diff options
| author | Hung-Te Lin <hungte@chromium.org> | 2014-04-23 18:09:10 +0800 |
|---|---|---|
| committer | chrome-internal-fetch <chrome-internal-fetch@google.com> | 2014-04-25 01:55:21 +0000 |
| commit | 9fc41a02f5106a318c2e0d02be39b51e45337e77 (patch) | |
| tree | 263b6c4ae9d1b631aef7613c95e2cc5027d34a7d | |
| parent | 841126fec6a0c17540f7b5dddb232a36fe4a06f1 (diff) | |
| download | vboot-stabilize-5807.0.B.tar.gz | |
make_dev_firmware.sh: Correct firmware body size when changing rootkey.stabilize-5807.0.B
make_dev_firmware.sh calls resign_firmwarefd.sh, which extracts rootkey from
input image for checking VBLOCK firmware body size. As a result, we should
resign firmware before changing rootkey / GBB.
BUG=chromium:365738
TEST=Install Nyan/Peppy PreMP-signed firmware, run make_dev_firmware.sh, and
then boot in normal mode.
BRANCH=none
Change-Id: I45dbcacb40b7b77bbf89f1ba244bf7fb25f9ae27
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/196521
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
| -rwxr-xr-x | scripts/image_signing/make_dev_firmware.sh | 53 |
1 files changed, 28 insertions, 25 deletions
diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh index 6e69ac76..c44e6717 100755 --- a/scripts/image_signing/make_dev_firmware.sh +++ b/scripts/image_signing/make_dev_firmware.sh @@ -192,7 +192,34 @@ main() { # valid so that we know keys and vbutil_firmware are all working fine. echo "Preparing new firmware image..." - debug_msg "Extract current HWID and rootkey" + + debug_msg "Resign the firmware code (A/B) with new keys" + # Note resign_firmwarefd.sh needs the original rootkey to determine firmware + # body size, so we must resign image before changing GBB rootkey. + + local unsigned_image="$(make_temp_file)" + local optional_opts="" + if [ -n "$FLAGS_preamble_flags" ]; then + # optional_opts: VERSION FLAGS + debug_msg "Setting new VERSION=1, FLAGS=$FLAGS_preamble_flags" + optional_opts="1 $FLAGS_preamble_flags" + fi + cp -f "$IMAGE" "$unsigned_image" + "$SCRIPT_BASE/resign_firmwarefd.sh" \ + "$unsigned_image" \ + "$IMAGE" \ + "$firmware_prvkey" \ + "$firmware_keyblock" \ + "$dev_firmware_prvkey" \ + "$dev_firmware_keyblock" \ + "$kernel_sub_pubkey" \ + $optional_opts >"$EXEC_LOG" 2>&1 || + err_die "Failed to re-sign firmware. (message: $(cat "$EXEC_LOG"))" + if is_debug_mode; then + cat "$EXEC_LOG" + fi + + debug_msg "Extract current HWID" local old_hwid old_hwid="$(gbb_utility --get --hwid "$IMAGE" 2>"$EXEC_LOG" | sed -rne 's/^hardware_id: (.*)$/\1/p')" @@ -228,30 +255,6 @@ main() { echo "Warning: GBB flags ($old_gbb_flags -> $new_gbb_flags) can't be set." fi - debug_msg "Resign the firmware code (A/B) with new keys" - local unsigned_image="$(make_temp_file)" - local optional_opts="" - if [ -n "$FLAGS_preamble_flags" ]; then - # optional_opts: VERSION FLAGS - debug_msg "Setting new VERSION=1, FLAGS=$FLAGS_preamble_flags" - optional_opts="1 $FLAGS_preamble_flags" - fi - cp -f "$IMAGE" "$unsigned_image" - # TODO(hungte) derive kernel key and preamble flag from existing firmware - "$SCRIPT_BASE/resign_firmwarefd.sh" \ - "$unsigned_image" \ - "$IMAGE" \ - "$firmware_prvkey" \ - "$firmware_keyblock" \ - "$dev_firmware_prvkey" \ - "$dev_firmware_keyblock" \ - "$kernel_sub_pubkey" \ - $optional_opts >"$EXEC_LOG" 2>&1 || - err_die "Failed to re-sign firmware. (message: $(cat "$EXEC_LOG"))" - if is_debug_mode; then - cat "$EXEC_LOG" - fi - # TODO(hungte) compare if the image really needs to be changed. debug_msg "Check if we need to make backup file(s)" |