author | Gaurav Shah <gauravsh@chromium.org> | 2012-06-06 14:34:20 -0700 |
---|---|---|
committer | Gerrit <chrome-bot@google.com> | 2012-06-07 12:39:38 -0700 |
commit | 9c783ce3c132491e28efe84751b20d82fc571560 (patch) | |
tree | c30142b216f9b6ce5ff5de65445f6a7e84eaa5c0 | |
parent | bb5c49b3437e5d905f9b58722ccdde6b7204a1de (diff) | |
download | vboot-9c783ce3c132491e28efe84751b20d82fc571560.tar.gz |
Signing scripts: Add firmware signing to sign_official_build.sh
This makes it easy to integrate firmware signing into the signer
since we can reuse the base signing script.
BUG=chromium-os:10094
TEST=try signing both firmware and normal images.
Change-Id: I8beb598e267de33a2c3468dcf8d7c4b74d4de9fd
Reviewed-on: https://gerrit.chromium.org/gerrit/24654
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 33 |
1 files changed, 24 insertions, 9 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index bab99264..0c256d8e 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -28,6 +28,7 @@ where <type> is one of:
 ssd (sign an SSD image)
 recovery (sign a USB recovery image)
 install (sign a factory install image)
+ firmware (sign a firmware image)
 usb (sign an image to boot directly from USB)
 verify (verify an image including rootfs hashes)
@@ -317,6 +318,25 @@ repack_firmware_bundle() {
 fi
 }
+# Sign a firmware in-place with the given keys.
+# Args: FIRMWARE_IMAGE KEY_DIR FIRMWARE_VERSION
+sign_firmware() {
+ local image=$1
+ local key_dir=$2
+ local firmware_version=$3
+
+ local temp_firmware=$(make_temp_file)
+ # Resign the firmware with new keys, also replacing the root and recovery
+ # public keys in the GBB.
+ ${SCRIPT_DIR}/sign_firmware.sh ${image} ${key_dir} ${temp_firmware} \
+ ${firmware_version}
+ # Note: Although sign_firmware.sh may correctly handle specifying the same
+ # output file as the input file, we do not want to rely on it correctly
+ # handing that. Hence, the use of a temporary file.
+ mv ${temp_firmware} ${image}
+ echo "Signed firmware image output to ${image}"
+}
+
 # Re-sign the firmware AU payload inside the image rootfs with a new keys.
 # Args: IMAGE
 resign_firmware_payload() {
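Review bot: In the new `sign_firmware()` the `mv ${temp_firmware} ${image}` runs whether or not `sign_firmware.sh` succeeded, so a failed signing run overwrites the image with whatever the temp file holds and still prints "Signed firmware image output to"; the function's status is then that of the final `echo`. Unless the script runs under `set -e` (not visible in this hunk), the signer call should stop the function on failure: `"${SCRIPT_DIR}/sign_firmware.sh" "${image}" "${key_dir}" "${temp_firmware}" "${firmware_version}" || return 1`. Both callers in the later hunks (the call inside `resign_firmware_payload` and the new `firmware` branch) also ignore the return status and should check it. Quoting the expansions as shown also keeps an image path or key directory containing whitespace from being split into extra arguments to the signer. The switch from `cp` to `mv` means the image now takes the temp file's mode and ownership instead of keeping its own, which may matter for `bios.bin` inside the repacked shellball if `make_temp_file` creates owner-only files; that helper is outside the hunk, so this needs confirming.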
@@ -341,15 +361,7 @@ resign_firmware_payload() {
 return; }
 echo "Found a valid firmware update shellball."
- temp_outfd=$(make_temp_file)
- # Resign the firmware with new keys, also replacing the root and recovery
- # public keys in the GBB.
- ${SCRIPT_DIR}/sign_firmware.sh ${shellball_dir}/bios.bin ${KEY_DIR} \
- ${temp_outfd} ${FIRMWARE_VERSION}
- # Note: Although sign_firmware.sh may correctly handle specifying the same
- # output file as the input file, we do not want to rely on it correctly
- # handing that. Hence, the use of a temporary file.
- cp ${temp_outfd} ${shellball_dir}/bios.bin
+ sign_firmware ${shellball_dir}/bios.bin ${KEY_DIR} ${FIRMWARE_VERSION}
 local signer_notes="${shellball_dir}/VERSION.signer"
 echo "" >"$signer_notes"
@@ -624,6 +636,9 @@ elif [ "${TYPE}" == "install" ]; then
 ${KEY_DIR}/installer_kernel_data_key.vbprivk \
 2
 sign_for_factory_install ${OUTPUT_IMAGE}
+elif [ "${TYPE}" == "firmware" ]; then
+ cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
+ sign_firmware ${OUTPUT_IMAGE} ${KEY_DIR} ${FIRMWARE_VERSION}
 else
 echo "Invalid type ${TYPE}"
 exit 1 |
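Review bot: The new `firmware` branch copies the input to `${OUTPUT_IMAGE}` before signing, so if signing fails the output path is left holding a file that was never re-signed, and nothing in this branch turns that into a non-zero exit. Check the result and remove the copy on failure, e.g. `sign_firmware "${OUTPUT_IMAGE}" "${KEY_DIR}" "${FIRMWARE_VERSION}" || { rm -f "${OUTPUT_IMAGE}"; exit 1; }`; this only helps once `sign_firmware` itself returns non-zero when `sign_firmware.sh` fails, which it does not as written because its last command is `echo`. `${FIRMWARE_VERSION}` is passed unquoted, so an empty or unset value silently drops the version argument; how it is populated for this type is outside the hunk. The `if`/`elif` chain starts and ends outside this hunk.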