diff options
author | Joel Kitching <kitching@google.com> | 2021-06-26 07:31:07 +0800 |
---|---|---|
committer | Mike Frysinger <vapier@chromium.org> | 2021-07-23 18:49:44 +0000 |
commit | 1c56856cd7199734aa86359ee17864d86f3a347f (patch) | |
tree | a0ddc6809fc90f14a9971fd587bb76c4eda7079b /scripts | |
parent | 2755840d372bf9b8ddbfe12ab7e34891cc129846 (diff) | |
download | vboot-1c56856cd7199734aa86359ee17864d86f3a347f.tar.gz |
Reland "vboot/sign_official_build: re-sign miniOS partitions"
This is a reland of 43325cb9b2568c4a03c849f3474fcee8de3ae893
Looks like this was reverted incorrectly in CL:3044633, culprit
turned out to be an unrelated flake (see b/194293181).
Original change's description:
> vboot/sign_official_build: re-sign miniOS partitions
>
> sign_official_build.sh needs to be taught how to re-sign miniOS
> partitions, depending on whether the particular image at hand
> contains them or not.
>
> BUG=b:188121855
> TEST=make clean && make runtests
> BRANCH=none
>
> Cq-Depend: chromium:3027786
> Signed-off-by: Joel Kitching <kitching@google.com>
> Change-Id: Iaf847e14588011dd0fea6b59405091ae36ef038f
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989640
> Tested-by: Joel Kitching <kitching@chromium.org>
> Reviewed-by: Mike Frysinger <vapier@chromium.org>
> Commit-Queue: Joel Kitching <kitching@chromium.org>
Bug: b:188121855
Signed-off-by: Julius Werner <jwerner@google.com>
Change-Id: I2e29a6e85f7d41ad365365ffb7e694f0c291d4f3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3046439
Reviewed-by: Sergey Frolov <sfrolov@google.com>
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Julius Werner <jwerner@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 65 |
1 files changed, 62 insertions, 3 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 92c9a3f3..88c58d8d 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -15,6 +15,8 @@ # e2fsck # sha1sum +MINIOS_KERNEL_GUID="09845860-705f-4bb5-b16c-8a8a099caf52" + # Load common constants and variables. . "$(dirname "$0")/common.sh" @@ -885,6 +887,49 @@ update_recovery_kernel_hash() { --config ${new_kerna_config} } +# Re-sign miniOS kernels with new keys. +# Args: LOOPDEV KEYBLOCK PRIVKEY +resign_minios_kernels() { + local loopdev="$1" + local keyblock="$2" + local priv_key="$3" + + info "Searching for miniOS kernels to resign..." + + local loop_kern + for loop_kern in "${loopdev}p"*; do + local part_type_guid=$(sudo lsblk -rnb -o PARTTYPE "${loop_kern}") + if [[ "${part_type_guid}" != "${MINIOS_KERNEL_GUID}" ]]; then + continue + fi + + # Delay checking that keyblock and private key exist until we are certain + # of a valid miniOS partition. Images that don't support miniOS might not + # provide these. (This check is repeated twice, but that's okay.) + if [[ ! -e "${keyblock}" ]]; then + error "Resign miniOS: keyblock doesn't exist: ${keyblock}" + return 1 + fi + if [[ ! -e "${priv_key}" ]]; then + error "Resign miniOS: private key doesn't exist: ${priv_key}" + return 1 + fi + + # Assume this is a miniOS kernel. + local minios_kernel_version=$((KERNEL_VERSION >> 24)) + if sudo ${FUTILITY} vbutil_kernel --repack "${loop_kern}" \ + --keyblock "${keyblock}" \ + --signprivate "${priv_key}" \ + --version "${minios_kernel_version}" \ + --oldblob "${loop_kern}"; then + info "Resign miniOS ${loop_kern}: done" + else + error "Resign miniOS ${loop_kern}: failed" + return 1 + fi + done +} + # Update the legacy bootloader templates in EFI partition if available. # Args: LOOPDEV KERNEL update_legacy_bootloader() { @@ -932,7 +977,7 @@ update_legacy_bootloader() { # Sign an image file with proper keys. # Args: IMAGE_TYPE INPUT OUTPUT DM_PARTNO KERN_A_KEYBLOCK KERN_A_PRIVKEY \ -# KERN_B_KEYBLOCK KERN_B_PRIVKEY +# KERN_B_KEYBLOCK KERN_B_PRIVKEY MINIOS_KEYBLOCK MINIOS_PRIVKEY # # A ChromiumOS image file (INPUT) always contains 2 partitions (kernel A & B). # This function will rebuild hash data by DM_PARTNO, resign kernel partitions by @@ -949,6 +994,8 @@ sign_image_file() { local kernA_privkey="$6" local kernB_keyblock="$7" local kernB_privkey="$8" + local minios_keyblock="$9" + local minios_privkey="${10}" info "Preparing ${image_type} image..." cp --sparse=always "${input}" "${output}" @@ -982,6 +1029,10 @@ sign_image_file() { if [[ "${image_type}" == "recovery" ]]; then update_recovery_kernel_hash "${loopdev}" fi + if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \ + "${minios_privkey}"; then + return 1 + fi if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then # Error is already logged. return 1 @@ -1028,20 +1079,28 @@ info "Using kernel version: ${KERNEL_VERSION}" # Make all modifications on output copy. if [[ "${TYPE}" == "base" ]]; then sign_image_file "base" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \ - "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" \ - "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" + "${KEY_DIR}/kernel.keyblock" \ + "${KEY_DIR}/kernel_data_key.vbprivk" \ + "${KEY_DIR}/kernel.keyblock" \ + "${KEY_DIR}/kernel_data_key.vbprivk" \ + "${KEY_DIR}/minios_kernel.keyblock" \ + "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "recovery" ]]; then sign_image_file "recovery" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 4 \ "${KEY_DIR}/recovery_kernel.keyblock" \ "${KEY_DIR}/recovery_kernel_data_key.vbprivk" \ "${KEY_DIR}/kernel.keyblock" \ "${KEY_DIR}/kernel_data_key.vbprivk" + "${KEY_DIR}/minios_kernel.keyblock" \ + "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "factory" ]]; then sign_image_file "factory_install" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \ "${KEY_DIR}/installer_kernel.keyblock" \ "${KEY_DIR}/installer_kernel_data_key.vbprivk" \ "${KEY_DIR}/kernel.keyblock" \ "${KEY_DIR}/kernel_data_key.vbprivk" + "${KEY_DIR}/minios_kernel.keyblock" \ + "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "firmware" ]]; then if [[ -e "${KEY_DIR}/loem.ini" ]]; then die "LOEM signing not implemented yet for firmware images" |