diff options
author | Jakub Czapiga <jacz@semihalf.com> | 2022-04-12 14:49:22 +0200 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-05-30 14:12:59 +0000 |
commit | 3000736e2da72115f1350b6d9c0c66d208ddd1be (patch) | |
tree | cdffce0a346021eba308728628831e51561a4ec3 | |
parent | fb0ddbbdf6018d9305248eb3138cb3cfcd532b31 (diff) | |
download | vboot-3000736e2da72115f1350b6d9c0c66d208ddd1be.tar.gz |
futility: Remove --devsign and --devkeyblock
This feature has not been needed since pre-2012 devices which have long
since reached their end of life. We can safely remove it to simplify the
code.
Also remove ZGB image, as it is no longer needed.
BUG=b:197114807
TEST=sudo FEATURES=test emerge vboot_reference
BRANCH=none
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Cq-Depend: chromium:3650757
Change-Id: I889dc6300c5cb72bdfcb9c2b66d63e97d3f8c862
Disallow-Recycled-Builds: test-failures
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3578968
Commit-Queue: Jakub Czapiga <czapiga@google.com>
Auto-Submit: Jakub Czapiga <czapiga@google.com>
Tested-by: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
-rw-r--r-- | futility/cmd_sign.c | 22 | ||||
-rw-r--r-- | futility/file_type_bios.c | 26 | ||||
-rw-r--r-- | futility/futility_options.h | 2 | ||||
-rwxr-xr-x | scripts/image_signing/make_dev_firmware.sh | 6 | ||||
-rwxr-xr-x | scripts/image_signing/resign_firmwarefd.sh | 20 | ||||
-rwxr-xr-x | scripts/image_signing/sign_firmware.sh | 2 | ||||
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 12 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 16 | ||||
-rw-r--r-- | tests/futility/data/README | 1 | ||||
-rw-r--r-- | tests/futility/data/bios_zgb_mp.bin | bin | 4194304 -> 0 bytes | |||
-rw-r--r-- | tests/futility/data_bios_zgb_mp.bin_expect.txt | 6 | ||||
-rw-r--r-- | tests/futility/expect_output/show.tests_futility_data_bios_peppy_mp.bin (renamed from tests/futility/expect_output/show.tests_futility_data_bios_zgb_mp.bin) | 40 | ||||
-rw-r--r-- | tests/futility/test_file_types.c | 2 | ||||
-rwxr-xr-x | tests/futility/test_file_types.sh | 2 | ||||
-rwxr-xr-x | tests/futility/test_show_contents.sh | 2 | ||||
-rwxr-xr-x | tests/futility/test_sign_firmware.sh | 14 |
16 files changed, 31 insertions, 142 deletions
diff --git a/futility/cmd_sign.c b/futility/cmd_sign.c index 59999977..b35712a3 100644 --- a/futility/cmd_sign.c +++ b/futility/cmd_sign.c @@ -367,11 +367,6 @@ static const char usage_bios[] = "\n" " [--infile] INFILE Input firmware image (modified\n" " in place if no OUTFILE given)\n" "\n" - "These are required if the A and B firmware differ:\n" - " -S|--devsign FILE.vbprivk The DEV private firmware data key\n" - " -B|--devkeyblock FILE.keyblock The keyblock containing the\n" - " DEV public firmware data key\n" - "\n" "Optional PARAMS:\n" " -v|--version NUM The firmware version number" " (default %d)\n" @@ -620,8 +615,6 @@ static const struct option long_opts[] = { {"signprivate", 1, NULL, 's'}, {"keyblock", 1, NULL, 'b'}, {"kernelkey", 1, NULL, 'k'}, - {"devsign", 1, NULL, 'S'}, - {"devkeyblock", 1, NULL, 'B'}, {"version", 1, NULL, 'v'}, {"flags", 1, NULL, 'f'}, {"loemdir", 1, NULL, 'd'}, @@ -703,21 +696,6 @@ static int do_sign(int argc, char *argv[]) errorcnt++; } break; - case 'S': - sign_option.devsignprivate = - vb2_read_private_key(optarg); - if (!sign_option.devsignprivate) { - fprintf(stderr, "Error reading %s\n", optarg); - errorcnt++; - } - break; - case 'B': - sign_option.devkeyblock = vb2_read_keyblock(optarg); - if (!sign_option.devkeyblock) { - fprintf(stderr, "Error reading %s\n", optarg); - errorcnt++; - } - break; case 'v': sign_option.version_specified = 1; sign_option.version = strtoul(optarg, &e, 0); diff --git a/futility/file_type_bios.c b/futility/file_type_bios.c index 17efddec..13428c14 100644 --- a/futility/file_type_bios.c +++ b/futility/file_type_bios.c @@ -408,31 +408,11 @@ static int sign_bios_at_end(struct bios_state_s *state) return 1; } - /* Do A & B differ ? */ - if (fw_a->len != fw_b->len || - memcmp(fw_a->buf, fw_b->buf, fw_a->len)) { - /* Yes, must use DEV keys for A */ - if (!sign_option.devsignprivate || !sign_option.devkeyblock) { - fprintf(stderr, - "FW A & B differ. DEV keys are required.\n"); - return 1; - } - retval |= write_new_preamble(vblock_a, fw_a, - sign_option.devsignprivate, - sign_option.devkeyblock); - } else { - retval |= write_new_preamble(vblock_a, fw_a, - sign_option.signprivate, - sign_option.keyblock); - } - - /* FW B is always normal keys */ - retval |= write_new_preamble(vblock_b, fw_b, - sign_option.signprivate, + retval |= write_new_preamble(vblock_a, fw_a, sign_option.signprivate, sign_option.keyblock); - - + retval |= write_new_preamble(vblock_b, fw_b, sign_option.signprivate, + sign_option.keyblock); if (sign_option.loemid) { retval |= write_loem("A", vblock_a); diff --git a/futility/futility_options.h b/futility/futility_options.h index 9c99bba1..da839586 100644 --- a/futility/futility_options.h +++ b/futility/futility_options.h @@ -34,8 +34,6 @@ struct sign_option_s { struct vb2_private_key *signprivate; struct vb2_keyblock *keyblock; struct vb2_packed_key *kernel_subkey; - struct vb2_private_key *devsignprivate; - struct vb2_keyblock *devkeyblock; uint32_t version; int version_specified; uint32_t flags; diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh index 0db56382..20c8414a 100755 --- a/scripts/image_signing/make_dev_firmware.sh +++ b/scripts/image_signing/make_dev_firmware.sh @@ -167,8 +167,6 @@ main() { local recovery_pubkey="${FLAGS_keys}/recovery_key.vbpubk" local firmware_keyblock="${FLAGS_keys}/firmware.keyblock" local firmware_prvkey="${FLAGS_keys}/firmware_data_key.vbprivk" - local dev_firmware_keyblock="${FLAGS_keys}/dev_firmware.keyblock" - local dev_firmware_prvkey="${FLAGS_keys}/dev_firmware_data_key.vbprivk" local kernel_sub_pubkey="${FLAGS_keys}/kernel_subkey.vbpubk" local ec_efs_pubkey="${FLAGS_keys}/key_ec_efs.vbpubk2" local ec_efs_prvkey="${FLAGS_keys}/key_ec_efs.vbprik2" @@ -281,8 +279,6 @@ main() { echo "Using keyblocks (developer, normal)..." else echo "Using keyblocks (normal, normal)..." - dev_firmware_prvkey="$firmware_prvkey" - dev_firmware_keyblock="$firmware_keyblock" fi debug_msg "Extract firmware version and data key version" @@ -351,8 +347,6 @@ main() { "${IMAGE_BIOS}" \ "${firmware_prvkey}" \ "${firmware_keyblock}" \ - "${dev_firmware_prvkey}" \ - "${dev_firmware_keyblock}" \ "${kernel_sub_pubkey}" \ "${firmware_version}" \ ${optional_opts} || diff --git a/scripts/image_signing/resign_firmwarefd.sh b/scripts/image_signing/resign_firmwarefd.sh index d4cb5b8c..ea233157 100755 --- a/scripts/image_signing/resign_firmwarefd.sh +++ b/scripts/image_signing/resign_firmwarefd.sh @@ -20,20 +20,12 @@ SRC_FD=$1 DST_FD=$2 FIRMWARE_DATAKEY=$3 FIRMWARE_KEYBLOCK=$4 -DEV_FIRMWARE_DATAKEY=$5 -DEV_FIRMWARE_KEYBLOCK=$6 -KERNEL_SUBKEY=$7 +KERNEL_SUBKEY=$5 # optional -VERSION=$8 -PREAMBLE_FLAG=$9 -LOEM_OUTPUT_DIR=${10} -LOEMID=${11} - -if [ ! -e $DEV_FIRMWARE_KEYBLOCK ] || [ ! -e $DEV_FIRMWARE_DATAKEY ] ; then - echo "No dev firmware keyblock/datakey found. Reusing normal keys." - DEV_FIRMWARE_KEYBLOCK="$FIRMWARE_KEYBLOCK" - DEV_FIRMWARE_DATAKEY="$FIRMWARE_DATAKEY" -fi +VERSION=$6 +PREAMBLE_FLAG=$7 +LOEM_OUTPUT_DIR=$8 +LOEMID=$9 # pass optional args [ -n "$VERSION" ] && VERSION="--version $VERSION" @@ -44,8 +36,6 @@ fi exec ${FUTILITY} sign \ --signprivate $FIRMWARE_DATAKEY \ --keyblock $FIRMWARE_KEYBLOCK \ - --devsign $DEV_FIRMWARE_DATAKEY \ - --devkeyblock $DEV_FIRMWARE_KEYBLOCK \ --kernelkey $KERNEL_SUBKEY \ $VERSION \ $PREAMBLE_FLAG \ diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh index 0e7ac7c4..ebc6cdc7 100755 --- a/scripts/image_signing/sign_firmware.sh +++ b/scripts/image_signing/sign_firmware.sh @@ -57,8 +57,6 @@ sign_one() { "${temp_fw}" \ "${key_dir}/firmware_data_key${loem_key}.vbprivk" \ "${key_dir}/firmware${loem_key}.keyblock" \ - "${key_dir}/dev_firmware_data_key${loem_key}.vbprivk" \ - "${key_dir}/dev_firmware${loem_key}.keyblock" \ "${key_dir}/kernel_subkey.vbpubk" \ "${firmware_version}" \ "" \ diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 98c86104..e9c219e6 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -515,14 +515,6 @@ resign_firmware_payload() { local signprivate="${KEY_DIR}/firmware_data_key${key_suffix}.vbprivk" local keyblock="${KEY_DIR}/firmware${key_suffix}.keyblock" - local devsign="${KEY_DIR}/dev_firmware_data_key${key_suffix}.vbprivk" - local devkeyblock="${KEY_DIR}/dev_firmware${key_suffix}.keyblock" - - if [ ! -e "${devsign}" ] || [ ! -e "${devkeyblock}" ] ; then - echo "No dev firmware keyblock/datakey found. Reusing normal keys." - devsign="${signprivate}" - devkeyblock="${keyblock}" - fi # Path to bios.bin. local bios_path="${shellball_dir}/${bios_image}" @@ -566,8 +558,6 @@ resign_firmware_payload() { echo "Signing Bios with:" ${FUTILITY} sign \ --signprivate "${signprivate}" \ --keyblock "${keyblock}" \ - --devsign "${devsign}" \ - --devkeyblock "${devkeyblock}" \ --kernelkey "${KEY_DIR}/kernel_subkey.vbpubk" \ --version "${FIRMWARE_VERSION}" \ "${extra_args[@]}" \ @@ -576,8 +566,6 @@ resign_firmware_payload() { ${FUTILITY} sign \ --signprivate "${signprivate}" \ --keyblock "${keyblock}" \ - --devsign "${devsign}" \ - --devkeyblock "${devkeyblock}" \ --kernelkey "${KEY_DIR}/kernel_subkey.vbpubk" \ --version "${FIRMWARE_VERSION}" \ "${extra_args[@]}" \ diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index 2e1fd22c..4a2ad33a 100755 --- a/scripts/keygeneration/create_new_keys.sh +++ b/scripts/keygeneration/create_new_keys.sh @@ -14,7 +14,6 @@ usage() { Usage: ${PROG} [options] Options: - --devkeyblock Also generate developer firmware keyblock and data key --android Also generate android keys --uefi Also generate UEFI keys --8k Use 8k keys instead of 4k (enables options below) @@ -36,8 +35,6 @@ EOF main() { set -e - # Flag to indicate whether we should be generating a developer keyblock flag. - local dev_keyblock="false" local android_keys="false" local uefi_keys="false" local root_key_algoid=${ROOT_KEY_ALGOID} @@ -50,11 +47,6 @@ main() { while [[ $# -gt 0 ]]; do case $1 in - --devkeyblock) - echo "Will also generate developer firmware keyblock and data key." - dev_keyblock="true" - ;; - --android) echo "Will also generate Android keys." android_keys="true" @@ -158,9 +150,6 @@ main() { make_pair ec_data_key ${EC_DATAKEY_ALGOID} ${eckey_version} make_pair root_key ${root_key_algoid} make_pair firmware_data_key ${FIRMWARE_DATAKEY_ALGOID} ${fkey_version} - if [[ "${dev_keyblock}" == "true" ]]; then - make_pair dev_firmware_data_key ${DEV_FIRMWARE_DATAKEY_ALGOID} ${fkey_version} - fi make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${ksubkey_version} make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${kdatakey_version} @@ -178,11 +167,6 @@ main() { # Ditto EC keyblock make_keyblock ec ${EC_KEYBLOCK_MODE} ec_data_key ec_root_key - if [[ "${dev_keyblock}" == "true" ]]; then - # Create the dev firmware keyblock for use only in Developer mode. - make_keyblock dev_firmware ${DEV_FIRMWARE_KEYBLOCK_MODE} dev_firmware_data_key root_key - fi - # Create the recovery kernel keyblock for use only in Recovery mode. make_keyblock recovery_kernel ${RECOVERY_KERNEL_KEYBLOCK_MODE} recovery_kernel_data_key recovery_key diff --git a/tests/futility/data/README b/tests/futility/data/README index 57038c37..933de029 100644 --- a/tests/futility/data/README +++ b/tests/futility/data/README @@ -1,5 +1,4 @@ These are officially signed BIOS images from existing Chromebooks. - bios_zgb_mp.bin RW firmware A and B are different bios_link_mp.bin uses the RO_NORMAL flag to skip RW firmware validation bios_peppy_mp.bin doesn't do any of those things diff --git a/tests/futility/data/bios_zgb_mp.bin b/tests/futility/data/bios_zgb_mp.bin Binary files differdeleted file mode 100644 index c85d8202..00000000 --- a/tests/futility/data/bios_zgb_mp.bin +++ /dev/null diff --git a/tests/futility/data_bios_zgb_mp.bin_expect.txt b/tests/futility/data_bios_zgb_mp.bin_expect.txt deleted file mode 100644 index 2a021ce1..00000000 --- a/tests/futility/data_bios_zgb_mp.bin_expect.txt +++ /dev/null @@ -1,6 +0,0 @@ -9f59876c7f7dc881f02d934786c6b7c2c17dcaac -9bd99a594c45b6739899a17ec29ac2289ee75463 -a0e4415cd4e271802504cce3a211b54562178fc8 -5d2b220899c4403d564092ada3f12d3cc4483223 -e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450 -5d2b220899c4403d564092ada3f12d3cc4483223 diff --git a/tests/futility/expect_output/show.tests_futility_data_bios_zgb_mp.bin b/tests/futility/expect_output/show.tests_futility_data_bios_peppy_mp.bin index 2f9f8073..88733c9e 100644 --- a/tests/futility/expect_output/show.tests_futility_data_bios_zgb_mp.bin +++ b/tests/futility/expect_output/show.tests_futility_data_bios_peppy_mp.bin @@ -1,47 +1,47 @@ -BIOS: tests/futility/data/bios_zgb_mp.bin +BIOS: tests/futility/data/bios_peppy_mp.bin GBB header: GBB - Version: 1.0 - Flags: 0x00000000 + Version: 1.1 + Flags: 0x00000039 Regions: offset size hwid 0x00000080 0x00000100 - bmpvf 0x00001180 0x0003de80 + bmpvf 0x00001180 0x000ece80 rootkey 0x00000180 0x00001000 - recovery_key 0x0003f000 0x00001000 - Size: 0x00040000 / 0x00040000 + recovery_key 0x000ee000 0x00001000 + Size: 0x000ef000 / 0x000ef000 GBB content: - HWID: {FA42644C-CF3A-4692-A9D3-1A667CB232E9} + HWID: X86 PEPPY TEST 4211 digest: <none> Root Key: Vboot API: 1.0 Algorithm: 11 RSA8192 SHA512 Key Version: 1 - Key sha1sum: 9f59876c7f7dc881f02d934786c6b7c2c17dcaac + Key sha1sum: fc68bcb88bf9af1907289a9f377d658b3b9fe5b0 Recovery Key: Vboot API: 1.0 Algorithm: 11 RSA8192 SHA512 Key Version: 1 - Key sha1sum: 9bd99a594c45b6739899a17ec29ac2289ee75463 + Key sha1sum: bf39d0d3e30cbf6a121416d04df4603ad5310779 Firmware body: FW_MAIN_A - Offset: 0x00030000 - Size: 0x000dffc0 + Offset: 0x00210000 + Size: 0x000c0000 Firmware body: FW_MAIN_B - Offset: 0x00120000 - Size: 0x000dffc0 + Offset: 0x00300000 + Size: 0x000c0000 Keyblock: VBLOCK_A Signature: valid Size: 0x8b8 - Flags: 6 DEV !REC + Flags: 7 !DEV DEV !REC Data key algorithm: 8 RSA4096 SHA512 Data key version: 1 - Data key sha1sum: a78aaa1691c2125ef8ccefa1a8a6bea92d38fae6 + Data key sha1sum: f917ad29e36aa8a286f978c1aa0550ea31c6a561 Firmware Preamble: Size: 2164 Header version: 2.1 Firmware version: 2 Kernel key algorithm: 7 RSA4096 SHA256 Kernel key version: 2 - Kernel key sha1sum: 0c9fd5b03ab47d37924ba8a7beb64039d84ed0e1 - Firmware body size: 917440 + Kernel key sha1sum: cc05423373b76acbec23ec45dfa3696a2ea6dc0f + Firmware body size: 146456 Preamble flags: 0 Body verification succeeded. Keyblock: VBLOCK_B @@ -50,14 +50,14 @@ Keyblock: VBLOCK_B Flags: 7 !DEV DEV !REC Data key algorithm: 8 RSA4096 SHA512 Data key version: 1 - Data key sha1sum: 4fe08ed739069d6834b68612eb707998a0825f34 + Data key sha1sum: f917ad29e36aa8a286f978c1aa0550ea31c6a561 Firmware Preamble: Size: 2164 Header version: 2.1 Firmware version: 2 Kernel key algorithm: 7 RSA4096 SHA256 Kernel key version: 2 - Kernel key sha1sum: 0c9fd5b03ab47d37924ba8a7beb64039d84ed0e1 - Firmware body size: 917440 + Kernel key sha1sum: cc05423373b76acbec23ec45dfa3696a2ea6dc0f + Firmware body size: 146456 Preamble flags: 0 Body verification succeeded. diff --git a/tests/futility/test_file_types.c b/tests/futility/test_file_types.c index d53760c3..17388cfd 100644 --- a/tests/futility/test_file_types.c +++ b/tests/futility/test_file_types.c @@ -26,7 +26,7 @@ static struct { {FILE_TYPE_KEYBLOCK, "tests/devkeys/kernel.keyblock"}, {FILE_TYPE_FW_PREAMBLE, "tests/futility/data/fw_vblock.bin"}, {FILE_TYPE_GBB, "tests/futility/data/fw_gbb.bin"}, - {FILE_TYPE_BIOS_IMAGE, "tests/futility/data/bios_zgb_mp.bin"}, + {FILE_TYPE_BIOS_IMAGE, "tests/futility/data/bios_peppy_mp.bin"}, {FILE_TYPE_KERN_PREAMBLE, "tests/futility/data/kern_preamble.bin"}, {FILE_TYPE_RAW_FIRMWARE, }, /* need a test for this */ {FILE_TYPE_RAW_KERNEL, }, /* need a test for this */ diff --git a/tests/futility/test_file_types.sh b/tests/futility/test_file_types.sh index 93c63913..c51e38f2 100755 --- a/tests/futility/test_file_types.sh +++ b/tests/futility/test_file_types.sh @@ -32,7 +32,7 @@ test_case "pubkey" "tests/devkeys/root_key.vbpubk" test_case "keyblock" "tests/devkeys/kernel.keyblock" test_case "fw_pre" "tests/futility/data/fw_vblock.bin" test_case "gbb" "tests/futility/data/fw_gbb.bin" -test_case "bios" "tests/futility/data/bios_zgb_mp.bin" +test_case "bios" "tests/futility/data/bios_peppy_mp.bin" test_case "kernel" "tests/futility/data/kern_preamble.bin" # We don't have a way to identify these (yet?) # test_case "RAW_FIRMWARE" diff --git a/tests/futility/test_show_contents.sh b/tests/futility/test_show_contents.sh index 1533ba4c..fddebe81 100755 --- a/tests/futility/test_show_contents.sh +++ b/tests/futility/test_show_contents.sh @@ -16,7 +16,7 @@ SHOW_FILES=" tests/devkeys/kernel.keyblock tests/futility/data/fw_vblock.bin tests/futility/data/fw_gbb.bin - tests/futility/data/bios_zgb_mp.bin + tests/futility/data/bios_peppy_mp.bin tests/futility/data/kern_preamble.bin tests/futility/data/sample.vbpubk2 tests/futility/data/sample.vbprik2 diff --git a/tests/futility/test_sign_firmware.sh b/tests/futility/test_sign_firmware.sh index 8e303e32..04eb385f 100755 --- a/tests/futility/test_sign_firmware.sh +++ b/tests/futility/test_sign_firmware.sh @@ -30,17 +30,6 @@ INFILES="${INFILES} ${ONEMORE}" set -o pipefail -# We've removed dev_firmware keyblock and private keys from ToT test key dir. -# It's currently only available on few legacy (alex, zgb) devices' key folders -# on signer bot. Add them to ${KEYDIR} if you need to test that. -DEV_FIRMWARE_PARAMS="" -if [ -f "${KEYDIR}/dev_firmware.keyblock" ]; then - DEV_FIRMWARE_PARAMS=" - -S ${KEYDIR}/dev_firmware_data_key.vbprivk - -B ${KEYDIR}/dev_firmware.keyblock" - INFILES="${INFILES} ${SCRIPT_DIR}/futility/data/bios_zgb_mp.bin" -fi - count=0 for infile in $INFILES; do @@ -85,7 +74,6 @@ for infile in $INFILES; do ${FUTILITY} sign \ -s ${KEYDIR}/firmware_data_key.vbprivk \ -b ${KEYDIR}/firmware.keyblock \ - ${DEV_FIRMWARE_PARAMS} \ -k ${KEYDIR}/kernel_subkey.vbpubk \ -v 14 \ -f 8 \ @@ -155,7 +143,6 @@ echo -n "$count " 1>&3 ${FUTILITY} sign \ -s ${KEYDIR}/firmware_data_key.vbprivk \ -b ${KEYDIR}/firmware.keyblock \ - ${DEV_FIRMWARE_PARAMS} \ -k ${KEYDIR}/kernel_subkey.vbpubk \ ${MORE_OUT} ${MORE_OUT}.2 @@ -172,7 +159,6 @@ ${FUTILITY} load_fmap ${MORE_OUT} VBLOCK_A:/dev/urandom VBLOCK_B:/dev/zero ${FUTILITY} sign \ -s ${KEYDIR}/firmware_data_key.vbprivk \ -b ${KEYDIR}/firmware.keyblock \ - ${DEV_FIRMWARE_PARAMS} \ -k ${KEYDIR}/kernel_subkey.vbpubk \ ${MORE_OUT} ${MORE_OUT}.3 |