| OLD | NEW |
|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
| 8 # | 8 # |
| 9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
| 10 # | 10 # |
| (...skipping 283 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 294 local hash_image=$(make_temp_file) | 294 local hash_image=$(make_temp_file) |
| 295 local type="" | 295 local type="" |
| 296 | 296 |
| 297 # First, perform RootFS verification | 297 # First, perform RootFS verification |
| 298 echo "Verifying RootFS hash..." | 298 echo "Verifying RootFS hash..." |
| 299 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ | 299 local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ |
| 300 "${kernel_config}" "${hash_image}") | 300 "${kernel_config}" "${hash_image}") |
| 301 local expected_hash=$(get_hash_from_config "${new_kernel_config}") | 301 local expected_hash=$(get_hash_from_config "${new_kernel_config}") |
| 302 local got_hash=$(get_hash_from_config "${kernel_config}") | 302 local got_hash=$(get_hash_from_config "${kernel_config}") |
| 303 | 303 |
| 304 if [ -z "${expected_hash}" ]; then |
| 305 echo "FAILED: RootFS hash is empty!" |
| 306 exit 1 |
| 307 fi |
| 304 if [ ! "${got_hash}" = "${expected_hash}" ]; then | 308 if [ ! "${got_hash}" = "${expected_hash}" ]; then |
| 305 cat <<EOF | 309 cat <<EOF |
| 306 FAILED: RootFS hash is incorrect. | 310 FAILED: RootFS hash is incorrect. |
| 307 Expected: ${expected_hash} | 311 Expected: ${expected_hash} |
| 308 Got: ${got_hash} | 312 Got: ${got_hash} |
| 309 EOF | 313 EOF |
| 314 exit 1 |
| 310 else | 315 else |
| 311 echo "PASS: RootFS hash is correct (${expected_hash})" | 316 echo "PASS: RootFS hash is correct (${expected_hash})" |
| 312 fi | 317 fi |
| 313 | 318 |
| 314 # Now try and verify kernel partition signature. | 319 # Now try and verify kernel partition signature. |
| 315 set +e | 320 set +e |
| 316 local try_key=${KEY_DIR}/recovery_key.vbpubk | 321 local try_key=${KEY_DIR}/recovery_key.vbpubk |
| 317 echo "Testing key verification..." | 322 echo "Testing key verification..." |
| 318 # The recovery key is only used in the recovery mode. | 323 # The recovery key is only used in the recovery mode. |
| 319 echo -n "With Recovery Key (Recovery Mode ON, Dev Mode OFF): " && \ | 324 echo -n "With Recovery Key (Recovery Mode ON, Dev Mode OFF): " && \ |
| (...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 511 resign_firmware_payload ${OUTPUT_IMAGE} | 516 resign_firmware_payload ${OUTPUT_IMAGE} |
| 512 update_rootfs_hash ${OUTPUT_IMAGE} \ | 517 update_rootfs_hash ${OUTPUT_IMAGE} \ |
| 513 ${KEY_DIR}/installer_kernel.keyblock \ | 518 ${KEY_DIR}/installer_kernel.keyblock \ |
| 514 ${KEY_DIR}/installer_kernel_data_key.vbprivk \ | 519 ${KEY_DIR}/installer_kernel_data_key.vbprivk \ |
| 515 2 | 520 2 |
| 516 sign_for_factory_install ${OUTPUT_IMAGE} | 521 sign_for_factory_install ${OUTPUT_IMAGE} |
| 517 else | 522 else |
| 518 echo "Invalid type ${TYPE}" | 523 echo "Invalid type ${TYPE}" |
| 519 exit 1 | 524 exit 1 |
| 520 fi | 525 fi |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6720043:
Fail verification if the rootfs hash is empty. (Closed)
Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master