diff options
author | Gaurav Shah <gauravsh@chromium.org> | 2011-11-16 10:35:53 -0800 |
---|---|---|
committer | Gaurav Shah <gauravsh@chromium.org> | 2011-11-16 10:50:56 -0800 |
commit | 4c1f3c8e540beab8f44e48877611a01e98fd9a40 (patch) | |
tree | 8f74e9a188d7b2dfa7d7a35f9c1b8a897d461f88 /scripts | |
parent | 0d11efb0dc1d8d2b5eafdd5b65bce82e73fdeecc (diff) | |
download | vboot-4c1f3c8e540beab8f44e48877611a01e98fd9a40.tar.gz |
Replace root and recovery keys in the GBB after firmware sections have been re-signed
resign_firmwarefd.sh needs a verifiable copy of the firmware (and associated root key)
to determine the preamble flag value to use.
BUG=chrome-os-partner:6874
TEST=manually tested resigning a firmware .bin using sign_firmware.sh. Verified correct
preamble flag determination.
Change-Id: Ifb132f54f4891dec4fa7250d3a00e7b4feda24c1
Reviewed-on: https://gerrit.chromium.org/gerrit/11776
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/image_signing/sign_firmware.sh | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh index 1d20e10c..364a8c75 100755 --- a/scripts/image_signing/sign_firmware.sh +++ b/scripts/image_signing/sign_firmware.sh @@ -31,17 +31,21 @@ OUT_FIRMWARE=$3 temp_fw=$(mktemp) trap "rm ${temp_fw}" EXIT -# Replace the root and recovery key in the Google Binary Block of the firmware. -gbb_utility -s \ - --rootkey=${KEY_DIR}/root_key.vbpubk \ - --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ - ${IN_FIRMWARE} ${temp_fw} - # Resign the firmware with new keys -${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_fw} ${OUT_FIRMWARE} \ +${SCRIPT_DIR}/resign_firmwarefd.sh ${IN_FIRMWARE} ${temp_fw} \ ${KEY_DIR}/firmware_data_key.vbprivk \ ${KEY_DIR}/firmware.keyblock \ ${KEY_DIR}/dev_firmware_data_key.vbprivk \ ${KEY_DIR}/dev_firmware.keyblock \ ${KEY_DIR}/kernel_subkey.vbpubk \ ${FIRMWARE_VERSION} + +# Replace the root and recovery key in the Google Binary Block of the firmware. +# Note: This needs to happen after calling resign_firmwarefd.sh since it needs +# to be able to verify the firmware using the root key to determine the preamble +# flags. +gbb_utility -s \ + --rootkey=${KEY_DIR}/root_key.vbpubk \ + --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ + ${temp_fw} ${OUT_FIRMWARE} + |