diff options
| author | Hung-Te Lin <hungte@chromium.org> | 2012-07-31 17:23:03 +0800 |
|---|---|---|
| committer | Gerrit <chrome-bot@google.com> | 2012-08-01 09:07:06 -0700 |
| commit | af44dce1e80ebd818770b906a328423762389753 (patch) | |
| tree | 2f40b19da64f5b69b40e719c8d63564918df22ce | |
| parent | 5b8210bd559437010ef3692122af008bffe29b4c (diff) | |
| download | vboot-af44dce1e80ebd818770b906a328423762389753.tar.gz | |
vboot_reference: Improve make_dev_firmware script.
Developers testing firmware preamble flags (usually for turn on/off RO-NORMAL
bits) need a easy way to change existing firmware, without hacking FDT source /
looking for complex script.
Also included some minor improvements:
* Always enable FORCE_DEV_BOOT_USB and DISABLE_FW_ROLLBACK_CHECK. These are
flags most developers need when leaving official signed normal firmware.
* --bmpfv is deprecated because our latest firmware now always include
official bitmaps in updater, no more DEV bitmaps.
BUG=none
TEST=./make_dev_firmware.sh -f bios.bin -t new_bios.bin --preamble_flags 0
./make_dev_firmware.sh -f bios.bin -t new_bios.bin --preamble_flags 1
Change-Id: I7ee72d32b4b7fa28f2be635fd8c7bb678852e132
Reviewed-on: https://gerrit.chromium.org/gerrit/28792
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
| -rwxr-xr-x | scripts/image_signing/make_dev_firmware.sh | 83 |
1 files changed, 35 insertions, 48 deletions
diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh index db2a83e1..6e69ac76 100755 --- a/scripts/image_signing/make_dev_firmware.sh +++ b/scripts/image_signing/make_dev_firmware.sh @@ -1,11 +1,11 @@ #!/bin/sh # -# Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. # # This script can change key (usually developer keys) in a firmware binary -# image or system live firmware (EEPROM), and assign proper HWID, BMPFV as well. +# image or system live firmware (EEPROM), and assign proper HWID, FLAGS as well. SCRIPT_BASE="$(dirname "$0")" . "$SCRIPT_BASE/common_minimal.sh" @@ -14,16 +14,17 @@ load_shflags || exit 1 # Constants used by DEFINE_* VBOOT_BASE='/usr/share/vboot' DEFAULT_KEYS_FOLDER="$VBOOT_BASE/devkeys" -DEFAULT_BMPFV_FILE="<auto>" DEFAULT_BACKUP_FOLDER='/mnt/stateful_partition/backups' -DEFAULT_FIRMWARE_UPDATER='/usr/sbin/chromeos-firmwareupdate' # DEFINE_string name default_value description flag DEFINE_string from "" "Path of input file (empty for system live firmware)" "f" DEFINE_string to "" "Path of output file (empty for system live firmware)" "t" DEFINE_string keys "$DEFAULT_KEYS_FOLDER" "Path to folder of dev keys" "k" -DEFINE_string bmpfv "$DEFAULT_BMPFV_FILE" \ - "Path to the new bitmaps, <auto> to extract from system, empty to keep." "" +DEFINE_string preamble_flags "" "Override preamble flags value. Known values: + 0: None. (Using RW to boot in normal. aka, two-stop) + 1: VB_FIRMWARE_PREAMBLE_USE_RO_NORMAL (one-stop)" "p" +DEFINE_boolean mod_gbb_flags \ + $FLAGS_TRUE "Modify GBB flags to enable developer friendly features" "" DEFINE_boolean force_backup \ $FLAGS_TRUE "Create backup even if source is not live" "" DEFINE_string backup_dir \ @@ -101,8 +102,6 @@ echo_dev_hwid() { # NOTE: Some DEV firmware image files may put GUID in HWID. # These are not officially supported and they will see "{GUID} DEV". - # Also there's some length limitation in chromeos_acpi/HWID, so - # a "{GUID} DEV" will become "{GUID} " in that case. if [ "$hwid" != "$hwid_no_dev" ]; then hwid="$hwid_no_dev" @@ -112,28 +111,6 @@ echo_dev_hwid() { echo "$hwid_dev" } -# Explores compatible firmware bitmaps -explore_bmpfv() { - local tmp_folder="" - - if [ -s "$DEFAULT_FIRMWARE_UPDATER" ]; then - # try to extract from built-in firmware updater - debug_msg "found default firmware updater, trying to fetch bitmap..." - tmp_folder=$("$DEFAULT_FIRMWARE_UPDATER" --sb_extract | sed "s'[^/]*''") - debug_msg "updater resources extrated to: $tmp_folder" - - if [ -d "$tmp_folder" -a -s "$tmp_folder/bios.bin" ]; then - new_bmpfv="$tmp_folder/bmpfv.bin" - echo "$new_bmpfv" - gbb_utility --bmpfv="$new_bmpfv" "$tmp_folder/bios.bin" >/dev/null 2>&1 - else - debug_msg "failed to find valid BIOS image file." - fi - else - debug_msg "no firmware updater in system. not changing bitmaps." - fi -} - # Main # ---------------------------------------------------------------------------- main() { @@ -145,15 +122,8 @@ main() { local dev_firmware_keyblock="$FLAGS_keys/dev_firmware.keyblock" local dev_firmware_prvkey="$FLAGS_keys/dev_firmware_data_key.vbprivk" local kernel_sub_pubkey="$FLAGS_keys/kernel_subkey.vbpubk" - local new_bmpfv="$FLAGS_bmpfv" local is_from_live=0 local backup_image= - local opt_bmpfv="" - - if [ "$new_bmpfv" = "$DEFAULT_BMPFV_FILE" ]; then - new_bmpfv=$(explore_bmpfv) && - debug_msg "Using bitmaps from $new_bmpfv" - fi debug_msg "Prerequisite check" ensure_files_exist \ @@ -164,11 +134,6 @@ main() { "$kernel_sub_pubkey" || exit 1 - if [ -n "$new_bmpfv" ]; then - opt_bmpfv="--bmpfv=$new_bmpfv" - ensure_files_exist "$new_bmpfv" || exit 1 - fi - if [ -z "$FLAGS_from" ]; then is_from_live=1 else @@ -230,26 +195,47 @@ main() { debug_msg "Extract current HWID and rootkey" local old_hwid old_hwid="$(gbb_utility --get --hwid "$IMAGE" 2>"$EXEC_LOG" | - grep '^hardware_id:' | - sed 's/^hardware_id: //')" + sed -rne 's/^hardware_id: (.*)$/\1/p')" debug_msg "Decide new HWID" - if [ -z "$old_hwid" ]; then + [ -z "$old_hwid" ] && err_die "Cannot find current HWID. (message: $(cat "$EXEC_LOG"))" - fi local new_hwid="$(echo_dev_hwid "$old_hwid")" + local old_gbb_flags + old_gbb_flags="$(gbb_utility --get --flags "$IMAGE" 2>"$EXEC_LOG" | + sed -rne 's/^flags: (.*)$/\1/p')" + debug_msg "Decide new GBB flags from: $old_gbb_flags" + [ -z "$old_gbb_flags" ] && + err_die "Cannot find GBB flags. (message: $(cat "$EXEC_LOG"))" + # 0x30: GBB_FLAG_FORCE_DEV_BOOT_USB | GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK + local new_gbb_flags="$((old_gbb_flags | 0x30))" + debug_msg "Replace GBB parts (gbb_utility allows changing on-the-fly)" gbb_utility --set \ --hwid="$new_hwid" \ --rootkey="$root_pubkey" \ --recoverykey="$recovery_pubkey" \ - $opt_bmpfv \ "$IMAGE" >"$EXEC_LOG" 2>&1 || err_die "Failed to change GBB Data. (message: $(cat "$EXEC_LOG"))" + # Old firmware does not support GBB flags, so let's make it an exception. + if [ "$FLAGS_mod_gbb_flags" = "$FLAGS_TRUE" ]; then + debug_msg "Changing GBB flags from $old_gbb_flags to $new_gbb_flags" + gbb_utility --set \ + --flags="$new_gbb_flags" \ + "$IMAGE" >"$EXEC_LOG" 2>&1 || + echo "Warning: GBB flags ($old_gbb_flags -> $new_gbb_flags) can't be set." + fi + debug_msg "Resign the firmware code (A/B) with new keys" local unsigned_image="$(make_temp_file)" + local optional_opts="" + if [ -n "$FLAGS_preamble_flags" ]; then + # optional_opts: VERSION FLAGS + debug_msg "Setting new VERSION=1, FLAGS=$FLAGS_preamble_flags" + optional_opts="1 $FLAGS_preamble_flags" + fi cp -f "$IMAGE" "$unsigned_image" # TODO(hungte) derive kernel key and preamble flag from existing firmware "$SCRIPT_BASE/resign_firmwarefd.sh" \ @@ -259,7 +245,8 @@ main() { "$firmware_keyblock" \ "$dev_firmware_prvkey" \ "$dev_firmware_keyblock" \ - "$kernel_sub_pubkey" >"$EXEC_LOG" 2>&1 || + "$kernel_sub_pubkey" \ + $optional_opts >"$EXEC_LOG" 2>&1 || err_die "Failed to re-sign firmware. (message: $(cat "$EXEC_LOG"))" if is_debug_mode; then cat "$EXEC_LOG" |