev"
 }
 
-# Checks if the files given by parameters all exist.
-check_exist_or_die() {
-  local file is_success=$FLAGS_TRUE
-  for file in "$@"; do
-    if [ ! -s "$file" ]; then
-      echo "ERROR: Cannot find required file: $file"
-      is_success=$FLAGS_FALSE
-    fi
-  done
-
-  if [ "$is_success" = $FLAGS_FALSE ]; then
-    exit 1
-  fi
-}
-
 # Main
 # ----------------------------------------------------------------------------
 main() {
@@ -133,19 +125,20 @@ main() {
   local is_from_live=0
   local backup_image=
 
-  debug_msg "Pre-requisition check"
-  check_exist_or_die \
+  debug_msg "Prerequisite check"
+  ensure_files_exist \
     "$root_pubkey" \
     "$recovery_pubkey" \
     "$firmware_keyblock" \
     "$firmware_prvkey" \
     "$kernel_sub_pubkey" \
-    "$new_bmpfv"
+    "$new_bmpfv" ||
+    exit 1
 
   if [ -z "$FLAGS_from" ]; then
     is_from_live=1
   else
-    check_exist_or_die "$FLAGS_from"
+    ensure_files_exist "$FLAGS_from"
   fi
 
   # TODO(hungte) check if GPIO.3 (WP) is enabled
@@ -156,27 +149,26 @@ main() {
 
   debug_msg "Prepare to backup the file"
   if [ -n "$is_from_live" -o $FLAGS_force_backup = $FLAGS_TRUE ]; then
-    backup_image=$(make_temp_file)
+    backup_image="$(make_temp_file)"
     debug_msg "Creating backup file to $backup_image..."
     cp -f "$IMAGE" "$backup_image"
   fi
 
   # TODO(hungte) We can use vbutil_firmware to check if the current firmware is
-  # valid, so that we can know both they key, vbutil_firmware are working fine.
+  # valid so that we know keys and vbutil_firmware are all working fine.
 
   echo "Preparing new firmware image..."
-
   debug_msg "Extract current HWID and rootkey"
   local old_hwid
-  old_hwid=$(gbb_utility --get --hwid "$IMAGE" 2>"$EXEC_LOG" |
-             grep '^hardware_id:' |
-             sed 's/^hardware_id: //')
+  old_hwid="$(gbb_utility --get --hwid "$IMAGE" 2>"$EXEC_LOG" |
+              grep '^hardware_id:' |
+              sed 's/^hardware_id: //')"
 
   debug_msg "Decide new HWID"
   if [ -z "$old_hwid" ]; then
     err_die "Cannot find current HWID. (message: $(cat "$EXEC_LOG"))"
   fi
-  local new_hwid=$(echo_dev_hwid "$old_hwid")
+  local new_hwid="$(echo_dev_hwid "$old_hwid")"
 
   debug_msg "Replace GBB parts (gbb_utility allows changing on-the-fly)"
   gbb_utility --set \
@@ -188,7 +180,7 @@ main() {
     err_die "Failed to change GBB Data. (message: $(cat "$EXEC_LOG"))"
 
   debug_msg "Resign the firmware code (A/B) with new keys"
-  local unsigned_image=$(make_temp_file)
+  local unsigned_image="$(make_temp_file)"
   cp -f "$IMAGE" "$unsigned_image"
   "$SCRIPT_BASE/resign_firmwarefd.sh" \
     "$unsigned_image" \
@@ -200,21 +192,22 @@ main() {
 
   # TODO(hungte) compare if the image really needs to be changed.
 
-  debug_msg "Backup files when reading from system live image."
+  debug_msg "Check if we need to make backup file(s)"
   if [ -n "$backup_image" ]; then
-    local backup_hwid_name=$(echo "$old_hwid" | sed 's/ /_/g')
-    local backup_date_time=$(date +'%Y%m%d_%H%M%S')
+    local backup_hwid_name="$(echo "$old_hwid" | sed 's/ /_/g')"
+    local backup_date_time="$(date +'%Y%m%d_%H%M%S')"
     local backup_file_name="firmware_${backup_hwid_name}_${backup_date_time}.fd"
     local backup_file_path="$FLAGS_backup_dir/$backup_file_name"
     if mkdir -p "$FLAGS_backup_dir" &&
        cp -f "$backup_image" "$backup_file_path"; then
       echo "Backup of current firmware image is stored in: $backup_file_path"
     else
-      echo "Cannot create file in $FLAGS_backup_dir... Ignore backups."
+      echo "WARNING: Cannot create file in $FLAGS_backup_dir... Ignore backups."
     fi
   fi
 
   # TODO(hungte) use vbutil_firmware to check if the new firmware is valid.
+  # Or, do verification in resign_firmwarefd.sh and trust it.
 
   debug_msg "Write the image"
   write_image ||
@@ -224,7 +217,7 @@ main() {
   if [ -z "$FLAGS_to" ]; then
     echo "Successfully changed firmware to Developer Keys. New HWID: $new_hwid"
   else
-    echo "Firmware image '$FLAGS_to' now uses Developer Keys. HWID: $new_hwid"
+    echo "Firmware '$FLAGS_to' now uses Developer Keys. New HWID: $new_hwid"
   fi
 }