author | Nicholas Bishop <nicholasbishop@google.com> | 2022-12-06 19:56:36 -0500 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-12-15 10:22:44 +0000 |
commit | c4102fe4eef8c0539c03d60c7256fd4bc599bf4a (patch) | |
tree | 95c7dfb32ed6868cae4850145359f63b1aec37a9 | |
parent | 47594a266056d8fc0acc94b3fdf39c261086a0f3 (diff) | |
Replace sign_uefi.sh with sign_uefi.py (refs: stabilize-quickfix-15278.72.B, stabilize-15278.64.B, release-R110-15278.B)
Remove the sign_uefi.sh script and call sign_uefi.py instead. This is in
a separate commit from the one adding the Python script in case we need
to revert.
Test command:
platform/vboot_reference/scripts/image_signing/sign_official_build.sh \
base build/images/reven/latest/chromiumos_test_image.bin \
platform/vboot_reference/tests/devkeys \
build/images/reven/latest/chromiumos_test_image.bin.signed
BRANCH=none
BUG=b:261631233
TEST=Run test command above, verify expected files are signed
Change-Id: Icf59b6b1a36acf6332cd6f402ef6072b99c44796
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4083507
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 4 | ||||
-rwxr-xr-x | scripts/image_signing/sign_uefi.sh | 113 |
2 files changed, 2 insertions, 115 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index a8586b34..34258b3a 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -735,12 +735,12 @@ sign_uefi_binaries() {
     # change the glob so that they don't get resigned.
     efi_glob="grub*.efi"
   fi
-  "${SCRIPT_DIR}/sign_uefi.sh" "${esp_dir}" "${KEY_DIR}/uefi" "${efi_glob}"
+  "${SCRIPT_DIR}/sign_uefi.py" "${esp_dir}" "${KEY_DIR}/uefi" "${efi_glob}"
   sudo umount "${esp_dir}"
 
   local rootfs_dir="$(make_temp_dir)"
   mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
-  "${SCRIPT_DIR}/sign_uefi.sh" "${rootfs_dir}/boot" "${KEY_DIR}/uefi" \
+  "${SCRIPT_DIR}/sign_uefi.py" "${rootfs_dir}/boot" "${KEY_DIR}/uefi" \
     "${efi_glob}"
   sudo umount "${rootfs_dir}"
 
diff --git a/scripts/image_signing/sign_uefi.sh b/scripts/image_signing/sign_uefi.sh
deleted file mode 100755
index 1bd0c2b1..00000000
--- a/scripts/image_signing/sign_uefi.sh
+++ /dev/null
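Review bot: Neither of the two new `sign_uefi.py` invocations checks its exit status, so whether a failed signing run aborts the image build depends on sign_official_build.sh running under `set -e`, which is not visible in this hunk. The shell script being removed only `warn`ed when sbsign failed and left the unsigned binary in place, and nothing in the commit says whether the Python replacement turns that into a hard failure, so an unsigned bootloader or kernel could still end up in a "signed" image. Consider an explicit guard on each call, e.g. `"${SCRIPT_DIR}/sign_uefi.py" "${esp_dir}" "${KEY_DIR}/uefi" "${efi_glob}" || die "UEFI signing failed for ${esp_dir}"` (assuming common.sh's `die` is in scope here as it was in the deleted script), and a sentence in the commit message stating the failure semantics of sign_uefi.py. The enclosing sign_uefi_binaries function starts and ends outside the hunk.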
@@ -1,113 +0,0 @@
-#!/bin/bash
-# Copyright 2018 The ChromiumOS Authors
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-. "$(dirname "$0")/common.sh"
-
-set -e
-
-usage() {
-  cat <<EOF
-Usage: $PROG /path/to/target/dir /path/to/uefi/keys/dir efi_glob
-
-Sign the UEFI binaries in the target directory.
-The target directory can be either the root of ESP or /boot of root filesystem.
-EOF
-  if [[ $# -gt 0 ]]; then
-    error "$*"
-    exit 1
-  fi
-  exit 0
-}
-
-# Signs an EFI binary file, if possible.
-# Args: TARGET_FILE TEMP_DIR PRIVATE_KEY SIGN_CERT VERIFY_CERT
-sign_efi_file() {
-  local target="$1"
-  local temp_dir="$2"
-  local priv_key="$3"
-  local sign_cert="$4"
-  local verify_cert="$5"
-  if [[ -z "${verify_cert}" ]]; then
-    verify_cert="${sign_cert}"
-  fi
-
-  info "Signing efi file ${target}"
-  sudo sbattach --remove "${target}" || true
-  local signed_file="${temp_dir}/$(basename "${target}")"
-  sbsign --key="${priv_key}" --cert="${sign_cert}" \
-    --output="${signed_file}" "${target}" || warn "Cannot sign ${target}"
-  if [[ -f "${signed_file}" ]]; then
-    sudo cp -f "${signed_file}" "${target}"
-    sbverify --cert "${verify_cert}" "${target}" || die "Verification failed"
-  fi
-}
-
-main() {
-  local target_dir="$1"
-  local key_dir="$2"
-  local efi_glob="$3"
-
-  if [[ $# -ne 3 ]]; then
-    usage "command takes exactly 3 args"
-  fi
-
-  if ! type -P sbattach &>/dev/null; then
-    die "Cannot sign UEFI binaries (sbattach not found)."
-  fi
-  if ! type -P sbsign &>/dev/null; then
-    die "Cannot sign UEFI binaries (sbsign not found)."
-  fi
-  if ! type -P sbverify &>/dev/null; then
-    die "Cannot sign UEFI binaries (sbverify not found)."
-  fi
-
-  local bootloader_dir="${target_dir}/efi/boot"
-  local syslinux_dir="${target_dir}/syslinux"
-  local kernel_dir="${target_dir}"
-
-  local verify_cert="${key_dir}/db/db.pem"
-  if [[ ! -f "${verify_cert}" ]]; then
-    die "No verification cert: ${verify_cert}"
-  fi
-
-  local sign_cert="${key_dir}/db/db.children/db_child.pem"
-  if [[ ! -f "${sign_cert}" ]]; then
-    die "No signing cert: ${sign_cert}"
-  fi
-
-  local sign_key="${key_dir}/db/db.children/db_child.rsa"
-  if [[ ! -f "${sign_key}" ]]; then
-    die "No signing key: ${sign_key}"
-  fi
-
-  local working_dir="$(make_temp_dir)"
-
-  local efi_file
-  # Leave ${efi_glob} unquoted so that globbing occurs.
-  for efi_file in "${bootloader_dir}"/${efi_glob}; do
-    if [[ ! -f "${efi_file}" ]]; then
-      continue
-    fi
-    sign_efi_file "${efi_file}" "${working_dir}" \
-      "${sign_key}" "${sign_cert}" "${verify_cert}"
-  done
-
-  local syslinux_kernel_file
-  for syslinux_kernel_file in "${syslinux_dir}"/vmlinuz.?; do
-    if [[ ! -f "${syslinux_kernel_file}" ]]; then
-      continue
-    fi
-    sign_efi_file "${syslinux_kernel_file}" "${working_dir}" \
-      "${sign_key}" "${sign_cert}" "${verify_cert}"
-  done
-
-  local kernel_file="$(readlink -f "${kernel_dir}/vmlinuz")"
-  if [[ -f "${kernel_file}" ]]; then
-    sign_efi_file "${kernel_file}" "${working_dir}" \
-      "${sign_key}" "${sign_cert}" "${verify_cert}"
-  fi
-}
-
-main "$@"