author | Vadim Bendebury <vbendeb@google.com> | 2023-02-02 10:52:55 -0800 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-02-06 06:22:51 +0000 |
commit | ec6c5e657bffa23fe54e2caf0a3fee6fe8959c62 (patch) | |
tree | 268156591999b0327da0057896e2d13767be2ce4 | |
parent | 72f605d2bb21dcfc6879c4a32324f56286180b86 (diff) | |
download | vboot-ec6c5e657bffa23fe54e2caf0a3fee6fe8959c62.tar.gz |
sign_official_build: do not attempt signing AP RO for guybrush
Guybrush firmware archive pinned to ChromeOS firmware releases
starting with 108 includes the uninitialized RO_GSCVD section, which
causes signer failures.
Fixing and qualifying the firmware is going to take a long time; as a
workaround, this patch adds a check for the keyset name and does not
attempt AP RO signing in case the keyset name includes the string
'guybrush', case insensitive.
BRANCH=none
BUG=b:263378945
TEST=downloaded a ChromeOS guybrush recovery image
hromeOS-recovery-R108-15183.72.0-guybrush.tar.xz, extracted the
binary and attempted to sign it by running
./scripts/image_signing/sign_official_build.sh base \
<path to>/recovery_image.bin ./test/devkeys /tmp/signed
observed the expected message on the console:
"Not looking for RO_GSCVD on guygrush, b/263378945"
as well as successful firmware signing.
The same invocation before this patch is applied is failing.
Also verified that when signing a Nissa recovery image the AP RO
verification section is signed as expected.
Change-Id: Ifd93e3ebc8fc35e2ba29c7a364767e4414df051d
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4217481
Reviewed-by: Raul Rangel <rrangel@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 34258b3a..36033bca 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -461,6 +461,7 @@ resign_firmware_payload() { local key_suffix='' local extra_args=() local full_command=() + local board_name rootkey="${KEY_DIR}/root_key.vbpubk" @@ -570,9 +571,14 @@ resign_firmware_payload() { echo "After setting GBB on ${bios_path}: md5 =" \ $(md5sum ${bios_path} | awk '{print $1}') - # Do not attempt AP RO verification signing if the image FMAP does not - # include the RO_GSCVD section. - if futility dump_fmap -p "${bios_path}" | grep -q RO_GSCVD; then + board_name="$(lsbval "${rootfs_dir}/etc/lsb-release" \ + "CHROMEOS_RELEASE_BOARD")" + + if [[ ${board_name} == "guybrush" ]]; then + echo "Not looking for RO_GSCVD on guygrush, b/263378945" + elif futility dump_fmap -p "${bios_path}" | grep -q RO_GSCVD; then + # Attempt AP RO verification signing only in case the FMAP includes + # the RO_GSCVD section. local arv_root if [[ -z ${brand_code} ]]; then |
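Review bot: In the second hunk, the new test `[[ ${board_name} == "guybrush" ]]` is an exact, case-sensitive comparison against CHROMEOS_RELEASE_BOARD read from lsb-release, while the commit message describes a case-insensitive substring match on the keyset name. Either the message or the condition should be brought in line, because any image whose board string is not the literal `guybrush` still falls through to the `futility dump_fmap ... | grep -q RO_GSCVD` branch and may hit the signer failure this change is meant to avoid. If `lsbval` returns an empty string, the code also falls through to that branch, which is the safe default, but a short comment saying so would help. The echo string spells the board "guygrush", so a log search for the board name will miss it; it should read "guybrush". Since this branch skips AP RO verification signing for a whole board, a comment next to the check stating that it is a temporary workaround tied to b/263378945 would make it easier to remove once the firmware is fixed.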