
Unified Diff: scripts/image_signing/sign_official_build.sh

Issue 3292016: sign_official_build.sh: If found, sign the packaged firmware autoupdate. (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git
Patch Set: review fixes Created 10 years, 3 months ago
Index: scripts/image_signing/sign_official_build.sh
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 8bf6d6cc4bd822f0495abac3bc29752c9fcde603..6d66ce921626f0a7f7cf22abc525d08e5196e89a 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -162,8 +162,12 @@ update_rootfs_hash() {
get_firmwarebin_from_shellball() {
local input=$1
local output_dir=$2
- uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
- echo "Extracting firmware autoupdate failed." && exit 1
+ if [ -s "${input}" ]; then
+ uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
+ { echo "Extracting firmware autoupdate failed." && exit 1; }
+ else
+ return 1
+ fi
}
# Re-sign the firmware AU payload inside the image rootfs with a new keys.
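Review bot: The `[ -s "${input}" ]` guard treats a missing shellball and a present-but-empty one identically, and both come back as `return 1`, which the caller reads as "image has no firmware update" and skips firmware signing. An empty `chromeos-firmwareupdate` in an official image looks more like a broken build than an intentional omission, so consider `[ -e "${input}" ] || return 1` followed by a hard failure when the file exists but has zero size. On the pipeline line, `${input}` and `${output_dir}` are unquoted although the test above quotes the same variable, and only tar's exit status reaches the `||` because no `pipefail` is visible. The `2>/dev/null` also discards tar's diagnostics on exactly the path that ends in `exit 1`; sending the failure message to stderr with `>&2` and keeping tar's output would make a failed signing run easier to triage.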
@@ -176,19 +180,32 @@ resign_firmware_payload() {
mount_image_partition ${image} 3 ${rootfs_dir}
local shellball_dir=$(make_temp_dir)
+ # get_firmwarebin_from_shellball can fail if the image has no
+ # firmware update.
get_firmwarebin_from_shellball \
- ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir}
+ ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \
+ { echo "Didn't find a firmware update. Not signing firmware."
+ return; }
+ echo "Found a valid firmware update shellball."
temp_outfd=$(make_temp_file)
# Replace the root key in the GBB
# TODO(gauravsh): Remove when we lock down the R/O portion of firmware.
- gbb_utility -s \
- --rootkey=${KEY_DIR}/root_key.vbpubk \
- --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
- ${shellball_dir}/bios.bin ${temp_outfd}
-
+ if [ -e "${KEY_DIR}/hwid" ]; then
+ # Only update the hwid if we see one in the key directory.
+ gbb_utility -s \
+ --rootkey=${KEY_DIR}/root_key.vbpubk \
+ --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+ --hwid="$(cat ${KEY_DIR}/hwid)" \
+ ${shellball_dir}/bios.bin ${temp_outfd}
+ else
+ gbb_utility -s \
+ --rootkey=${KEY_DIR}/root_key.vbpubk \
+ --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+ ${shellball_dir}/bios.bin ${temp_outfd}
+ fi
# Resign the firmware with new keys
- ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \
+ ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
${KEY_DIR}/firmware_data_key.vbprivk \
${KEY_DIR}/firmware.keyblock \
${KEY_DIR}/kernel_subkey.vbpubk
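Review bot: The `[ -e "${KEY_DIR}/hwid" ]` test also passes for an empty file, in which case `--hwid="$(cat ${KEY_DIR}/hwid)"` passes an empty HWID value to gbb_utility; `[ -s "${KEY_DIR}/hwid" ]` avoids that, and the path inside the substitution should be quoted as `$(cat "${KEY_DIR}/hwid")`. The two gbb_utility invocations differ only in the `--hwid` argument, so a key option later added to one branch can be missed in the other; building the optional argument once and calling gbb_utility a single time removes that risk. Neither gbb_utility nor resign_firmwarefd.sh has its exit status checked in the visible lines, so unless the script runs under `set -e` (not visible here) a failed GBB update would still flow into re-signing. The skip path uses a bare `return` after mount_image_partition has already run, and since the function starts and ends outside this hunk, whether the mount and temp directory are cleaned up on that path cannot be confirmed from here.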
@@ -271,7 +288,7 @@ sign_for_ssd() {
${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
${KEY_DIR}/kernel_data_key.vbprivk \
${KEY_DIR}/kernel.keyblock
- echo "Output signed SSD image to ${OUTPUT_IMAGE}"
+ echo "Signed SSD image output to ${OUTPUT_IMAGE}"
}
# Generate the USB (recovery + install) image
@@ -293,7 +310,7 @@ sign_for_recovery() {
mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir}
sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock
- echo "Output signed recovery image to ${OUTPUT_IMAGE}"
+ echo "Signed recovery image output to ${OUTPUT_IMAGE}"
}
# Generate the factory install image.
@@ -301,39 +318,36 @@ sign_for_factory_install() {
${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
${KEY_DIR}/recovery_kernel_data_key.vbprivk \
${KEY_DIR}/installer_kernel.keyblock
- echo "Output signed factory install image to ${OUTPUT_IMAGE}"
+ echo "Signed factory install image output to ${OUTPUT_IMAGE}"
}
-# Firmware payload signing hidden behind a flag until it actually makes
-# it into the image.
-if [ "${FW_UPDATE}" == "1" ]; then
- resign_firmware_payload ${INPUT_IMAGE}
-fi
-
# Verification
if [ "${TYPE}" == "verify" ]; then
verify_image
exit 1
fi
-
# Signing requires an output image name
if [ -z "${OUTPUT_IMAGE}" ]; then
usage
exit 1
fi
+
if [ "${TYPE}" == "ssd" ]; then
+ resign_firmware_payload ${INPUT_IMAGE}
update_rootfs_hash ${INPUT_IMAGE} \
${KEY_DIR}/kernel.keyblock \
${KEY_DIR}/kernel_data_key.vbprivk
sign_for_ssd
elif [ "${TYPE}" == "recovery" ]; then
+ resign_firmware_payload ${INPUT_IMAGE}
update_rootfs_hash ${INPUT_IMAGE} \
${KEY_DIR}/recovery_kernel.keyblock \
${KEY_DIR}/recovery_kernel_data_key.vbprivk
sign_for_recovery
elif [ "${TYPE}" == "install" ]; then
+ resign_firmware_payload ${INPUT_IMAGE}
update_rootfs_hash ${INPUT_IMAGE} \
${KEY_DIR}/installer_kernel.keyblock \
${KEY_DIR}/recovery_kernel_data_key.vbprivk
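Review bot: The three added `resign_firmware_payload ${INPUT_IMAGE}` calls ignore the function's result, so if re-signing the firmware payload fails partway the script still runs update_rootfs_hash and produces a signed image. Once the function reliably returns non-zero on failure (its tail is outside this diff), each call should read `resign_firmware_payload "${INPUT_IMAGE}" || exit 1`, with the argument quoted. The call also rewrites the rootfs of the input image in place, and it has to run before the hash is recomputed, which is worth stating next to the first call: `# Modifies ${INPUT_IMAGE} in place; must run before update_rootfs_hash so the hash covers the re-signed payload.` The `if`/`elif` chain continues past the end of this hunk.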