Reland "vboot/sign_official_build: re-sign miniOS partitions"

This is a reland of 43325cb9b2568c4a03c849f3474fcee8de3ae893 Looks like this was reverted incorrectly in CL:3044633, culprit turned out to be an unrelated flake (see b/194293181). Original change's description: > vboot/sign_official_build: re-sign miniOS partitions > > sign_official_build.sh needs to be taught how to re-sign miniOS > partitions, depending on whether the particular image at hand > contains them or not. > > BUG=b:188121855 > TEST=make clean && make runtests > BRANCH=none > > Cq-Depend: chromium:3027786 > Signed-off-by: Joel Kitching <kitching@google.com> > Change-Id: Iaf847e14588011dd0fea6b59405091ae36ef038f > Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989640 > Tested-by: Joel Kitching <kitching@chromium.org> > Reviewed-by: Mike Frysinger <vapier@chromium.org> > Commit-Queue: Joel Kitching <kitching@chromium.org> Bug: b:188121855 Signed-off-by: Julius Werner <jwerner@google.com> Change-Id: I2e29a6e85f7d41ad365365ffb7e694f0c291d4f3 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3046439 Reviewed-by: Sergey Frolov <sfrolov@google.com> Reviewed-by: Joel Kitching <kitching@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> Tested-by: Julius Werner <jwerner@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
author: Joel Kitching <kitching@google.com> 2021-06-26 07:31:07 +0800
committer: Mike Frysinger <vapier@chromium.org> 2021-07-23 18:49:44 +0000
commit: 1c56856cd7199734aa86359ee17864d86f3a347f (patch)
tree: a0ddc6809fc90f14a9971fd587bb76c4eda7079b
parent: 2755840d372bf9b8ddbfe12ab7e34891cc129846 (diff)
download: vboot-1c56856cd7199734aa86359ee17864d86f3a347f.tar.gz
1 files changed, 62 insertions, 3 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 92c9a3f3..88c58d8d 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -15,6 +15,8 @@
 #  e2fsck
 #  sha1sum
 
+MINIOS_KERNEL_GUID="09845860-705f-4bb5-b16c-8a8a099caf52"
+
 # Load common constants and variables.
 . "$(dirname "$0")/common.sh"
 
@@ -885,6 +887,49 @@ update_recovery_kernel_hash() {
     --config ${new_kerna_config}
 }
 
+# Re-sign miniOS kernels with new keys.
+# Args: LOOPDEV KEYBLOCK PRIVKEY
+resign_minios_kernels() {
+  local loopdev="$1"
+  local keyblock="$2"
+  local priv_key="$3"
+
+  info "Searching for miniOS kernels to resign..."
+
+  local loop_kern
+  for loop_kern in "${loopdev}p"*; do
+    local part_type_guid=$(sudo lsblk -rnb -o PARTTYPE "${loop_kern}")
+    if [[ "${part_type_guid}" != "${MINIOS_KERNEL_GUID}" ]]; then
+      continue
+    fi
+
+    # Delay checking that keyblock and private key exist until we are certain
+    # of a valid miniOS partition.  Images that don't support miniOS might not
+    # provide these.  (This check is repeated twice, but that's okay.)
+    if [[ ! -e "${keyblock}" ]]; then
+      error "Resign miniOS: keyblock doesn't exist: ${keyblock}"
+      return 1
+    fi
+    if [[ ! -e "${priv_key}" ]]; then
+      error "Resign miniOS: private key doesn't exist: ${priv_key}"
+      return 1
+    fi
+
+    # Assume this is a miniOS kernel.
+    local minios_kernel_version=$((KERNEL_VERSION >> 24))
+    if sudo ${FUTILITY} vbutil_kernel --repack "${loop_kern}" \
+        --keyblock "${keyblock}" \
+        --signprivate "${priv_key}" \
+        --version "${minios_kernel_version}" \
+        --oldblob "${loop_kern}"; then
+      info "Resign miniOS ${loop_kern}: done"
+    else
+      error "Resign miniOS ${loop_kern}: failed"
+      return 1
+    fi
+  done
+}
+
 # Update the legacy bootloader templates in EFI partition if available.
 # Args: LOOPDEV KERNEL
 update_legacy_bootloader() {
@@ -932,7 +977,7 @@ update_legacy_bootloader() {
 
 # Sign an image file with proper keys.
 # Args: IMAGE_TYPE INPUT OUTPUT DM_PARTNO KERN_A_KEYBLOCK KERN_A_PRIVKEY \
-#       KERN_B_KEYBLOCK KERN_B_PRIVKEY
+#       KERN_B_KEYBLOCK KERN_B_PRIVKEY MINIOS_KEYBLOCK MINIOS_PRIVKEY
 #
 # A ChromiumOS image file (INPUT) always contains 2 partitions (kernel A & B).
 # This function will rebuild hash data by DM_PARTNO, resign kernel partitions by
@@ -949,6 +994,8 @@ sign_image_file() {
   local kernA_privkey="$6"
   local kernB_keyblock="$7"
   local kernB_privkey="$8"
+  local minios_keyblock="$9"
+  local minios_privkey="${10}"
 
   info "Preparing ${image_type} image..."
   cp --sparse=always "${input}" "${output}"
@@ -982,6 +1029,10 @@ sign_image_file() {
   if [[ "${image_type}" == "recovery" ]]; then
     update_recovery_kernel_hash "${loopdev}"
   fi
+  if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
+      "${minios_privkey}"; then
+    return 1
+  fi
   if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then
     # Error is already logged.
     return 1
@@ -1028,20 +1079,28 @@ info "Using kernel version: ${KERNEL_VERSION}"
 # Make all modifications on output copy.
 if [[ "${TYPE}" == "base" ]]; then
   sign_image_file "base" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \
-    "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" \
-    "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk"
+    "${KEY_DIR}/kernel.keyblock" \
+    "${KEY_DIR}/kernel_data_key.vbprivk" \
+    "${KEY_DIR}/kernel.keyblock" \
+    "${KEY_DIR}/kernel_data_key.vbprivk" \
+    "${KEY_DIR}/minios_kernel.keyblock" \
+    "${KEY_DIR}/minios_kernel_data_key.vbprivk"
 elif [[ "${TYPE}" == "recovery" ]]; then
   sign_image_file "recovery" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 4 \
     "${KEY_DIR}/recovery_kernel.keyblock" \
     "${KEY_DIR}/recovery_kernel_data_key.vbprivk" \
     "${KEY_DIR}/kernel.keyblock" \
     "${KEY_DIR}/kernel_data_key.vbprivk"
+    "${KEY_DIR}/minios_kernel.keyblock" \
+    "${KEY_DIR}/minios_kernel_data_key.vbprivk"
 elif [[ "${TYPE}" == "factory" ]]; then
   sign_image_file "factory_install" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \
     "${KEY_DIR}/installer_kernel.keyblock" \
     "${KEY_DIR}/installer_kernel_data_key.vbprivk" \
     "${KEY_DIR}/kernel.keyblock" \
     "${KEY_DIR}/kernel_data_key.vbprivk"
+    "${KEY_DIR}/minios_kernel.keyblock" \
+    "${KEY_DIR}/minios_kernel_data_key.vbprivk"
 elif [[ "${TYPE}" == "firmware" ]]; then
   if [[ -e "${KEY_DIR}/loem.ini" ]]; then
     die "LOEM signing not implemented yet for firmware images"
author	Joel Kitching <kitching@google.com>	2021-06-26 07:31:07 +0800
committer	Mike Frysinger <vapier@chromium.org>	2021-07-23 18:49:44 +0000
commit	1c56856cd7199734aa86359ee17864d86f3a347f (patch)
tree	a0ddc6809fc90f14a9971fd587bb76c4eda7079b
parent	2755840d372bf9b8ddbfe12ab7e34891cc129846 (diff)
download	vboot-1c56856cd7199734aa86359ee17864d86f3a347f.tar.gz