authorVadim Bendebury <vbendeb@chromium.org>2019-10-31 19:43:27 -0700
committerCommit Bot <commit-bot@chromium.org>2019-11-02 07:06:31 +0000
commitff76f72ac363d090cb2a076cc771cc450b166340 (patch)
tree7e7a90097ebac8f97c8243b16e2d63a76ed3f873
parent52714545cdb62d15ada66ac55b734c70b1910690 (diff)
downloadvboot-ff76f72ac363d090cb2a076cc771cc450b166340.tar.gz
cr50_signing: add code to sign pre-pvt, pre-release and release
This patch adds the checks that are necessary before signing of the various image types can proceed. The checks include verifying that Board ID flags and major version number match the image type. Also, manifest modification for node locked images is enhanced by setting the least significant bit of the tag field to one. This will ensure that the prod key ladder is not available to node locked images even though they are signed with a prod key. BRANCH=none BUG=b:74100307 TEST=verified various cases by manually editing prod.json and signing_instructions.sh and observing results: either error messages or successful modification of the manifest and signing. Change-Id: I0bc4a8acae1ca4e983999fd47e515c48786ded6c Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1894848
-rwxr-xr-xscripts/image_signing/sign_cr50_firmware.sh92
1 files changed, 59 insertions, 33 deletions
diff --git a/scripts/image_signing/sign_cr50_firmware.sh b/scripts/image_signing/sign_cr50_firmware.sh
index 5cbd6252..d11afbbc 100755
--- a/scripts/image_signing/sign_cr50_firmware.sh
+++ b/scripts/image_signing/sign_cr50_firmware.sh
@@ -37,7 +37,7 @@ to_int32() {
}
# This function accepts one argument, the name of the Cr50 manifest file which
-# needs to be verified.
+# needs to be verified and in certain cases altered.
#
# The function verifies that the input manifest is a proper json file, and
# that the manifest conforms to Cr50 version numbering and board ID flags
@@ -83,40 +83,66 @@ verify_and_prepare_cr50_manifest() {
die "bid_flags not found in ${manifest_json}"
fi
- if [[ ${INSN_TARGET:-} == NodeLocked ]]; then
- if [[ -z ${INSN_DEVICE_ID:-} ]]; then
- die "Node locked target without Device ID value"
- fi
- # Case of a node locked image, it must have the fixed factory version. The
- # manifest fields must be modified as follows:
- #
- # - DEV_ID values spliced in into the "fuses" section
- # - board_id related fields removed
- # - config1 field bit 0x80000000 set
-
- local sub
- local devid0
- local devid1
-
- if [[ $epoch.$major.$minor != $CR50_FACTORY_VERSION ]];then
- die "Will not create node locked images for version $epoch.$major.$minor"
- fi
+ case "${INSN_TARGET:-}" in
+
+ (NodeLocked)
+ if [[ -z ${INSN_DEVICE_ID:-} ]]; then
+ die "Node locked target without Device ID value"
+ fi
+ # Case of a node locked image, it must have the fixed factory version.
+ if [[ $epoch.$major.$minor != $CR50_FACTORY_VERSION ]];then
+ die "Won't create node locked images for version $epoch.$major.$minor"
+ fi
+
+ local sub
+ local devid0
+ local devid1
+
+ devid0="$(to_int32 "0x${INSN_DEVICE_ID/-*}")"
+ devid1="$(to_int32 "0x${INSN_DEVICE_ID/*-}")"
+ cf1="$(to_int32 $(( 0x80000000 + ${config1} )))"
+ sub="$(printf " \"DEV_ID0\": %s,\\\n \"DEV_ID1\": %s," \
+ "${devid0}" "${devid1}")"
+
+ # Manifest fields must be modified as follows:
+ #
+ # - board_id related fields removed
+ # - 'config1' field bit 0x80000000 set
+ # - least significant bit of the 'tag' field originally set to all zeros
+ # changed from zero to one
+ # - DEV_ID values spliced in into the 'fuses' section
+ sed -i "/board_id/d;\
+ s/\"config1\":.*/\"config1\": ${cf1},/;\
+ s/\(tag.*0\+\)0/\11/;\
+ /\"fuses\":/ a\
+ $sub" "${manifest_json}" || die "Failed to edit the manifest"
+ return 0
+ ;;
+
+ (PrePVT)
+ # All we care about for pre pvt images is that major version number is
+ # even and the 0x10 Board ID flag is set.
+ if (( !(major & 1 ) && (bid_flags & PRE_PVT_BID_FLAG) )); then
+ return 0
+ fi
+ ;;
+
+ (ReleaseCandidate|GeneralRelease)
+ if (( (bid_flags & MP_BID_FLAG) && (major & 1) )); then
+ if [[ ${INSN_TARGET} == GeneralRelease ]]; then
+ # Strip Board ID information for approved for release MP images.
+ sed -i "/board_id/d" "${manifest_json}"
+ fi
+ return 0
+ fi
+ ;;
+
+ (*)
+ die "Unsupported target '${INSN_TARGET:-}'"
+ esac
- devid0="$(to_int32 "0x${INSN_DEVICE_ID/-*}")"
- devid1="$(to_int32 "0x${INSN_DEVICE_ID/*-}")"
- cf1="$(to_int32 $(( 0x80000000 + ${config1} )))"
- sub="$(printf " \"DEV_ID0\": %s,\\\n \"DEV_ID1\": %s," \
- "${devid0}" "${devid1}")"
- sed -i "/board_id/d;s/\"config1\":.*/\"config1\": ${cf1},/;/\"fuses\":/ a\
-$sub" "${manifest_json}" || die "Failed to edit the manifest"
- return 0
- elif (( major & 1 )); then
- return 0
- elif (( bid_flags & PRE_PVT_BID_FLAG )); then
- return 0
- fi
die "Inconsistent manifest ${manifest_json}: major = '${major}'," \
- "board_id_flags = '${bid_flags}'"
+ "board_id_flags = '${bid_flags}' target = '${INSN_TARGET}'"
}
# This function accepts two arguments, names of two binary files.
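Review bot: The `s/\(tag.*0\+\)0/\11/` expression in the NodeLocked branch is the only thing that keeps the prod key ladder away from node locked images, but sed exits 0 when a substitution matches nothing. The trailing `|| die "Failed to edit the manifest"` therefore does not fire if the manifest has no tag line or the line does not end in two zeros, and the image would still be signed with the prod key. I would verify the result before `return 0`, for example `grep -q '"tag":.*1"' "${manifest_json}" || die "tag LSB not set in ${manifest_json}"`, with the pattern adjusted to the real manifest layout, which is not visible in this hunk. Separately, the `sed -i "/board_id/d" "${manifest_json}"` in the GeneralRelease branch has no `|| die`, unlike the NodeLocked edit; unless the script runs under `set -e` (not shown here), a failed edit still reaches `return 0` with the Board ID fields in place. The body of verify_and_prepare_cr50_manifest starts above the hunk, so the parsing of `major`, `config1` and `bid_flags` was not reviewed.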