-rwxr-xr-xscripts/image_signing/sign_official_build.sh32
1 files changed, 9 insertions, 23 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 2ab05796..cc3d6af0 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -325,29 +325,15 @@ resign_firmware_payload() {
echo "Found a valid firmware update shellball."
temp_outfd=$(make_temp_file)
- # Replace the root key in the GBB.
- # TODO(gauravsh): Remove when we lock down the R/O portion of firmware.
- if [ -e "${KEY_DIR}/hwid" ]; then
- # Only update the hwid if we see one in the key directory.
- gbb_utility -s \
- --rootkey=${KEY_DIR}/root_key.vbpubk \
- --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
- --hwid="$(cat ${KEY_DIR}/hwid)" \
- ${shellball_dir}/bios.bin ${temp_outfd}
- else
- gbb_utility -s \
- --rootkey=${KEY_DIR}/root_key.vbpubk \
- --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
- ${shellball_dir}/bios.bin ${temp_outfd}
- fi
- # Resign the firmware with new keys.
- ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
- ${KEY_DIR}/firmware_data_key.vbprivk \
- ${KEY_DIR}/firmware.keyblock \
- ${KEY_DIR}/dev_firmware_data_key.vbprivk \
- ${KEY_DIR}/dev_firmware.keyblock \
- ${KEY_DIR}/kernel_subkey.vbpubk \
- ${FIRMWARE_VERSION}
+ # Resign the firmware with new keys, also replacing the root and recovery
+ # public keys in the GBB.
+ ${SCRIPT_DIR}/sign_firmware.sh ${shellball_dir}/bios.bin ${KEY_DIR} \
+ ${temp_outfd}
+ # Note: Although sign_firmware.sh may correctly handle specifying the same
+ # output file as the input file, we do not want to rely on it correctly
+ # handing that. Hence, the use of a temporary file.
+ cp ${temp_outfd} ${shellball_dir}/bios.bin
+
local signer_notes="${shellball_dir}/VERSION.signer"
echo "" >"$signer_notes"
echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"$signer_notes"
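Review bot: The exit status of the new `sign_firmware.sh` call is never checked before `cp ${temp_outfd} ${shellball_dir}/bios.bin` runs. Unless errexit is in effect (not visible in this hunk), a failed signing run would overwrite bios.bin with an empty or partial temp file, and the VERSION.signer note below would still claim the image was signed. I would make the failure explicit and quote the paths, e.g. `"${SCRIPT_DIR}/sign_firmware.sh" "${shellball_dir}/bios.bin" "${KEY_DIR}" "${temp_outfd}" || return 1` followed by `cp "${temp_outfd}" "${shellball_dir}/bios.bin"`, with the caller propagating the non-zero return. The removed branch also wrote `--hwid` into the GBB when `${KEY_DIR}/hwid` existed, while the new comment mentions only the root and recovery keys, so it is worth confirming that sign_firmware.sh still handles the hwid or that dropping it is intended. resign_firmware_payload starts and ends outside this hunk.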