authorFurquan Shaikh <furquan@google.com>2015-09-11 16:05:37 -0700
committerchrome-bot <chrome-bot@chromium.org>2015-09-17 17:35:14 -0700
commit45e3021c409cd4cf7c09077c5693c1054ebd4a40 (patch)
treeb33977e769872aacfabc97579303b0a93452e076
parentc8e48545d5cbf43ebbe9acd008aa6b9985d514d6 (diff)
sign_official_build: support signing 'recovery_kernel' image type
BRANCH=None BUG=chrome-os-partner:44227 TEST='sign_official_build.sh recovery_kernel boot.img keys boot.img.recovery-signed' works fine and able to boot in locked recovery mode using fastboot boot. Change-Id: Iabde28bb2068b8294fc3d03f2f771c63368ecbb5 Signed-off-by: Furquan Shaikh <furquan@google.com> Reviewed-on: https://chromium-review.googlesource.com/300250 Commit-Ready: Furquan Shaikh <furquan@chromium.org> Tested-by: Furquan Shaikh <furquan@chromium.org> Reviewed-by: David Riley <davidriley@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh31
1 files changed, 31 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index f3def18a..72d4f58b 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -32,6 +32,7 @@ where <type> is one of:
install (old alias to "factory")
update_payload (sign a delta update hash)
kernel (sign a kernel image)
+ recovery_kernel (sign a recovery_kernel image)
firmware (sign a firmware image)
usb (sign an image to boot directly from USB)
verify (verify an image including rootfs hashes)
@@ -483,6 +484,29 @@ sign_kernel() {
echo "Signed kernel image output to ${image}"
}
+# Sign a recovery kernel in-place with the given keys.
+# Args: KERNEL_IMAGE KEY_DIR KERNEL_VERSION
+sign_recovery_kernel() {
+ local image=$1
+ local key_dir=$2
+ local kernel_version=$3
+
+ # Note: Although vbutil_kernel may correctly handle specifying the same
+ # output file as the input file, we do not want to rely on it correctly
+ # handing that. Hence, the use of a temporary file.
+ local temp_kernel=$(make_temp_file)
+
+ # Resign the kernel with new recovery keys.
+ vbutil_kernel --repack "${temp_kernel}" \
+ --keyblock "${key_dir}/recovery_kernel.keyblock" \
+ --signprivate "${key_dir}/recovery_kernel_data_key.vbprivk" \
+ --version "${kernel_version}" \
+ --oldblob "${image}"
+
+ mv "${temp_kernel}" "${image}"
+ echo "Signed recovery_kernel image output to ${image}"
+}
+
# Sign a delta update payload (usually created by paygen).
# Args: INPUT_IMAGE KEY_DIR OUTPUT_IMAGE
sign_update_payload() {
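Review bot: In sign_recovery_kernel, `mv "${temp_kernel}" "${image}"` runs without checking that vbutil_kernel succeeded, so unless the script aborts on error (not visible in this hunk) a failed repack would replace the image with an empty or partial temp file and still print "Signed recovery_kernel image output to ...". Ending the repack with `--oldblob "${image}" || return 1` makes the function safe on its own. `local temp_kernel=$(make_temp_file)` also hides a make_temp_file failure behind the exit status of `local`; declare first and assign second, `local temp_kernel` then `temp_kernel=$(make_temp_file) || return 1`. If make_temp_file creates its file with restrictive mktemp-style permissions (its definition is outside the hunk), the mv would also change the mode of the output image, which is worth confirming.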
@@ -793,6 +817,13 @@ elif [[ "${TYPE}" == "kernel" ]]; then
fi
cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
sign_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}"
+elif [[ "${TYPE}" == "recovery_kernel" ]]; then
+ if [[ -e "${KEY_DIR}/loem.ini" ]]; then
+ echo "LOEM signing not implemented yet for recovery_kernel images"
+ exit 1
+ fi
+ cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
+ sign_recovery_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}"
elif [[ "${TYPE}" == "update_payload" ]]; then
sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE}
else
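Review bot: The new recovery_kernel branch copies INPUT_IMAGE to OUTPUT_IMAGE before signing, so if sign_recovery_kernel fails the output path is left holding a copy that still carries its original signature and that a later pipeline step could mistake for the re-signed artifact. Consider removing it on failure, `sign_recovery_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}" || { rm -f "${OUTPUT_IMAGE}"; exit 1; }`; the kernel branch in the context lines just above uses the same copy-then-sign pattern. The LOEM refusal is a diagnostic and would be better on stderr: `echo "LOEM signing not implemented yet for recovery_kernel images" >&2`. The if/elif chain starts and ends outside this hunk.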