Allow signing scripts to (optionally) set the firmware and kernel versions

scripts/image_signing/sign_official_build.sh

 #!/bin/bash
 
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Sign the final build image using the "official" keys.
 #
 # Prerequisite tools needed in the system path:
 #
 #  gbb_utility (from src/platform/vboot_reference)
 #  vbutil_kernel (from src/platform/vboot_reference)
 #  cgpt (from src/platform/vboot_reference)
 #  dump_kernel_config (from src/platform/vboot_reference)
 #  verity (from src/platform/verity)
 #  load_kernel_test (from src/platform/vboot_reference)
 #  dumpe2fs
 #  sha1sum
 
 # Load common constants and variables.
 . "$(dirname "$0")/common.sh"
 
 # Print usage string
 usage() {
   cat <<EOF
-Usage: $PROG <type> input_image /path/to/keys/dir [output_image]
+Usage: $PROG <type> input_image /path/to/keys/dir [output_image] [version_file]
 where <type> is one of:
              ssd  (sign an SSD image)
              recovery (sign a USB recovery image)
              install (sign a factory install image)
              usb  (sign an image to boot directly from USB)
              verify (verify an image including rootfs hashes)
 
-If you are signing an image, you must specify an [output_image].
+output_image: File name of the signed output image
+version_file: File name of where to read the kernel and firmware versions.
+
+If you are signing an image, you must specify an [output_image] and
+optionally, a [version_file].
+
 EOF
 }
 
-if [ $# -ne 3 ] && [ $# -ne 4 ]; then
+if [ $# -lt 3 ] || [ $# -gt 5 ]; then
   usage
   exit 1
 fi
 
 # Abort on errors.
 set -e
 
 # Make sure the tools we need are available.
 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \
   load_kernel_test dumpe2fs sha1sum e2fsck;
 do
   type -P "${prereqs}" &>/dev/null || \
     { echo "${prereqs} tool not found."; exit 1; }
 done
 
 TYPE=$1
 INPUT_IMAGE=$2
 KEY_DIR=$3
 OUTPUT_IMAGE=$4
+VERSION_FILE=$5
+
+FIRMWARE_VERSION=1
+KERNEL_VERSION=1
 
 # Get current rootfs hash and kernel command line
 # ARGS: IMAGE KERNELPART
 grab_kernel_config() {
   local image=$1
   local kernelpart=$2  # Kernel partition number to grab.
   # Grab the existing kernel partition and get the kernel config.
   temp_kimage=$(make_temp_file)
   extract_image_partition ${image} ${kernelpart} ${temp_kimage}
   dump_kernel_config ${temp_kimage}
@@ skipping 50 matching lines @@
 }
 
 # Re-calculate rootfs hash, update rootfs and kernel command line.
 # Args: IMAGE KEYBLOCK PRIVATEKEY KERNELPART
 update_rootfs_hash() {
   local image=$1  # Input image.
   local keyblock=$2  # Keyblock for re-generating signed kernel partition
   local signprivate=$3  # Private key to use for signing.
   local kernelpart=$4  # Kernel partition number to update (usually 2 or 4)
 
-  echo "Updating rootfs hash and updating config for Kernel partition " \
+  echo "Updating rootfs hash and updating config for Kernel partition" \
     "$kernelpart"
 
   # check and clear need_to_resign tag
   local rootfs_dir=$(make_temp_dir)
   mount_image_partition_ro "${image}" 3 "${rootfs_dir}"
   if has_needs_to_be_resigned_tag "${rootfs_dir}"; then
     # remount as RW
     sudo umount -d "${rootfs_dir}"
     mount_image_partition "${image}" 3 "${rootfs_dir}"
     sudo rm -f "${rootfs_dir}/${TAG_NEEDS_TO_BE_SIGNED}"
@@ skipping 25 matching lines @@
   dd if=${hash_image} of=${rootfs_image} bs=512 \
     seek=${rootfs_sectors} conv=notrunc
 
   local temp_kimage=$(make_temp_file)
   extract_image_partition ${image} ${kernelpart} ${temp_kimage}
   # Re-calculate kernel partition signature and command line.
   local updated_kimage=$(make_temp_file)
   vbutil_kernel --repack ${updated_kimage} \
     --keyblock ${keyblock} \
     --signprivate ${signprivate} \
+    --version "${KERNEL_VERSION}" \
     --oldblob ${temp_kimage} \
     --config ${temp_config}
 
   replace_image_partition ${image} ${kernelpart} ${updated_kimage}
   replace_image_partition ${image} 3 ${rootfs_image}
 }
 
 # Do a sanity check on the image's rootfs
 # ARGS: Image
 verify_image_rootfs() {
   local image=$1
   local rootfs_image=$(make_temp_file)
   extract_image_partition ${image} 3 ${rootfs_image}
   # This flips the read-only compatibility flag, so that e2fsck does not
   # complain about unknown file system capabilities.
   enable_rw_mount ${rootfs_image}
   echo "Running e2fsck to check root file system for errors"
   sudo e2fsck -fn "${rootfs_image}" ||
     { echo "Root file system has errors!" && exit 1;}
 }
-  
+
 # Extracts the firmware update binaries from the a firmware update
 # shell ball (generated by src/platform/firmware/pack_firmware.sh)
 # Args: INPUT_SCRIPT OUTPUT_DIR
 get_firmwarebin_from_shellball() {
   local input=$1
   local output_dir=$2
   if [ -s "${input}" ]; then
     uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
       { echo "Extracting firmware autoupdate failed." && exit 1; }
   else
@@ skipping 30 matching lines @@
   # Replace the root key in the GBB
   # TODO(gauravsh): Remove when we lock down the R/O portion of firmware.
   if [ -e "${KEY_DIR}/hwid" ]; then
     # Only update the hwid if we see one in the key directory.
     gbb_utility -s \
       --rootkey=${KEY_DIR}/root_key.vbpubk \
       --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
       --hwid="$(cat ${KEY_DIR}/hwid)" \
       ${shellball_dir}/bios.bin ${temp_outfd}
   else
-        gbb_utility -s \
+    gbb_utility -s \
       --rootkey=${KEY_DIR}/root_key.vbpubk \
       --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
       ${shellball_dir}/bios.bin ${temp_outfd}
   fi
   # Resign the firmware with new keys
   ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
     ${KEY_DIR}/firmware_data_key.vbprivk \
     ${KEY_DIR}/firmware.keyblock \
-    ${KEY_DIR}/kernel_subkey.vbpubk
+    ${KEY_DIR}/kernel_subkey.vbpubk \
+    ${FIRMWARE_VERSION}
 
   # Replace MD5 checksum in the firmware update payload
   newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ')
   temp_version=$(make_temp_file)
   cat ${shellball_dir}/VERSION |
   sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version}
   sudo cp ${temp_version} ${shellball_dir}/VERSION
 
   # Re-generate firmware_update.tgz and copy over encoded archive in
   # the original shell ball.
@@ skipping 57 matching lines @@
 
   verify_image_rootfs "${INPUT_IMAGE}"
 
   # TODO(gauravsh): Check embedded firmware AU signatures.
 }
 
 # Generate the SSD image
 sign_for_ssd() {
   ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
     ${KEY_DIR}/kernel_data_key.vbprivk \
-    ${KEY_DIR}/kernel.keyblock
+    ${KEY_DIR}/kernel.keyblock \
+    "${KERNEL_VERSION}"
   echo "Signed SSD image output to ${OUTPUT_IMAGE}"
 }
 
 # Generate the USB image (direct boot)
 sign_for_usb() {
   ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
     ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
-    ${KEY_DIR}/recovery_kernel.keyblock
+    ${KEY_DIR}/recovery_kernel.keyblock \
+    "${KERNEL_VERSION}"
 
   # Now generate the installer vblock with the SSD keys.
   # The installer vblock is for KERN-A on direct boot images.
   temp_kimagea=$(make_temp_file)
   temp_out_vb=$(make_temp_file)
   extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimagea}
   ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimagea} ${temp_out_vb} \
     ${KEY_DIR}/kernel_data_key.vbprivk \
-    ${KEY_DIR}/kernel.keyblock
+    ${KEY_DIR}/kernel.keyblock \
+    "${KERNEL_VERSION}"
 
   # Copy the installer vblock to the stateful partition.
   local stateful_dir=$(make_temp_dir)
   mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir}
   sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock
 
   echo "Signed USB image output to ${OUTPUT_IMAGE}"
 }
 
 # Generate the USB (recovery + install) image
 sign_for_recovery() {
   # Update the Kernel B hash in Kernel A command line
   temp_kimageb=$(make_temp_file)
   extract_image_partition ${INPUT_IMAGE} 4 ${temp_kimageb}
   local kern_a_config=$(grab_kernel_config "${INPUT_IMAGE}" 2)
   local kern_b_hash=$(sha1sum ${temp_kimageb} | cut -f1 -d' ')
 
   temp_configa=$(make_temp_file)
-  echo "$kern_a_config" | 
+  echo "$kern_a_config" |
     sed -e "s#\(kern_b_hash=\)[a-z0-9]*#\1${kern_b_hash}#" > ${temp_configa}
   echo "New config for kernel partition 2 is"
   cat $temp_configa
 
   # Make a copy of the input image
   cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
   local temp_kimagea=$(make_temp_file)
   extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimagea}
   # Re-calculate kernel partition signature and command line.
   local updated_kimagea=$(make_temp_file)
   vbutil_kernel --repack ${updated_kimagea} \
     --keyblock ${KEY_DIR}/recovery_kernel.keyblock \
     --signprivate ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
+    --version "${KERNEL_VERSION}" \
     --oldblob ${temp_kimagea} \
     --config ${temp_configa}
-  
+
   replace_image_partition ${OUTPUT_IMAGE} 2 ${updated_kimagea}
 
   # Now generate the installer vblock with the SSD keys.
   # The installer vblock is for KERN-B on recovery images.
   temp_out_vb=$(make_temp_file)
   extract_image_partition ${OUTPUT_IMAGE} 4 ${temp_kimageb}
   ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimageb} ${temp_out_vb} \
     ${KEY_DIR}/kernel_data_key.vbprivk \
-    ${KEY_DIR}/kernel.keyblock
+    ${KEY_DIR}/kernel.keyblock \
+    "${KERNEL_VERSION}"
 
   # Copy the installer vblock to the stateful partition.
   # TODO(gauravsh): Remove this if we get rid of the need to overwrite
   # the vblock during installs. Kern B could directly be signed by the
   # SSD keys.
   local stateful_dir=$(make_temp_dir)
   mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir}
   sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock
 
   echo "Signed recovery image output to ${OUTPUT_IMAGE}"
 }
 
 # Generate the factory install image.
 sign_for_factory_install() {
   ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
     ${KEY_DIR}/installer_kernel_data_key.vbprivk \
-    ${KEY_DIR}/installer_kernel.keyblock
+    ${KEY_DIR}/installer_kernel.keyblock \
+    "${KERNEL_VERSION}"
   echo "Signed factory install image output to ${OUTPUT_IMAGE}"
 }
 
 # Verification
 if [ "${TYPE}" == "verify" ]; then
   verify_image
   exit 0
 fi
 
 # Signing requires an output image name
 if [ -z "${OUTPUT_IMAGE}" ]; then
   usage
   exit 1
 fi
 
+# If a version file was specified, read the firmware and kernel
+# versions from there.
+if [ -n "${VERSION_FILE}" ]; then
+  FIRMWARE_VERSION=$(sed -n 's#^firmware_version=\(.*\)#\1#pg' ${VERSION_FILE})
+  KERNEL_VERSION=$(sed -n 's#^kernel_version=\(.*\)#\1#pg' ${VERSION_FILE})
+fi
+echo "Using firmware version: ${FIRMWARE_VERSION}"
+echo "Using kernel version: ${KERNEL_VERSION}"
 
 if [ "${TYPE}" == "ssd" ]; then
   resign_firmware_payload ${INPUT_IMAGE}
   update_rootfs_hash ${INPUT_IMAGE} \
     ${KEY_DIR}/kernel.keyblock \
     ${KEY_DIR}/kernel_data_key.vbprivk \
     2
   sign_for_ssd
 elif [ "${TYPE}" == "usb" ]; then
   resign_firmware_payload ${INPUT_IMAGE}
@@ skipping 18 matching lines @@
   resign_firmware_payload ${INPUT_IMAGE}
   update_rootfs_hash ${INPUT_IMAGE} \
     ${KEY_DIR}/installer_kernel.keyblock \
     ${KEY_DIR}/installer_kernel_data_key.vbprivk \
     2
   sign_for_factory_install
 else
   echo "Invalid type ${TYPE}"
   exit 1
 fi