Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(153)

Side by Side Diff: scripts/image_signing/sign_official_build.sh

Issue 3327005: Add a "verify" option to sign_official_build.sh. (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git
Patch Set: nosudo Created 10 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « scripts/image_signing/common.sh ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/bash 1 #!/bin/bash
2 2
3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # Sign the final build image using the "official" keys. 7 # Sign the final build image using the "official" keys.
8 # 8 #
9 # Prerequisite tools needed in the system path: 9 # Prerequisite tools needed in the system path:
10 # 10 #
11 # gbb_utility (from src/platform/vboot_reference) 11 # gbb_utility (from src/platform/vboot_reference)
12 # vbutil_kernel (from src/platform/vboot_reference) 12 # vbutil_kernel (from src/platform/vboot_reference)
13 # cgpt (from src/platform/vboot_reference) 13 # cgpt (from src/platform/vboot_reference)
14 # dump_kernel_config (from src/platform/vboot_reference) 14 # dump_kernel_config (from src/platform/vboot_reference)
15 # verity (from src/platform/verity) 15 # verity (from src/platform/verity)
16 # 16 # load_kernel_test (from src/platform/vboot_reference)
17 # Usage: sign_for_ssd.sh <type> input_image /path/to/keys/dir output_image
18 #
19 # where <type> is one of:
20 # ssd (sign an SSD image)
21 # recovery (sign a USB recovery image)
22 # install (sign a factory install image)
23 17
24 # Load common constants and variables. 18 # Load common constants and variables.
25 . "$(dirname "$0")/common.sh" 19 . "$(dirname "$0")/common.sh"
26 20
27 if [ $# -ne 4 ]; then 21 # Print usage string
22 usage() {
28 cat <<EOF 23 cat <<EOF
29 Usage: $0 <type> input_image /path/to/keys/dir output_image" 24 Usage: $PROG <type> input_image /path/to/keys/dir [output_image]
30 where <type> is one of: 25 where <type> is one of:
31 ssd (sign an SSD image) 26 ssd (sign an SSD image)
32 recovery (sign a USB recovery image) 27 recovery (sign a USB recovery image)
33 install (sign a factory install image) 28 install (sign a factory install image)
29 verify (verify an image including rootfs hashes)
30
31 If you are signing an image, you must specify an [output_image].
34 EOF 32 EOF
33 }
34
35 if [ $# -ne 3 ] && [ $# -ne 4 ]; then
36 usage
35 exit 1 37 exit 1
36 fi 38 fi
37 39
38 # Abort on errors. 40 # Abort on errors.
39 set -e 41 set -e
40 42
41 # Make sure the tools we need are available. 43 # Make sure the tools we need are available.
42 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity; do 44 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \
45 load_kernel_test;
46 do
43 type -P "${prereqs}" &>/dev/null || \ 47 type -P "${prereqs}" &>/dev/null || \
44 { echo "${prereqs} tool not found."; exit 1; } 48 { echo "${prereqs} tool not found."; exit 1; }
45 done 49 done
46 50
47 TYPE=$1 51 TYPE=$1
48 INPUT_IMAGE=$2 52 INPUT_IMAGE=$2
49 KEY_DIR=$3 53 KEY_DIR=$3
50 OUTPUT_IMAGE=$4 54 OUTPUT_IMAGE=$4
51 55
52 # Re-calculate rootfs hash, update rootfs and kernel command line. 56 # Get current rootfs hash and kernel command line
53 # Args: IMAGE KEYBLOCK PRIVATEKEY 57 # ARGS: IMAGE
54 recalculate_rootfs_hash() { 58 grab_kernel_config() {
55 echo "Recalculating rootfs" 59 local image=$1
56 local image=$1 # Input image. 60 # Grab the existing kernel partition and get the kernel config.
57 local keyblock=$2 # Keyblock for re-generating signed kernel partition
58 local signprivate=$3 # Private key to use for signing.
59
60 # First, grab the existing kernel partition and get the kernel config.
61 temp_kimage=$(make_temp_file) 61 temp_kimage=$(make_temp_file)
62 extract_image_partition ${image} 2 ${temp_kimage} 62 extract_image_partition ${image} 2 ${temp_kimage}
63 local kernel_config=$(sudo dump_kernel_config ${temp_kimage}) 63 dump_kernel_config ${temp_kimage}
64 local dm_config=$(echo $kernel_config | 64 }
65
66 # Get the hash from a kernel config command line
67 get_hash_from_config() {
68 local kernel_config=$1
69 echo ${kernel_config} | sed -e 's/.*dm="\([^"]*\)".*/\1/g' | \
70 cut -f2- -d, | cut -f9 -d ' '
71 }
72
73 # Calculate rootfs hash of an image
74 # Args: ROOTFS_IMAGE KERNEL_CONFIG HASH_IMAGE
75 #
76 # rootfs calculation parameters are grabbed from KERNEL_CONFIG
77 #
78 # Returns an updated kernel config command line with the new hash.
79 # and writes the new hash image to the file HASH_IMAGE
80 calculate_rootfs_hash() {
81 local rootfs_image=$1
82 local kernel_config=$2
83 local hash_image=$3
84 local dm_config=$(echo ${kernel_config} |
65 sed -e 's/.*dm="\([^"]*\)".*/\1/g' | 85 sed -e 's/.*dm="\([^"]*\)".*/\1/g' |
66 cut -f2- -d,) 86 cut -f2- -d,)
67 # We extract dm=... portion of the config command line. Here's an example: 87 # We extract dm=... portion of the config command line. Here's an example:
68 # 88 #
69 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \ 89 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \
70 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2" 90 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2"
71 # 91 #
72 92
73 if [ -z "${dm_config}" ]; then 93 if [ -z "${dm_config}" ]; then
74 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation" 94 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation"
75 return 95 exit 1
76 fi 96 fi
77 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ') 97 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ')
78 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ') 98 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ')
79 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ') 99 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ')
80 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ') 100 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ')
81 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ') 101 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ')
82 102
83 # Mount the rootfs and run the verity tool on it. 103 # Run the verity tool on the rootfs partition.
84 local hash_image=$(make_temp_file)
85 local rootfs_img=$(make_temp_file)
86 extract_image_partition ${image} 3 ${rootfs_img}
87 local table="vroot none ro,"$(sudo verity create \ 104 local table="vroot none ro,"$(sudo verity create \
88 ${verity_depth} \ 105 ${verity_depth} \
89 ${verity_algorithm} \ 106 ${verity_algorithm} \
90 ${rootfs_img} \ 107 ${rootfs_image} \
91 $((rootfs_sectors / 8)) \ 108 $((rootfs_sectors / 8)) \
92 ${hash_image}) 109 ${hash_image})
93 # Reconstruct new kernel config command line and replace placeholders. 110 # Reconstruct new kernel config command line and replace placeholders.
94 table="$(echo "$table" | 111 table="$(echo "$table" |
95 sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")" 112 sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")"
96 kernel_config=$(echo ${kernel_config} | 113 echo ${kernel_config} | sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${table}\3#g"
97 sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${table}\3#g") 114 }
115
116 # Re-calculate rootfs hash, update rootfs and kernel command line.
117 # Args: IMAGE KEYBLOCK PRIVATEKEY
118 update_rootfs_hash() {
119 echo "Recalculating rootfs"
120 local image=$1 # Input image.
121 local keyblock=$2 # Keyblock for re-generating signed kernel partition
122 local signprivate=$3 # Private key to use for signing.
123
124 local rootfs_image=$(make_temp_file)
125 extract_image_partition ${image} 3 ${rootfs_image}
126 local kernel_config=$(grab_kernel_config "${image}")
127 local hash_image=$(make_temp_file)
128
129 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \
130 "${kernel_config}" "${hash_image}")
131
132 local rootfs_blocks=$(dumpe2fs "${rootfs_image}" 2> /dev/null |
133 grep "Block count" |
134 tr -d ' ' |
135 cut -f2 -d:)
136 local rootfs_sectors=$((rootfs_blocks * 8))
98 137
99 # Overwrite the appended hashes in the rootfs 138 # Overwrite the appended hashes in the rootfs
100 local temp_config=$(make_temp_file) 139 local temp_config=$(make_temp_file)
101 echo ${kernel_config} >${temp_config} 140 echo ${new_kernel_config} >${temp_config}
102 dd if=${hash_image} of=${rootfs_img} bs=512 \ 141 dd if=${hash_image} of=${rootfs_image} bs=512 \
103 seek=${rootfs_sectors} conv=notrunc 142 seek=${rootfs_sectors} conv=notrunc
104 143
144 local temp_kimage=$(make_temp_file)
145 extract_image_partition ${image} 2 ${temp_kimage}
105 # Re-calculate kernel partition signature and command line. 146 # Re-calculate kernel partition signature and command line.
106 local updated_kimage=$(make_temp_file) 147 local updated_kimage=$(make_temp_file)
107 vbutil_kernel --repack ${updated_kimage} \ 148 vbutil_kernel --repack ${updated_kimage} \
108 --keyblock ${keyblock} \ 149 --keyblock ${keyblock} \
109 --signprivate ${signprivate} \ 150 --signprivate ${signprivate} \
110 --oldblob ${temp_kimage} \ 151 --oldblob ${temp_kimage} \
111 --config ${temp_config} 152 --config ${temp_config}
112 153
113 replace_image_partition ${image} 2 ${updated_kimage} 154 replace_image_partition ${image} 2 ${updated_kimage}
114 replace_image_partition ${image} 3 ${rootfs_img} 155 replace_image_partition ${image} 3 ${rootfs_image}
115 } 156 }
116 157
117 # Extracts the firmware update binaries from the a firmware update 158 # Extracts the firmware update binaries from the a firmware update
118 # shell ball (generated by src/platform/firmware/pack_firmware.sh) 159 # shell ball (generated by src/platform/firmware/pack_firmware.sh)
119 # Args: INPUT_SCRIPT OUTPUT_DIR 160 # Args: INPUT_SCRIPT OUTPUT_DIR
120 get_firmwarebin_from_shellball() { 161 get_firmwarebin_from_shellball() {
121 local input=$1 162 local input=$1
122 local output_dir=$2 163 local output_dir=$2
123 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ 164 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
124 echo "Extracting firmware autoupdate failed." && exit 1 165 echo "Extracting firmware autoupdate failed." && exit 1
125 } 166 }
126 167
127 # Re-sign the firmware AU payload inside the image rootfs with a new keys. 168 # Re-sign the firmware AU payload inside the image rootfs with a new keys.
128 # Args: IMAGE 169 # Args: IMAGE
129 resign_firmware_payload() { 170 resign_firmware_payload() {
130 local image=$1 171 local image=$1
131 172
132 # Grab firmware image from the autoupdate shellball. 173 # Grab firmware image from the autoupdate shellball.
133 local rootfs_dir=$(make_temp_dir) 174 local rootfs_dir=$(make_temp_dir)
134 mount_image_partition ${image} 3 ${rootfs_dir} 175 mount_image_partition ${image} 3 ${rootfs_dir}
135 176
136 local shellball_dir=$(make_temp_dir) 177 local shellball_dir=$(make_temp_dir)
137 get_firmwarebin_from_shellball \ 178 get_firmwarebin_from_shellball \
138 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} 179 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir}
139 180
140 temp_outfd=$(make_temp_file) 181 temp_outfd=$(make_temp_file)
141 # Replace the root key in the GBB 182 # Replace the root key in the GBB
142 # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. 183 # TODO(gauravsh): Remove when we lock down the R/O portion of firmware.
143 gbb_utility -s \ 184 gbb_utility -s \
144 --rootkey=${KEY_DIR}/root_key.vbpubk \ 185 --rootkey=${KEY_DIR}/root_key.vbpubk \
145 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ 186 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
146 ${shellball_dir}/bios.bin ${temp_outfd} 187 ${shellball_dir}/bios.bin ${temp_outfd}
147 188
148 # Resign the firmware with new keys 189 # Resign the firmware with new keys
149 ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \ 190 ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \
150 ${KEY_DIR}/firmware_data_key.vbprivk \ 191 ${KEY_DIR}/firmware_data_key.vbprivk \
151 ${KEY_DIR}/firmware.keyblock \ 192 ${KEY_DIR}/firmware.keyblock \
152 ${KEY_DIR}/kernel_subkey.vbpubk 193 ${KEY_DIR}/kernel_subkey.vbpubk
153 194
154 # Replace MD5 checksum in the firmware update payload 195 # Replace MD5 checksum in the firmware update payload
155 newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ') 196 newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ')
156 temp_version=$(make_temp_file) 197 temp_version=$(make_temp_file)
157 cat ${shellball_dir}/VERSION | 198 cat ${shellball_dir}/VERSION |
158 sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} 199 sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version}
159 sudo cp ${temp_version} ${shellball_dir}/VERSION 200 sudo cp ${temp_version} ${shellball_dir}/VERSION
160 201
161 # Re-generate firmware_update.tgz and copy over encoded archive in 202 # Re-generate firmware_update.tgz and copy over encoded archive in
162 # the original shell ball. 203 # the original shell ball.
163 new_fwblob=$(make_temp_file) 204 new_fwblob=$(make_temp_file)
164 tar zcf - -C ${shellball_dir} . | \ 205 tar zcf - -C ${shellball_dir} . | \
165 uuencode firmware_package.tgz > ${new_fwblob} 206 uuencode firmware_package.tgz > ${new_fwblob}
166 new_shellball=$(make_temp_file) 207 new_shellball=$(make_temp_file)
167 cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \ 208 cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \
168 sed -e '/^begin .*firmware_package/,/end/D' | \ 209 sed -e '/^begin .*firmware_package/,/end/D' | \
169 cat - ${new_fwblob} >${new_shellball} 210 cat - ${new_fwblob} >${new_shellball}
170 sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate 211 sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate
171 # Force unmount of the image as it is needed later. 212 # Force unmount of the image as it is needed later.
172 sudo umount -d ${rootfs_dir} 213 sudo umount -d ${rootfs_dir}
173 echo "Re-signed firmware AU payload in $image" 214 echo "Re-signed firmware AU payload in $image"
174 } 215 }
175 216
217 # Verify an image including rootfs hash using the specified keys.
218 verify_image() {
219 local kernel_config=$(grab_kernel_config ${INPUT_IMAGE})
220 local rootfs_image=$(make_temp_file)
221 extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image}
222 local hash_image=$(make_temp_file)
223 local type=""
224
225
226 # First, perform RootFS verification
227 echo "Verifying RootFS hash..."
228 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \
229 "${kernel_config}" "${hash_image}")
230 local expected_hash=$(get_hash_from_config "${new_kernel_config}")
231 local got_hash=$(get_hash_from_config "${kernel_config}")
232
233 if [ ! "${got_hash}" = "${expected_hash}" ]; then
234 cat <<EOF
235 FAILED: RootFS hash is incorrect.
236 Expected: ${expected_hash}
237 Got: ${got_hash}
238 EOF
239 else
240 echo "PASS: RootFS hash is correct (${expected_hash})"
241 fi
242
243 # Now try and verify kernel partition signature.
244 set +e
245 local try_key=${KEY_DIR}/recovery_key.vbpubk
246 echo "Testing key verification..."
247 # The recovery key is only used in the recovery mode.
248 echo -n "With Recovery Key (Recovery Mode ON, Dev Mode OFF): " && \
249 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 2 >/dev/null 2>&1 && \
250 echo "YES"; } || echo "NO"
251 echo -n "With Recovery Key (Recovery Mode ON, Dev Mode ON): " && \
252 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 3 >/dev/null 2>&1 && \
253 echo "YES"; } || echo "NO"
254
255 try_key=${KEY_DIR}/kernel_subkey.vbpubk
256 # The SSD key is only used in non-recovery mode.
257 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode OFF): " && \
258 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 0 >/dev/null 2>&1 && \
259 echo "YES"; } || echo "NO"
260 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode ON): " && \
261 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 1 >/dev/null 2>&1 && \
262 echo "YES"; } || echo "NO"
263 set -e
264
265 # TODO(gauravsh): Check embedded firmware AU signatures.
266 }
267
176 # Generate the SSD image 268 # Generate the SSD image
177 sign_for_ssd() { 269 sign_for_ssd() {
178 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ 270 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
179 ${KEY_DIR}/kernel_data_key.vbprivk \ 271 ${KEY_DIR}/kernel_data_key.vbprivk \
180 ${KEY_DIR}/kernel.keyblock 272 ${KEY_DIR}/kernel.keyblock
181 echo "Output signed SSD image to ${OUTPUT_IMAGE}" 273 echo "Output signed SSD image to ${OUTPUT_IMAGE}"
182 } 274 }
183 275
184 # Generate the USB (recovery + install) image 276 # Generate the USB (recovery + install) image
185 sign_for_recovery() { 277 sign_for_recovery() {
186 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ 278 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
187 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ 279 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
188 ${KEY_DIR}/recovery_kernel.keyblock 280 ${KEY_DIR}/recovery_kernel.keyblock
189 281
190 # Now generate the installer vblock with the SSD keys. 282 # Now generate the installer vblock with the SSD keys.
191 temp_kimage=$(make_temp_file) 283 temp_kimage=$(make_temp_file)
192 temp_out_vb=$(make_temp_file) 284 temp_out_vb=$(make_temp_file)
193 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimage} 285 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimage}
194 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimage} ${temp_out_vb} \ 286 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimage} ${temp_out_vb} \
195 ${KEY_DIR}/kernel_data_key.vbprivk \ 287 ${KEY_DIR}/kernel_data_key.vbprivk \
196 ${KEY_DIR}/kernel.keyblock 288 ${KEY_DIR}/kernel.keyblock
197 289
198 # Copy the installer vblock to the stateful partition. 290 # Copy the installer vblock to the stateful partition.
(...skipping 11 matching lines...) Expand all
210 ${KEY_DIR}/installer_kernel.keyblock 302 ${KEY_DIR}/installer_kernel.keyblock
211 echo "Output signed factory install image to ${OUTPUT_IMAGE}" 303 echo "Output signed factory install image to ${OUTPUT_IMAGE}"
212 } 304 }
213 305
214 # Firmware payload signing hidden behind a flag until it actually makes 306 # Firmware payload signing hidden behind a flag until it actually makes
215 # it into the image. 307 # it into the image.
216 if [ "${FW_UPDATE}" == "1" ]; then 308 if [ "${FW_UPDATE}" == "1" ]; then
217 resign_firmware_payload ${INPUT_IMAGE} 309 resign_firmware_payload ${INPUT_IMAGE}
218 fi 310 fi
219 311
312 # Verification
313 if [ "${TYPE}" == "verify" ]; then
314 verify_image
315 exit 1
316 fi
317
318
319 # Signing requires an output image name
320 if [ -z "${OUTPUT_IMAGE}" ]; then
321 usage
322 exit 1
323 fi
324
220 if [ "${TYPE}" == "ssd" ]; then 325 if [ "${TYPE}" == "ssd" ]; then
221 recalculate_rootfs_hash ${INPUT_IMAGE} \ 326 update_rootfs_hash ${INPUT_IMAGE} \
222 ${KEY_DIR}/kernel.keyblock \ 327 ${KEY_DIR}/kernel.keyblock \
223 ${KEY_DIR}/kernel_data_key.vbprivk 328 ${KEY_DIR}/kernel_data_key.vbprivk
224 sign_for_ssd 329 sign_for_ssd
225 elif [ "${TYPE}" == "recovery" ]; then 330 elif [ "${TYPE}" == "recovery" ]; then
226 recalculate_rootfs_hash ${INPUT_IMAGE} \ 331 update_rootfs_hash ${INPUT_IMAGE} \
227 ${KEY_DIR}/recovery_kernel.keyblock \ 332 ${KEY_DIR}/recovery_kernel.keyblock \
228 ${KEY_DIR}/recovery_kernel_data_key.vbprivk 333 ${KEY_DIR}/recovery_kernel_data_key.vbprivk
229 sign_for_recovery 334 sign_for_recovery
230 elif [ "${TYPE}" == "install" ]; then 335 elif [ "${TYPE}" == "install" ]; then
231 recalculate_rootfs_hash ${INPUT_IMAGE} \ 336 update_rootfs_hash ${INPUT_IMAGE} \
232 ${KEY_DIR}/installer_kernel.keyblock \ 337 ${KEY_DIR}/installer_kernel.keyblock \
233 ${KEY_DIR}/recovery_kernel_data_key.vbprivk 338 ${KEY_DIR}/recovery_kernel_data_key.vbprivk
234 sign_for_factory_install 339 sign_for_factory_install
235 else 340 else
236 echo "Invalid type ${TYPE}" 341 echo "Invalid type ${TYPE}"
237 exit 1 342 exit 1
238 fi 343 fi
OLDNEW
« no previous file with comments | « scripts/image_signing/common.sh ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698