OLD | NEW |
1 #!/bin/bash | 1 #!/bin/bash |
2 | 2 |
3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
8 # | 8 # |
9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
10 # | 10 # |
11 # gbb_utility (from src/platform/vboot_reference) | 11 # gbb_utility (from src/platform/vboot_reference) |
12 # vbutil_kernel (from src/platform/vboot_reference) | 12 # vbutil_kernel (from src/platform/vboot_reference) |
13 # cgpt (from src/platform/vboot_reference) | 13 # cgpt (from src/platform/vboot_reference) |
14 # dump_kernel_config (from src/platform/vboot_reference) | 14 # dump_kernel_config (from src/platform/vboot_reference) |
15 # verity (from src/platform/verity) | 15 # verity (from src/platform/verity) |
16 # | 16 # load_kernel_test (from src/platform/vboot_reference) |
17 # Usage: sign_for_ssd.sh <type> input_image /path/to/keys/dir output_image | |
18 # | |
19 # where <type> is one of: | |
20 # ssd (sign an SSD image) | |
21 # recovery (sign a USB recovery image) | |
22 # install (sign a factory install image) | |
23 | 17 |
24 # Load common constants and variables. | 18 # Load common constants and variables. |
25 . "$(dirname "$0")/common.sh" | 19 . "$(dirname "$0")/common.sh" |
26 | 20 |
27 if [ $# -ne 4 ]; then | 21 # Print usage string |
| 22 usage() { |
28 cat <<EOF | 23 cat <<EOF |
29 Usage: $0 <type> input_image /path/to/keys/dir output_image" | 24 Usage: $PROG <type> input_image /path/to/keys/dir [output_image] |
30 where <type> is one of: | 25 where <type> is one of: |
31 ssd (sign an SSD image) | 26 ssd (sign an SSD image) |
32 recovery (sign a USB recovery image) | 27 recovery (sign a USB recovery image) |
33 install (sign a factory install image) | 28 install (sign a factory install image) |
| 29 verify (verify an image including rootfs hashes) |
| 30 |
| 31 If you are signing an image, you must specify an [output_image]. |
34 EOF | 32 EOF |
| 33 } |
| 34 |
| 35 if [ $# -ne 3 ] && [ $# -ne 4 ]; then |
| 36 usage |
35 exit 1 | 37 exit 1 |
36 fi | 38 fi |
37 | 39 |
38 # Abort on errors. | 40 # Abort on errors. |
39 set -e | 41 set -e |
40 | 42 |
41 # Make sure the tools we need are available. | 43 # Make sure the tools we need are available. |
42 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity; do | 44 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \ |
| 45 load_kernel_test; |
| 46 do |
43 type -P "${prereqs}" &>/dev/null || \ | 47 type -P "${prereqs}" &>/dev/null || \ |
44 { echo "${prereqs} tool not found."; exit 1; } | 48 { echo "${prereqs} tool not found."; exit 1; } |
45 done | 49 done |
46 | 50 |
47 TYPE=$1 | 51 TYPE=$1 |
48 INPUT_IMAGE=$2 | 52 INPUT_IMAGE=$2 |
49 KEY_DIR=$3 | 53 KEY_DIR=$3 |
50 OUTPUT_IMAGE=$4 | 54 OUTPUT_IMAGE=$4 |
51 | 55 |
52 # Re-calculate rootfs hash, update rootfs and kernel command line. | 56 # Get current rootfs hash and kernel command line |
53 # Args: IMAGE KEYBLOCK PRIVATEKEY | 57 # ARGS: IMAGE |
54 recalculate_rootfs_hash() { | 58 grab_kernel_config() { |
55 echo "Recalculating rootfs" | 59 local image=$1 |
56 local image=$1 # Input image. | 60 # Grab the existing kernel partition and get the kernel config. |
57 local keyblock=$2 # Keyblock for re-generating signed kernel partition | |
58 local signprivate=$3 # Private key to use for signing. | |
59 | |
60 # First, grab the existing kernel partition and get the kernel config. | |
61 temp_kimage=$(make_temp_file) | 61 temp_kimage=$(make_temp_file) |
62 extract_image_partition ${image} 2 ${temp_kimage} | 62 extract_image_partition ${image} 2 ${temp_kimage} |
63 local kernel_config=$(sudo dump_kernel_config ${temp_kimage}) | 63 dump_kernel_config ${temp_kimage} |
64 local dm_config=$(echo $kernel_config | | 64 } |
| 65 |
| 66 # Get the hash from a kernel config command line |
| 67 get_hash_from_config() { |
| 68 local kernel_config=$1 |
| 69 echo ${kernel_config} | sed -e 's/.*dm="\([^"]*\)".*/\1/g' | \ |
| 70 cut -f2- -d, | cut -f9 -d ' ' |
| 71 } |
| 72 |
| 73 # Calculate rootfs hash of an image |
| 74 # Args: ROOTFS_IMAGE KERNEL_CONFIG HASH_IMAGE |
| 75 # |
| 76 # rootfs calculation parameters are grabbed from KERNEL_CONFIG |
| 77 # |
| 78 # Returns an updated kernel config command line with the new hash. |
| 79 # and writes the new hash image to the file HASH_IMAGE |
| 80 calculate_rootfs_hash() { |
| 81 local rootfs_image=$1 |
| 82 local kernel_config=$2 |
| 83 local hash_image=$3 |
| 84 local dm_config=$(echo ${kernel_config} | |
65 sed -e 's/.*dm="\([^"]*\)".*/\1/g' | | 85 sed -e 's/.*dm="\([^"]*\)".*/\1/g' | |
66 cut -f2- -d,) | 86 cut -f2- -d,) |
67 # We extract dm=... portion of the config command line. Here's an example: | 87 # We extract dm=... portion of the config command line. Here's an example: |
68 # | 88 # |
69 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \ | 89 # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \ |
70 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2" | 90 # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2" |
71 # | 91 # |
72 | 92 |
73 if [ -z "${dm_config}" ]; then | 93 if [ -z "${dm_config}" ]; then |
74 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation" | 94 echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation" |
75 return | 95 exit 1 |
76 fi | 96 fi |
77 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ') | 97 local rootfs_sectors=$(echo ${dm_config} | cut -f2 -d' ') |
78 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ') | 98 local root_dev=$(echo ${dm_config} | cut -f4 -d ' ') |
79 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ') | 99 local hash_dev=$(echo ${dm_config} | cut -f5 -d ' ') |
80 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ') | 100 local verity_depth=$(echo ${dm_config} | cut -f7 -d' ') |
81 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ') | 101 local verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ') |
82 | 102 |
83 # Mount the rootfs and run the verity tool on it. | 103 # Run the verity tool on the rootfs partition. |
84 local hash_image=$(make_temp_file) | |
85 local rootfs_img=$(make_temp_file) | |
86 extract_image_partition ${image} 3 ${rootfs_img} | |
87 local table="vroot none ro,"$(sudo verity create \ | 104 local table="vroot none ro,"$(sudo verity create \ |
88 ${verity_depth} \ | 105 ${verity_depth} \ |
89 ${verity_algorithm} \ | 106 ${verity_algorithm} \ |
90 ${rootfs_img} \ | 107 ${rootfs_image} \ |
91 $((rootfs_sectors / 8)) \ | 108 $((rootfs_sectors / 8)) \ |
92 ${hash_image}) | 109 ${hash_image}) |
93 # Reconstruct new kernel config command line and replace placeholders. | 110 # Reconstruct new kernel config command line and replace placeholders. |
94 table="$(echo "$table" | | 111 table="$(echo "$table" | |
95 sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")" | 112 sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")" |
96 kernel_config=$(echo ${kernel_config} | | 113 echo ${kernel_config} | sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${table}\3#g" |
97 sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${table}\3#g") | 114 } |
| 115 |
| 116 # Re-calculate rootfs hash, update rootfs and kernel command line. |
| 117 # Args: IMAGE KEYBLOCK PRIVATEKEY |
| 118 update_rootfs_hash() { |
| 119 echo "Recalculating rootfs" |
| 120 local image=$1 # Input image. |
| 121 local keyblock=$2 # Keyblock for re-generating signed kernel partition |
| 122 local signprivate=$3 # Private key to use for signing. |
| 123 |
| 124 local rootfs_image=$(make_temp_file) |
| 125 extract_image_partition ${image} 3 ${rootfs_image} |
| 126 local kernel_config=$(grab_kernel_config "${image}") |
| 127 local hash_image=$(make_temp_file) |
| 128 |
| 129 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
| 130 "${kernel_config}" "${hash_image}") |
| 131 |
| 132 local rootfs_blocks=$(dumpe2fs "${rootfs_image}" 2> /dev/null | |
| 133 grep "Block count" | |
| 134 tr -d ' ' | |
| 135 cut -f2 -d:) |
| 136 local rootfs_sectors=$((rootfs_blocks * 8)) |
98 | 137 |
99 # Overwrite the appended hashes in the rootfs | 138 # Overwrite the appended hashes in the rootfs |
100 local temp_config=$(make_temp_file) | 139 local temp_config=$(make_temp_file) |
101 echo ${kernel_config} >${temp_config} | 140 echo ${new_kernel_config} >${temp_config} |
102 dd if=${hash_image} of=${rootfs_img} bs=512 \ | 141 dd if=${hash_image} of=${rootfs_image} bs=512 \ |
103 seek=${rootfs_sectors} conv=notrunc | 142 seek=${rootfs_sectors} conv=notrunc |
104 | 143 |
| 144 local temp_kimage=$(make_temp_file) |
| 145 extract_image_partition ${image} 2 ${temp_kimage} |
105 # Re-calculate kernel partition signature and command line. | 146 # Re-calculate kernel partition signature and command line. |
106 local updated_kimage=$(make_temp_file) | 147 local updated_kimage=$(make_temp_file) |
107 vbutil_kernel --repack ${updated_kimage} \ | 148 vbutil_kernel --repack ${updated_kimage} \ |
108 --keyblock ${keyblock} \ | 149 --keyblock ${keyblock} \ |
109 --signprivate ${signprivate} \ | 150 --signprivate ${signprivate} \ |
110 --oldblob ${temp_kimage} \ | 151 --oldblob ${temp_kimage} \ |
111 --config ${temp_config} | 152 --config ${temp_config} |
112 | 153 |
113 replace_image_partition ${image} 2 ${updated_kimage} | 154 replace_image_partition ${image} 2 ${updated_kimage} |
114 replace_image_partition ${image} 3 ${rootfs_img} | 155 replace_image_partition ${image} 3 ${rootfs_image} |
115 } | 156 } |
116 | 157 |
117 # Extracts the firmware update binaries from the a firmware update | 158 # Extracts the firmware update binaries from the a firmware update |
118 # shell ball (generated by src/platform/firmware/pack_firmware.sh) | 159 # shell ball (generated by src/platform/firmware/pack_firmware.sh) |
119 # Args: INPUT_SCRIPT OUTPUT_DIR | 160 # Args: INPUT_SCRIPT OUTPUT_DIR |
120 get_firmwarebin_from_shellball() { | 161 get_firmwarebin_from_shellball() { |
121 local input=$1 | 162 local input=$1 |
122 local output_dir=$2 | 163 local output_dir=$2 |
123 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ | 164 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ |
124 echo "Extracting firmware autoupdate failed." && exit 1 | 165 echo "Extracting firmware autoupdate failed." && exit 1 |
125 } | 166 } |
126 | 167 |
127 # Re-sign the firmware AU payload inside the image rootfs with a new keys. | 168 # Re-sign the firmware AU payload inside the image rootfs with a new keys. |
128 # Args: IMAGE | 169 # Args: IMAGE |
129 resign_firmware_payload() { | 170 resign_firmware_payload() { |
130 local image=$1 | 171 local image=$1 |
131 | 172 |
132 # Grab firmware image from the autoupdate shellball. | 173 # Grab firmware image from the autoupdate shellball. |
133 local rootfs_dir=$(make_temp_dir) | 174 local rootfs_dir=$(make_temp_dir) |
134 mount_image_partition ${image} 3 ${rootfs_dir} | 175 mount_image_partition ${image} 3 ${rootfs_dir} |
135 | 176 |
136 local shellball_dir=$(make_temp_dir) | 177 local shellball_dir=$(make_temp_dir) |
137 get_firmwarebin_from_shellball \ | 178 get_firmwarebin_from_shellball \ |
138 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} | 179 ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} |
139 | 180 |
140 temp_outfd=$(make_temp_file) | 181 temp_outfd=$(make_temp_file) |
141 # Replace the root key in the GBB | 182 # Replace the root key in the GBB |
142 # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. | 183 # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. |
143 gbb_utility -s \ | 184 gbb_utility -s \ |
144 --rootkey=${KEY_DIR}/root_key.vbpubk \ | 185 --rootkey=${KEY_DIR}/root_key.vbpubk \ |
145 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ | 186 --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ |
146 ${shellball_dir}/bios.bin ${temp_outfd} | 187 ${shellball_dir}/bios.bin ${temp_outfd} |
147 | 188 |
148 # Resign the firmware with new keys | 189 # Resign the firmware with new keys |
149 ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \ | 190 ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \ |
150 ${KEY_DIR}/firmware_data_key.vbprivk \ | 191 ${KEY_DIR}/firmware_data_key.vbprivk \ |
151 ${KEY_DIR}/firmware.keyblock \ | 192 ${KEY_DIR}/firmware.keyblock \ |
152 ${KEY_DIR}/kernel_subkey.vbpubk | 193 ${KEY_DIR}/kernel_subkey.vbpubk |
153 | 194 |
154 # Replace MD5 checksum in the firmware update payload | 195 # Replace MD5 checksum in the firmware update payload |
155 newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ') | 196 newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ') |
156 temp_version=$(make_temp_file) | 197 temp_version=$(make_temp_file) |
157 cat ${shellball_dir}/VERSION | | 198 cat ${shellball_dir}/VERSION | |
158 sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} | 199 sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} |
159 sudo cp ${temp_version} ${shellball_dir}/VERSION | 200 sudo cp ${temp_version} ${shellball_dir}/VERSION |
160 | 201 |
161 # Re-generate firmware_update.tgz and copy over encoded archive in | 202 # Re-generate firmware_update.tgz and copy over encoded archive in |
162 # the original shell ball. | 203 # the original shell ball. |
163 new_fwblob=$(make_temp_file) | 204 new_fwblob=$(make_temp_file) |
164 tar zcf - -C ${shellball_dir} . | \ | 205 tar zcf - -C ${shellball_dir} . | \ |
165 uuencode firmware_package.tgz > ${new_fwblob} | 206 uuencode firmware_package.tgz > ${new_fwblob} |
166 new_shellball=$(make_temp_file) | 207 new_shellball=$(make_temp_file) |
167 cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \ | 208 cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \ |
168 sed -e '/^begin .*firmware_package/,/end/D' | \ | 209 sed -e '/^begin .*firmware_package/,/end/D' | \ |
169 cat - ${new_fwblob} >${new_shellball} | 210 cat - ${new_fwblob} >${new_shellball} |
170 sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | 211 sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate |
171 # Force unmount of the image as it is needed later. | 212 # Force unmount of the image as it is needed later. |
172 sudo umount -d ${rootfs_dir} | 213 sudo umount -d ${rootfs_dir} |
173 echo "Re-signed firmware AU payload in $image" | 214 echo "Re-signed firmware AU payload in $image" |
174 } | 215 } |
175 | 216 |
| 217 # Verify an image including rootfs hash using the specified keys. |
| 218 verify_image() { |
| 219 local kernel_config=$(grab_kernel_config ${INPUT_IMAGE}) |
| 220 local rootfs_image=$(make_temp_file) |
| 221 extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image} |
| 222 local hash_image=$(make_temp_file) |
| 223 local type="" |
| 224 |
| 225 |
| 226 # First, perform RootFS verification |
| 227 echo "Verifying RootFS hash..." |
| 228 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
| 229 "${kernel_config}" "${hash_image}") |
| 230 local expected_hash=$(get_hash_from_config "${new_kernel_config}") |
| 231 local got_hash=$(get_hash_from_config "${kernel_config}") |
| 232 |
| 233 if [ ! "${got_hash}" = "${expected_hash}" ]; then |
| 234 cat <<EOF |
| 235 FAILED: RootFS hash is incorrect. |
| 236 Expected: ${expected_hash} |
| 237 Got: ${got_hash} |
| 238 EOF |
| 239 else |
| 240 echo "PASS: RootFS hash is correct (${expected_hash})" |
| 241 fi |
| 242 |
| 243 # Now try and verify kernel partition signature. |
| 244 set +e |
| 245 local try_key=${KEY_DIR}/recovery_key.vbpubk |
| 246 echo "Testing key verification..." |
| 247 # The recovery key is only used in the recovery mode. |
| 248 echo -n "With Recovery Key (Recovery Mode ON, Dev Mode OFF): " && \ |
| 249 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 2 >/dev/null 2>&1 && \ |
| 250 echo "YES"; } || echo "NO" |
| 251 echo -n "With Recovery Key (Recovery Mode ON, Dev Mode ON): " && \ |
| 252 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 3 >/dev/null 2>&1 && \ |
| 253 echo "YES"; } || echo "NO" |
| 254 |
| 255 try_key=${KEY_DIR}/kernel_subkey.vbpubk |
| 256 # The SSD key is only used in non-recovery mode. |
| 257 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode OFF): " && \ |
| 258 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 0 >/dev/null 2>&1 && \ |
| 259 echo "YES"; } || echo "NO" |
| 260 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode ON): " && \ |
| 261 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 1 >/dev/null 2>&1 && \ |
| 262 echo "YES"; } || echo "NO" |
| 263 set -e |
| 264 |
| 265 # TODO(gauravsh): Check embedded firmware AU signatures. |
| 266 } |
| 267 |
176 # Generate the SSD image | 268 # Generate the SSD image |
177 sign_for_ssd() { | 269 sign_for_ssd() { |
178 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 270 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
179 ${KEY_DIR}/kernel_data_key.vbprivk \ | 271 ${KEY_DIR}/kernel_data_key.vbprivk \ |
180 ${KEY_DIR}/kernel.keyblock | 272 ${KEY_DIR}/kernel.keyblock |
181 echo "Output signed SSD image to ${OUTPUT_IMAGE}" | 273 echo "Output signed SSD image to ${OUTPUT_IMAGE}" |
182 } | 274 } |
183 | 275 |
184 # Generate the USB (recovery + install) image | 276 # Generate the USB (recovery + install) image |
185 sign_for_recovery() { | 277 sign_for_recovery() { |
186 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 278 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
187 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ | 279 ${KEY_DIR}/recovery_kernel_data_key.vbprivk \ |
188 ${KEY_DIR}/recovery_kernel.keyblock | 280 ${KEY_DIR}/recovery_kernel.keyblock |
189 | 281 |
190 # Now generate the installer vblock with the SSD keys. | 282 # Now generate the installer vblock with the SSD keys. |
191 temp_kimage=$(make_temp_file) | 283 temp_kimage=$(make_temp_file) |
192 temp_out_vb=$(make_temp_file) | 284 temp_out_vb=$(make_temp_file) |
193 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimage} | 285 extract_image_partition ${OUTPUT_IMAGE} 2 ${temp_kimage} |
194 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimage} ${temp_out_vb} \ | 286 ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimage} ${temp_out_vb} \ |
195 ${KEY_DIR}/kernel_data_key.vbprivk \ | 287 ${KEY_DIR}/kernel_data_key.vbprivk \ |
196 ${KEY_DIR}/kernel.keyblock | 288 ${KEY_DIR}/kernel.keyblock |
197 | 289 |
198 # Copy the installer vblock to the stateful partition. | 290 # Copy the installer vblock to the stateful partition. |
(...skipping 11 matching lines...) Expand all Loading... |
210 ${KEY_DIR}/installer_kernel.keyblock | 302 ${KEY_DIR}/installer_kernel.keyblock |
211 echo "Output signed factory install image to ${OUTPUT_IMAGE}" | 303 echo "Output signed factory install image to ${OUTPUT_IMAGE}" |
212 } | 304 } |
213 | 305 |
214 # Firmware payload signing hidden behind a flag until it actually makes | 306 # Firmware payload signing hidden behind a flag until it actually makes |
215 # it into the image. | 307 # it into the image. |
216 if [ "${FW_UPDATE}" == "1" ]; then | 308 if [ "${FW_UPDATE}" == "1" ]; then |
217 resign_firmware_payload ${INPUT_IMAGE} | 309 resign_firmware_payload ${INPUT_IMAGE} |
218 fi | 310 fi |
219 | 311 |
| 312 # Verification |
| 313 if [ "${TYPE}" == "verify" ]; then |
| 314 verify_image |
| 315 exit 1 |
| 316 fi |
| 317 |
| 318 |
| 319 # Signing requires an output image name |
| 320 if [ -z "${OUTPUT_IMAGE}" ]; then |
| 321 usage |
| 322 exit 1 |
| 323 fi |
| 324 |
220 if [ "${TYPE}" == "ssd" ]; then | 325 if [ "${TYPE}" == "ssd" ]; then |
221 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 326 update_rootfs_hash ${INPUT_IMAGE} \ |
222 ${KEY_DIR}/kernel.keyblock \ | 327 ${KEY_DIR}/kernel.keyblock \ |
223 ${KEY_DIR}/kernel_data_key.vbprivk | 328 ${KEY_DIR}/kernel_data_key.vbprivk |
224 sign_for_ssd | 329 sign_for_ssd |
225 elif [ "${TYPE}" == "recovery" ]; then | 330 elif [ "${TYPE}" == "recovery" ]; then |
226 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 331 update_rootfs_hash ${INPUT_IMAGE} \ |
227 ${KEY_DIR}/recovery_kernel.keyblock \ | 332 ${KEY_DIR}/recovery_kernel.keyblock \ |
228 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 333 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
229 sign_for_recovery | 334 sign_for_recovery |
230 elif [ "${TYPE}" == "install" ]; then | 335 elif [ "${TYPE}" == "install" ]; then |
231 recalculate_rootfs_hash ${INPUT_IMAGE} \ | 336 update_rootfs_hash ${INPUT_IMAGE} \ |
232 ${KEY_DIR}/installer_kernel.keyblock \ | 337 ${KEY_DIR}/installer_kernel.keyblock \ |
233 ${KEY_DIR}/recovery_kernel_data_key.vbprivk | 338 ${KEY_DIR}/recovery_kernel_data_key.vbprivk |
234 sign_for_factory_install | 339 sign_for_factory_install |
235 else | 340 else |
236 echo "Invalid type ${TYPE}" | 341 echo "Invalid type ${TYPE}" |
237 exit 1 | 342 exit 1 |
238 fi | 343 fi |
OLD | NEW |