author | Reka Norman <rekanorman@google.com> | 2023-03-03 11:39:53 +1100 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-03-29 08:19:53 +0000 |
commit | e826e4c95913d8fc063de2fb7039992f642d3605 (patch) | |
tree | 4b98a39763622d12267f3d1b0673b60891c24b92 | |
parent | ee87680f3faf44ec76beec3e8227c2480208f5d0 (diff) | |
download | vboot-e826e4c95913d8fc063de2fb7039992f642d3605.tar.gz |
sign_official_build: Don't sign miniOS kernels in factory shims
Factory shims contain miniOS kernels, but they are not used, so don't
sign them. They will remain in the image signed with dev keys.
BRANCH=None
BUG=None
TEST=Run sign_official_build.sh on factory shim. Logs show miniOS
kernels are not signed, and shim still boots.
Change-Id: I4a1b72726edb7d780a3f2c2fe783f568a012ee77
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4321706
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4381007
Reviewed-by: Cheng Yueh <cyueh@chromium.org>
Commit-Queue: Cheng Yueh <cyueh@chromium.org>
Auto-Submit: Phoebe Wang <phoebewang@chromium.org>
Tested-by: Phoebe Wang <phoebewang@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index de73504a..896f2b13 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -1203,9 +1203,11 @@ sign_image_file() {
 "${kernC_privkey}"
 fi
 fi
- if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
- "${minios_privkey}"; then
- return 1
+ if [[ -n "${minios_keyblock}" ]]; then
+ if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
+ "${minios_privkey}"; then
+ return 1
+ fi
 fi
 if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then
 # Error is already logged.
@@ -1280,8 +1282,8 @@ elif [[ "${TYPE}" == "factory" ]]; then
 "${KEY_DIR}/installer_kernel_data_key.vbprivk" \
 "" \
 "" \
- "${KEY_DIR}/minios_kernel.keyblock" \
- "${KEY_DIR}/minios_kernel_data_key.vbprivk"
+ "" \
+ ""
 elif [[ "${TYPE}" == "firmware" ]]; then
 if [[ -e "${KEY_DIR}/loem.ini" ]]; then
 die "LOEM signing not implemented yet for firmware images" |
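Review bot: The new guard in sign_image_file (first hunk) tests only `minios_keyblock`, so an empty value that arrives by mistake, for example from an unset variable at a non-factory call site, now skips miniOS signing silently and leaves dev-signed kernels in the image while the function still succeeds. Logging the skip, e.g. an `else` branch with `info "Skipping miniOS kernel signing: no keyblock given"`, would put the decision in the signer log. The mixed case where exactly one of `minios_keyblock` and `minios_privkey` is empty should fail rather than proceed or skip. sign_image_file starts and ends outside this hunk, so whether these arguments are validated earlier is not visible here.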
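Review bot: The two bare `"" \` / `""` arguments added in the factory branch (second hunk) look identical to the two empty arguments just above them, so nothing at the call site records that the miniOS keyblock and private key are omitted on purpose. A comment before the call, such as `# miniOS keyblock/privkey left empty: factory shims do not use miniOS, so those kernels stay dev-signed.`, would keep a later edit from shifting the positional arguments or restoring the keys. The call begins above the hunk, and a comment cannot sit between the backslash-continued lines, so it belongs before the call's first line.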