authorReka Norman <rekanorman@google.com>2023-03-03 11:39:53 +1100
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-03-09 07:08:43 +0000
commit83315261e69bec0f2a1a4c9de8317ba0c9c84975 (patch)
tree4b98a39763622d12267f3d1b0673b60891c24b92
parentbba8c8e143560c1c82f413fda1c21cdc6d87c571 (diff)
sign_official_build: Don't sign miniOS kernels in factory shimsstabilize-15381.B
Factory shims contain miniOS kernels, but they are not used, so don't sign them. They will remain in the image signed with dev keys. BRANCH=None BUG=None TEST=Run sign_official_build.sh on factory shim. Logs show miniOS kernels are not signed, and shim still boots. Change-Id: I4a1b72726edb7d780a3f2c2fe783f568a012ee77 Signed-off-by: Reka Norman <rekanorman@google.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4321706 Tested-by: Reka Norman <rekanorman@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Commit-Queue: Reka Norman <rekanorman@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh12
1 files changed, 7 insertions, 5 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index de73504a..896f2b13 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -1203,9 +1203,11 @@ sign_image_file() {
"${kernC_privkey}"
fi
fi
- if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
- "${minios_privkey}"; then
- return 1
+ if [[ -n "${minios_keyblock}" ]]; then
+ if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
+ "${minios_privkey}"; then
+ return 1
+ fi
fi
if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then
# Error is already logged.
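Review bot: When `minios_keyblock` is empty, the new guard in sign_image_file skips resign_minios_kernels without writing anything to the log, so the signer output does not record that the miniOS partitions kept their existing (dev-key) signature. An explicit line on the skip path would make that auditable, for example `else info "Not signing miniOS kernels: no keyblock given."`, assuming the script's usual `info` helper is in scope here. The guard also tests only the keyblock. A call that supplies a keyblock but an empty `minios_privkey` still reaches resign_minios_kernels, so it may be worth rejecting that mismatch up front. sign_image_file starts and ends outside this hunk.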
@@ -1280,8 +1282,8 @@ elif [[ "${TYPE}" == "factory" ]]; then
"${KEY_DIR}/installer_kernel_data_key.vbprivk" \
"" \
"" \
- "${KEY_DIR}/minios_kernel.keyblock" \
- "${KEY_DIR}/minios_kernel_data_key.vbprivk"
+ "" \
+ ""
elif [[ "${TYPE}" == "firmware" ]]; then
if [[ -e "${KEY_DIR}/loem.ini" ]]; then
die "LOEM signing not implemented yet for firmware images"
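Review bot: The factory branch now ends in four consecutive `""` arguments, and nothing at the call site says which two are the miniOS keyblock and private key or that leaving them empty is deliberate. A short comment above the last two would keep a later edit from misaligning the positional arguments or "fixing" the blanks, for example `# miniOS kernels are unused in factory shims; leave them signed with dev keys.`. The result is an officially signed shim that still carries dev-signed kernels, so the comment could also name whatever guarantees those partitions are never booted; that guarantee is not visible in this hunk. The sign_image_file call begins above the hunk.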