diff options
| author | Furquan Shaikh <furquan@google.com> | 2015-09-01 00:11:35 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2015-09-01 19:19:04 -0700 |
| commit | 90cd023d0132a13ba85b592ceafd60064ce1857d (patch) | |
| tree | 504c540a03db21f46a807e0ea4bebe7504e03c3e | |
| parent | 1196aa05d438b440f6e690204f6fe5cd9bbf2290 (diff) | |
| download | vboot-90cd023d0132a13ba85b592ceafd60064ce1857d.tar.gz | |
signer: Add signing support for nvidia lp0 firmware
BUG=chrome-os-partner:44227
BRANCH=None
TEST=unittests run fine.
Change-Id: I7d623a22d73a1749ebebd323fe09cbbeb8cbd61e
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/296429
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| -rwxr-xr-x | scripts/image_signing/sign_nv_cbootimage.sh | 15 | ||||
| -rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 17 |
2 files changed, 32 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_nv_cbootimage.sh b/scripts/image_signing/sign_nv_cbootimage.sh index 890ca6a9..71be794d 100755 --- a/scripts/image_signing/sign_nv_cbootimage.sh +++ b/scripts/image_signing/sign_nv_cbootimage.sh @@ -21,6 +21,7 @@ Usage: $0 <type> <pkc_key> <firmware_image> <soc> Signs <firmware_image> of <type> with <pkc_key> using cbootimage for <soc>. where type is one of bootloader = sign bootloader image + lp0_firmware = sign lp0 firmware EOF exit 1 } @@ -58,6 +59,20 @@ EOF mv "${work_dir}/pubkey.sha" "${firmware_image}.pubkey.sha" mv "${signed_fw}" "${firmware_image}" + elif [[ "${type}" == "lp0_firmware" ]]; then + + pushd "${work_dir}" >/dev/null + + cat >update.cfg <<EOF +PkcKey = ${pkc_key}; +RsaSign = 0x220,, 288, 16, Complete; +EOF + + cbootimage --sign update.cfg "${firmware_image}" "${signed_fw}" + + popd >/dev/null + mv "${signed_fw}" "${firmware_image}" + else usage fi diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 7cb89a0a..de155967 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -35,6 +35,7 @@ where <type> is one of: firmware (sign a firmware image) usb (sign an image to boot directly from USB) verify (verify an image including rootfs hashes) + nv_lp0_firmware (sign nvidia lp0 firmware) output_image: File name of the signed output image version_file: File name of where to read the kernel and firmware versions. @@ -453,6 +454,17 @@ sign_firmware() { echo "Signed firmware image output to ${image}" } +# Sign nvidia lp0 firmware with the given keys. +# Args: NV_LP0_FIRMWARE_IMAGE KEY_DIR +sign_nv_lp0_firmware() { + local nv_lp0_fw_image=$1 + local key_dir=$2 + + "${SCRIPT_DIR}/sign_nv_cbootimage.sh" "lp0_firmware" \ + "${key_dir%/}/nv_pkc.pem" "${nv_lp0_fw_image}" "tegra210" + echo "Signed nvidia lp0 firmware image output to ${nv_lp0_fw_image}" +} + # Sign a kernel in-place with the given keys. # Args: KERNEL_IMAGE KEY_DIR KERNEL_VERSION sign_kernel() { @@ -723,6 +735,11 @@ verify) verify_image exit 0 ;; +nv_lp0_firmware) + check_argc $# 3 + sign_nv_lp0_firmware "${INPUT_IMAGE}" "${KEY_DIR}" + exit 0 + ;; *) # All other signing commands take 4 to 5 args. if [ -z "${OUTPUT_IMAGE}" ]; then |