diff options
| author | Mike Frysinger <vapier@chromium.org> | 2014-06-17 03:16:51 -0400 |
|---|---|---|
| committer | chrome-internal-fetch <chrome-internal-fetch@google.com> | 2014-06-18 01:40:05 +0000 |
| commit | 4521c1f19f3b3f6000bb437140b85389d38bf655 (patch) | |
| tree | db0b5b65f9cf4d1252ac4242fb76a4af8dbc8203 | |
| parent | 51ca0b82a66f416842d97149010b77297ba62998 (diff) | |
| download | vboot-4521c1f19f3b3f6000bb437140b85389d38bf655.tar.gz | |
image_signing: tweak loem firmware signing to have real keys
Rather than leave the default set of keys in the firmware untouched
(which are dev keys), insert the first loem keyset we find. This is
for people who extract the bios.bin by hand and then blindly burn it
into their flash. This way they'll still get some valid loem keys.
It's not a great solution, but it's better than nothing.
BUG=chromium:381862
TEST=signed recovery image by hand w/loemkeys and looked at packed bios.bin
TEST=signed recovery image by hand w/devkeys and looked at packed bios.bin
TEST=signed recovery image by hand w/custom loemkeys and looked at packed bios.bin
BRANCH=none
Change-Id: I8db1e34d9f4d85be6edf81fecf79a72031571b01
Reviewed-on: https://chromium-review.googlesource.com/204262
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
| -rwxr-xr-x | scripts/image_signing/resign_firmwarefd.sh | 20 | ||||
| -rwxr-xr-x | scripts/image_signing/sign_firmware.sh | 43 |
2 files changed, 38 insertions, 25 deletions
diff --git a/scripts/image_signing/resign_firmwarefd.sh b/scripts/image_signing/resign_firmwarefd.sh index 1f9bd219..98dbf8d5 100755 --- a/scripts/image_signing/resign_firmwarefd.sh +++ b/scripts/image_signing/resign_firmwarefd.sh @@ -204,12 +204,11 @@ vbutil_firmware \ --fv "${temp_fwimage_a}" \ --kernelkey "${KERNEL_SUBKEY}" -if [ -z "${LOEMID}" ]; then - # Create a copy of the input image and put in the new vblock for firmware A - cp "${SRC_FD}" "${DST_FD}" - dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwA_vblock_offset}" bs=1 \ - count="${fwA_vblock_size}" conv=notrunc 2>/dev/null -else +# Create a copy of the input image and put in the new vblock for firmware A +cp "${SRC_FD}" "${DST_FD}" +dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwA_vblock_offset}" bs=1 \ + count="${fwA_vblock_size}" conv=notrunc 2>/dev/null +if [ -n "${LOEMID}" ]; then cp "${temp_out_vb}" "${LOEM_OUTPUT_DIR}/vblock_A.${LOEMID}" fi @@ -223,11 +222,10 @@ vbutil_firmware \ --fv "${temp_fwimage_b}" \ --kernelkey "${KERNEL_SUBKEY}" -if [[ -z ${LOEMID} ]]; then - # Destination image has already been created. - dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwB_vblock_offset}" bs=1 \ - count="${fwB_vblock_size}" conv=notrunc 2>/dev/null -else +# Destination image has already been created. +dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwB_vblock_offset}" bs=1 \ + count="${fwB_vblock_size}" conv=notrunc 2>/dev/null +if [ -n "${LOEMID}" ]; then cp "${temp_out_vb}" "${LOEM_OUTPUT_DIR}/vblock_A.${LOEMID}" fi diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh index fa200837..7b9ac944 100755 --- a/scripts/image_signing/sign_firmware.sh +++ b/scripts/image_signing/sign_firmware.sh @@ -26,6 +26,24 @@ EOF exit 1 } +gbb_update() { + local in_firmware="$1" + local key_dir="$2" + local out_firmware="$3" + local rootkey="$4" + + # Replace the root and recovery key in the Google Binary Block of the + # firmware. Note: This needs to happen after calling resign_firmwarefd.sh + # since it needs to be able to verify the firmware using the root key to + # determine the preamble flags. + gbb_utility \ + -s \ + --recoverykey="${key_dir}/recovery_key.vbpubk" \ + --rootkey="${rootkey}" \ + "${in_firmware}" \ + "${out_firmware}" +} + # Sign a single firmware image. # ARGS: [loem_key] [loemid] sign_one() { @@ -45,26 +63,14 @@ sign_one() { "" \ "${loem_output_dir}" \ "${loemid}" - - # Replace the root and recovery key in the Google Binary Block of the - # firmware. Note: This needs to happen after calling resign_firmwarefd.sh - # since it needs to be able to verify the firmware using the root key to - # determine the preamble flags. - local rootkey="${key_dir}/root_key${loem_key}.vbpubk" - local gbb_args=( -s --recoverykey="${key_dir}/recovery_key.vbpubk" ) - if [[ -z ${loemid} ]]; then - gbb_args+=( --rootkey="${rootkey}" "${temp_fw}" ) - else - gbb_args+=( "${in_firmware}" ) - cp "${rootkey}" "${loem_output_dir}/rootkey.${loemid}" - fi - gbb_utility "${gbb_args[@]}" "${out_firmware}" } # Process all the keysets in the loem.ini file. sign_loems() { local line loem_section=false loem_index loemid + local rootkey + rm -f "${out_firmware}" while read line; do # Find the [loem] section. if ! ${loem_section}; then @@ -84,6 +90,13 @@ sign_loems() { echo "### Processing LOEM ${loem_index} ${loemid}" sign_one ".loem${loem_index}" "${loemid}" + + rootkey="${key_dir}/root_key.loem${loem_index}.vbpubk" + cp "${rootkey}" "${loem_output_dir}/rootkey.${loemid}" + + if [[ ! -e ${out_firmware} ]]; then + gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" "${rootkey}" + fi echo done <"${key_dir}/loem.ini" } @@ -108,6 +121,8 @@ main() { sign_loems else sign_one + gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" \ + "${key_dir}/root_key.vbpubk" fi } main "$@" |