author | Gaurav Shah <gauravsh@chromium.org> | 2011-12-05 15:43:44 -0800 |
---|---|---|
committer | Gaurav Shah <gauravsh@chromium.org> | 2011-12-05 16:02:16 -0800 |
commit | 42d23c664dbd1334c82b48b504b7d8499955963d (patch) | |
tree | 82b0dec6b74d7fa48f4a6c957e49df93c9751ef6 | |
parent | 505a047c853b87caf808a180ec2eaf1381b68279 (diff) | |
download | vboot-42d23c664dbd1334c82b48b504b7d8499955963d.tar.gz |
sign_official_build: Use sign_firmware.sh for in-place firmware signing.
release-R17-1412.B
We recently fixed a bug in the sign_firmware.sh script to perform
root key replacement after signing FWA and FWB to allow
resign_firmwarefd.sh to correctly determine the preamble flag to use.
As it turns out, the sign_official_build.sh script used by the signer
for in-place firmware re-signing was using a different code path (by
directly calling resign_firmwarefd.sh).
This change makes sign_official_build script call sign_firmware.sh instead.
BUG=chrome-os-partner:6874
TEST=tried signing a vanilla lumpy image with and without the fix, and
observed the value of preamble flag used.
Change-Id: Icffb1d86fbe44f69e444da51fe251ad3427635c6
Reviewed-on: https://gerrit.chromium.org/gerrit/12471
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 32 |
1 files changed, 9 insertions, 23 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 2ab05796..cc3d6af0 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -325,29 +325,15 @@ resign_firmware_payload() { echo "Found a valid firmware update shellball." temp_outfd=$(make_temp_file) - # Replace the root key in the GBB. - # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. - if [ -e "${KEY_DIR}/hwid" ]; then - # Only update the hwid if we see one in the key directory. - gbb_utility -s \ - --rootkey=${KEY_DIR}/root_key.vbpubk \ - --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ - --hwid="$(cat ${KEY_DIR}/hwid)" \ - ${shellball_dir}/bios.bin ${temp_outfd} - else - gbb_utility -s \ - --rootkey=${KEY_DIR}/root_key.vbpubk \ - --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ - ${shellball_dir}/bios.bin ${temp_outfd} - fi - # Resign the firmware with new keys. - ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \ - ${KEY_DIR}/firmware_data_key.vbprivk \ - ${KEY_DIR}/firmware.keyblock \ - ${KEY_DIR}/dev_firmware_data_key.vbprivk \ - ${KEY_DIR}/dev_firmware.keyblock \ - ${KEY_DIR}/kernel_subkey.vbpubk \ - ${FIRMWARE_VERSION} + # Resign the firmware with new keys, also replacing the root and recovery + # public keys in the GBB. + ${SCRIPT_DIR}/sign_firmware.sh ${shellball_dir}/bios.bin ${KEY_DIR} \ + ${temp_outfd} + # Note: Although sign_firmware.sh may correctly handle specifying the same + # output file as the input file, we do not want to rely on it correctly + # handing that. Hence, the use of a temporary file. + cp ${temp_outfd} ${shellball_dir}/bios.bin + local signer_notes="${shellball_dir}/VERSION.signer" echo "" >"$signer_notes" echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"$signer_notes" |
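Review bot: The new `sign_firmware.sh` call in `resign_firmware_payload()` passes only `${shellball_dir}/bios.bin`, `${KEY_DIR}` and `${temp_outfd}`, so two inputs the removed block supplied explicitly are gone: `${FIRMWARE_VERSION}` (previously the last argument to `resign_firmwarefd.sh`) and the conditional `--hwid="$(cat ${KEY_DIR}/hwid)"` GBB update. Nothing visible in this hunk shows `sign_firmware.sh` picking up either one, and the commit message does not mention them; please confirm the firmware version and the HWID still come out as intended for in-place re-signing, or pass them through, and note it in the commit message. Separately, `cp ${temp_outfd} ${shellball_dir}/bios.bin` follows the signing call with no check of its exit status in this hunk; unless the script runs under `set -e`, a failed signing run would copy an incomplete temp file over bios.bin, so chain the two with `&&` or test the status first. Minor: the expansions in the added lines are unquoted, unlike the `"${KEY_DIR}"` use a few lines below, and "handing" in the new comment should read "handling".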