authorVadim Bendebury <vbendeb@chromium.org>2022-10-01 10:38:35 -0700
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-12-02 01:19:59 +0000
commitbea2fd0950a304438062fc8a74d0b622a347a987 (patch)
tree8222db04d2b75f10d390fd97fec33787a54e3db9
parent8bd4bd66c529eb000e85296f61959fc9d3a1258c (diff)
downloadvboot-stabilize-15183.69.B.tar.gz
When signing AP RO images, in cases when signer_config.csv manifest includes the brand code column add a futility invocation to sign the RO_GSCVD section of the image. If the <path to unpacked>/keyset directory is found, save the gscvd.<model> blob in that directory. BRANCH=none BUG=b:247652363 TEST=built ChromeOS test image for Nissa, then invoked $ scripts/image_signing/sign_official_build.sh \ base \ ~/trunk/src/build/images/nissa/latest/chromiumos_test_image.bin \ tests/devkeys \ /tmp/signed.bin and observed 'futility gscvd' invocation in the log. Cq-Depend: 3954963 Cq-Depend: 4063101 Change-Id: I55cec75794560662ed2cfb2dac7f44d972a8571f Signed-off-by: Vadim Bendebury <vbendeb@google.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3935034 Commit-Queue: Vadim Bendebury <vbendeb@chromium.org> Tested-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-by: Hung-Te Lin <hungte@chromium.org> Auto-Submit: Vadim Bendebury <vbendeb@chromium.org> Reviewed-by: Yu-Ping Wu <yupingso@chromium.org> (cherry picked from commit befd35f018be4ff6465b15f7bc1bc64c8e65426d) Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4063103 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Tested-by: Knox Chiou <knoxchiou@chromium.org> Commit-Queue: Knox Chiou <knoxchiou@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh30
1 files changed, 29 insertions, 1 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index d1c95c93..49ac33b2 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -456,7 +456,7 @@ resign_firmware_payload() {
info "See go/cros-unibuild-signing for details"
{
read # Burn the first line (header line)
- while IFS="," read -r output_name bios_image key_id ec_image
+ while IFS="," read -r output_name bios_image key_id ec_image brand_code
do
local key_suffix=''
local extra_args=()
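Review bot: `brand_code` is now the last name in the `read -r` list, so it receives everything left on the row, including any extra columns (commas and all) and a trailing carriage return if the manifest was saved with CRLF line endings. The second hunk passes that value unmodified to `--board_id`, so a stray suffix would change the board ID handed to the signer. A throwaway trailing field, `while IFS="," read -r output_name bios_image key_id ec_image brand_code _`, would stop the extra columns from reaching it. A format check on `brand_code` before use would also be needed, because the throwaway field does not catch a carriage return when the brand code is the last column. The loop body continues outside this hunk.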
@@ -574,6 +574,34 @@ resign_firmware_payload() {
echo "After setting GBB on ${bios_path}: md5 =" \
$(md5sum ${bios_path} | awk '{print $1}')
+ if [[ -n ${brand_code} ]]; then
+ # Resign the RO_GSCVD FMAP area.
+ if [[ -z ${shellball_keyset_dir} ]]; then
+ extra_args=()
+ else
+ extra_args=( --gscvd_out
+ "${shellball_keyset_dir}/gscvd.${output_name}" )
+ fi
+ echo "Setting RO_GSCVD with: ${FUTILITY} gscvd" \
+ --keyblock "${KEY_DIR}/arv_platform.keyblock" \
+ --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \
+ --board_id "${brand_code}" \
+ --root_pub_key "${KEY_DIR}/arv_root.vbpubk" \
+ "${extra_args[@]}" \
+ "${bios_path}"
+ ${FUTILITY} gscvd \
+ --keyblock "${KEY_DIR}/arv_platform.keyblock" \
+ --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \
+ --board_id "${brand_code}" \
+ --root_pub_key "${KEY_DIR}/arv_root.vbpubk" \
+ "${extra_args[@]}" \
+ "${bios_path}"
+
+ echo "After signing RO_GSCVD on ${bios_path}: md5 =" \
+ "$(md5sum "${bios_path}" | awk '{print $1}')"
+ else
+ warn "No brand code for ${bios_path} in signer_config.csv"
+ fi
info "Signed firmware image output to ${bios_path}"
done
unset IFS
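Review bot: The exit status of `${FUTILITY} gscvd` is not checked, so unless the script runs under `set -e` (not visible in this hunk) a failed RO_GSCVD signing still reaches the "After signing RO_GSCVD" md5 line and `info "Signed firmware image output to ${bios_path}"`. For a signing step the failure should be fatal, for example by ending the invocation with `"${bios_path}" || die "Failed to sign RO_GSCVD on ${bios_path}"`, or with whatever fatal helper the script already provides. The `else` branch is also fail-open: an empty `brand_code` only produces a `warn`, so a row that lost its brand code looks the same as a legacy manifest without the column and the image is still reported as signed. Consider making that case an error when the CSV header declares the column. `resign_firmware_payload` starts and ends outside this hunk.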