diff options
author | Vadim Bendebury <vbendeb@chromium.org> | 2022-11-13 14:43:23 -0800 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-11-14 16:26:06 +0000 |
commit | 69d6d85c20910cc1d07752c9468f7822d421339e (patch) | |
tree | f013e250e059ea82f448adcf9405709462480737 | |
parent | c7ee78b2c297e13ec6a151cd497e931243ef4c16 (diff) | |
download | vboot-69d6d85c20910cc1d07752c9468f7822d421339e.tar.gz |
sign_official_build: do not fail if AP RO signing is not neededstabilize-15245.B
Most of AP firmware images do not include the RO_GSCVD section and are
not supposed to be signed for AP RO verification.
The presence of AP RO verification keys (files prefixed with arv_...)
can be considered an indicator of the need to sign the RO_GSCVD
section.
This patch adds logic to skip signing of AP RO in case the appropriate
signing keys are not present.
BRANCH=none
BUG=b:247645824, cros:1382709
TEST=ran sign_official_build.sh to re-sign a Nissa test tarball,
observed successful completion with log messages confirming
RO_GSCVD signing.
then removed tests/devkeys/arv_root.vbpubk and ran the script
again, observed successful completion and log messages
confirming skipping AP RO verification signing.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: Iee5a2adcceb7ecc86f48d7c56755cc10405e5eed
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4024432
Commit-Queue: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 50 |
1 files changed, 28 insertions, 22 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 61bdffd6..14300d05 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -575,30 +575,36 @@ resign_firmware_payload() { $(md5sum ${bios_path} | awk '{print $1}') if [[ -n ${brand_code} ]]; then - # Resign the RO_GSCVD FMAP area. - if [[ -z ${shellball_keyset_dir} ]]; then - extra_args=() - else - extra_args=( --gscvd_out + local arv_root="${KEY_DIR}/arv_root.vbpubk" + + if [[ -f ${arv_root} ]]; then + # Resign the RO_GSCVD FMAP area. + if [[ -z ${shellball_keyset_dir} ]]; then + extra_args=() + else + extra_args=( --gscvd_out "${shellball_keyset_dir}/gscvd.${output_name}" ) + fi + echo "Setting RO_GSCVD with: ${FUTILITY} gscvd" \ + --keyblock "${KEY_DIR}/arv_platform.keyblock" \ + --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \ + --board_id "${brand_code}" \ + --root_pub_key "${arv_root}" \ + "${extra_args[@]}" \ + "${bios_path}" + ${FUTILITY} gscvd \ + --keyblock "${KEY_DIR}/arv_platform.keyblock" \ + --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \ + --board_id "${brand_code}" \ + --root_pub_key "${arv_root}" \ + "${extra_args[@]}" \ + "${bios_path}" + + echo "After signing RO_GSCVD on ${bios_path}: md5 =" \ + "$(md5sum "${bios_path}" | awk '{print $1}')" + else + echo "No AP RO verification keys, skipping GSCVD signing" fi - echo "Setting RO_GSCVD with: ${FUTILITY} gscvd" \ - --keyblock "${KEY_DIR}/arv_platform.keyblock" \ - --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \ - --board_id "${brand_code}" \ - --root_pub_key "${KEY_DIR}/arv_root.vbpubk" \ - "${extra_args[@]}" \ - "${bios_path}" - ${FUTILITY} gscvd \ - --keyblock "${KEY_DIR}/arv_platform.keyblock" \ - --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \ - --board_id "${brand_code}" \ - --root_pub_key "${KEY_DIR}/arv_root.vbpubk" \ - "${extra_args[@]}" \ - "${bios_path}" - - echo "After signing RO_GSCVD on ${bios_path}: md5 =" \ - "$(md5sum "${bios_path}" | awk '{print $1}')" else warn "No brand code for ${bios_path} in signer_config.csv" fi |