Diffstat (limited to 'scripts/image_signing/sign_firmware.sh')
-rwxr-xr-x | scripts/image_signing/sign_firmware.sh | 99 |
1 files changed, 77 insertions, 22 deletions
diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh index 9a0c7830..fa200837 100755 --- a/scripts/image_signing/sign_firmware.sh +++ b/scripts/image_signing/sign_firmware.sh @@ -8,12 +8,16 @@ # Determine script directory. SCRIPT_DIR=$(dirname "$0") +# Load common constants and variables. +. "${SCRIPT_DIR}/common_minimal.sh" + # Abort on error. set -e usage() { cat<<EOF -Usage: $0 <input_firmware> <key_dir> <output_firmware> [firmware_version] +Usage: $0 <input_firmware> <key_dir> <output_firmware> [firmware_version] \ +[loem_output_dir] Signs <input_firmware> with keys in <key_dir>, setting firmware version to <firmware_version>. Outputs signed firmware to <output_firmware>. 
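Review bot: The new `. "${SCRIPT_DIR}/common_minimal.sh"` line runs before `set -e` and its status is not checked, so if the file is missing or fails to load, bash (outside POSIX mode) carries on without the helpers. In `main`, added in the next hunk, `local temp_fw=$(make_temp_file)` then hides the failure because `local` returns 0, and the script reaches the signing step with an empty temp path. I would write `. "${SCRIPT_DIR}/common_minimal.sh" || exit 1` here and split the later line into `local temp_fw` followed by `temp_fw=$(make_temp_file)`. The usage text also gains `[loem_output_dir]` without a sentence saying what it is for or that it is required when `loem.ini` is present.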
@@ -22,37 +26,88 @@ EOF exit 1 } -main() { - if [[ $# -lt 3 || $# -gt 4 ]]; then - usage - fi - - local in_firmware=$1 - local key_dir=$2 - local out_firmware=$3 - local firmware_version=${4:-1} - - local temp_fw=$(mktemp) - trap "rm -f '${temp_fw}'" EXIT +# Sign a single firmware image. +# ARGS: [loem_key] [loemid] +sign_one() { + local loem_key="$1" + local loemid="$2" # Resign the firmware with new keys. "${SCRIPT_DIR}/resign_firmwarefd.sh" \ "${in_firmware}" \ "${temp_fw}" \ - "${key_dir}/firmware_data_key.vbprivk" \ - "${key_dir}/firmware.keyblock" \ - "${key_dir}/dev_firmware_data_key.vbprivk" \ - "${key_dir}/dev_firmware.keyblock" \ + "${key_dir}/firmware_data_key${loem_key}.vbprivk" \ + "${key_dir}/firmware${loem_key}.keyblock" \ + "${key_dir}/dev_firmware_data_key${loem_key}.vbprivk" \ + "${key_dir}/dev_firmware${loem_key}.keyblock" \ "${key_dir}/kernel_subkey.vbpubk" \ - "${firmware_version}" + "${firmware_version}" \ + "" \ + "${loem_output_dir}" \ + "${loemid}" # Replace the root and recovery key in the Google Binary Block of the # firmware. Note: This needs to happen after calling resign_firmwarefd.sh # since it needs to be able to verify the firmware using the root key to # determine the preamble flags. - gbb_utility -s \ - --rootkey="${key_dir}/root_key.vbpubk" \ - --recoverykey="${key_dir}/recovery_key.vbpubk" \ - "${temp_fw}" "${out_firmware}" + local rootkey="${key_dir}/root_key${loem_key}.vbpubk" + local gbb_args=( -s --recoverykey="${key_dir}/recovery_key.vbpubk" ) + if [[ -z ${loemid} ]]; then + gbb_args+=( --rootkey="${rootkey}" "${temp_fw}" ) + else + gbb_args+=( "${in_firmware}" ) + cp "${rootkey}" "${loem_output_dir}/rootkey.${loemid}" + fi + gbb_utility "${gbb_args[@]}" "${out_firmware}" +} + +# Process all the keysets in the loem.ini file. +sign_loems() { + local line loem_section=false loem_index loemid + + while read line; do + # Find the [loem] section. + if ! 
${loem_section}; then + if grep -q "^ *\[loem\] *$" <<<"${line}"; then + loem_section=true + fi + continue + # Abort when we hit the next section. + elif [[ ${line} == *"["* ]]; then + break + fi + + # Strip comments/whitespace. + line=$(sed -e 's:#.*::' -e 's:^ *::' -e 's: *$::' <<<"${line}") + loem_index=$(cut -d= -f1 <<<"${line}" | sed 's: *$::') + loemid=$(cut -d= -f2 <<<"${line}" | sed 's:^ *::') + + echo "### Processing LOEM ${loem_index} ${loemid}" + sign_one ".loem${loem_index}" "${loemid}" + echo + done <"${key_dir}/loem.ini" +} + +main() { + if [[ $# -lt 3 || $# -gt 5 ]]; then + usage + fi + + local in_firmware=$1 + local key_dir=$2 + local out_firmware=$3 + local firmware_version=${4:-1} + local loem_output_dir=${5:-} + + local temp_fw=$(make_temp_file) + + if [[ -e ${key_dir}/loem.ini ]]; then + if [[ -z ${loem_output_dir} ]]; then + err_die "need loem_output_dir w/loem keysets" + fi + sign_loems + else + sign_one + fi } main "$@" |
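Review bot: `sign_loems` acts on `loem.ini` lines before cleaning or checking them. The next-section test `[[ ${line} == *"["* ]]` runs before comments are stripped, so a `[` in a trailing comment ends the loop early and the remaining keysets are skipped with exit status 0; a blank or comment-only line yields an empty index and id, which sends `sign_one` down the non-LOEM branch; and `loemid` goes unchecked into the `cp` destination `"${loem_output_dir}/rootkey.${loemid}"`. I would strip first, skip empty lines, reject entries that do not match an expected pattern, and fail if no entry was processed. The character classes below are a guess at the format and should be confirmed against real `loem.ini` files.

```shell
  local count=0
  while IFS= read -r line; do
    # Strip comments/whitespace before any section matching.
    line=$(sed -e 's:#.*::' -e 's:^ *::' -e 's: *$::' <<<"${line}")
    if [[ -z ${line} ]]; then
      continue
    fi
    # … unchanged: [loem] section detection, break on the next section …
    # … unchanged: loem_index / loemid extraction …
    if [[ ! ${loem_index} =~ ^[0-9]+$ || ! ${loemid} =~ ^[A-Za-z0-9_-]+$ ]]; then
      err_die "bad loem.ini entry: ${line}"
    fi
    # … unchanged: echo and sign_one call …
    count=$((count + 1))
  done <"${key_dir}/loem.ini"
  if [[ ${count} -eq 0 ]]; then
    err_die "no [loem] entries found in ${key_dir}/loem.ini"
  fi
```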