authorFurquan Shaikh <furquan@google.com>2015-08-04 00:41:08 -0700
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2015-08-05 07:09:15 +0000
commitbea5f3a127755508289b09b034f1ed9f0a3c331f (patch)
treef07f15ec2275756ebc0ce73db720b1400b73ab5f
parentd87618767e6d338de2dcdc5f4af16aa3225d9695 (diff)
downloadvboot-bea5f3a127755508289b09b034f1ed9f0a3c331f.tar.gz
image_signing: Add tool for pkc_signing required on smaug
CQ-DEPEND=CL:*225267 BUG=chrome-os-partner:43572 BRANCH=None TEST=sudo emerge vboot_reference installs nv_pkc_signing.sh in /usr/bin Change-Id: I2b3803197c13f62ffe4e1d85de1c1ad5a72ef955 Signed-off-by: Furquan Shaikh <furquan@google.com> Reviewed-on: https://chromium-review.googlesource.com/290473 Trybot-Ready: Furquan Shaikh <furquan@chromium.org> Tested-by: Furquan Shaikh <furquan@chromium.org> Reviewed-by: Stefan Reinauer <reinauer@chromium.org> Commit-Queue: Furquan Shaikh <furquan@chromium.org>
-rw-r--r--Makefile3
-rwxr-xr-xscripts/image_signing/nv_pkc_signing.sh37
2 files changed, 39 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index 225097fc..17971155 100644
--- a/Makefile
+++ b/Makefile
@@ -589,7 +589,8 @@ SIGNING_SCRIPTS_DEV = \
scripts/image_signing/resign_firmwarefd.sh \
scripts/image_signing/make_dev_firmware.sh \
scripts/image_signing/make_dev_ssd.sh \
- scripts/image_signing/set_gbb_flags.sh
+ scripts/image_signing/set_gbb_flags.sh \
+ scripts/image_signing/nv_pkc_signing.sh
# Installed, but not made executable.
SIGNING_COMMON = scripts/image_signing/common_minimal.sh
diff --git a/scripts/image_signing/nv_pkc_signing.sh b/scripts/image_signing/nv_pkc_signing.sh
new file mode 100755
index 00000000..9eae81f5
--- /dev/null
+++ b/scripts/image_signing/nv_pkc_signing.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set +e
+
+# If tools are not present, do not continue signing
+if [ ! type nv_tegrasign ] || [ ! type nv_bct_dump ] || [ ! type nv_cbootimage ]; then
+ exit 0
+fi
+
+bootloader_length=`nv_bct_dump $2 | grep "Bootloader\[0\]\.Length" | awk '{print$NF}' | cut -d';' -f1`
+block_size=`nv_bct_dump $2 | grep "BlockSize" | awk '{print$NF}' | cut -d';' -f1`
+start_block=`nv_bct_dump $2 | grep "Bootloader\[0\]\.Start block" | awk '{print$NF}' | cut -d';' -f1`
+bootloader_offset=$(($block_size * $start_block))
+
+# Sign bootloader
+nv_tegrasign --key $1/nv_pkc.privk --file $2 --offset $bootloader_offset --length $bootloader_length --pubkey pubkey.mod --out bl.sig
+cat >update_bl_sig.cfg <<EOF
+RsaKeyModulus = pubkey.mod;
+RsaPssSigBl = bl.sig;
+EOF
+nv_cbootimage -s tegra210 -u update_bl_sig.cfg $2 $2-bl-signed
+
+# Sign BCT
+bct_offset=`nv_bct_dump $2 | grep "Crypto offset" | awk '{print$NF}' | cut -d';' -f1`
+bct_length=`nv_bct_dump $2 | grep "Crypto length" | awk '{print$NF}' | cut -d';' -f1`
+nv_tegrasign --key $1/nv_pkc.privk --file $2-bl-signed --offset $bct_offset --length $bct_length --out bct.sig
+cat >update_bct_sig.cfg <<EOF
+RsaPssSigBct = bct.sig;
+EOF
+nv_cbootimage -s tegra210 -u update_bct_sig.cfg $2-bl-signed $2-bl-final
+
+cp $2-bl-final $2
+exit 0
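Review bot: The tool check on the `if [ ! type nv_tegrasign ] || ...` line never runs `type`, because inside `[ ]` the word is just a string operand, so the result does not depend on whether the NVIDIA tools are installed; as far as I can tell bash reports a `[` operand error and the `exit 0` branch is not taken. With `set +e` and the unconditional `exit 0` at the end, a failed `nv_tegrasign` or `nv_cbootimage` step (or an empty offset from `nv_bct_dump`) is still reported as success, so the caller cannot tell a signed image from an unsigned or half-signed one. I would write the check as `for t in nv_tegrasign nv_bct_dump nv_cbootimage; do type "$t" >/dev/null 2>&1 || exit 0; done`, follow it with `set -e`, and drop the final `exit 0` so a signing failure returns non-zero. The `$1` and `$2` expansions should be quoted. `pubkey.mod`, `bl.sig`, `bct.sig` and the two `.cfg` files are written under fixed names in the current directory, and a `mktemp -d` work directory cleaned up by a `trap ... EXIT` would keep these signing intermediates out of a shared or attacker-writable location.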