authorHung-Te Lin <hungte@chromium.org>2015-01-28 18:47:03 +0800
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2015-01-29 21:34:56 +0000
commitb6ebb1ab1c5a181f08b80f9a77434134645bc294 (patch)
tree43c2d48919846cb5b004d82d252a5b8a5678de0e
parent40837258677fca4b9bfb37b7bfb288baf40831e0 (diff)
downloadvboot-b6ebb1ab1c5a181f08b80f9a77434134645bc294.tar.gz
sign_official_build: Support old images without kernel in partition 4.
Old images don't put kernel on partition 4 and rely on vblock for installation. The signer script has to support both old and new images, by testing if kernel partition has valid data. BRANCH=signer BUG=chromium:449450 TEST=(get old image without kernel blob on partition 4) sign_official_build.sh usb image.bin ../../tests/devkeys signed.bin \ ../../tests/devkeys/key.versions Change-Id: I92542ffb162660d86c30d9598fe1ca59ff69afe4 Signed-off-by: Hung-Te Lin <hungte@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/243874 Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh31
1 files changed, 25 insertions, 6 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 8d782add..53c9ef5a 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -302,10 +302,18 @@ update_rootfs_hash() {
local kernelpart=
local keyblock=
local priv_key=
+ local new_kernel_config=
for kernelpart in 2 4; do
- local new_kernel_config="$(grab_kernel_config "${image}" "${kernelpart}" |
- sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${dm_args}\3#g")"
+ if ! new_kernel_config="$(
+ grab_kernel_config "${image}" "${kernelpart}" 2>/dev/null)" &&
+ [[ "${kernelpart}" == 4 ]]; then
+ # Legacy images don't have partition 4.
+ echo "Skipping empty kernel partition 4 (legacy images)."
+ continue
+ fi
+ new_kernel_config="$(echo "${new_kernel_config}" |
+ sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${dm_args}\3#g")"
echo "New config for kernel partition ${kernelpart} is:"
echo "${new_kernel_config}" | tee "${temp_config}"
extract_image_partition "${image}" "${kernelpart}" "${temp_kimage}"
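Review bot: The added `if ! new_kernel_config="$(...)" && [[ "${kernelpart}" == 4 ]]` only handles a failed `grab_kernel_config` for partition 4. For partition 2 a failure now falls through with `new_kernel_config` empty and, because of the new `2>/dev/null`, with no diagnostic, so the loop writes an empty config to `${temp_config}` and carries on. A signer should fail closed here: after the `fi`, add something like `[[ -n "${new_kernel_config}" ]] || { echo "ERROR: no kernel config in partition ${kernelpart}" >&2; return 1; }`. The partition 4 branch also treats every failure as "legacy image", so a partition 4 that holds data but cannot be parsed would be skipped and keep its old `dm=` arguments. The `dump_kernel_config ... == ""` test in `update_stateful_partition_vblock` (next hunk) has the same weakness and uses a different probe; a shared helper would keep the two checks in agreement. `update_rootfs_hash` starts and ends outside this hunk.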
@@ -329,15 +337,26 @@ update_rootfs_hash() {
# Update the SSD install-able vblock file on stateful partition.
# ARGS: Image
-# This is deprecated because all new images should have a SSD boot-able kernel in
-# partition 4.
-# TODO(hungte) crbug.com/403031: Remove this when no one is still using it.
+# This is deprecated because all new images should have a SSD boot-able kernel
+# in partition 4. However, the signer needs to be able to sign new & old images
+# (crbug.com/449450#c13) so we will probably never remove this.
update_stateful_partition_vblock() {
local image="$1"
local kernb_image="$(make_temp_file)"
local temp_out_vb="$(make_temp_file)"
+
extract_image_partition "${image}" 4 "${kernb_image}"
- vbutil_kernel --verify "${kernb_image}" --keyblock "${temp_out_vb}"
+ if [[ "$(dump_kernel_config "${kernb_image}" 2>/dev/null)" == "" ]]; then
+ echo "Building vmlinuz_hd.vblock from legacy image partition 2."
+ extract_image_partition "${image}" 2 "${kernb_image}"
+ fi
+
+ # vblock should always use kernel keyblock.
+ vbutil_kernel --repack "${temp_out_vb}" \
+ --keyblock "${KEY_DIR}/kernel.keyblock" \
+ --signprivate "${KEY_DIR}/kernel_data_key.vbprivk" \
+ --oldblob "${kernb_image}" \
+ --vblockonly
# Copy the installer vblock to the stateful partition.
local stateful_dir=$(make_temp_dir)
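Review bot: The new `vbutil_kernel --repack` call has no status check, and nothing visible here shows whether the script runs under `set -e`. If the repack fails, for example because `${KEY_DIR}/kernel_data_key.vbprivk` is missing, `${temp_out_vb}` presumably stays whatever `make_temp_file` created. The code after this hunk, which per the following comment copies the vblock to the stateful partition, would then install it. Append `|| { echo "ERROR: failed to build vmlinuz_hd.vblock" >&2; return 1; }` to the `--vblockonly` line. The function body continues past the end of the hunk.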