| OLD | NEW |
|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
| 8 # | 8 # |
| 9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
| 10 # | 10 # |
| (...skipping 320 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 331 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode ON): " && \ | 331 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode ON): " && \ |
| 332 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 1 >/dev/null 2>&1 && \ | 332 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 1 >/dev/null 2>&1 && \ |
| 333 echo "YES"; } || echo "NO" | 333 echo "YES"; } || echo "NO" |
| 334 set -e | 334 set -e |
| 335 | 335 |
| 336 verify_image_rootfs "${INPUT_IMAGE}" | 336 verify_image_rootfs "${INPUT_IMAGE}" |
| 337 | 337 |
| 338 # TODO(gauravsh): Check embedded firmware AU signatures. | 338 # TODO(gauravsh): Check embedded firmware AU signatures. |
| 339 } | 339 } |
| 340 | 340 |
| 341 # Sign the kernel partition on an image using the given keys. Modifications are |
| 342 # made in-place. |
| 343 # Args: src_bin kernel_datakey kernel_keyblock kernel_version |
| 344 sign_image_inplace() { |
| 345 src_bin=$1 |
| 346 kernel_datakey=$2 |
| 347 kernel_keyblock=$3 |
| 348 kernel_version=$4 |
| 349 |
| 350 temp_kimage=$(make_temp_file) |
| 351 extract_image_partition ${src_bin} 2 ${temp_kimage} |
| 352 updated_kimage=$(make_temp_file) |
| 353 |
| 354 vbutil_kernel --repack "${updated_kimage}" \ |
| 355 --keyblock "${kernel_keyblock}" \ |
| 356 --signprivate "${kernel_datakey}" \ |
| 357 --version "${kernel_version}" \ |
| 358 --oldblob "${temp_kimage}" |
| 359 replace_image_partition ${src_bin} 2 ${updated_kimage} |
| 360 } |
| 361 |
| 341 # Generate the SSD image | 362 # Generate the SSD image |
| 363 # Args: image_bin |
| 342 sign_for_ssd() { | 364 sign_for_ssd() { |
| 343 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 365 image_bin=$1 |
| 344 ${KEY_DIR}/kernel_data_key.vbprivk \ | 366 sign_image_inplace ${image_bin} ${KEY_DIR}/kernel_data_key.vbprivk \ |
| 345 ${KEY_DIR}/kernel.keyblock \ | 367 ${KEY_DIR}/kernel.keyblock \ |
| 346 "${KERNEL_VERSION}" | 368 "${KERNEL_VERSION}" |
| 347 echo "Signed SSD image output to ${OUTPUT_IMAGE}" | 369 echo "Signed SSD image output to ${image_bin}" |
| 348 } | 370 } |
| 349 | 371 |
| 350 # Generate the USB image (direct boot) | 372 # Generate the USB image (direct boot) |
| 351 sign_for_usb() { | 373 sign_for_usb() { |
| 352 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 374 image_bin=$1 |
| 353 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 375 sign_image_inplace ${image_bin} ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
| 354 ${KEY_DIR}/recovery_kernel.keyblock \ | 376 ${KEY_DIR}/recovery_kernel.keyblock \ |
| 355 "${KERNEL_VERSION}" | 377 "${KERNEL_VERSION}" |
| 356 | 378 |
| 357 # Now generate the installer vblock with the SSD keys. | 379 # Now generate the installer vblock with the SSD keys. |
| 358 # The installer vblock is for KERN-A on direct boot images. | 380 # The installer vblock is for KERN-A on direct boot images. |
| 359 temp_kimagea=$(make_temp_file) | 381 temp_kimagea=$(make_temp_file) |
| 360 temp_out_vb=$(make_temp_file) | 382 temp_out_vb=$(make_temp_file) |
| 361 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimagea} | 383 extract_image_partition ${image_bin} 2 ${temp_kimagea} |
| 362 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimagea} ${temp_out_vb} \ | 384 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimagea} ${temp_out_vb} \ |
| 363 ${KEY_DIR}/kernel_data_key.vbprivk \ | 385 ${KEY_DIR}/kernel_data_key.vbprivk \ |
| 364 ${KEY_DIR}/kernel.keyblock \ | 386 ${KEY_DIR}/kernel.keyblock \ |
| 365 "${KERNEL_VERSION}" | 387 "${KERNEL_VERSION}" |
| 366 | 388 |
| 367 # Copy the installer vblock to the stateful partition. | 389 # Copy the installer vblock to the stateful partition. |
| 368 local stateful_dir=$(make_temp_dir) | 390 local stateful_dir=$(make_temp_dir) |
| 369 mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir} | 391 mount_image_partition ${image_bin} 1 ${stateful_dir} |
| 370 sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock | 392 sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock |
| 371 | 393 |
| 372 echo "Signed USB image output to ${OUTPUT_IMAGE}" | 394 echo "Signed USB image output to ${image_bin}" |
| 373 } | 395 } |
| 374 | 396 |
| 375 # Generate the USB (recovery + install) image | 397 # Generate the USB (recovery + install) image |
| 398 # Args: image_bin |
| 376 sign_for_recovery() { | 399 sign_for_recovery() { |
| 400 image_bin=$1 |
| 377 # Update the Kernel B hash in Kernel A command line | 401 # Update the Kernel B hash in Kernel A command line |
| 378 temp_kimageb=$(make_temp_file) | 402 temp_kimageb=$(make_temp_file) |
| 379 extract_image_partition ${INPUT_IMAGE} 4 ${temp_kimageb} | 403 extract_image_partition ${image_bin} 4 ${temp_kimageb} |
| 380 local kern_a_config=$(grab_kernel_config "${INPUT_IMAGE}" 2) | 404 local kern_a_config=$(grab_kernel_config "${image_bin}" 2) |
| 381 local kern_b_hash=$(sha1sum ${temp_kimageb} | cut -f1 -d' ') | 405 local kern_b_hash=$(sha1sum ${temp_kimageb} | cut -f1 -d' ') |
| 382 | 406 |
| 383 temp_configa=$(make_temp_file) | 407 temp_configa=$(make_temp_file) |
| 384 echo "$kern_a_config" | | 408 echo "$kern_a_config" | |
| 385 sed -e "s#\(kern_b_hash=\)[a-z0-9]*#\1${kern_b_hash}#" > ${temp_configa} | 409 sed -e "s#\(kern_b_hash=\)[a-z0-9]*#\1${kern_b_hash}#" > ${temp_configa} |
| 386 echo "New config for kernel partition 2 is" | 410 echo "New config for kernel partition 2 is" |
| 387 cat $temp_configa | 411 cat $temp_configa |
| 388 | 412 |
| 389 # Make a copy of the input image | |
| 390 cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" | |
| 391 local temp_kimagea=$(make_temp_file) | 413 local temp_kimagea=$(make_temp_file) |
| 392 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimagea} | 414 extract_image_partition ${image_bin} 2 ${temp_kimagea} |
| 393 # Re-calculate kernel partition signature and command line. | 415 # Re-calculate kernel partition signature and command line. |
| 394 local updated_kimagea=$(make_temp_file) | 416 local updated_kimagea=$(make_temp_file) |
| 395 vbutil_kernel --repack ${updated_kimagea} \ | 417 vbutil_kernel --repack ${updated_kimagea} \ |
| 396 --keyblock ${KEY_DIR}/recovery_kernel.keyblock \ | 418 --keyblock ${KEY_DIR}/recovery_kernel.keyblock \ |
| 397 --signprivate ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 419 --signprivate ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
| 398 --version "${KERNEL_VERSION}" \ | 420 --version "${KERNEL_VERSION}" \ |
| 399 --oldblob ${temp_kimagea} \ | 421 --oldblob ${temp_kimagea} \ |
| 400 --config ${temp_configa} | 422 --config ${temp_configa} |
| 401 | 423 |
| 402 replace_image_partition ${OUTPUT_IMAGE} 2 ${updated_kimagea} | 424 replace_image_partition ${image_bin} 2 ${updated_kimagea} |
| 403 | 425 |
| 404 # Now generate the installer vblock with the SSD keys. | 426 # Now generate the installer vblock with the SSD keys. |
| 405 # The installer vblock is for KERN-B on recovery images. | 427 # The installer vblock is for KERN-B on recovery images. |
| 406 temp_out_vb=$(make_temp_file) | 428 temp_out_vb=$(make_temp_file) |
| 407 extract_image_partition ${OUTPUT_IMAGE} 4 ${temp_kimageb} | 429 extract_image_partition ${image_bin} 4 ${temp_kimageb} |
| 408 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimageb} ${temp_out_vb} \ | 430 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimageb} ${temp_out_vb} \ |
| 409 ${KEY_DIR}/kernel_data_key.vbprivk \ | 431 ${KEY_DIR}/kernel_data_key.vbprivk \ |
| 410 ${KEY_DIR}/kernel.keyblock \ | 432 ${KEY_DIR}/kernel.keyblock \ |
| 411 "${KERNEL_VERSION}" | 433 "${KERNEL_VERSION}" |
| 412 | 434 |
| 413 # Copy the installer vblock to the stateful partition. | 435 # Copy the installer vblock to the stateful partition. |
| 414 # TODO(gauravsh): Remove this if we get rid of the need to overwrite | 436 # TODO(gauravsh): Remove this if we get rid of the need to overwrite |
| 415 # the vblock during installs. Kern B could directly be signed by the | 437 # the vblock during installs. Kern B could directly be signed by the |
| 416 # SSD keys. | 438 # SSD keys. |
| 417 # Note: This vblock is also needed for the ability to convert a recovery | 439 # Note: This vblock is also needed for the ability to convert a recovery |
| 418 # image into the equivalent SSD image (convert_recovery_to_ssd.sh) | 440 # image into the equivalent SSD image (convert_recovery_to_ssd.sh) |
| 419 local stateful_dir=$(make_temp_dir) | 441 local stateful_dir=$(make_temp_dir) |
| 420 mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir} | 442 mount_image_partition ${image_bin} 1 ${stateful_dir} |
| 421 sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock | 443 sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock |
| 422 | 444 |
| 423 echo "Signed recovery image output to ${OUTPUT_IMAGE}" | 445 echo "Signed recovery image output to ${image_bin}" |
| 424 } | 446 } |
| 425 | 447 |
| 426 # Generate the factory install image. | 448 # Generate the factory install image. |
| 449 # Args: image_bin |
| 427 sign_for_factory_install() { | 450 sign_for_factory_install() { |
| 428 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 451 image_bin=$1 |
| 429 ${KEY_DIR}/installer_kernel_data_key.vbprivk \ | 452 sign_image_inplace ${image_bin} ${KEY_DIR}/installer_kernel_data_key.vbprivk \ |
| 430 ${KEY_DIR}/installer_kernel.keyblock \ | 453 ${KEY_DIR}/installer_kernel.keyblock \ |
| 431 "${KERNEL_VERSION}" | 454 "${KERNEL_VERSION}" |
| 432 echo "Signed factory install image output to ${OUTPUT_IMAGE}" | 455 echo "Signed factory install image output to ${image_bin}" |
| 433 } | 456 } |
| 434 | 457 |
| 435 # Verification | 458 # Verification |
| 436 if [ "${TYPE}" == "verify" ]; then | 459 if [ "${TYPE}" == "verify" ]; then |
| 437 verify_image | 460 verify_image |
| 438 exit 0 | 461 exit 0 |
| 439 fi | 462 fi |
| 440 | 463 |
| 441 # Signing requires an output image name | 464 # Signing requires an output image name |
| 442 if [ -z "${OUTPUT_IMAGE}" ]; then | 465 if [ -z "${OUTPUT_IMAGE}" ]; then |
| 443 usage | 466 usage |
| 444 exit 1 | 467 exit 1 |
| 445 fi | 468 fi |
| 446 | 469 |
| 447 # If a version file was specified, read the firmware and kernel | 470 # If a version file was specified, read the firmware and kernel |
| 448 # versions from there. | 471 # versions from there. |
| 449 if [ -n "${VERSION_FILE}" ]; then | 472 if [ -n "${VERSION_FILE}" ]; then |
| 450 FIRMWARE_VERSION=$(sed -n 's#^firmware_version=\(.*\)#\1#pg' ${VERSION_FILE}) | 473 FIRMWARE_VERSION=$(sed -n 's#^firmware_version=\(.*\)#\1#pg' ${VERSION_FILE}) |
| 451 KERNEL_VERSION=$(sed -n 's#^kernel_version=\(.*\)#\1#pg' ${VERSION_FILE}) | 474 KERNEL_VERSION=$(sed -n 's#^kernel_version=\(.*\)#\1#pg' ${VERSION_FILE}) |
| 452 fi | 475 fi |
| 453 echo "Using firmware version: ${FIRMWARE_VERSION}" | 476 echo "Using firmware version: ${FIRMWARE_VERSION}" |
| 454 echo "Using kernel version: ${KERNEL_VERSION}" | 477 echo "Using kernel version: ${KERNEL_VERSION}" |
| 455 | 478 |
| 479 # Make all modifications on output copy. |
| 456 if [ "${TYPE}" == "ssd" ]; then | 480 if [ "${TYPE}" == "ssd" ]; then |
| 457 resign_firmware_payload ${INPUT_IMAGE} | 481 cp ${INPUT_IMAGE} ${OUTPUT_IMAGE} |
| 458 update_rootfs_hash ${INPUT_IMAGE} \ | 482 resign_firmware_payload ${OUTPUT_IMAGE} |
| 483 update_rootfs_hash ${OUTPUT_IMAGE} \ |
| 459 ${KEY_DIR}/kernel.keyblock \ | 484 ${KEY_DIR}/kernel.keyblock \ |
| 460 ${KEY_DIR}/kernel_data_key.vbprivk \ | 485 ${KEY_DIR}/kernel_data_key.vbprivk \ |
| 461 2 | 486 2 |
| 462 sign_for_ssd | 487 sign_for_ssd ${OUTPUT_IMAGE} |
| 463 elif [ "${TYPE}" == "usb" ]; then | 488 elif [ "${TYPE}" == "usb" ]; then |
| 464 resign_firmware_payload ${INPUT_IMAGE} | 489 cp ${INPUT_IMAGE} ${OUTPUT_IMAGE} |
| 465 update_rootfs_hash ${INPUT_IMAGE} \ | 490 resign_firmware_payload ${OUTPUT_IMAGE} |
| 491 update_rootfs_hash ${OUTPUT_IMAGE} \ |
| 466 ${KEY_DIR}/recovery_kernel.keyblock \ | 492 ${KEY_DIR}/recovery_kernel.keyblock \ |
| 467 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 493 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
| 468 2 | 494 2 |
| 469 sign_for_usb | 495 sign_for_usb ${OUTPUT_IMAGE} |
| 470 elif [ "${TYPE}" == "recovery" ]; then | 496 elif [ "${TYPE}" == "recovery" ]; then |
| 471 resign_firmware_payload ${INPUT_IMAGE} | 497 cp ${INPUT_IMAGE} ${OUTPUT_IMAGE} |
| 498 resign_firmware_payload ${OUTPUT_IMAGE} |
| 472 # Both kernel command lines must have the correct rootfs hash | 499 # Both kernel command lines must have the correct rootfs hash |
| 473 update_rootfs_hash ${INPUT_IMAGE} \ | 500 update_rootfs_hash ${OUTPUT_IMAGE} \ |
| 474 ${KEY_DIR}/recovery_kernel.keyblock \ | 501 ${KEY_DIR}/recovery_kernel.keyblock \ |
| 475 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 502 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
| 476 4 | 503 4 |
| 477 update_rootfs_hash ${INPUT_IMAGE} \ | 504 update_rootfs_hash ${OUTPUT_IMAGE} \ |
| 478 ${KEY_DIR}/recovery_kernel.keyblock \ | 505 ${KEY_DIR}/recovery_kernel.keyblock \ |
| 479 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 506 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
| 480 2 | 507 2 |
| 481 sign_for_recovery | 508 sign_for_recovery ${OUTPUT_IMAGE} |
| 482 elif [ "${TYPE}" == "install" ]; then | 509 elif [ "${TYPE}" == "install" ]; then |
| 483 resign_firmware_payload ${INPUT_IMAGE} | 510 cp ${INPUT_IMAGE} ${OUTPUT_IMAGE} |
| 484 update_rootfs_hash ${INPUT_IMAGE} \ | 511 resign_firmware_payload ${OUTPUT_IMAGE} |
| 512 update_rootfs_hash ${OUTPUT_IMAGE} \ |
| 485 ${KEY_DIR}/installer_kernel.keyblock \ | 513 ${KEY_DIR}/installer_kernel.keyblock \ |
| 486 ${KEY_DIR}/installer_kernel_data_key.vbprivk \ | 514 ${KEY_DIR}/installer_kernel_data_key.vbprivk \ |
| 487 2 | 515 2 |
| 488 sign_for_factory_install | 516 sign_for_factory_install ${OUTPUT_IMAGE} |
| 489 else | 517 else |
| 490 echo "Invalid type ${TYPE}" | 518 echo "Invalid type ${TYPE}" |
| 491 exit 1 | 519 exit 1 |
| 492 fi | 520 fi |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6686004:
Do not modify the input image while signing. (Closed)
Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master