author: Stefan Reinauer <reinauer@chromium.org> 2011-11-16 18:34:01 -0800
committer: Duncan Laurie <dlaurie@chromium.org> 2011-11-16 18:37:32 -0800
commit: b416cbccc74e7ef8458184c055321bc124a475bb (patch)
tree: abca5e40c0433df9755d952961bcd8957c9c7421
parent: eb09534c1f934f5773dc38e025668b0104c5b4aa (diff)
Replace root and recovery keys in the GBB after firmware sections have been re-signed

resign_firmwarefd.sh needs a verifiable copy of the firmware (and associated root key) to determine the preamble flag value to use.

BUG=chrome-os-partner:6874
TEST=manually tested resigning a firmware .bin using sign_firmware.sh. Verified correct preamble flag determination.

Change-Id: I898a967253f8daa54ec2bef2990624b7928dc157
Reviewed-on: https://gerrit.chromium.org/gerrit/11776
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/11829
Commit-Ready: Stefan Reinauer <reinauer@chromium.org>
Tested-by: Stefan Reinauer <reinauer@chromium.org>

-rwxr-xr-x scripts/image_signing/sign_firmware.sh 18
1 files changed, 11 insertions, 7 deletions
diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh
index 1d20e10c..364a8c75 100755
--- a/scripts/image_signing/sign_firmware.sh
+++ b/scripts/image_signing/sign_firmware.sh
@@ -31,17 +31,21 @@ OUT_FIRMWARE=$3
temp_fw=$(mktemp)
trap "rm ${temp_fw}" EXIT
-# Replace the root and recovery key in the Google Binary Block of the firmware.
-gbb_utility -s \
- --rootkey=${KEY_DIR}/root_key.vbpubk \
- --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
- ${IN_FIRMWARE} ${temp_fw}
-
# Resign the firmware with new keys
-${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_fw} ${OUT_FIRMWARE} \
+${SCRIPT_DIR}/resign_firmwarefd.sh ${IN_FIRMWARE} ${temp_fw} \
${KEY_DIR}/firmware_data_key.vbprivk \
${KEY_DIR}/firmware.keyblock \
${KEY_DIR}/dev_firmware_data_key.vbprivk \
${KEY_DIR}/dev_firmware.keyblock \
${KEY_DIR}/kernel_subkey.vbpubk \
${FIRMWARE_VERSION}
+
+# Replace the root and recovery key in the Google Binary Block of the firmware.
+# Note: This needs to happen after calling resign_firmwarefd.sh since it needs
+# to be able to verify the firmware using the root key to determine the preamble
+# flags.
+gbb_utility -s \
+ --rootkey=${KEY_DIR}/root_key.vbpubk \
+ --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+ ${temp_fw} ${OUT_FIRMWARE}
+
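Review bot: The relocated gbb_utility -s call at the end of the hunk runs regardless of whether resign_firmwarefd.sh succeeded, because nothing in the visible lines checks that script's exit status. ${temp_fw} is created empty by mktemp, so a failed re-sign would leave gbb_utility working on an empty or partial file and could still produce ${OUT_FIRMWARE}. If the script does not already run under set -e (the lines above the hunk are not shown), add "|| exit 1" to the resign_firmwarefd.sh invocation so a failed re-sign never yields an output image. With this ordering the output is the first image that combines the new signatures with the new root key, so it would also be worth verifying ${OUT_FIRMWARE} against ${KEY_DIR}/root_key.vbpubk as a final step; the TEST= line covers only a manual check of the preamble flag. Minor: the added lines expand ${temp_fw}, ${OUT_FIRMWARE} and ${KEY_DIR} unquoted, which breaks on paths containing spaces; quoting them, for example "${temp_fw}" "${OUT_FIRMWARE}", would be safer.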