author | Vadim Bendebury <vbendeb@chromium.org> | 2022-10-01 10:38:35 -0700 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-10-27 22:10:24 +0000 |
commit | 3988f3db003cfe87a9d3925bfe6c1726eeda3529 (patch) | |
tree | 99a9fe72bd61de7ac0a090722bc1d61a2ef4df6e /scripts | |
parent | 148e5b836dc52e8d81bb67f29dea7c81aa3d720f (diff) | |
sign_official_build: add AP RO signing

When signing AP RO images, in cases when signer_config.csv manifest
includes the brand code column add a futility invocation to sign the
RO_GSCVD section of the image. If the <path to unpacked>/keyset
directory is found, save the gscvd.<model> blob in that directory.

BRANCH=none
BUG=b:247652363
TEST=built ChromeOS test image for Nissa, then invoked
  $ scripts/image_signing/sign_official_build.sh \
      base \
      ~/trunk/src/build/images/nissa/latest/chromiumos_test_image.bin \
      tests/devkeys \
      /tmp/signed.bin
  and observed 'futility gscvd' invocation in the log.

Cq-Depend: 3954963
Change-Id: I55cec75794560662ed2cfb2dac7f44d972a8571f
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3935034
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 443c1cc1..61bdffd6 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -456,7 +456,7 @@ resign_firmware_payload() { info "See go/cros-unibuild-signing for details" { read # Burn the first line (header line) - while IFS="," read -r output_name bios_image key_id ec_image + while IFS="," read -r output_name bios_image key_id ec_image brand_code do local key_suffix='' local extra_args=() @@ -574,6 +574,34 @@ resign_firmware_payload() { echo "After setting GBB on ${bios_path}: md5 =" \ $(md5sum ${bios_path} | awk '{print $1}') + if [[ -n ${brand_code} ]]; then + # Resign the RO_GSCVD FMAP area. + if [[ -z ${shellball_keyset_dir} ]]; then + extra_args=() + else + extra_args=( --gscvd_out + "${shellball_keyset_dir}/gscvd.${output_name}" ) + fi + echo "Setting RO_GSCVD with: ${FUTILITY} gscvd" \ + --keyblock "${KEY_DIR}/arv_platform.keyblock" \ + --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \ + --board_id "${brand_code}" \ + --root_pub_key "${KEY_DIR}/arv_root.vbpubk" \ + "${extra_args[@]}" \ + "${bios_path}" + ${FUTILITY} gscvd \ + --keyblock "${KEY_DIR}/arv_platform.keyblock" \ + --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \ + --board_id "${brand_code}" \ + --root_pub_key "${KEY_DIR}/arv_root.vbpubk" \ + "${extra_args[@]}" \ + "${bios_path}" + + echo "After signing RO_GSCVD on ${bios_path}: md5 =" \ + "$(md5sum "${bios_path}" | awk '{print $1}')" + else + warn "No brand code for ${bios_path} in signer_config.csv" + fi info "Signed firmware image output to ${bios_path}" done unset IFS |
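Review bot: In the first hunk (the `while IFS="," read -r ...` loop header in resign_firmware_payload), brand_code is now the last name given to read, so it receives the entire remainder of the row: if signer_config.csv later gains a sixth column, the extra field and its comma end up in the value passed to --board_id. Consider adding a throwaway variable after brand_code (for example `... ec_image brand_code _`) and a comment next to the loop listing the expected column order, since rows with only four columns now silently yield an empty brand_code.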
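Review bot: In the second hunk (the `if [[ -n ${brand_code} ]]` block), the `${FUTILITY} gscvd` argument list is written out twice, once for the echo and once for the real call, so the logged command can drift from the one that actually signs the image. Build the arguments once in an array and use that array for both the log line and the invocation. Two further points in the same block: the added lines only test that shellball_keyset_dir is non-empty before passing --gscvd_out, while the commit message says the blob is saved if the keyset directory is found, so a `-d` check may be intended; and nothing in these lines checks the exit status of the gscvd call before the "After signing RO_GSCVD" md5 is printed, so it is worth confirming that a signing failure aborts the loop rather than reaching "Signed firmware image output". The else branch only warns when brand_code is empty, which leaves RO_GSCVD unsigned for that image; a short comment stating that this is expected for manifests without the column would help.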