diff options
author | Furquan Shaikh <furquan@google.com> | 2015-08-04 00:41:08 -0700 |
---|---|---|
committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2015-08-05 07:09:15 +0000 |
commit | bea5f3a127755508289b09b034f1ed9f0a3c331f (patch) | |
tree | f07f15ec2275756ebc0ce73db720b1400b73ab5f | |
parent | d87618767e6d338de2dcdc5f4af16aa3225d9695 (diff) | |
download | vboot-bea5f3a127755508289b09b034f1ed9f0a3c331f.tar.gz |
image_signing: Add tool for pkc_signing required on smaug
CQ-DEPEND=CL:*225267
BUG=chrome-os-partner:43572
BRANCH=None
TEST=sudo emerge vboot_reference installs nv_pkc_signing.sh in /usr/bin
Change-Id: I2b3803197c13f62ffe4e1d85de1c1ad5a72ef955
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/290473
Trybot-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
Commit-Queue: Furquan Shaikh <furquan@chromium.org>
-rw-r--r-- | Makefile | 3 | ||||
-rwxr-xr-x | scripts/image_signing/nv_pkc_signing.sh | 37 |
2 files changed, 39 insertions, 1 deletions
@@ -589,7 +589,8 @@ SIGNING_SCRIPTS_DEV = \ scripts/image_signing/resign_firmwarefd.sh \ scripts/image_signing/make_dev_firmware.sh \ scripts/image_signing/make_dev_ssd.sh \ - scripts/image_signing/set_gbb_flags.sh + scripts/image_signing/set_gbb_flags.sh \ + scripts/image_signing/nv_pkc_signing.sh # Installed, but not made executable. SIGNING_COMMON = scripts/image_signing/common_minimal.sh diff --git a/scripts/image_signing/nv_pkc_signing.sh b/scripts/image_signing/nv_pkc_signing.sh new file mode 100755 index 00000000..9eae81f5 --- /dev/null +++ b/scripts/image_signing/nv_pkc_signing.sh @@ -0,0 +1,37 @@ +#!/bin/bash +# +# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +set +e + +# If tools are not present, do not continue signing +if [ ! type nv_tegrasign ] || [ ! type nv_bct_dump ] || [ ! type nv_cbootimage ]; then + exit 0 +fi + +bootloader_length=`nv_bct_dump $2 | grep "Bootloader\[0\]\.Length" | awk '{print$NF}' | cut -d';' -f1` +block_size=`nv_bct_dump $2 | grep "BlockSize" | awk '{print$NF}' | cut -d';' -f1` +start_block=`nv_bct_dump $2 | grep "Bootloader\[0\]\.Start block" | awk '{print$NF}' | cut -d';' -f1` +bootloader_offset=$(($block_size * $start_block)) + +# Sign bootloader +nv_tegrasign --key $1/nv_pkc.privk --file $2 --offset $bootloader_offset --length $bootloader_length --pubkey pubkey.mod --out bl.sig +cat >update_bl_sig.cfg <<EOF +RsaKeyModulus = pubkey.mod; +RsaPssSigBl = bl.sig; +EOF +nv_cbootimage -s tegra210 -u update_bl_sig.cfg $2 $2-bl-signed + +# Sign BCT +bct_offset=`nv_bct_dump $2 | grep "Crypto offset" | awk '{print$NF}' | cut -d';' -f1` +bct_length=`nv_bct_dump $2 | grep "Crypto length" | awk '{print$NF}' | cut -d';' -f1` +nv_tegrasign --key $1/nv_pkc.privk --file $2-bl-signed --offset $bct_offset --length $bct_length --out bct.sig +cat >update_bct_sig.cfg <<EOF +RsaPssSigBct = bct.sig; +EOF +nv_cbootimage -s tegra210 -u update_bct_sig.cfg $2-bl-signed $2-bl-final + +cp $2-bl-final $2 +exit 0 |