diff options
| author | Nicholas Bishop <nicholasbishop@google.com> | 2023-01-30 19:03:17 -0500 |
|---|---|---|
| committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-03-29 08:19:06 +0000 |
| commit | 5a0743c1dd6e71a572ffb6e417e405479b05aa34 (patch) | |
| tree | 2d60ecdc04fa005a48d56d6e52b148e5a3b48aad | |
| parent | 3eed0bd571209e9f6d9e022c07ef1d64fb9124ee (diff) | |
| download | vboot-5a0743c1dd6e71a572ffb6e417e405479b05aa34.tar.gz | |
sign_official_build: Sign reven recovery images like base images
Reven generates recovery images for use with the ChromeOS Recovery
Utility. Since those images are used to install Reven, they should be
signed like base images rather than recovery images (i.e. kern-a/root-a
should be signed with the normal key, not the recovery key).
With our current boot stack this difference doesn't actually matter
since it boots with the kernel image on the ESP, but with crdyboot we'll
boot with the ChromeOS kernel partitions, so they need to be signed
correctly.
BRANCH=none
BUG=b:256621033
TEST=USE=crdyboot build_packages
TEST=build_image
TEST=platform/vboot_reference/scripts/image_signing/sign_official_build.sh
TEST= recovery build/images/reven/latest/chromiumos_image.bin
TEST= platform/vboot_reference/tests/devkeys
TEST= build/images/reven/latest/chromiumos_image.bin.signed
TEST=Boot in a UEFI VM
Change-Id: Ie3f6dd829a8bc15eeffc1d7fe1fc07e14cb30ef0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4206908
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4380970
Reviewed-by: Cheng Yueh <cyueh@chromium.org>
Commit-Queue: Cheng Yueh <cyueh@chromium.org>
Auto-Submit: Phoebe Wang <phoebewang@chromium.org>
Tested-by: Phoebe Wang <phoebewang@chromium.org>
| -rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index a2460357..1ca50092 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -1054,6 +1054,25 @@ sign_image_file() { local loop_rootfs="${loopdev}p3" local is_reven=$(get_is_reven "${loopdev}") + # The reven board needs to produce recovery images since some + # downstream tools (e.g. the Chromebook Recovery Utility) expect + # them. However, reven's recovery images are not like other boards + # since reven is installed on generic PC hardware, and "recovery" + # actually means reinstalling. + # + # Installation occurs via liveboot, which loads the 'A' partitions. + # The UEFI bootloader expects the kernel partition to be signed with + # the normal board key, not the recovery key, so for reven we sign + # recovery images like base images: using the non-recovery key for + # both the 'A' and 'B' partitions. + local sign_recovery_like_base="${is_reven}" + + if [[ "${image_type}" == "recovery" && + "${sign_recovery_like_base}" == "true" ]]; then + kernA_keyblock="${kernB_keyblock}" + kernA_privkey="${kernB_privkey}" + fi + resign_firmware_payload "${loopdev}" remove_old_container_key "${loopdev}" resign_android_image_if_exists "${loopdev}" @@ -1076,7 +1095,8 @@ sign_image_file() { "${kernA_keyblock}" "${kernA_privkey}" \ "${kernB_keyblock}" "${kernB_privkey}" update_stateful_partition_vblock "${loopdev}" - if [[ "${image_type}" == "recovery" ]]; then + if [[ "${image_type}" == "recovery" && + "${sign_recovery_like_base}" == "false" ]]; then update_recovery_kernel_hash "${loopdev}" fi if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \ |