authorVadim Bendebury <vbendeb@chromium.org>2022-11-21 15:01:03 -0800
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-12-01 02:59:48 +0000
commit68d9ba190fe8a68f8cdd0fb0e20a38433def1984 (patch)
tree4b237bbaa649328d5e22ba7e308928c5ce4057cc
parentf3de19ddfc9bc14fd44a032ae835af2e9a977361 (diff)
ap_ro_signing: do not sign unless RO_GSCVD present
The sign_official_build.sh script uses the presence of the AP RO verification keys as the indicator that AP RO verification signing is required. But it is possible to have the keys created while the AP firmware image still does not have the RO_GSCVD section in FMAP. Using the presence of the RO_GSCVD section is a more reliable indicator of the need to sign for AP RO verification. Let's use it and fail the signer if the section is present, but the AP RO signing keys are not found in the keys directory. BRANCH=none BUG=b:259965578 TEST=removed the generated arv_root key and tried signing an image requiring AP RO verification signing, observed the script terminate with error reporting the missing key Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Change-Id: I4ad3272fb62a91154458d3b770b2c91a2beffc5b Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4045049 Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh60
1 files changed, 33 insertions, 27 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 7c2f6949..a8586b34 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -570,36 +570,42 @@ resign_firmware_payload() {
echo "After setting GBB on ${bios_path}: md5 =" \
$(md5sum ${bios_path} | awk '{print $1}')
- if [[ -n ${brand_code} ]]; then
- local arv_root="${KEY_DIR}/arv_root.vbpubk"
-
- if [[ -f ${arv_root} ]]; then
- # Resign the RO_GSCVD FMAP area.
- if [[ -z ${shellball_keyset_dir} ]]; then
- extra_args=()
- else
- extra_args=( --gscvd_out
- "${shellball_keyset_dir}/gscvd.${output_name}" )
- fi
- full_command=(
- "${FUTILITY}" gscvd
- --keyblock "${KEY_DIR}/arv_platform.keyblock"
- --platform_priv "${KEY_DIR}/arv_platform.vbprivk"
- --board_id "${brand_code}"
- --root_pub_key "${arv_root}"
- "${extra_args[@]}"
- "${bios_path}"
- )
- echo "Setting RO_GSCVD with: ${full_command[*]}"
- "${full_command[@]}"
+ # Do not attempt AP RO verification signing if the image FMAP does not
+ # include the RO_GSCVD section.
+ if futility dump_fmap -p "${bios_path}" | grep -q RO_GSCVD; then
+ local arv_root
- echo "After signing RO_GSCVD on ${bios_path}: md5 =" \
- "$(md5sum "${bios_path}" | awk '{print $1}')"
- else
- echo "No AP RO verification keys, skipping GSCVD signing"
+ if [[ -z ${brand_code} ]]; then
+ die "No brand code for ${bios_path} in signer_config.csv"
fi
+
+ arv_root="${KEY_DIR}/arv_root.vbpubk"
+ if [[ ! -f ${arv_root} ]]; then
+ die "No AP RO verification keys, could not create RO_GSCVD"
+ fi
+
+ # Resign the RO_GSCVD FMAP area.
+ full_command=(
+ "${FUTILITY}" gscvd
+ --keyblock "${KEY_DIR}/arv_platform.keyblock"
+ --platform_priv "${KEY_DIR}/arv_platform.vbprivk"
+ --board_id "${brand_code}"
+ --root_pub_key "${arv_root}"
+ "${bios_path}"
+ )
+ if [[ -n ${shellball_keyset_dir} ]]; then
+ full_command+=(
+ --gscvd_out
+ "${shellball_keyset_dir}/gscvd.${output_name}"
+ )
+ fi
+ echo "Setting RO_GSCVD with: ${full_command[*]}"
+ "${full_command[@]}"
+
+ echo "After signing RO_GSCVD on ${bios_path}: md5 =" \
+ "$(md5sum "${bios_path}" | awk '{print $1}')"
else
- warn "No brand code for ${bios_path} in signer_config.csv"
+ echo "No RO_GSCVD section in the image, skipping AP RO signing"
fi
info "Signed firmware image output to ${bios_path}"
done
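Review bot: The RO_GSCVD probe `if futility dump_fmap -p "${bios_path}" | grep -q RO_GSCVD` fails open: if `dump_fmap` itself fails (binary not on PATH, unreadable image), the pipeline is non-zero, the `else` branch runs, and the image leaves the signer without AP RO verification signing and with only an informational message. The probe also calls bare `futility` while the signing command a few lines below uses `"${FUTILITY}"`, so the two may not resolve to the same binary. If the script enables `pipefail` (not visible in this hunk), `grep -q` exiting on its first match can turn a positive result into a non-zero pipeline through SIGPIPE, and the unanchored pattern would also accept a longer section name that merely contains RO_GSCVD. I would capture the FMAP listing first, `die` when it cannot be read, and match the name as a whole word, as sketched below; if an image without an FMAP is legitimate at this point, that case needs its own explicit branch. resign_firmware_payload begins before this hunk, so the surrounding loop is not fully visible here.

```shell
    local arv_root fmap_sections

    # Separate "could not read the FMAP" from "section not present".
    fmap_sections="$("${FUTILITY}" dump_fmap -p "${bios_path}")" ||
      die "Could not read FMAP of ${bios_path}"

    if grep -qw RO_GSCVD <<<"${fmap_sections}"; then
      # … unchanged: brand code check, arv_root check, gscvd signing …
```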