author | Reka Norman <rekanorman@google.com> | 2023-03-03 11:39:53 +1100 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-03-09 07:08:43 +0000 |
commit | 83315261e69bec0f2a1a4c9de8317ba0c9c84975 (patch) | |
tree | 4b98a39763622d12267f3d1b0673b60891c24b92 | |
parent | bba8c8e143560c1c82f413fda1c21cdc6d87c571 (diff) | |
download | vboot-83315261e69bec0f2a1a4c9de8317ba0c9c84975.tar.gz |
sign_official_build: Don't sign miniOS kernels in factory shimsstabilize-15381.B
Factory shims contain miniOS kernels, but they are not used, so don't
sign them. They will remain in the image signed with dev keys.
BRANCH=None
BUG=None
TEST=Run sign_official_build.sh on factory shim. Logs show miniOS
kernels are not signed, and shim still boots.
Change-Id: I4a1b72726edb7d780a3f2c2fe783f568a012ee77
Signed-off-by: Reka Norman <rekanorman@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4321706
Tested-by: Reka Norman <rekanorman@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Reka Norman <rekanorman@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index de73504a..896f2b13 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -1203,9 +1203,11 @@ sign_image_file() {
 "${kernC_privkey}"
 fi
 fi
- if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
- "${minios_privkey}"; then
- return 1
+ if [[ -n "${minios_keyblock}" ]]; then
+ if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
+ "${minios_privkey}"; then
+ return 1
+ fi
 fi
 if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then
 # Error is already logged.
@@ -1280,8 +1282,8 @@ elif [[ "${TYPE}" == "factory" ]]; then
 "${KEY_DIR}/installer_kernel_data_key.vbprivk" \
 "" \
 "" \
- "${KEY_DIR}/minios_kernel.keyblock" \
- "${KEY_DIR}/minios_kernel_data_key.vbprivk"
+ "" \
+ ""
 elif [[ "${TYPE}" == "firmware" ]]; then
 if [[ -e "${KEY_DIR}/loem.ini" ]]; then
 die "LOEM signing not implemented yet for firmware images" |
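Review bot: The new guard `if [[ -n "${minios_keyblock}" ]]; then` in sign_image_file skips miniOS signing silently and checks only the keyblock, not `${minios_privkey}`. In a release-signing script an empty keyblock argument then fails open: the image keeps whatever signature the miniOS kernels already carry (dev keys, per the commit message) and the function still returns success. I would record the skip with an `else` branch such as `info "Not signing miniOS kernels: no keyblock given"` (or whichever log helper the script already uses), and reject the case where only one of the two arguments is set. sign_image_file begins and ends outside this hunk, so whether callers other than the factory branch can ever pass an empty value is not visible here.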
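Review bot: The factory branch's call now ends in four consecutive `""` arguments, and nothing at the call site says which pair is the miniOS keyblock and private key or that leaving them empty is deliberate. Because the effect is that the shim's miniOS kernels ship with dev-key signatures, the reason should be recorded next to the call, for example `# miniOS keyblock/privkey intentionally empty: factory shims do not use miniOS, so those kernels stay dev-signed.` The call starts outside the hunk, and a comment cannot sit between the backslash-continued lines, so it belongs above the first line of the call.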