authorNicholas Bishop <nicholasbishop@google.com>2021-11-04 17:00:15 -0400
committerCommit Bot <commit-bot@chromium.org>2021-11-08 17:12:51 +0000
commit4200cb21c7f6c79dacee511400c88994bca5cf7f (patch)
tree5379a8536be1b5d956bc54446e553c73429fb44b
parentf5deada0fcabe07115fe6797bffe7c2e3b1217b1 (diff)
image_signing: skip signing of boot*.efi on reven board (stabilize-14345.B, stabilize-14336.B, stabilize-14333.B)
The reven board's first stage bootloader (bootia32.efi/bootx64.efi) is signed by Microsoft so that it can boot with the default UEFI Secure Boot keys. These two files should not be modified by the signing scripts. Implement this by adding a third argument to sign_uefi.sh, "efi_glob". This argument is set to "*.efi" by default, maintaining the existing behavior. If the key dir matches "*Reven*", the glob is changed to "grub*.efi". Tested by running sign_official_build.sh on a reven base image, once with a keys dir matching "*Reven*", once with it not matching. When the keys dir matches Reven, grub*.efi is signed but boot*.efi is not. When the keys dir does not match Reven, both grub*.efi and boot*.efi are signed: Matching "*Reven*": platform/vboot_reference/scripts/image_signing/sign_official_build.sh \ base build/images/reven/latest/chromiumos_base_image.bin \ platform/vboot_reference/tests/Reven \ build/images/reven/latest/chromiumos_base_image.bin.signed Not matching: platform/vboot_reference/scripts/image_signing/sign_official_build.sh \ base build/images/reven/latest/chromiumos_base_image.bin \ platform/vboot_reference/tests/devkeys \ build/images/reven/latest/chromiumos_base_image.bin.signed BUG=b:205145491 TEST=Build a reven base image and test as described above BRANCH=none Change-Id: Iec2800c276ca82bfd6e5b465ff821b11e0b0bb08 Signed-off-by: Nicholas Bishop <nicholasbishop@google.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3262479 Reviewed-by: Joseph Sussman <josephsussman@google.com>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh10
-rwxr-xr-xscripts/image_signing/sign_uefi.sh10
2 files changed, 14 insertions, 6 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index d96250d1..d35db6f7 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -711,6 +711,7 @@ resign_android_image_if_exists() {
# Args: LOOPDEV
sign_uefi_binaries() {
local loopdev="$1"
+ local efi_glob="*.efi"
if [[ ! -d "${KEY_DIR}/uefi" ]]; then
return 0
@@ -727,13 +728,18 @@ sign_uefi_binaries() {
# in the signing repo. This is a temporary fix to unblock reven-release.
if [[ "${KEY_DIR}" != *"Reven"* ]]; then
"${SCRIPT_DIR}/install_gsetup_certs.sh" "${esp_dir}" "${KEY_DIR}/uefi"
+ else
+ # b/205145491: the reven board's boot*.efi files are already signed,
+ # change the glob so that they don't get resigned.
+ efi_glob="grub*.efi"
fi
- "${SCRIPT_DIR}/sign_uefi.sh" "${esp_dir}" "${KEY_DIR}/uefi"
+ "${SCRIPT_DIR}/sign_uefi.sh" "${esp_dir}" "${KEY_DIR}/uefi" "${efi_glob}"
sudo umount "${esp_dir}"
local rootfs_dir="$(make_temp_dir)"
mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
- "${SCRIPT_DIR}/sign_uefi.sh" "${rootfs_dir}/boot" "${KEY_DIR}/uefi"
+ "${SCRIPT_DIR}/sign_uefi.sh" "${rootfs_dir}/boot" "${KEY_DIR}/uefi" \
+ "${efi_glob}"
sudo umount "${rootfs_dir}"
info "Signed UEFI binaries"
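Review bot: Whether boot*.efi is left unsigned is decided purely by a substring match on the key directory path (`if [[ "${KEY_DIR}" != *"Reven"* ]]`), so a keyset whose path happens to contain "Reven" silently skips both the gsetup cert install and the signing of the first-stage loader, while a reven keyset stored under another name would re-sign the Microsoft-signed files and break Secure Boot on that board. Since the existing comment already calls this a temporary fix, the new else branch is the place to make the skip fail closed: before calling sign_uefi.sh, check that each `boot*.efi` in `${esp_dir}` already carries a signature (sbverify from sbsigntools, which sign_uefi.sh already assumes via its sbattach check) and abort otherwise, so an unsigned loader cannot ship unnoticed. I would also make the new comment say what is being trusted: `# The reven first-stage loaders (bootia32.efi/bootx64.efi) are already Microsoft-signed; resigning them would break boot under the default Secure Boot keys.` The opening lines of sign_uefi_binaries are in the previous hunk.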
diff --git a/scripts/image_signing/sign_uefi.sh b/scripts/image_signing/sign_uefi.sh
index 6deb2804..a053a4a0 100755
--- a/scripts/image_signing/sign_uefi.sh
+++ b/scripts/image_signing/sign_uefi.sh
@@ -9,7 +9,7 @@ set -e
usage() {
cat <<EOF
-Usage: $PROG /path/to/target/dir /path/to/uefi/keys/dir
+Usage: $PROG /path/to/target/dir /path/to/uefi/keys/dir efi_glob
Sign the UEFI binaries in the target directory.
The target directory can be either the root of ESP or /boot of root filesystem.
@@ -47,9 +47,10 @@ sign_efi_file() {
main() {
local target_dir="$1"
local key_dir="$2"
+ local efi_glob="$3"
- if [[ $# -ne 2 ]]; then
- usage "command takes exactly 2 args"
+ if [[ $# -ne 3 ]]; then
+ usage "command takes exactly 3 args"
fi
if ! type -P sbattach &>/dev/null; then
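Review bot: The third argument is now mandatory (`if [[ $# -ne 3 ]]`), which contradicts the commit message's statement that efi_glob defaults to "*.efi": the default exists only in sign_official_build.sh, so any other two-argument invocation of sign_uefi.sh now fails with the usage error. Keeping the default inside the script preserves old callers: `local efi_glob="${3:-*.efi}"` together with `if [[ $# -lt 2 || $# -gt 3 ]]; then` and `usage "command takes 2 or 3 args"`. The usage text in the hunk above would then show `[efi_glob]`, and a one-line description of the argument (a filename glob, relative to the bootloader directory, selecting which binaries to sign) would help, since the usage block currently only names it. Note also that `$3` is read before the argument count is checked; with the `set -e` visible in the file header that is harmless, but it would abort before the usage message if `set -u` were ever added. main's body continues in the next hunk.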
@@ -84,7 +85,8 @@ main() {
local working_dir="$(make_temp_dir)"
local efi_file
- for efi_file in "${bootloader_dir}"/*.efi; do
+ # Leave ${efi_glob} unquoted so that globbing occurs.
+ for efi_file in "${bootloader_dir}"/${efi_glob}; do
if [[ ! -f "${efi_file}" ]]; then
continue
fi
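Review bot: The deliberately unquoted `${efi_glob}` on the for line is subject to word-splitting as well as globbing, and a pattern that matches nothing is kept literally; the latter is already handled by the `-f` test that follows, but the former means a pattern containing whitespace expands into several words, and a caller-supplied pattern containing a slash would make the loop sign files outside `${bootloader_dir}`. A cheap guard near the argument check keeps the loop confined to that directory: `[[ "${efi_glob}" != */* ]] || usage "efi_glob must not contain /"`. The new comment could also record the no-match behaviour so the next reader does not add nullglob and change it: `# Leave ${efi_glob} unquoted so that globbing occurs; a pattern matching nothing stays literal and is skipped by the -f test below.` main starts in an earlier hunk and its body continues past this one.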