Replace root and recovery keys in the GBB after firmware sections have been re-signed

resign_firmwarefd.sh needs a verifiable copy of the firmware (and associated root key)
to determine the preamble flag value to use.

BUG=chrome-os-partner:6874
TEST=manually tested resigning a firmware .bin using sign_firmware.sh. Verified correct
     preamble flag determination.

Change-Id: Ifb132f54f4891dec4fa7250d3a00e7b4feda24c1
Reviewed-on: https://gerrit.chromium.org/gerrit/11776
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>

1 files changed, 11 insertions, 7 deletions

diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh
index 1d20e10c..364a8c75 100755
--- a/scripts/image_signing/sign_firmware.sh
+++ b/scripts/image_signing/sign_firmware.sh
@@ -31,17 +31,21 @@ OUT_FIRMWARE=$3
 temp_fw=$(mktemp)
 trap "rm ${temp_fw}" EXIT
 
-# Replace the root and recovery key in the Google Binary Block of the firmware.
-gbb_utility -s \
-  --rootkey=${KEY_DIR}/root_key.vbpubk \
-  --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
-  ${IN_FIRMWARE} ${temp_fw}
-
 # Resign the firmware with new keys
-${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_fw} ${OUT_FIRMWARE} \
+${SCRIPT_DIR}/resign_firmwarefd.sh ${IN_FIRMWARE} ${temp_fw} \
   ${KEY_DIR}/firmware_data_key.vbprivk \
   ${KEY_DIR}/firmware.keyblock \
   ${KEY_DIR}/dev_firmware_data_key.vbprivk \
   ${KEY_DIR}/dev_firmware.keyblock \
   ${KEY_DIR}/kernel_subkey.vbpubk \
   ${FIRMWARE_VERSION}
+
+# Replace the root and recovery key in the Google Binary Block of the firmware.
+# Note: This needs to happen after calling resign_firmwarefd.sh since it needs
+# to be able to verify the firmware using the root key to determine the preamble
+# flags.
+gbb_utility -s \
+  --rootkey=${KEY_DIR}/root_key.vbpubk \
+  --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+  ${temp_fw} ${OUT_FIRMWARE}
+