diff options
author | Wai-Hong Tam <waihong@google.com> | 2018-01-25 17:45:06 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-02-02 13:19:42 -0800 |
commit | 3585eb3d21da676db3d87e9e0490a0df92d597d2 (patch) | |
tree | b6b587d908f819de990b40b5fde005ce671f670c | |
parent | b5c00dbcba5ab315c7f90bf474143eac4bcfde10 (diff) | |
download | vboot-3585eb3d21da676db3d87e9e0490a0df92d597d2.tar.gz |
make_dev_firmware.sh supports switching EC RO key
For the EC supporting EFS boot, the RO section contains a
public key, and the RW is signed. For running FAFT, should
replace the RO key to a known one (the dev key under
vboot_reference), such that FAFT tests can resign the RW
using a known private key.
For BIOS image, we use make_dev_firmware.sh to do a similar
job to replace the key in BIOS. This CL makes the
make_dev_firmware script support changing EC key.
BUG=b:71769443
BRANCH=none
TEST=Modify files
$ # Check the original BIOS and EC images
$ futility show ec.bin
$ futility show bios.bin
$ ./make_dev_firmware.sh --change_ec -f bios.bin -t new_bios.bin \
-e ec.bin -o new_ec.bin --backup_dir backup
$ # Check the new images, using new keys and verification succeeded
$ futility show new_ec.bin
$ futility show new_bios.bin
TEST=Modify live firmware
$ ./make_dev_firmware.sh --change_ec
And then run firmware_ECUpdateId with a Type-C charger.
TEST=Run sign_official_build.sh
$ sign_official_build.sh recovery recovery_image.bin \
~/trunk/src/platform/vboot_reference/tests/devkeys /tmp/out.bin
TEST=make runalltests
Change-Id: Id51e2c411a4e6d016e619cec91453ce918b7fff7
Reviewed-on: https://chromium-review.googlesource.com/889406
Commit-Ready: Wai-Hong Tam <waihong@google.com>
Tested-by: Wai-Hong Tam <waihong@google.com>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
-rw-r--r-- | scripts/image_signing/common_minimal.sh | 33 | ||||
-rwxr-xr-x | scripts/image_signing/make_dev_firmware.sh | 310 | ||||
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 31 |
3 files changed, 240 insertions, 134 deletions
diff --git a/scripts/image_signing/common_minimal.sh b/scripts/image_signing/common_minimal.sh index c130b918..43dfd109 100644 --- a/scripts/image_signing/common_minimal.sh +++ b/scripts/image_signing/common_minimal.sh @@ -10,7 +10,8 @@ # Determine script directory SCRIPT_DIR=$(dirname $0) PROG=$(basename $0) -GPT=${GPT:-"cgpt"} +: ${GPT:=cgpt} +: ${FUTILITY:=futility} # The tag when the rootfs is changed. TAG_NEEDS_TO_BE_SIGNED="/root/.need_to_be_signed" @@ -349,6 +350,31 @@ rw_mount_disabled() { return 1 } +# Functions for CBFS management +# ---------------------------------------------------------------------------- + +# Get the compression algorithm used for the given CBFS file. +# Args: INPUT_CBFS_IMAGE CBFS_FILE_NAME +get_cbfs_compression() { + cbfstool "$1" print -r "FW_MAIN_A" | awk -vname="$2" '$1 == name {print $5}' +} + +# Store a file in CBFS. +# Args: INPUT_CBFS_IMAGE INPUT_FILE CBFS_FILE_NAME +store_file_in_cbfs() { + local image="$1" + local file="$2" + local name="$3" + local compression=$(get_cbfs_compression "$1" "${name}") + cbfstool "${image}" remove -r "FW_MAIN_A,FW_MAIN_B" -n "${name}" || return + # This add can fail if + # 1. Size of a signature after compression is larger + # 2. CBFS is full + # These conditions extremely unlikely become true at the same time. + cbfstool "${image}" add -r "FW_MAIN_A,FW_MAIN_B" -t "raw" \ + -c "${compression}" -f "${file}" -n "${name}" || return +} + # Misc functions # ---------------------------------------------------------------------------- @@ -385,4 +411,9 @@ no_chronos_password() { fi } +# Returns true if given ec.bin is signed or false if not. +is_ec_rw_signed() { + ${FUTILITY} dump_fmap "$1" | grep -q KEY_RO +} + trap "cleanup_temps_and_mounts" EXIT diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh index cbf02112..ea32212d 100755 --- a/scripts/image_signing/make_dev_firmware.sh +++ b/scripts/image_signing/make_dev_firmware.sh @@ -17,8 +17,10 @@ DEFAULT_KEYS_FOLDER="$VBOOT_BASE/devkeys" DEFAULT_BACKUP_FOLDER='/mnt/stateful_partition/backups' # DEFINE_string name default_value description flag -DEFINE_string from "" "Path of input file (empty for system live firmware)" "f" -DEFINE_string to "" "Path of output file (empty for system live firmware)" "t" +DEFINE_string from "" "Path of input BIOS file (empty for system live BIOS)" "f" +DEFINE_string to "" "Path of output BIOS file (empty for system live BIOS)" "t" +DEFINE_string ec_from "" "Path of input EC file (empty for system live EC)" "e" +DEFINE_string ec_to "" "Path of output EC file (empty for system live EC)" "o" DEFINE_string keys "$DEFAULT_KEYS_FOLDER" "Path to folder of dev keys" "k" DEFINE_string preamble_flags "" "Override preamble flags value. Known values: 0: None. (Using RW to boot in normal. aka, two-stop) @@ -27,6 +29,8 @@ DEFINE_boolean mod_hwid \ $FLAGS_TRUE "Modify HWID to indicate this is a modified firmware" "" DEFINE_boolean mod_gbb_flags \ $FLAGS_TRUE "Modify GBB flags to enable developer friendly features" "" +DEFINE_boolean change_ec \ + $FLAGS_FALSE "Change the key in the EC binary if EC uses EFS boot" "" DEFINE_boolean force_backup \ $FLAGS_TRUE "Create backup even if source is not live" "" DEFINE_string backup_dir \ @@ -40,11 +44,13 @@ eval set -- "$FLAGS_ARGV" # ---------------------------------------------------------------------------- set -e -FLASHROM="flashrom -p host" - # the image we are (temporary) working with -IMAGE="$(make_temp_file)" -IMAGE="$(readlink -f "$IMAGE")" +IMAGE_BIOS="$(make_temp_file)" +IMAGE_BIOS="$(readlink -f "${IMAGE_BIOS}")" +if [ "${FLAGS_change_ec}" = "${FLAGS_TRUE}" ]; then + IMAGE_EC="$(make_temp_file)" + IMAGE_EC="$(readlink -f "${IMAGE_EC}")" +fi # a log file to keep the output results of executed command EXEC_LOG="$(make_temp_file)" @@ -52,6 +58,32 @@ EXEC_LOG="$(make_temp_file)" # Functions # ---------------------------------------------------------------------------- +flashrom_bios() { + if is_debug_mode; then + flashrom -V -p host "$@" + else + flashrom -p host "$@" + fi +} + +flashrom_ec() { + if is_debug_mode; then + flashrom -V -p ec "$@" + else + flashrom -p ec "$@" + fi +} + +# Execute the given command and log its output to the file ${EXEC_LOG}. +# If is_debug_mode, also print the output directly. +execute() { + if is_debug_mode; then + "$@" 2>&1 | tee "${EXEC_LOG}" + else + "$@" >"${EXEC_LOG}" 2>&1 + fi +} + # Disables write protection status registers disable_write_protection() { # No need to change WP status in file mode @@ -62,40 +94,52 @@ disable_write_protection() { # --wp-disable command may return success even if WP is still enabled, # so we should use --wp-status to verify the results. echo "Disabling system software write protection status..." - (${FLASHROM} --wp-disable && ${FLASHROM} --wp-status) 2>&1 | + (flashrom_bios --wp-disable && flashrom_bios --wp-status) 2>&1 | tee "$EXEC_LOG" | grep -q '^WP: .* is disabled\.$' } -# Reads $IMAGE from $FLAGS_from +# Reads ${IMAGE_BIOS} from ${FLAGS_from} and ${IMAGE_EC} from ${FLAGS_ec_from} read_image() { if [ -z "$FLAGS_from" ]; then - echo "Reading system live firmware..." - if is_debug_mode; then - ${FLASHROM} -V -r "$IMAGE" + echo "Reading system live BIOS firmware..." + execute flashrom_bios -r "${IMAGE_BIOS}" + else + debug_msg "reading from file: ${FLAGS_from}" + cp -f "${FLAGS_from}" "${IMAGE_BIOS}" + fi + if [ "${FLAGS_change_ec}" = "${FLAGS_TRUE}" ]; then + if [ -z "${FLAGS_ec_from}" ]; then + echo "Reading system live EC firmware..." + execute flashrom_ec -r "${IMAGE_EC}" else - ${FLASHROM} -r "$IMAGE" >"$EXEC_LOG" 2>&1 + debug_msg "reading from file: ${FLAGS_ec_from}" + cp -f "${FLAGS_ec_from}" "${IMAGE_EC}" fi - else - debug_msg "reading from file: $FLAGS_from" - cp -f "$FLAGS_from" "$IMAGE" fi } -# Writes $IMAGE to $FLAGS_to +# Writes ${IMAGE_BIOS} to ${FLAGS_to} and ${IMAGE_EC} to ${FLAGS_ec_to} write_image() { - if [ -z "$FLAGS_to" ]; then - echo "Writing system live firmware..." + if [ -z "${FLAGS_to}" ]; then + echo "Writing system live BIOS firmware..." # TODO(hungte) we can enable partial write to make this faster - if is_debug_mode; then - ${FLASHROM} -w "$IMAGE" -V + execute flashrom_bios -w "${IMAGE_BIOS}" + else + debug_msg "writing to file: ${FLAGS_to}" + cp -f "${IMAGE_BIOS}" "${FLAGS_to}" + chmod a+r "${FLAGS_to}" + fi + if [ "${FLAGS_change_ec}" = "${FLAGS_TRUE}" ]; then + if [ -z "${FLAGS_ec_to}" ]; then + echo "Writing system live EC firmware..." + # TODO(hungte) we can enable partial write to make this faster + execute flashrom_ec -w "${IMAGE_EC}" else - ${FLASHROM} -w "$IMAGE" >"$EXEC_LOG" 2>&1 + debug_msg "writing to file: ${FLAGS_ec_to}" + cp -f "${IMAGE_EC}" "${FLAGS_ec_to}" + chmod a+r "${FLAGS_ec_to}" fi - else - debug_msg "writing to file: $FLAGS_to" - cp -f "$IMAGE" "$FLAGS_to" - chmod a+r "$FLAGS_to" fi } @@ -119,29 +163,40 @@ echo_dev_hwid() { # ---------------------------------------------------------------------------- main() { # Check parameters - local root_pubkey="$FLAGS_keys/root_key.vbpubk" - local recovery_pubkey="$FLAGS_keys/recovery_key.vbpubk" - local firmware_keyblock="$FLAGS_keys/firmware.keyblock" - local firmware_prvkey="$FLAGS_keys/firmware_data_key.vbprivk" - local dev_firmware_keyblock="$FLAGS_keys/dev_firmware.keyblock" - local dev_firmware_prvkey="$FLAGS_keys/dev_firmware_data_key.vbprivk" - local kernel_sub_pubkey="$FLAGS_keys/kernel_subkey.vbpubk" + local root_pubkey="${FLAGS_keys}/root_key.vbpubk" + local recovery_pubkey="${FLAGS_keys}/recovery_key.vbpubk" + local firmware_keyblock="${FLAGS_keys}/firmware.keyblock" + local firmware_prvkey="${FLAGS_keys}/firmware_data_key.vbprivk" + local dev_firmware_keyblock="${FLAGS_keys}/dev_firmware.keyblock" + local dev_firmware_prvkey="${FLAGS_keys}/dev_firmware_data_key.vbprivk" + local kernel_sub_pubkey="${FLAGS_keys}/kernel_subkey.vbpubk" + local ec_efs_pubkey="${FLAGS_keys}/key_ec_efs.vbpubk2" + local ec_efs_prvkey="${FLAGS_keys}/key_ec_efs.vbprik2" local is_from_live=0 - local backup_image= + local backup_bios_image='' + local backup_ec_image='' debug_msg "Prerequisite check" ensure_files_exist \ - "$root_pubkey" \ - "$recovery_pubkey" \ - "$firmware_keyblock" \ - "$firmware_prvkey" \ - "$kernel_sub_pubkey" || + "${root_pubkey}" \ + "${recovery_pubkey}" \ + "${firmware_keyblock}" \ + "${firmware_prvkey}" \ + "${kernel_sub_pubkey}" \ + "${ec_efs_pubkey}" \ + "${ec_efs_prvkey}" || exit 1 - if [ -z "$FLAGS_from" ]; then + if [ -z "${FLAGS_from}" ]; then is_from_live=1 else - ensure_files_exist "$FLAGS_from" || exit 1 + ensure_files_exist "${FLAGS_from}" || exit 1 + fi + + if [ -z "${FLAGS_ec_from}" ]; then + is_from_live=1 + else + ensure_files_exist "${FLAGS_ec_from}" || exit 1 fi debug_msg "Checking software write protection status" @@ -153,22 +208,60 @@ main() { "Please verify that hardware write protection is disabled." fi - debug_msg "Pulling image to $IMAGE" - (read_image && [ -s "$IMAGE" ]) || + debug_msg "Pulling image" + (read_image && + [ -s "${IMAGE_BIOS}" ] && + [ "${FLAGS_change_ec}" = "${FLAGS_FALSE}" -o -s "${IMAGE_EC}" ]) || die "Failed to read image. Error message: $(cat "${EXEC_LOG}")" + debug_msg "Prepare to backup the file" - if [ -n "$is_from_live" -o $FLAGS_force_backup = $FLAGS_TRUE ]; then - backup_image="$(make_temp_file)" - debug_msg "Creating backup file to $backup_image..." - cp -f "$IMAGE" "$backup_image" + if [ -n "${is_from_live}" -o ${FLAGS_force_backup} = ${FLAGS_TRUE} ]; then + backup_bios_image="$(make_temp_file)" + debug_msg "Creating BIOS backup file to ${backup_bios_image}..." + cp -f "${IMAGE_BIOS}" "${backup_bios_image}" + + if [ "${FLAGS_change_ec}" = "${FLAGS_TRUE}" ]; then + backup_ec_image="$(make_temp_file)" + debug_msg "Creating EC backup file to ${backup_ec_image}..." + cp -f "${IMAGE_EC}" "${backup_ec_image}" + fi fi - debug_msg "Detecting developer firmware keyblock" local expanded_firmware_dir="$(make_temp_dir)" + if [ "${FLAGS_change_ec}" = "${FLAGS_TRUE}" ]; then + if is_ec_rw_signed "${IMAGE_EC}"; then + # TODO(waihong): These are duplicated from sign_official_build.sh. We need + # to move them to a single place for share. + debug_msg "Resign EC firmware with new EC EFS key" + local rw_bin="EC_RW.bin" + local rw_hash="EC_RW.hash" + # futility writes byproduct files to CWD, so we cd to temp dir. + local old_cwd=$(pwd) + cd "${expanded_firmware_dir}" + + ${FUTILITY} sign --type rwsig --prikey "${ec_efs_prvkey}" "${IMAGE_EC}" || + die "Failed to sign EC image" + # Above command produces EC_RW.bin. Compute its hash. + openssl dgst -sha256 -binary "${rw_bin}" > "${rw_hash}" + + debug_msg "Store ecrw and its hash to BIOS firmware" + store_file_in_cbfs "${IMAGE_BIOS}" "${rw_bin}" "ecrw" || + die "Failed to store ecrw in BIOS image" + store_file_in_cbfs "${IMAGE_BIOS}" "${rw_hash}" "ecrw.hash" || + die "Failed to store ecrw.hash in BIOS image" + + cd "${old_cwd}" + # Continuous the code below to resign the BIOS image. + else + echo "EC image is not signed. Skip changing its key." + fi + fi + + debug_msg "Detecting developer firmware keyblock" local use_devfw_keyblock="$FLAGS_FALSE" - (cd "$expanded_firmware_dir"; dump_fmap -x "$IMAGE" >/dev/null 2>&1) || - die "Failed to extract firmware image." + (cd "${expanded_firmware_dir}"; dump_fmap -x "${IMAGE_BIOS}" \ + >/dev/null 2>&1) || die "Failed to extract firmware image." if [ -f "$expanded_firmware_dir/VBLOCK_A" ]; then local has_dev=$FLAGS_TRUE has_norm=$FLAGS_TRUE # In output of vbutil_keyblock, "!DEV" means "bootable on normal mode" and @@ -193,8 +286,8 @@ main() { fi debug_msg "Extract firmware version and data key version" - futility gbb -g --rootkey="$expanded_firmware_dir/rootkey" "$IMAGE" \ - >/dev/null 2>&1 + ${FUTILITY} gbb -g --rootkey="${expanded_firmware_dir}/rootkey" \ + "${IMAGE_BIOS}" >/dev/null 2>&1 local data_key_version firmware_version # When we are going to flash directly from or to system, the versions stored @@ -209,9 +302,9 @@ main() { # need to check both and decide from largest number. debug_msg "Guessing TPM version from original firmware." local fw_info="$(vbutil_firmware \ - --verify "$expanded_firmware_dir/VBLOCK_A" \ - --signpubkey "$expanded_firmware_dir/rootkey" \ - --fv "$expanded_firmware_dir/FW_MAIN_A")" 2>/dev/null || + --verify "${expanded_firmware_dir}/VBLOCK_A" \ + --signpubkey "${expanded_firmware_dir}/rootkey" \ + --fv "${expanded_firmware_dir}/FW_MAIN_A" 2>/dev/null)" || die "Failed to verify firmware slot A." data_key_version="$( echo "$fw_info" | sed -n '/^ *Data key version:/s/.*:[ \t]*//p')" @@ -252,25 +345,22 @@ main() { debug_msg "Setting FLAGS=$FLAGS_preamble_flags" optional_opts="$FLAGS_preamble_flags" fi - cp -f "$IMAGE" "$unsigned_image" - "$SCRIPT_BASE/resign_firmwarefd.sh" \ - "$unsigned_image" \ - "$IMAGE" \ - "$firmware_prvkey" \ - "$firmware_keyblock" \ - "$dev_firmware_prvkey" \ - "$dev_firmware_keyblock" \ - "$kernel_sub_pubkey" \ - "$firmware_version" \ - $optional_opts >"$EXEC_LOG" 2>&1 || + cp -f "${IMAGE_BIOS}" "$unsigned_image" + execute "$SCRIPT_BASE/resign_firmwarefd.sh" \ + "${unsigned_image}" \ + "${IMAGE_BIOS}" \ + "${firmware_prvkey}" \ + "${firmware_keyblock}" \ + "${dev_firmware_prvkey}" \ + "${dev_firmware_keyblock}" \ + "${kernel_sub_pubkey}" \ + "${firmware_version}" \ + ${optional_opts} || die "Failed to re-sign firmware. (message: $(cat "${EXEC_LOG}"))" - if is_debug_mode; then - cat "$EXEC_LOG" - fi debug_msg "Extract current HWID" local old_hwid - old_hwid="$(futility gbb --get --hwid "$IMAGE" 2>"$EXEC_LOG" | + old_hwid="$(${FUTILITY} gbb --get --hwid "${IMAGE_BIOS}" 2>"${EXEC_LOG}" | sed -rne 's/^hardware_id: (.*)$/\1/p')" debug_msg "Decide new HWID" @@ -282,8 +372,8 @@ main() { fi local old_gbb_flags - old_gbb_flags="$(futility gbb --get --flags "$IMAGE" 2>"$EXEC_LOG" | - sed -rne 's/^flags: (.*)$/\1/p')" + old_gbb_flags="$(${FUTILITY} gbb --get --flags "${IMAGE_BIOS}" \ + 2>"${EXEC_LOG}" | sed -rne 's/^flags: (.*)$/\1/p')" debug_msg "Decide new GBB flags from: $old_gbb_flags" [ -z "$old_gbb_flags" ] && die "Cannot find GBB flags. (message: $(cat "${EXEC_LOG}"))" @@ -291,52 +381,68 @@ main() { local new_gbb_flags="$((old_gbb_flags | 0x30))" debug_msg "Replace GBB parts (futility gbb allows changing on-the-fly)" - futility gbb --set \ - --hwid="$new_hwid" \ - --rootkey="$root_pubkey" \ - --recoverykey="$recovery_pubkey" \ - "$IMAGE" >"$EXEC_LOG" 2>&1 || + ${FUTILITY} gbb --set \ + --hwid="${new_hwid}" \ + --rootkey="${root_pubkey}" \ + --recoverykey="${recovery_pubkey}" \ + "${IMAGE_BIOS}" >"${EXEC_LOG}" 2>&1 || die "Failed to change GBB Data. (message: $(cat "${EXEC_LOG}"))" # Old firmware does not support GBB flags, so let's make it an exception. - if [ "$FLAGS_mod_gbb_flags" = "$FLAGS_TRUE" ]; then - debug_msg "Changing GBB flags from $old_gbb_flags to $new_gbb_flags" - futility gbb --set \ - --flags="$new_gbb_flags" \ - "$IMAGE" >"$EXEC_LOG" 2>&1 || - echo "Warning: GBB flags ($old_gbb_flags -> $new_gbb_flags) can't be set." + if [ "${FLAGS_mod_gbb_flags}" = "${FLAGS_TRUE}" ]; then + debug_msg "Changing GBB flags from ${old_gbb_flags} to ${new_gbb_flags}" + ${FUTILITY} gbb --set \ + --flags="${new_gbb_flags}" \ + "${IMAGE_BIOS}" >"${EXEC_LOG}" 2>&1 || + echo "Warning: Can't set GBB flags ${old_gbb_flags} -> ${new_gbb_flags}." fi # TODO(hungte) compare if the image really needs to be changed. debug_msg "Check if we need to make backup file(s)" - if [ -n "$backup_image" ]; then - local backup_hwid_name="$(echo "$old_hwid" | sed 's/ /_/g')" + if [ -n "${backup_bios_image}" ]; then + local backup_hwid_name="$(echo "${old_hwid}" | sed 's/ /_/g')" local backup_date_time="$(date +'%Y%m%d_%H%M%S')" - local backup_file_name="firmware_${backup_hwid_name}_${backup_date_time}.fd" - local backup_file_path="$FLAGS_backup_dir/$backup_file_name" - if mkdir -p "$FLAGS_backup_dir" && - cp -f "$backup_image" "$backup_file_path"; then - true - elif cp -f "$backup_image" "/tmp/$backup_file_name"; then - backup_file_path="/tmp/$backup_file_name" + local backup_bios_name="bios_${backup_hwid_name}_${backup_date_time}.fd" + local backup_bios_path="${FLAGS_backup_dir}/${backup_bios_name}" + local backup_ec_name="ec_${backup_hwid_name}_${backup_date_time}.fd" + local backup_ec_path='' + if mkdir -p "${FLAGS_backup_dir}" && + cp -f "${backup_bios_image}" "${backup_bios_path}"; then + if [ -n "${backup_ec_image}" ]; then + backup_ec_path="${FLAGS_backup_dir}/${backup_ec_name}" + cp -f "${backup_ec_image}" "${backup_ec_path}" + fi + elif cp -f "${backup_bios_image}" "/tmp/${backup_bios_name}"; then + backup_bios_path="/tmp/${backup_bios_name}" + if [ -n "${backup_ec_image}" ]; then + cp -f "${backup_ec_image}" "/tmp/${backup_ec_name}" + backup_ec_path="/tmp/${backup_ec_name}" + fi else - backup_file_path='' + backup_bios_path='' fi - if [ -n "$backup_file_path" -a -s "$backup_file_path" ]; then + if [ -n "${backup_bios_path}" ]; then # TODO(hungte) maybe we can wrap the flashrom by 'make_dev_firmware.sh -r' # so that the only command to remember would be make_dev_firmware.sh. echo " - Backup of current firmware image is stored in: - $backup_file_path - Please copy the backup file to a safe place ASAP. - - To stop using devkeys and restore original firmware, execute command: - ${FLASHROM} -w [PATH_TO_BACKUP_IMAGE] - Ex: ${FLASHROM} -w $backup_file_path - " + Backup of current firmware image is stored in: + ${backup_bios_path} + ${backup_ec_path} + Please copy the backup file to a safe place ASAP. + + To stop using devkeys and restore original BIOS, execute command: + flashrom -p bios -w [PATH_TO_BACKUP_BIOS] + Ex: flashrom -p bios -w ${backup_bios_path}" + if [ -n "${backup_ec_image}" ]; then + echo " + To stop using devkeys and restore original EC, execute command: + flashrom -p ec -w [PATH_TO_BACKUP_EC] + Ex: flashrom -p ec -w ${backup_ec_path}" + fi + echo "" else - echo "WARNING: Cannot create file in $FLAGS_backup_dir... Ignore backups." + echo "WARNING: Can't create file in ${FLAGS_backup_dir}. Ignore backups." fi fi diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 1bee36df..caf8940a 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -22,10 +22,6 @@ # Load common constants and variables. . "$(dirname "$0")/common.sh" -# Which futility to run? -# futility is exception because there are local automated tests for it. -[ -z "${FUTILITY}" ] && FUTILITY=futility - # Print usage string usage() { cat <<EOF @@ -122,11 +118,6 @@ is_old_verity_argv() { return 1 } -# Returns true if given ec.bin is signed or false if not. -is_ec_rw_signed() { - ${FUTILITY} dump_fmap "$1" | grep -q KEY_RO -} - # Get the dmparams parameters from a kernel config. get_dmparams_from_config() { local kernel_config=$1 @@ -503,28 +494,6 @@ sign_recovery_kernel() { info "Signed recovery_kernel image output to ${image}" } -# Get the compression algorithm used for the given CBFS file. -# Args: INPUT_CBFS_IMAGE CBFS_FILE_NAME -get_cbfs_compression() { - cbfstool "$1" print -r "FW_MAIN_A" | awk -vname="$2" '$1 == name {print $5}' -} - -# Store a file in CBFS. -# Args: INPUT_CBFS_IMAGE INPUT_FILE CBFS_FILE_NAME -store_file_in_cbfs() { - local image="$1" - local file="$2" - local name="$3" - local compression=$(get_cbfs_compression "$1" "${name}") - cbfstool "${image}" remove -r "FW_MAIN_A,FW_MAIN_B" -n "${name}" || return - # This add can fail if - # 1. Size of a signature after compression is larger - # 2. CBFS is full - # These conditions extremely unlikely become true at the same time. - cbfstool "${image}" add -r "FW_MAIN_A,FW_MAIN_B" -t "raw" \ - -c "${compression}" -f "${file}" -n "${name}" || return -} - # Sign a delta update payload (usually created by paygen). # Args: INPUT_IMAGE KEY_DIR OUTPUT_IMAGE sign_update_payload() { |