image_signing: workaround ecrw signing breakage

It looks like cbfstool removing & inserting blobs into the bios, even
if the contents are the same, break the signatures run over the region.
Until we can figure out what's going on, avoid re-adding content that's
the same to keep the signatures valid.

BRANCH=None
BUG=chromium:889716
TEST=signing fizz image has valid vblock hashes

Change-Id: I00ba84cf22b6fffc594e60b78f91e7cb49c98f06
Reviewed-on: https://chromium-review.googlesource.com/1248201
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: C Shapiro <shapiroc@chromium.org>

1 files changed, 12 insertions, 0 deletions

diff --git a/scripts/image_signing/common_minimal.sh b/scripts/image_signing/common_minimal.sh
index 8166d698..86a69db6 100644
--- a/scripts/image_signing/common_minimal.sh
+++ b/scripts/image_signing/common_minimal.sh
@@ -443,6 +443,18 @@ store_file_in_cbfs() {
   local file="$2"
   local name="$3"
   local compression=$(get_cbfs_compression "$1" "${name}")
+
+  # Don't re-add a file to a section if it's unchanged.  Otherwise this seems
+  # to break signature of existing contents.  https://crbug.com/889716
+  if cbfstool "${image}" extract -r "FW_MAIN_A,FW_MAIN_B" \
+       -f "${file}.orig" -n "${name}"; then
+    if cmp -s "${file}" "${file}.orig"; then
+      rm -f "${file}.orig"
+      return
+    fi
+    rm -f "${file}.orig"
+  fi
+
   cbfstool "${image}" remove -r "FW_MAIN_A,FW_MAIN_B" -n "${name}" || return
   # This add can fail if
   # 1. Size of a signature after compression is larger