
Unified Diff: scripts/image_signing/sign_official_build.sh

Issue 6368064: Allow signing scripts to (optionally) set the firmware and kernel versions (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master
Patch Set: ws fix for real Created 9 years, 11 months ago
Index: scripts/image_signing/sign_official_build.sh
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 85d315fe2b236abf4c742dcdb8ecf054c519df51..3737d943c7d4643de08d6f6c287becfc4fe107cb 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -23,7 +23,7 @@
# Print usage string
usage() {
cat <<EOF
-Usage: $PROG <type> input_image /path/to/keys/dir [output_image]
+Usage: $PROG <type> input_image /path/to/keys/dir [output_image] [version_file]
where <type> is one of:
ssd (sign an SSD image)
recovery (sign a USB recovery image)
@@ -31,11 +31,16 @@ where <type> is one of:
usb (sign an image to boot directly from USB)
verify (verify an image including rootfs hashes)
-If you are signing an image, you must specify an [output_image].
+output_image: File name of the signed output image
+version_file: File name of where to read the kernel and firmware versions.
+
+If you are signing an image, you must specify an [output_image] and
+optionally, a [version_file].
+
EOF
}
-if [ $# -ne 3 ] && [ $# -ne 4 ]; then
+if [ $# -lt 3 ] || [ $# -gt 5 ]; then
usage
exit 1
fi
@@ -55,6 +60,10 @@ TYPE=$1
INPUT_IMAGE=$2
KEY_DIR=$3
OUTPUT_IMAGE=$4
+VERSION_FILE=$5
+
+FIRMWARE_VERSION=1
+KERNEL_VERSION=1
# Get current rootfs hash and kernel command line
# ARGS: IMAGE KERNELPART
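Review bot: The new defaults `FIRMWARE_VERSION=1` and `KERNEL_VERSION=1` have no comment, although they decide which version is signed into the image whenever the fifth argument is omitted. A line such as `# Defaults used when no version_file is given; a version file overrides them later in this script.` above the two assignments would make that explicit. It would also help to say there that the override happens only after argument validation, since the assignment and the override sit far apart in the file.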
@@ -125,7 +134,7 @@ update_rootfs_hash() {
local signprivate=$3 # Private key to use for signing.
local kernelpart=$4 # Kernel partition number to update (usually 2 or 4)
- echo "Updating rootfs hash and updating config for Kernel partition " \
+ echo "Updating rootfs hash and updating config for Kernel partition" \
"$kernelpart"
# check and clear need_to_resign tag
@@ -171,6 +180,7 @@ update_rootfs_hash() {
vbutil_kernel --repack ${updated_kimage} \
--keyblock ${keyblock} \
--signprivate ${signprivate} \
+ --version "${KERNEL_VERSION}" \
--oldblob ${temp_kimage} \
--config ${temp_config}
@@ -191,7 +201,7 @@ verify_image_rootfs() {
sudo e2fsck -fn "${rootfs_image}" ||
{ echo "Root file system has errors!" && exit 1;}
}
-
+
# Extracts the firmware update binaries from the a firmware update
# shell ball (generated by src/platform/firmware/pack_firmware.sh)
# Args: INPUT_SCRIPT OUTPUT_DIR
@@ -242,7 +252,7 @@ resign_firmware_payload() {
--hwid="$(cat ${KEY_DIR}/hwid)" \
${shellball_dir}/bios.bin ${temp_outfd}
else
- gbb_utility -s \
+ gbb_utility -s \
--rootkey=${KEY_DIR}/root_key.vbpubk \
--recoverykey=${KEY_DIR}/recovery_key.vbpubk \
${shellball_dir}/bios.bin ${temp_outfd}
@@ -251,7 +261,8 @@ resign_firmware_payload() {
${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
${KEY_DIR}/firmware_data_key.vbprivk \
${KEY_DIR}/firmware.keyblock \
- ${KEY_DIR}/kernel_subkey.vbpubk
+ ${KEY_DIR}/kernel_subkey.vbpubk \
+ ${FIRMWARE_VERSION}
# Replace MD5 checksum in the firmware update payload
newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ')
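Review bot: `${FIRMWARE_VERSION}` is passed to resign_firmwarefd.sh unquoted, while every `KERNEL_VERSION` use added in this commit is quoted. If the version file has no `firmware_version=` line the value is empty and the argument disappears entirely, so the helper presumably falls back to its own default instead of failing. A value containing whitespace would also be split into extra arguments. Write it as `"${FIRMWARE_VERSION}"`; the body of resign_firmware_payload starts and ends outside this hunk.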
@@ -329,7 +340,8 @@ EOF
sign_for_ssd() {
${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
${KEY_DIR}/kernel_data_key.vbprivk \
- ${KEY_DIR}/kernel.keyblock
+ ${KEY_DIR}/kernel.keyblock \
+ "${KERNEL_VERSION}"
echo "Signed SSD image output to ${OUTPUT_IMAGE}"
}
@@ -337,7 +349,8 @@ sign_for_ssd() {
sign_for_usb() {
${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
${KEY_DIR}/recovery_kernel_data_key.vbprivk \
- ${KEY_DIR}/recovery_kernel.keyblock
+ ${KEY_DIR}/recovery_kernel.keyblock \
+ "${KERNEL_VERSION}"
# Now generate the installer vblock with the SSD keys.
# The installer vblock is for KERN-A on direct boot images.
@@ -346,7 +359,8 @@ sign_for_usb() {
extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimagea}
${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimagea} ${temp_out_vb} \
${KEY_DIR}/kernel_data_key.vbprivk \
- ${KEY_DIR}/kernel.keyblock
+ ${KEY_DIR}/kernel.keyblock \
+ "${KERNEL_VERSION}"
# Copy the installer vblock to the stateful partition.
local stateful_dir=$(make_temp_dir)
@@ -365,7 +379,7 @@ sign_for_recovery() {
local kern_b_hash=$(sha1sum ${temp_kimageb} | cut -f1 -d' ')
temp_configa=$(make_temp_file)
- echo "$kern_a_config" |
+ echo "$kern_a_config" |
sed -e "s#\(kern_b_hash=\)[a-z0-9]*#\1${kern_b_hash}#" > ${temp_configa}
echo "New config for kernel partition 2 is"
cat $temp_configa
@@ -379,9 +393,10 @@ sign_for_recovery() {
vbutil_kernel --repack ${updated_kimagea} \
--keyblock ${KEY_DIR}/recovery_kernel.keyblock \
--signprivate ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
+ --version "${KERNEL_VERSION}" \
--oldblob ${temp_kimagea} \
--config ${temp_configa}
-
+
replace_image_partition ${OUTPUT_IMAGE} 2 ${updated_kimagea}
# Now generate the installer vblock with the SSD keys.
@@ -390,7 +405,8 @@ sign_for_recovery() {
extract_image_partition ${OUTPUT_IMAGE} 4 ${temp_kimageb}
${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimageb} ${temp_out_vb} \
${KEY_DIR}/kernel_data_key.vbprivk \
- ${KEY_DIR}/kernel.keyblock
+ ${KEY_DIR}/kernel.keyblock \
+ "${KERNEL_VERSION}"
# Copy the installer vblock to the stateful partition.
# TODO(gauravsh): Remove this if we get rid of the need to overwrite
@@ -407,7 +423,8 @@ sign_for_recovery() {
sign_for_factory_install() {
${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
${KEY_DIR}/installer_kernel_data_key.vbprivk \
- ${KEY_DIR}/installer_kernel.keyblock
+ ${KEY_DIR}/installer_kernel.keyblock \
+ "${KERNEL_VERSION}"
echo "Signed factory install image output to ${OUTPUT_IMAGE}"
}
@@ -423,6 +440,14 @@ if [ -z "${OUTPUT_IMAGE}" ]; then
exit 1
fi
+# If a version file was specified, read the firmware and kernel
+# versions from there.
+if [ -n "${VERSION_FILE}" ]; then
+ FIRMWARE_VERSION=$(sed -n 's#^firmware_version=\(.*\)#\1#pg' ${VERSION_FILE})
+ KERNEL_VERSION=$(sed -n 's#^kernel_version=\(.*\)#\1#pg' ${VERSION_FILE})
+fi
+echo "Using firmware version: ${FIRMWARE_VERSION}"
+echo "Using kernel version: ${KERNEL_VERSION}"
if [ "${TYPE}" == "ssd" ]; then
resign_firmware_payload ${INPUT_IMAGE}
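Review bot: The version-file block accepts whatever sed returns, so an unreadable file, a missing key, a duplicated key or a non-numeric value silently replaces the default of 1 with an empty or malformed string, which is then signed into the image through `--version` and the resign helpers. `${VERSION_FILE}` is also unquoted in both sed calls, so a path with spaces breaks the read. Because the signed version is what rollback protection depends on, the script should fail closed here: check that the file is readable and require both values to be plain decimal numbers before any signing step runs. The `if [ "${TYPE}" == "ssd" ]` chain at the end of the hunk continues outside it.

```shell
if [ -n "${VERSION_FILE}" ]; then
  if [ ! -r "${VERSION_FILE}" ]; then
    echo "Cannot read version file: ${VERSION_FILE}" >&2
    exit 1
  fi
  FIRMWARE_VERSION=$(sed -n 's#^firmware_version=\(.*\)#\1#pg' "${VERSION_FILE}")
  KERNEL_VERSION=$(sed -n 's#^kernel_version=\(.*\)#\1#pg' "${VERSION_FILE}")
fi
# Reject empty, multi-line or non-decimal values before anything is signed.
for version in "${FIRMWARE_VERSION}" "${KERNEL_VERSION}"; do
  case "${version}" in
    ''|*[!0-9]*)
      echo "Invalid version value: '${version}'" >&2
      exit 1
      ;;
  esac
done
# … unchanged: the two "Using … version" echo lines …
```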