diff options
author | Nicholas Bishop <nicholasbishop@google.com> | 2023-03-21 18:24:09 -0400 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-03-29 08:20:00 +0000 |
commit | 6fde161e4cb24f5a2659b0c40676eaa5d8f77ca6 (patch) | |
tree | 4162ee03d0fb77e68385c9922cd694be0c5f1d81 | |
parent | 312260ac6331f229da4627d638c104b4921d644b (diff) | |
download | vboot-6fde161e4cb24f5a2659b0c40676eaa5d8f77ca6.tar.gz |
sign_official_build: Fix is-reven check
The `get_is_reven` function added in https://crrev.com/c/4206907 was too
restrictive. When run by the signer, the board name has been modified
from "reven" to "reven-signed-mp-v2keys". Change the condition to accept
either `reven` or `reven-signed*` (note the glob). Allowing plain
"reven" is not strictly necessary, but useful for local testing.
Tested the updated function by building a reven base image, then making
variants with different CHROMEOS_RELEASE_BOARD values: "reven",
"reven-signed-mp-v2keys", and "revenator". Running
`sign_official_build.sh` on them shows that the first two are identified
as reven, and the last one is not. This can be seen by checking if
boot*.efi is signed or not, since that should not happen for reven.
BRANCH=none
BUG=b:274648121
TEST=See above
TEST=FEATURES=test emerge-reven vboot_reference
Change-Id: I099abf372b71ea3e064e91a57c5e8888de298028
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4358400
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4381012
Tested-by: Phoebe Wang <phoebewang@chromium.org>
Reviewed-by: Cheng Yueh <cyueh@chromium.org>
Auto-Submit: Phoebe Wang <phoebewang@chromium.org>
Commit-Queue: Cheng Yueh <cyueh@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 896f2b13..fbc844ce 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -782,7 +782,10 @@ get_is_reven() { sudo umount "${rootfs_dir}" - if [[ "${board}" == "reven" ]]; then + # When run by the signer, the board name will look like + # "reven-signed-mp-v2keys". Also accept plain "reven" for local + # testing. + if [[ "${board}" == "reven-signed"* || "${board}" == "reven" ]]; then echo "true" else echo "false" |