1 files changed, 66 insertions, 0 deletions

diff --git a/scripts/image_signing/sign_nv_cbootimage.sh b/scripts/image_signing/sign_nv_cbootimage.sh
new file mode 100755
index 00000000..890ca6a9
--- /dev/null
+++ b/scripts/image_signing/sign_nv_cbootimage.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+# Copyright 2015 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Wrapper script for signing firmware image using cbootimage.
+
+# Determine script directory.
+SCRIPT_DIR=$(dirname "$0")
+
+# Load common constants and variables.
+. "${SCRIPT_DIR}/common_minimal.sh"
+
+# Abort on error.
+set -e
+
+usage() {
+  cat<<EOF
+Usage: $0 <type> <pkc_key> <firmware_image> <soc>
+
+Signs <firmware_image> of <type> with <pkc_key> using cbootimage for <soc>.
+where type is one of
+      bootloader = sign bootloader image
+EOF
+  exit 1
+}
+
+main() {
+  if [[ $# -ne 4 ]]; then
+    usage
+  fi
+
+  local type=$1
+  local pkc_key="$(readlink -f "$2")"
+  local firmware_image="$(readlink -f "$3")"
+  local soc=$4
+
+  local work_dir=$(make_temp_dir)
+  local signed_fw=$(make_temp_file)
+
+  if [[ "${type}" == "bootloader" ]]; then
+
+    pushd "${work_dir}" >/dev/null
+
+    cat >update.cfg <<EOF
+PkcKey = ${pkc_key}, --save;
+ReSignBl;
+EOF
+
+    # This also generates a file pubkey.sha which contains the hash of public
+    # key required by factory to burn into PKC fuses. Move pubkey.sha into
+    # ${firmware_image}.pubkey.sha.
+    cbootimage -s "${soc}" -u update.cfg "${firmware_image}" \
+      "${signed_fw}"
+
+    popd >/dev/null
+    # Copy signed firmware image and public key hash to current directory.
+    mv "${work_dir}/pubkey.sha" "${firmware_image}.pubkey.sha"
+    mv "${signed_fw}" "${firmware_image}"
+
+  else
+    usage
+  fi
+}
+
+main "$@"