| OLD | NEW |
|---|---|
| 1 #!/bin/sh | 1 #!/bin/sh |
| 2 # | 2 # |
| 3 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 # | 6 # |
| 7 # This script can change key (usually developer keys) and kernel config | 7 # This script can change key (usually developer keys) and kernel config |
| 8 # of a kernels on SSD. | 8 # of a kernels on SSD. |
| 9 | 9 |
| 10 SCRIPT_BASE="$(dirname "$0")" | 10 SCRIPT_BASE="$(dirname "$0")" |
| 11 . "$SCRIPT_BASE/common_minimal.sh" | 11 . "$SCRIPT_BASE/common_minimal.sh" |
| 12 load_shflags || exit 1 | 12 load_shflags || exit 1 |
| 13 | 13 |
| 14 # Constants used by DEFINE_* | 14 # Constants used by DEFINE_* |
| 15 VBOOT_BASE='/usr/share/vboot' | 15 VBOOT_BASE='/usr/share/vboot' |
| 16 DEFAULT_KEYS_FOLDER="$VBOOT_BASE/devkeys" | 16 DEFAULT_KEYS_FOLDER="$VBOOT_BASE/devkeys" |
| 17 DEFAULT_BACKUP_FOLDER='/mnt/stateful_partition/backups' | 17 DEFAULT_BACKUP_FOLDER='/mnt/stateful_partition/backups' |
| 18 DEFAULT_PARTITIONS='2 4' | 18 DEFAULT_PARTITIONS='2 4' |
| 19 | 19 |
| 20 # TODO(hungte) or use "rootdev -s" in future | |
| 21 DEFAULT_IMAGE="/dev/sda" | |
| 22 | |
| 20 # DEFINE_string name default_value description flag | 23 # DEFINE_string name default_value description flag |
| 21 DEFINE_string image "/dev/sda" "Path to device or image file" "i" | 24 DEFINE_string image "$DEFAULT_IMAGE" "Path to device or image file" "i" |
| 22 DEFINE_string keys "$DEFAULT_KEYS_FOLDER" "Path to folder of dev keys" "k" | 25 DEFINE_string keys "$DEFAULT_KEYS_FOLDER" "Path to folder of dev keys" "k" |
| 23 DEFINE_boolean remove_rootfs_verification \ | 26 DEFINE_boolean remove_rootfs_verification \ |
| 24 $FLAGS_FALSE "Modify kernel boot config to disable rootfs verification" "" | 27 $FLAGS_FALSE "Modify kernel boot config to disable rootfs verification" "" |
| 25 DEFINE_string backup_dir \ | 28 DEFINE_string backup_dir \ |
| 26 "$DEFAULT_BACKUP_FOLDER" "Path of directory to store kernel backups" "" | 29 "$DEFAULT_BACKUP_FOLDER" "Path of directory to store kernel backups" "" |
| 27 DEFINE_string save_config "" \ | 30 DEFINE_string save_config "" \ |
| 28 "Base filename to store kernel configs to, instead of resigning." "" | 31 "Base filename to store kernel configs to, instead of resigning." "" |
| 29 DEFINE_string set_config "" \ | 32 DEFINE_string set_config "" \ |
| 30 "Base filename to load kernel configs from" "" | 33 "Base filename to load kernel configs from" "" |
| 31 DEFINE_string partitions "$DEFAULT_PARTITIONS" \ | 34 DEFINE_string partitions "$DEFAULT_PARTITIONS" \ |
| 32 "List of partitions to examine" "" | 35 "List of partitions to examine" "" |
| 33 DEFINE_boolean recovery_key "$FLAGS_FALSE" \ | 36 DEFINE_boolean recovery_key "$FLAGS_FALSE" \ |
| 34 "Use recovery key to sign image (to boot from USB" "" | 37 "Use recovery key to sign image (to boot from USB" "" |
| 38 DEFINE_boolean force "$FLAGS_FALSE" "Skip sanity checks and make the change" "f" | |
| 35 | 39 |
| 36 # Parse command line | 40 # Parse command line |
| 37 FLAGS "$@" || exit 1 | 41 FLAGS "$@" || exit 1 |
| 38 eval set -- "$FLAGS_ARGV" | 42 eval set -- "$FLAGS_ARGV" |
| 39 | 43 |
| 40 # Globals | 44 # Globals |
| 41 # ---------------------------------------------------------------------------- | 45 # ---------------------------------------------------------------------------- |
| 42 set -e | 46 set -e |
| 43 | 47 |
| 44 # a log file to keep the output results of executed command | 48 # a log file to keep the output results of executed command |
| (...skipping 240 matching lines...) | |
| 285 fi | 289 fi |
| 286 | 290 |
| 287 debug_msg "Prerequisite check" | 291 debug_msg "Prerequisite check" |
| 288 ensure_files_exist \ | 292 ensure_files_exist \ |
| 289 "$KERNEL_KEYBLOCK" \ | 293 "$KERNEL_KEYBLOCK" \ |
| 290 "$KERNEL_DATAKEY" \ | 294 "$KERNEL_DATAKEY" \ |
| 291 "$KERNEL_PUBKEY" \ | 295 "$KERNEL_PUBKEY" \ |
| 292 "$FLAGS_image" || | 296 "$FLAGS_image" || |
| 293 exit 1 | 297 exit 1 |
| 294 | 298 |
| 299 debug_msg "Firmware compatbility sanity check" | |
|
Randall Spangler
2011/04/14 16:19:10
compatibility
Hung-Te
2011/04/15 03:06:59
Done.
| |
| 300 if [ "$FLAGS_force" = "$FLAGS_FALSE" ] && | |
| 301 [ "$FLAGS_image" = "$DEFAULT_IMAGE" ] && | |
| 302 [ "$(crossystem mainfw_type)" != "developer" ]; then | |
| 303 | |
| 304 # TODO(hungte) we can check if the fimware rootkey is already dev keys." | |
| 305 echo " | |
| 306 ERROR: YOU ARE NOT USING DEVELOPER FIRMWARE, AND RUNNING THIS COMMAND MAY | |
| 307 THROW YOUR CHROMEOS DEVICE INTO UNBOOTABLE STATE. | |
| 308 | |
| 309 You need to either install developer firmware, or change system rootkey. | |
| 310 | |
| 311 - To install developer firmware: type command | |
| 312 sudo chromeos-firmwareupdate --force --mode=todev | |
|
Randall Spangler
2011/04/14 16:19:10
If --force is required now, also should change the
Hung-Te
2011/04/15 03:06:59
It actually not required - but just to make sure p
| |
| 313 | |
| 314 - To change system rootkey: disable write protection, then type command: | |
|
Randall Spangler
2011/04/14 16:19:10
disable firmware write protection
Hung-Te
2011/04/15 03:06:59
Done.
| |
| 315 sudo ./make_dev_firmware.sh | |
| 316 | |
| 317 If you are sure that you want to make such image without developer | |
| 318 firmware or you've already changed system root keys, please run this | |
| 319 command again with -f param: | |
|
Randall Spangler
2011/04/14 16:19:10
-f --> --force
Hung-Te
2011/04/15 03:06:59
Done.
| |
| 320 | |
| 321 sudo ./make_dev_ssd.sh --force | |
|
Randall Spangler
2011/04/14 16:19:10
Bonus points for echoing the original args ($@) +
Hung-Te
2011/04/15 03:06:59
Done.
| |
| 322 " | |
| 323 exit 1 | |
| 324 fi | |
| 325 | |
| 295 resign_ssd_kernel "$FLAGS_image" || num_signed=$? | 326 resign_ssd_kernel "$FLAGS_image" || num_signed=$? |
| 296 | 327 |
| 297 debug_msg "Complete." | 328 debug_msg "Complete." |
| 298 if [ $num_signed -gt 0 -a $num_signed -le $num_given ]; then | 329 if [ $num_signed -gt 0 -a $num_signed -le $num_given ]; then |
| 299 # signed something at least | 330 # signed something at least |
| 300 echo "Successfully re-signed $num_signed of $num_given kernel(s)" \ | 331 echo "Successfully re-signed $num_signed of $num_given kernel(s)" \ |
| 301 " on device $FLAGS_image". | 332 " on device $FLAGS_image". |
| 302 else | 333 else |
| 303 err_die "Failed re-signing kernels." | 334 err_die "Failed re-signing kernels." |
| 304 fi | 335 fi |
| 305 } | 336 } |
| 306 | 337 |
| 307 # People using this to process images may forget to add "-i", | 338 # People using this to process images may forget to add "-i", |
| 308 # so adding parameter check is safer. | 339 # so adding parameter check is safer. |
| 309 if [ "$#" -gt 0 ]; then | 340 if [ "$#" -gt 0 ]; then |
| 310 flags_help | 341 flags_help |
| 311 err_die "Unknown parameters: $@" | 342 err_die "Unknown parameters: $@" |
| 312 fi | 343 fi |
| 313 | 344 |
| 314 main | 345 main |
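Review bot: The new guard at NEW lines 300-302 only fires when `$FLAGS_image` is the literal string held in `$DEFAULT_IMAGE`, so the firmware check is skipped without `--force` whenever the internal disk is named any other way (a symlink, a non-canonical path, or a device whose boot disk is not `/dev/sda`). If the intent is to exempt image files, testing the target's type is sturdier than comparing strings, e.g. `[ -b "$FLAGS_image" ]` in place of `[ "$FLAGS_image" = "$DEFAULT_IMAGE" ]`, or comparing against `rootdev -s` as the TODO at NEW line 20 already proposes; note that a block-device test would presumably also cover removable media, which may or may not be wanted. When `crossystem` is missing or fails, the substitution is empty and the branch is taken, which is the safe direction, but the message then blames the firmware type; a comment such as `# empty output (crossystem unavailable) is treated as non-developer firmware` would make that deliberate. The error text is also printed to stdout, so ending the `echo` with `" >&2` would keep it with the script's other diagnostics.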