author | Duncan Laurie <dlaurie@google.com> | 2019-05-22 17:24:37 -0700 |
---|---|---|
committer | Duncan Laurie <dlaurie@google.com> | 2019-05-23 00:37:30 +0000 |
commit | c86bb0a6736ebc5dbc7c2f621a79ff4e358d7b3d (patch) | |
tree | 29e0f1fd3beca93c3a8284e79eebf48095093148 | |
parent | 18c7c7f5c7e917f65a09be220e190ff163337b66 (diff) | |
download | vboot-c86bb0a6736ebc5dbc7c2f621a79ff4e358d7b3d.tar.gz |
Revert "cr50: relax signature type verification for test runs"
This reverts commit 18c7c7f5c7e917f65a09be220e190ff163337b66.
BUG=none
TEST=none
Change-Id: I4ea896efd2d5354630be9bb0877ecb015e81260b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1626760
Reviewed-by: Duncan Laurie <dlaurie@google.com>
Commit-Queue: Duncan Laurie <dlaurie@google.com>
Tested-by: Duncan Laurie <dlaurie@google.com>
-rwxr-xr-x | scripts/image_signing/sign_cr50_firmware.sh | 16 |
1 files changed, 3 insertions, 13 deletions
diff --git a/scripts/image_signing/sign_cr50_firmware.sh b/scripts/image_signing/sign_cr50_firmware.sh
index c87b3124..1616e49b 100755
--- a/scripts/image_signing/sign_cr50_firmware.sh
+++ b/scripts/image_signing/sign_cr50_firmware.sh
@@ -224,28 +224,18 @@ sign_rw() {
 # A very crude RO verification function. The key signature found at a fixed
 # offset into the RO blob must match the RO type. Prod keys have bit D2 set to
 # one, dev keys have this bit set to zero.
-#
-# The check is bypassed if the key file directory name includes string 'test'.
 verify_ro() {
- if [[ $# -ne 2 ]]; then
- die "Usage: verify_ro <ro_bin> <key_file>"
+ if [[ $# -ne 1 ]]; then
+ die "Usage: verify_ro <ro_bin>"
 fi
 local ro_bin="$1"
- local key_file="$2"
 local key_byte
- local key_path
 if [[ ! -f "${ro_bin}" ]]; then
 die "${ro_bin} not a file!"
 fi
- key_path="$(dirname "${key_file}")"
- if [[ ${key_path##*/} == *"test"* ]]; then
- info "Test run, ignoring key type verification"
- return 0
- fi
-
 # Key signature's lowest byte is byte #5 in the line at offset 0001a0.
 key_byte="$(od -Ax -t x1 -v "${ro_bin}" | awk '/0001a0/ {print $6}')"
 case "${key_byte}" in
@@ -309,7 +299,7 @@ sign_cr50_firmware() {
 if ! objcopy -I ihex "${f}" -O binary "${temp_dir}/${count}.bin"; then
 die "Failed to convert ${f} from hex to bin"
 fi
- verify_ro "${temp_dir}/${count}.bin" "${key_file}"
+ verify_ro "${temp_dir}/${count}.bin"
 : $(( count++ ))
 done |
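Review bot: With the test-directory bypass removed, `verify_ro` gates every RO blob on `key_byte`, but in the first hunk that value still comes from an unanchored text match, `awk '/0001a0/ {print $6}'`, over `od` output. A blob shorter than that offset yields an empty string, and on a very large input a wider address such as `10001a0` would likely match as well and yield several lines. Whether either case is rejected depends on the `case` arms, which lie outside this hunk. I would anchor the match as `awk '$1 == "0001a0" {print $6}'` and fail closed immediately after it with `[[ "${key_byte}" =~ ^[0-9a-f]{2}$ ]] || die "Cannot read key signature byte from ${ro_bin}"`, so a malformed blob can never fall through the key-type check.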