authorVadim Bendebury <vbendeb@chromium.org>2019-05-16 13:26:11 -0700
committerchrome-bot <chrome-bot@chromium.org>2019-05-17 18:38:01 -0700
commit39b755ea1477d183c5eaa14947cb0ebb8373d8e4 (patch)
tree6f2d523b7338a209232fb62686ad07e5ce3c3885
parent2bca3d876c9ebaf8e682b377b0b66366d97a6807 (diff)
downloadvboot-39b755ea1477d183c5eaa14947cb0ebb8373d8e4.tar.gz
cr50: relax signature type verification for test runs
If the key file directory name includes string 'test' do not check if the image being signed has the prod RO. BRANCH=none BUG=b:74100307 TEST=manual Change-Id: I3241d31f6612c1dc44c217958d74d4da784c5dfb Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1614793 Reviewed-by: LaMont Jones <lamontjones@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_cr50_firmware.sh16
1 files changed, 13 insertions, 3 deletions
diff --git a/scripts/image_signing/sign_cr50_firmware.sh b/scripts/image_signing/sign_cr50_firmware.sh
index 1616e49b..c87b3124 100755
--- a/scripts/image_signing/sign_cr50_firmware.sh
+++ b/scripts/image_signing/sign_cr50_firmware.sh
@@ -224,18 +224,28 @@ sign_rw() {
# A very crude RO verification function. The key signature found at a fixed
# offset into the RO blob must match the RO type. Prod keys have bit D2 set to
# one, dev keys have this bit set to zero.
+#
+# The check is bypassed if the key file directory name includes string 'test'.
verify_ro() {
- if [[ $# -ne 1 ]]; then
- die "Usage: verify_ro <ro_bin>"
+ if [[ $# -ne 2 ]]; then
+ die "Usage: verify_ro <ro_bin> <key_file>"
fi
local ro_bin="$1"
+ local key_file="$2"
local key_byte
+ local key_path
if [[ ! -f "${ro_bin}" ]]; then
die "${ro_bin} not a file!"
fi
+ key_path="$(dirname "${key_file}")"
+ if [[ ${key_path##*/} == *"test"* ]]; then
+ info "Test run, ignoring key type verification"
+ return 0
+ fi
+
# Key signature's lowest byte is byte #5 in the line at offset 0001a0.
key_byte="$(od -Ax -t x1 -v "${ro_bin}" | awk '/0001a0/ {print $6}')"
case "${key_byte}" in
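Review bot: The bypass added to `verify_ro` is a substring match, `[[ ${key_path##*/} == *"test"* ]]`, so any key directory whose last path component merely contains those letters (for example `latest` or `attestation`) skips the prod/dev RO key-type check even though nobody asked for a test run. Because that check is what ties the RO blob's key type to the signing run, the condition should match a whole name token, e.g. `if [[ ${key_path##*/} =~ (^|[-_.])test([-_.]|$) ]]; then`, or the exact directory names the test key sets use, which are not visible here. The log line should also name the directory, `info "Test run (${key_path}), ignoring key type verification"`, so a skipped check can be traced in the signer output. The body of `verify_ro` continues past the end of this hunk.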
@@ -299,7 +309,7 @@ sign_cr50_firmware() {
if ! objcopy -I ihex "${f}" -O binary "${temp_dir}/${count}.bin"; then
die "Failed to convert ${f} from hex to bin"
fi
- verify_ro "${temp_dir}/${count}.bin"
+ verify_ro "${temp_dir}/${count}.bin" "${key_file}"
: $(( count++ ))
done