authorC Shapiro <shapiroc@chromium.org>2017-08-29 11:36:03 -0600
committerchrome-bot <chrome-bot@chromium.org>2017-08-30 13:04:21 -0700
commitd2ee3ca7c190879d5262b6b00aa77fb93786b292 (patch)
tree5c3645003e9d7f0c6874b70af08775494f61d4d8
parentbbd5c6e9e59e8a897b04f56a91cf6be4902fb1c4 (diff)
downloadvboot-d2ee3ca7c190879d5262b6b00aa77fb93786b292.tar.gz
image_signing: Don't create empty keyset subdir
updater4.sh uses the /keyset subdir from the firmware updater shellball to indicate if it should use model specific keys or not. This won't work for any case where the signers haven't been updated with model specific keys yet. Changed the output for unibuilds to be consistent with non-uni builds where the /keyset subdir won't be created if loem.ini doesn't exist on the signer. BUG=b:65128657 TEST=crrev.com/c/626718 and crrev.com/c/636344 test cases, which cover both the shared and non-shared key use cases BRANCH=None Change-Id: I38db1385fa99ac4a9843a750c336c58b74b127b4 Reviewed-on: https://chromium-review.googlesource.com/642031 Commit-Ready: Simon Glass <sjg@chromium.org> Tested-by: Simon Glass <sjg@chromium.org> Tested-by: C Shapiro <shapiroc@google.com> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Jason Clinton <jclinton@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh16
1 files changed, 11 insertions, 5 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index d56c1569..e4426af1 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -574,12 +574,15 @@ resign_firmware_payload() {
while IFS="," read -r model_name image key_id
do
local key_suffix=''
+ local extra_args=()
# If there are OEM specific keys available, we're going to use them.
# Otherwise, we're going to ignore key_id from the config file and
# just use the common keys present in the keyset.
- # Regardless, a model specific vblock will be generated, which the
- # updater script will be looking for.
+ #
+ # The presence of the /keyset subdir in the shellball will indicate
+ # whether model specific keyblocks are available or not.
+ # This is what updater4.sh currently uses to make the decision.
if [[ -e "${KEY_DIR}/loem.ini" ]]; then
# loem.ini has the format KEY_ID_VALUE = KEY_INDEX
local match="$(grep -E "[0-9]+ = ${key_id}" "${KEY_DIR}/loem.ini")"
@@ -590,6 +593,11 @@ resign_firmware_payload() {
"${model_name}"
fi
key_suffix=".loem${key_index}"
+ mkdir -p "${shellball_dir}/keyset"
+ extra_args+=(
+ --loemdir "${shellball_dir}/keyset"
+ --loemid "${model_name}"
+ )
fi
info "Signing firmware image ${image} for model ${model_name} " \
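Review bot: Moving `mkdir -p "${shellball_dir}/keyset"` into the loem.ini branch makes the directory's absence the signal updater4.sh relies on, but nothing in the visible code guarantees it is absent when loem.ini is missing. If the extracted shellball can already carry a keyset directory (for example from an earlier signing pass, which this page does not show), the updater would still take the model-specific path and use stale keyblocks. Consider an explicit `else` arm such as `rm -rf "${shellball_dir:?}/keyset"`, or a check that fails the signing run when the directory exists unexpectedly. The enclosing loop and function begin and end outside this hunk.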
@@ -608,7 +616,6 @@ resign_firmware_payload() {
devkeyblock="${keyblock}"
fi
- mkdir -p "${shellball_dir}/keyset"
local image_path="${shellball_dir}/${image}"
${FUTILITY} sign \
--signprivate "${signprivate}" \
@@ -617,8 +624,7 @@ resign_firmware_payload() {
--devkeyblock "${devkeyblock}" \
--kernelkey "${KEY_DIR}/kernel_subkey.vbpubk" \
--version "${FIRMWARE_VERSION}" \
- --loemdir "${shellball_dir}/keyset" \
- --loemid "${model_name}" \
+ "${extra_args[@]}" \
${image_path} \
${temp_fw}
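Review bot: `"${extra_args[@]}"` expands an array that stays empty whenever loem.ini is missing, which is exactly the case this commit targets. If the script runs with `set -u` (not visible on this page) under bash older than 4.4, expanding an empty array aborts with an unbound-variable error, so signing would fail instead of simply omitting the LOEM options. The portable form is `${extra_args[@]+"${extra_args[@]}"} \`. The futility invocation begins and ends outside this hunk.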