diff options
author | Hung-Te Lin <hungte@chromium.org> | 2011-09-03 21:46:13 +0800 |
---|---|---|
committer | Hung-Te Lin <hungte@chromium.org> | 2011-09-09 10:02:08 -0700 |
commit | 9137e8df481906c7de15d92f639a6129adedd892 (patch) | |
tree | a0b46ce733675aef4b811eee61b04a151c629b65 | |
parent | e339cbacef5cab487e2a2c4718376579d99c9b55 (diff) | |
download | vboot-9137e8df481906c7de15d92f639a6129adedd892.tar.gz |
sign_official_build: support new firmware updater repacking methodfactory-1020.B
To prevent hard-coding the procedure to repack a firmware updater, this CL
supports using new "--sb_repack" mode supported by updater so that signer does
not need to care about how the updater is packed anymore.
BUG=chromium-os:20027
TEST=./sign_official_build.sh ssd \
~/trunk/src/build/images/x86-zgb/latest/chromiumos_image.bin \
../../tests/devkeys \
~/trunk/src/build/images/x86-zgb/latest/chromiumos_new_image.bin
# success
Change-Id: I035dfaa86b05b85748e69ec039769b0c08d33f64
Reviewed-on: http://gerrit.chromium.org/gerrit/7311
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 94 |
1 files changed, 59 insertions, 35 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 8a1b4eb5..3c026e8f 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2010 The Chromium OS Authors. All rights reserved. +# Copyright (c) 2011 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. @@ -241,17 +241,51 @@ verify_image_rootfs() { { echo "Root file system has errors!" && exit 1;} } -# Extracts the firmware update binaries from the a firmware update -# shell ball (generated by src/platform/firmware/pack_firmware.sh) -# Args: INPUT_SCRIPT OUTPUT_DIR -get_firmwarebin_from_shellball() { - local input=$1 - local output_dir=$2 - if [ -s "${input}" ]; then - uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ - { echo "Extracting firmware autoupdate failed." && exit 1; } +# Extracts a firmware updater bundle (for firmware image binaries) file +# (generated by src/platform/firmware/pack_firmware.sh). +# Args: INPUT_FILE OUTPUT_DIR +extract_firmware_bundle() { + local input="$(readlink -f "$1")" + local output_dir="$2" + if [ ! -s "${input}" ]; then + return 1 + elif grep -q '^##CUTHERE##' "${input}"; then + # Bundle supports self-extraction. + "$input" --sb_extract "${output_dir}" || + die "Extracting firmware autoupdate (--sb_extract) failed." else + # Legacy bundle - try uudecode. + uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || + die "Extracting firmware autoupdate failed." + fi +} + +# Repacks firmware updater bundle content from given folder. +# Args: INPUT_DIR TARGET_SCRIPT +repack_firmware_bundle() { + local input_dir="$1" + local target="$(readlink -f "$2")" + + if [ ! -s "${target}" ]; then return 1 + elif grep -q '^##CUTHERE##' "${target}"; then + # Bundle supports repacking. + "$target" --sb_repack "${input_dir}" || + die "Updating firmware autoupdate (--sb_repack) failed." + else + # Legacy bundle using uuencode + tar.gz. + # Replace MD5 checksum in the firmware update payload. + local newfd_checksum="$(md5sum ${input_dir}/bios.bin | cut -f 1 -d ' ')" + local temp_version="$(make_temp_file)" + cat ${input_dir}/VERSION | + sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} + mv ${temp_version} ${input_dir}/VERSION + + # Re-generate firmware_update.tgz and copy over encoded archive in + # the original shell ball. + sed -ine '/^begin .*firmware_package/,/end/D' "$target" + tar zcf - -C "${input_dir}" . | + uuencode firmware_package.tgz >>"${target}" fi } @@ -265,23 +299,22 @@ resign_firmware_payload() { return fi - # Grab firmware image from the autoupdate shellball. + # Grab firmware image from the autoupdate bundle (shellball). local rootfs_dir=$(make_temp_dir) mount_image_partition ${image} 3 ${rootfs_dir} # Force unmount of the rootfs on function exit as it is needed later. trap "sudo umount -d ${rootfs_dir}" RETURN - + local firmware_bundle="${rootfs_dir}/usr/sbin/chromeos-firmwareupdate" local shellball_dir=$(make_temp_dir) - # get_firmwarebin_from_shellball can fail if the image has no - # firmware update. - get_firmwarebin_from_shellball \ - ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \ + + # extract_firmware_bundle can fail if the image has no firmware update. + extract_firmware_bundle "${firmware_bundle}" "${shellball_dir}" || { echo "Didn't find a firmware update. Not signing firmware." return; } echo "Found a valid firmware update shellball." temp_outfd=$(make_temp_file) - # Replace the root key in the GBB + # Replace the root key in the GBB. # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. if [ -e "${KEY_DIR}/hwid" ]; then # Only update the hwid if we see one in the key directory. @@ -296,7 +329,7 @@ resign_firmware_payload() { --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ ${shellball_dir}/bios.bin ${temp_outfd} fi - # Resign the firmware with new keys + # Resign the firmware with new keys. ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \ ${KEY_DIR}/firmware_data_key.vbprivk \ ${KEY_DIR}/firmware.keyblock \ @@ -304,24 +337,15 @@ resign_firmware_payload() { ${KEY_DIR}/dev_firmware.keyblock \ ${KEY_DIR}/kernel_subkey.vbpubk \ ${FIRMWARE_VERSION} + local signer_notes="${shellball_dir}/VERSION.signer" + echo "" >"$signer_notes" + echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"$signer_notes" - # Replace MD5 checksum in the firmware update payload - newfd_checksum=$(md5sum ${shellball_dir}/bios.bin | cut -f 1 -d ' ') - temp_version=$(make_temp_file) - cat ${shellball_dir}/VERSION | - sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version} - sudo cp ${temp_version} ${shellball_dir}/VERSION - - # Re-generate firmware_update.tgz and copy over encoded archive in - # the original shell ball. - new_fwblob=$(make_temp_file) - tar zcf - -C ${shellball_dir} . | \ - uuencode firmware_package.tgz > ${new_fwblob} new_shellball=$(make_temp_file) - cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \ - sed -e '/^begin .*firmware_package/,/end/D' | \ - cat - ${new_fwblob} >${new_shellball} - sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate + cp -f "${firmware_bundle}" "${new_shellball}" + repack_firmware_bundle "${shellball_dir}" "${new_shellball}" + sudo cp -f "${new_shellball}" "${firmware_bundle}" + sudo chmod a+rx "${firmware_bundle}" echo "Re-signed firmware AU payload in $image" } @@ -333,7 +357,7 @@ verify_image() { local hash_image=$(make_temp_file) local type="" - # First, perform RootFS verification + # First, perform RootFS verification. echo "Verifying RootFS hash..." local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \ "${kernel_config}" "${hash_image}") |