diff options
| -rwxr-xr-x | scripts/image_signing/resign_firmwarefd.sh | 20 | ||||
| -rwxr-xr-x | scripts/image_signing/sign_firmware.sh | 43 |
2 files changed, 38 insertions, 25 deletions
diff --git a/scripts/image_signing/resign_firmwarefd.sh b/scripts/image_signing/resign_firmwarefd.sh index 1f9bd219..98dbf8d5 100755 --- a/scripts/image_signing/resign_firmwarefd.sh +++ b/scripts/image_signing/resign_firmwarefd.sh @@ -204,12 +204,11 @@ vbutil_firmware \ --fv "${temp_fwimage_a}" \ --kernelkey "${KERNEL_SUBKEY}" -if [ -z "${LOEMID}" ]; then - # Create a copy of the input image and put in the new vblock for firmware A - cp "${SRC_FD}" "${DST_FD}" - dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwA_vblock_offset}" bs=1 \ - count="${fwA_vblock_size}" conv=notrunc 2>/dev/null -else +# Create a copy of the input image and put in the new vblock for firmware A +cp "${SRC_FD}" "${DST_FD}" +dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwA_vblock_offset}" bs=1 \ + count="${fwA_vblock_size}" conv=notrunc 2>/dev/null +if [ -n "${LOEMID}" ]; then cp "${temp_out_vb}" "${LOEM_OUTPUT_DIR}/vblock_A.${LOEMID}" fi @@ -223,11 +222,10 @@ vbutil_firmware \ --fv "${temp_fwimage_b}" \ --kernelkey "${KERNEL_SUBKEY}" -if [[ -z ${LOEMID} ]]; then - # Destination image has already been created. - dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwB_vblock_offset}" bs=1 \ - count="${fwB_vblock_size}" conv=notrunc 2>/dev/null -else +# Destination image has already been created. +dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwB_vblock_offset}" bs=1 \ + count="${fwB_vblock_size}" conv=notrunc 2>/dev/null +if [ -n "${LOEMID}" ]; then cp "${temp_out_vb}" "${LOEM_OUTPUT_DIR}/vblock_A.${LOEMID}" fi diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh index fa200837..7b9ac944 100755 --- a/scripts/image_signing/sign_firmware.sh +++ b/scripts/image_signing/sign_firmware.sh @@ -26,6 +26,24 @@ EOF exit 1 } +gbb_update() { + local in_firmware="$1" + local key_dir="$2" + local out_firmware="$3" + local rootkey="$4" + + # Replace the root and recovery key in the Google Binary Block of the + # firmware. Note: This needs to happen after calling resign_firmwarefd.sh + # since it needs to be able to verify the firmware using the root key to + # determine the preamble flags. + gbb_utility \ + -s \ + --recoverykey="${key_dir}/recovery_key.vbpubk" \ + --rootkey="${rootkey}" \ + "${in_firmware}" \ + "${out_firmware}" +} + # Sign a single firmware image. # ARGS: [loem_key] [loemid] sign_one() { @@ -45,26 +63,14 @@ sign_one() { "" \ "${loem_output_dir}" \ "${loemid}" - - # Replace the root and recovery key in the Google Binary Block of the - # firmware. Note: This needs to happen after calling resign_firmwarefd.sh - # since it needs to be able to verify the firmware using the root key to - # determine the preamble flags. - local rootkey="${key_dir}/root_key${loem_key}.vbpubk" - local gbb_args=( -s --recoverykey="${key_dir}/recovery_key.vbpubk" ) - if [[ -z ${loemid} ]]; then - gbb_args+=( --rootkey="${rootkey}" "${temp_fw}" ) - else - gbb_args+=( "${in_firmware}" ) - cp "${rootkey}" "${loem_output_dir}/rootkey.${loemid}" - fi - gbb_utility "${gbb_args[@]}" "${out_firmware}" } # Process all the keysets in the loem.ini file. sign_loems() { local line loem_section=false loem_index loemid + local rootkey + rm -f "${out_firmware}" while read line; do # Find the [loem] section. if ! ${loem_section}; then @@ -84,6 +90,13 @@ sign_loems() { echo "### Processing LOEM ${loem_index} ${loemid}" sign_one ".loem${loem_index}" "${loemid}" + + rootkey="${key_dir}/root_key.loem${loem_index}.vbpubk" + cp "${rootkey}" "${loem_output_dir}/rootkey.${loemid}" + + if [[ ! -e ${out_firmware} ]]; then + gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" "${rootkey}" + fi echo done <"${key_dir}/loem.ini" } @@ -108,6 +121,8 @@ main() { sign_loems else sign_one + gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" \ + "${key_dir}/root_key.vbpubk" fi } main "$@" |