summaryrefslogtreecommitdiff
path: root/scripts/image_signing/sign_official_build.sh
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/image_signing/sign_official_build.sh')
-rwxr-xr-xscripts/image_signing/sign_official_build.sh31
1 files changed, 31 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index f3def18a..72d4f58b 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -32,6 +32,7 @@ where <type> is one of:
install (old alias to "factory")
update_payload (sign a delta update hash)
kernel (sign a kernel image)
+ recovery_kernel (sign a recovery_kernel image)
firmware (sign a firmware image)
usb (sign an image to boot directly from USB)
verify (verify an image including rootfs hashes)
@@ -483,6 +484,29 @@ sign_kernel() {
echo "Signed kernel image output to ${image}"
}
+# Sign a recovery kernel in-place with the given keys.
+# Args: KERNEL_IMAGE KEY_DIR KERNEL_VERSION
+sign_recovery_kernel() {
+ local image=$1
+ local key_dir=$2
+ local kernel_version=$3
+
+ # Note: Although vbutil_kernel may correctly handle specifying the same
+ # output file as the input file, we do not want to rely on it correctly
+ # handing that. Hence, the use of a temporary file.
+ local temp_kernel=$(make_temp_file)
+
+ # Resign the kernel with new recovery keys.
+ vbutil_kernel --repack "${temp_kernel}" \
+ --keyblock "${key_dir}/recovery_kernel.keyblock" \
+ --signprivate "${key_dir}/recovery_kernel_data_key.vbprivk" \
+ --version "${kernel_version}" \
+ --oldblob "${image}"
+
+ mv "${temp_kernel}" "${image}"
+ echo "Signed recovery_kernel image output to ${image}"
+}
+
# Sign a delta update payload (usually created by paygen).
# Args: INPUT_IMAGE KEY_DIR OUTPUT_IMAGE
sign_update_payload() {
@@ -793,6 +817,13 @@ elif [[ "${TYPE}" == "kernel" ]]; then
fi
cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
sign_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}"
+elif [[ "${TYPE}" == "recovery_kernel" ]]; then
+ if [[ -e "${KEY_DIR}/loem.ini" ]]; then
+ echo "LOEM signing not implemented yet for recovery_kernel images"
+ exit 1
+ fi
+ cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
+ sign_recovery_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}"
elif [[ "${TYPE}" == "update_payload" ]]; then
sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE}
else