author | Nicholas Bishop <nicholasbishop@google.com> | 2023-01-30 17:14:04 -0500 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-02-09 02:09:36 +0000 |
commit | 88f6cb9e752f96bf482449193160366ea32541ca (patch) | |
tree | 54d83d5e09a11f91a93b3db94cd16688db7c840d | |
parent | 95608084816fc30764610fc60f40d233a17368ab (diff) | |
sign_official_build: Make reven check more explicit
Add a new get_is_reven() function which uses get_board_from_lsb_release()
to determine the board name. This replaces a glob check against the
KEY_DIR with an exact string match to prevent future accidents (e.g. if
a key set named "Revenator" was added), and also checking against the
board name makes local testing easier (since the test devkeys can be
used without copying to a new "Reven" directory).
Also removed a todo about getting "is reven?" from a config in the
signing repo. The linked bug is closed, and the TODO is 16 months
old now so it's probably fine as-is.
BRANCH=none
BUG=b:256621033
TEST=platform/vboot_reference/scripts/image_signing/sign_official_build.sh
TEST= recovery build/images/reven/latest/chromiumos_image.bin
TEST= platform/vboot_reference/tests/devkeys
TEST= build/images/reven/latest/chromiumos_image.bin.signed
Change-Id: I3586b607447b0f55a4a253d9a4d9c7212889c7d6
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4206907
Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 984d2c11..a2460357 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -714,10 +714,33 @@ resign_android_image_if_exists() {
 set +x
 }
-# Sign UEFI binaries, if possible.
+# Check whether the image's board is reven or not.
 # Args: LOOPDEV
+# Outputs: "true" if the board is reven, otherwise "false".
+get_is_reven() {
+ local loopdev="$1"
+ local rootfs_dir
+ local board
+
+ rootfs_dir=$(make_temp_dir)
+ mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
+
+ board=$(get_board_from_lsb_release "${rootfs_dir}")
+
+ sudo umount "${rootfs_dir}"
+
+ if [[ "${board}" == "reven" ]]; then
+ echo "true"
+ else
+ echo "false"
+ fi
+}
+
+# Sign UEFI binaries, if possible.
+# Args: LOOPDEV IS_REVEN
 sign_uefi_binaries() {
 local loopdev="$1"
+ local is_reven="$2"
 local efi_glob="*.efi"
 if [[ ! -d "${KEY_DIR}/uefi" ]]; then
@@ -731,9 +754,7 @@ sign_uefi_binaries() {
 elif [[ -z "${esp_dir}" ]]; then
 return 0
 fi
- # TODO(b/199136347): First class this as an arg and pass from config
- # in the signing repo. This is a temporary fix to unblock reven-release.
- if [[ "${KEY_DIR}" != *"Reven"* ]]; then
+ if [[ "${is_reven}" == "false" ]]; then
 "${SCRIPT_DIR}/install_gsetup_certs.sh" "${esp_dir}" "${KEY_DIR}/uefi"
 else
 # b/205145491: the reven board's boot*.efi files are already signed, 
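Review bot: In the new get_is_reven(), the `sudo umount "${rootfs_dir}"` only runs on the straight-line path: if get_board_from_lsb_release fails while errexit is active (the script's `set` options are not visible in this hunk), the function exits before the umount and partition 3 of the loop device stays mounted on the temp dir, unless an exit-time cleanup elsewhere in the script handles it. Separately, callers read this function through `$(...)`, so anything a helper prints to stdout would corrupt the "true"/"false" answer; a header comment such as `# Must print nothing but "true"/"false": callers read the result via command substitution.` would make that contract explicit. I would capture the lookup status and unmount before propagating it, as sketched below.
```shell
get_is_reven() {
  local loopdev="$1"
  local rootfs_dir
  local board
  local rv=0

  # … unchanged: make_temp_dir and mount_loop_image_partition …

  # Capture the lookup status so the partition is unmounted on failure too.
  board=$(get_board_from_lsb_release "${rootfs_dir}") || rv=$?

  sudo umount "${rootfs_dir}"
  [[ "${rv}" -eq 0 ]] || return "${rv}"

  # … unchanged: true/false output …
}
```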
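Review bot: The replacement check `if [[ "${is_reven}" == "false" ]]` takes the reven branch for every value other than the literal "false", including an empty string, which is what the caller ends up with when get_is_reven fails inside its command substitution; the result is that install_gsetup_certs.sh is silently skipped for a non-reven image. The removed `KEY_DIR` glob defaulted the other way, installing the certs unless the key set was explicitly Reven, so inverting the test keeps that default: `if [[ "${is_reven}" != "true" ]]; then`. Stricter still, reject any value outside "true"/"false" with an error before reaching this point. sign_uefi_binaries() starts in the previous hunk and its body continues past this one.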
@@ -1031,11 +1052,12 @@ sign_image_file() {
 local loopdev=$(loopback_partscan "${output}")
 local loop_kern="${loopdev}p${dm_partno}"
 local loop_rootfs="${loopdev}p3"
+ local is_reven=$(get_is_reven "${loopdev}")
 resign_firmware_payload "${loopdev}"
 remove_old_container_key "${loopdev}"
 resign_android_image_if_exists "${loopdev}"
- sign_uefi_binaries "${loopdev}"
+ sign_uefi_binaries "${loopdev}" "${is_reven}"
 # We do NOT strip /boot for factory installer, since some devices need it to
 # boot EFI. crbug.com/260512 would obsolete this requirement.
 # |
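Review bot: `local is_reven=$(get_is_reven "${loopdev}")` discards the command substitution's exit status, because the `local` builtin itself returns 0 (ShellCheck SC2155), so if the script runs under errexit a mount or lsb-release failure inside get_is_reven leaves is_reven empty and signing carries on with that value feeding a signing decision. The existing `local loopdev=$(loopback_partscan ...)` line has the same shape, but the new line is the one whose value changes what gets signed. Splitting declaration and assignment lets the failure stop the script: `local is_reven` followed by `is_reven=$(get_is_reven "${loopdev}")`. sign_image_file() begins and ends outside this hunk.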