diff options
| -rwxr-xr-x | scripts/image_signing/sign_cr50_firmware.sh | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/scripts/image_signing/sign_cr50_firmware.sh b/scripts/image_signing/sign_cr50_firmware.sh index 1616e49b..c87b3124 100755 --- a/scripts/image_signing/sign_cr50_firmware.sh +++ b/scripts/image_signing/sign_cr50_firmware.sh @@ -224,18 +224,28 @@ sign_rw() { # A very crude RO verification function. The key signature found at a fixed # offset into the RO blob must match the RO type. Prod keys have bit D2 set to # one, dev keys have this bit set to zero. +# +# The check is bypassed if the key file directory name includes string 'test'. verify_ro() { - if [[ $# -ne 1 ]]; then - die "Usage: verify_ro <ro_bin>" + if [[ $# -ne 2 ]]; then + die "Usage: verify_ro <ro_bin> <key_file>" fi local ro_bin="$1" + local key_file="$2" local key_byte + local key_path if [[ ! -f "${ro_bin}" ]]; then die "${ro_bin} not a file!" fi + key_path="$(dirname "${key_file}")" + if [[ ${key_path##*/} == *"test"* ]]; then + info "Test run, ignoring key type verification" + return 0 + fi + # Key signature's lowest byte is byte #5 in the line at offset 0001a0. key_byte="$(od -Ax -t x1 -v "${ro_bin}" | awk '/0001a0/ {print $6}')" case "${key_byte}" in @@ -299,7 +309,7 @@ sign_cr50_firmware() { if ! objcopy -I ihex "${f}" -O binary "${temp_dir}/${count}.bin"; then die "Failed to convert ${f} from hex to bin" fi - verify_ro "${temp_dir}/${count}.bin" + verify_ro "${temp_dir}/${count}.bin" "${key_file}" : $(( count++ )) done |