authorMike Frysinger <vapier@chromium.org>2020-07-21 05:15:50 -0400
committerCommit Bot <commit-bot@chromium.org>2020-07-24 04:11:45 +0000
commitc9c14da9bbc256618d11cfccac0bf72d0b524a21 (patch)
tree42f6b1543ebf2a7b7badc966612a52678addae03
parent9d4986f4dbefa423ed64728db94c772f45391a62 (diff)
downloadvboot-c9c14da9bbc256618d11cfccac0bf72d0b524a21.tar.gz
image_signing: drop support for signing nvidia lp0_firmware
This was only used by smaug which went EOL a while ago and we've already deleted supporting logic. BUG=None TEST=CQ passes BRANCH=None Change-Id: Ia639c7da3c70c62ee102f11d510ffaa928ab244a Signed-off-by: Mike Frysinger <vapier@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2309221 Reviewed-by: Furquan Shaikh <furquan@chromium.org> Reviewed-by: Joel Kitching <kitching@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_firmware.sh10
-rwxr-xr-xscripts/image_signing/sign_nv_cbootimage.sh262
-rwxr-xr-xscripts/image_signing/sign_official_build.sh18
3 files changed, 0 insertions, 290 deletions
diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh
index 54c3a4d9..0e7ac7c4 100755
--- a/scripts/image_signing/sign_firmware.sh
+++ b/scripts/image_signing/sign_firmware.sh
@@ -128,16 +128,6 @@ main() {
sign_one
gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" \
"${key_dir}/root_key.vbpubk"
-
- # Additional signing step for nVidia T210 SoC.
- # Currently, cbootimage is unable to handle path with double slash.
- if [[ -e ${key_dir}/nv_pkc.pem ]]; then
- "${SCRIPT_DIR}/sign_nv_cbootimage.sh" \
- "bootloader" \
- "${key_dir%/}/nv_pkc.pem" \
- "${out_firmware}" \
- tegra210
- fi
fi
}
main "$@"
diff --git a/scripts/image_signing/sign_nv_cbootimage.sh b/scripts/image_signing/sign_nv_cbootimage.sh
deleted file mode 100755
index da978e84..00000000
--- a/scripts/image_signing/sign_nv_cbootimage.sh
+++ /dev/null
@@ -1,262 +0,0 @@
-#!/bin/bash
-# Copyright 2015 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# Wrapper script for signing firmware image using cbootimage.
-
-# Determine script directory.
-SCRIPT_DIR=$(dirname "$0")
-
-# Load common constants and variables.
-. "${SCRIPT_DIR}/common_minimal.sh"
-
-# Abort on error.
-set -e
-
-usage() {
- cat<<EOF
-Usage: $0 <type> <pkc_key> <firmware_image> <soc>
-
-Signs <firmware_image> of <type> with <pkc_key> using cbootimage for <soc>.
-where type is one of
- bootloader = sign bootloader image
- lp0_firmware = sign lp0 firmware
-EOF
- exit 1
-}
-
-# Signs bootloader image using pkc_key provided for given soc
-# Args: TYPE=bootloader PKC_KEY FIRMWARE_IMAGE SOC
-sign_bootloader() {
- local type=$1
- local pkc_key="$(readlink -f "$2")"
- local firmware_image="$(readlink -f "$3")"
- local soc=$4
-
- local work_dir=$(make_temp_dir)
- local config_file=$(make_temp_file)
- local signed_fw=$(make_temp_file)
-
- pushd "${work_dir}" >/dev/null
-
- # Get bootloader length.
- #
- # Example:
- # $ bct_dump image.fastboot.bin
- # Version = 0x00210001;
- # BlockSize = 0x00008000;
- # ...
- # ...
- # # Bootloader[0].Length = 69324;
- # ...
- # ...
- #
- # then, bl_length=69324 (size of bootloader that needs to be signed)
- local bl_length=$(bct_dump "${firmware_image}" | \
- sed -n '/Bootloader\[0\].Length/{ s/.*=\s*//; s/;//; p; q}')
-
- # Extract bootloader to sign.
- dd \
- if="${firmware_image}" \
- of="${signed_fw}.bl.tosig" \
- count="${bl_length}" \
- ibs=1 \
- skip=32768 >/dev/null 2>&1
-
- # Calculate rsa signature for bootloader.
- openssl \
- dgst -sha256 \
- -sigopt rsa_padding_mode:pss \
- -sigopt rsa_pss_saltlen:-1 \
- -sign "${pkc_key}" \
- -out "${signed_fw}.bl.sig" \
- "${signed_fw}.bl.tosig"
-
- # Update bootloader's rsa signature, aes hash and bct's aes hash.
- echo "RsaPssSigBlFile = ${signed_fw}.bl.sig;" > "${config_file}"
- echo "RehashBl;" >> "${config_file}"
- cbootimage \
- -s "${soc}" \
- -u "${config_file}" \
- "${firmware_image}" \
- "${signed_fw}.tmp" >/dev/null
-
- # Extract the part of bct which needs to be rsa signed.
- dd \
- if="${signed_fw}.tmp" \
- of="${signed_fw}.bct.tosig" \
- count=8944 \
- ibs=1 \
- skip=1296 >/dev/null 2>&1
-
- # Calculate rsa signature for bct.
- openssl \
- dgst -sha256 \
- -sigopt rsa_padding_mode:pss \
- -sigopt rsa_pss_saltlen:-1 \
- -sign "${pkc_key}" \
- -out "${signed_fw}.bct.sig" \
- "${signed_fw}.bct.tosig"
-
- # Create public key modulus from key file.
- openssl \
- rsa -in "${pkc_key}" \
- -noout \
- -modulus \
- -out "${signed_fw}.key.mod"
-
- # Remove prefix.
- cut \
- -d= \
- -f2 "${signed_fw}.key.mod" > "${signed_fw}.key.mod.tmp1"
- dd \
- if="${signed_fw}.key.mod.tmp1" \
- of="${signed_fw}.key.mod.tmp" \
- count=512 \
- ibs=1 >/dev/null 2>&1
-
- # Convert from hexdecimal to binary.
- perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' \
- < "${signed_fw}.key.mod.tmp" \
- > "${signed_fw}.key.mod.bin"
-
- # Update bct's rsa signature and modulus.
- echo "RsaPssSigBctFile = ${signed_fw}.bct.sig;" > "${config_file}"
- echo "RsaKeyModulusFile = ${signed_fw}.key.mod.bin;" >> "${config_file}"
- cbootimage \
- -s "${soc}" \
- -u "${config_file}" \
- "${signed_fw}.tmp" \
- "${signed_fw}" >/dev/null
-
- # Calculate hash of public key modulus.
- objcopy \
- -I binary \
- --reverse-bytes=256 \
- "${signed_fw}.key.mod.bin" \
- "${signed_fw}.key.mod.bin.rev"
- openssl \
- dgst -sha256 \
- -binary \
- -out "${signed_fw}.key.sha" \
- "${signed_fw}.key.mod.bin.rev"
-
- popd >/dev/null
-
- # Copy signed firmware image and public key hash to current directory..
- mv "${signed_fw}" "${firmware_image}"
- mv "${signed_fw}.key.sha" "${firmware_image}.pubkey.sha"
-}
-
-# Signs lp0 firmware image using pkc_key provided for given soc
-# Args: TYPE=lp0_firmware PKC_KEY FIRMWARE_IMAGE SOC
-sign_lp0_firmware() {
- local type=$1
- local pkc_key="$(readlink -f "$2")"
- local firmware_image="$(readlink -f "$3")"
- local soc=$4
-
- local work_dir=$(make_temp_dir)
- local signed_fw=$(make_temp_file)
-
- pushd "${work_dir}" >/dev/null
-
- cp "${firmware_image}" "${signed_fw}"
-
- # Extract the part of the binary which needs to be signed.
- dd \
- if="${firmware_image}" \
- of="${signed_fw}.tosig" \
- ibs=1 \
- skip=544 >/dev/null 2>&1
-
- # Calculate rsa-pss signature.
- openssl \
- dgst -sha256 \
- -sigopt rsa_padding_mode:pss \
- -sigopt rsa_pss_saltlen:-1 \
- -sign "${pkc_key}" \
- -out "${signed_fw}.rsa.sig" \
- "${signed_fw}.tosig"
-
- # Reverse rsa signature to meet tegra soc ordering requirement.
- objcopy \
- -I binary \
- --reverse-bytes=256 \
- "${signed_fw}.rsa.sig" \
- "${signed_fw}.rsa.sig.rev"
-
- # Inject rsa-pss signature into the binary image's header.
- dd \
- if="${signed_fw}.rsa.sig.rev" \
- of="${signed_fw}" \
- count=256 \
- obs=1 \
- seek=288 \
- conv=notrunc >/dev/null 2>&1
-
- # Generate public key modulus from key file.
- openssl \
- rsa -in "${pkc_key}" \
- -noout \
- -modulus \
- -out "${signed_fw}.key.mod"
-
- # Remove prefix.
- cut \
- -d= \
- -f2 "${signed_fw}.key.mod" > "${signed_fw}.key.mod.tmp1"
-
- dd \
- if="${signed_fw}.key.mod.tmp1" \
- of="${signed_fw}.key.mod.tmp" \
- count=512 \
- ibs=1 >/dev/null 2>&1
-
- # Convert from hexdecimal to binary.
- perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' \
- < "${signed_fw}.key.mod.tmp" \
- > "${signed_fw}.key.mod.bin"
-
- # Reverse byte order.
- objcopy \
- -I binary \
- --reverse-bytes=256 \
- "${signed_fw}.key.mod.bin" \
- "${signed_fw}.key.mod.bin.rev"
-
- # Inject public key modulus into the binary image's header.
- dd \
- if="${signed_fw}.key.mod.bin.rev" \
- of="${signed_fw}" \
- count=256 \
- obs=1 \
- seek=16 \
- conv=notrunc >/dev/null 2>&1
-
- popd >/dev/null
- mv "${signed_fw}" "${firmware_image}"
-}
-
-main() {
- if [[ $# -ne 4 ]]; then
- usage
- fi
-
- local type=$1
-
- case ${type} in
- bootloader)
- sign_bootloader "$@"
- ;;
- lp0_firmware)
- sign_lp0_firmware "$@"
- ;;
- *)
- usage
- ;;
- esac
-}
-
-main "$@"
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 3777032c..0d02fe34 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -37,7 +37,6 @@ where <type> is one of:
firmware (sign a firmware image)
usb (sign an image to boot directly from USB)
verify (verify an image including rootfs hashes)
- nv_lp0_firmware (sign nvidia lp0 firmware)
accessory_usbpd (sign USB-PD accessory firmware)
accessory_rwsig (sign accessory RW firmware)
cr50_firmware (sign a cr50 firmware image)
@@ -403,17 +402,6 @@ sign_firmware() {
info "Signed firmware image output to ${image}"
}
-# Sign nvidia lp0 firmware with the given keys.
-# Args: NV_LP0_FIRMWARE_IMAGE KEY_DIR
-sign_nv_lp0_firmware() {
- local nv_lp0_fw_image=$1
- local key_dir=$2
-
- "${SCRIPT_DIR}/sign_nv_cbootimage.sh" "lp0_firmware" \
- "${key_dir%/}/nv_pkc.pem" "${nv_lp0_fw_image}" "tegra210"
- info "Signed nvidia lp0 firmware image output to ${nv_lp0_fw_image}"
-}
-
# Sign a kernel in-place with the given keys.
# Args: KERNEL_IMAGE KEY_DIR KERNEL_VERSION
sign_kernel() {
@@ -1108,12 +1096,6 @@ elif [[ "${TYPE}" == "firmware" ]]; then
fi
cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
sign_firmware ${OUTPUT_IMAGE} ${KEY_DIR} ${FIRMWARE_VERSION}
-elif [[ "${TYPE}" == "nv_lp0_firmware" ]]; then
- if [[ -e "${KEY_DIR}/loem.ini" ]]; then
- die "LOEM signing not implemented yet for nv_lp0_firmware images"
- fi
- cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
- sign_nv_lp0_firmware "${OUTPUT_IMAGE}" "${KEY_DIR}"
elif [[ "${TYPE}" == "kernel" ]]; then
if [[ -e "${KEY_DIR}/loem.ini" ]]; then
die "LOEM signing not implemented yet for kernel images"