path: root/scripts/image_signing/make_dev_firmware.sh
Commit message | Author | Age | Files | Lines

* make_dev_firmware.sh should use key.versions file [stabilize-8798.B] | Bill Richardson | 2016-09-12 | 1 | -3/+10

  The 'key.versions' file is used by the image signing scripts to ensure that newly generated keys and re-signed buildbot images have the correct version numbers to avoid rollback in officially-signed Chrome OS images.

  If a skilled user is re-keying her Chromebook to use personal keys in normal mode (which requires disabling WP and changing the GBB and VBLOCK_A/B), she can avoid clearing the TPM rollback counters if make_dev_firmware.sh will obtain the firmware_version from the key.versions file in her personal key directory.

  BUG=none
  BRANCH=none
  TEST=make runtests, manual tests

  Extract an MP-signed BIOS from a Chromebook Peppy.

      flashrom -p host -r peppy.bin

  Resign it without this CL:

      make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy.bin

  Resign it with this CL:

      make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new.bin

  Confirm no difference:

      cmp dev_peppy.bin dev_peppy_new.bin

  Temporarily edit tests/devkeys/key.versions to contain

      firmware_key_version=2
      firmware_version=3
      kernel_key_version=4
      kernel_version=5

  Resign again:

      make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new2.bin

  Confirm that the only difference is the firmware version in VBLOCK_A/B:

      futility show dev_peppy_new*.bin

  Change-Id: I133f1b58fb969eaeb239a44a4800750c4eee1d5f
  Signed-off-by: Bill Richardson <wfrichar@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/383887
  Reviewed-by: Mike Frysinger <vapier@chromium.org>

* make_dev_firmware.sh: Correct firmware body size when changing rootkey. [stabilize-5807.0.B] | Hung-Te Lin | 2014-04-25 | 1 | -25/+28

  make_dev_firmware.sh calls resign_firmwarefd.sh, which extracts rootkey from input image for checking VBLOCK firmware body size. As a result, we should resign firmware before changing rootkey / GBB.

  BUG=chromium:365738
  TEST=Install Nyan/Peppy PreMP-signed firmware, run make_dev_firmware.sh, and then boot in normal mode.
  BRANCH=none

  Change-Id: I45dbcacb40b7b77bbf89f1ba244bf7fb25f9ae27
  Signed-off-by: Hung-Te Lin <hungte@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/196521
  Reviewed-by: Bill Richardson <wfrichar@chromium.org>

* vboot_reference: Improve make_dev_firmware script. | Hung-Te Lin | 2012-08-01 | 1 | -48/+35

  Developers testing firmware preamble flags (usually for turn on/off RO-NORMAL bits) need an easy way to change existing firmware, without hacking FDT source / looking for complex script.

  Also included some minor improvements:

  * Always enable FORCE_DEV_BOOT_USB and DISABLE_FW_ROLLBACK_CHECK. These are flags most developers need when leaving official signed normal firmware.
  * --bmpfv is deprecated because our latest firmware now always includes official bitmaps in updater, no more DEV bitmaps.

  BUG=none
  TEST=./make_dev_firmware.sh -f bios.bin -t new_bios.bin --preamble_flags 0
       ./make_dev_firmware.sh -f bios.bin -t new_bios.bin --preamble_flags 1

  Change-Id: I7ee72d32b4b7fa28f2be635fd8c7bb678852e132
  Reviewed-on: https://gerrit.chromium.org/gerrit/28792
  Tested-by: Hung-Te Lin <hungte@chromium.org>
  Reviewed-by: Randall Spangler <rspangler@chromium.org>
  Commit-Ready: Hung-Te Lin <hungte@chromium.org>

* make_dev_firmware: handle developer firmware keyblock correctly [firmware-u-boot-v1] [firmware-881-u-boot-v1] | Hung-Te Lin | 2011-08-10 | 1 | -0/+29

  We should detect keyblock from existing firmware and decide if a developer firmware keyblock should be used.

  BUG=chromium-os:18946
  TEST=./make_dev_firmware.sh -f zgb.bin -t zgb_dev.bin
       # seeing Using keyblocks (developer, normal)...
       ./make_dev_firmware.sh -f mario.bin -t mario_dev.bin
       # seeing Using keyblocks (normal, normal)...
       ./make_dev_firmware.sh -f arm.bin -t arm_dev.bin
       # seeing Using keyblocks (normal, normal)...

  Change-Id: I74fa0db980e26a6a19a4393303e8c5b3260c84c7
  Reviewed-on: http://gerrit.chromium.org/gerrit/5623
  Tested-by: Hung-Te Lin <hungte@chromium.org>
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>

* resign_firmwarefd.sh: support new "flag" (for hinting two-stop FW) | Hung-Te Lin | 2011-07-22 | 1 | -0/+4

  The two-stop firmware relies on the "flag" field which may be useful for the resign_firmwarefd.sh.

  BUG=chrome-os-partner:5095
  TEST=./resign_firmwarefd [params] 1
       vbutil_firmware --verify ..... # seeing flag = 1

  Change-Id: I56b44ee5b610e36384e15e6eb31286f0f838734b
  Reviewed-on: http://gerrit.chromium.org/gerrit/4561
  Tested-by: Hung-Te Lin <hungte@chromium.org>
  Reviewed-by: Gaurav Shah <gauravsh@chromium.org>

* vboot_reference: fix make_dev_firmware failure | Hung-Te Lin | 2011-03-24 | 1 | -0/+4

  The script to resign firmware (resign_firmwarefd.sh) has changed its syntax, due to the new "dev firmware" design.

  BUG=chromium-os:13375
  TEST=./make_dev_firmware.sh # seeing the "changed firmware to Developer Keys" message.

  Change-Id: Id553f3ce1641f13e732bd5e208cb2fb00ca9c078
  R=rspangler@chromium.org,gauravsh@chromium.org
  Review URL: http://codereview.chromium.org/6727019

* vboot/make_dev_firmware: extract bitmaps from system firmware instead of prebuilts. | Hung-Te Lin | 2011-03-04 | 1 | -6/+40

  make_dev_firmware should trust system firmware blobs instead of using its own prebuilt binaries.

  BUG=chromium-os:12400
  TEST=1. make a build with .49+ BIOS, and create the firmware updater
       2. install the new BIOS, turn on developer switch and reboot
       3. an ugly "DEV" screen (in .49) is shown on screen
       4. run the new make_dev_firmware.sh
       5. reboot. seeing the ugly DEV instead of the prebuilt blue screen (verified successfully)

  Change-Id: If75d2821170649fa869db6a82d879b697f7588e6
  Review URL: http://codereview.chromium.org/6614006

* Split common.sh into bash-only and dash-only sections | Gaurav Shah | 2011-01-18 | 1 | -2/+2

  Change-Id: I044331dc3558a4f7428b75fe43ef739498d65803
  BUG=chromium-os:10836
  TEST=scripts that use common.sh seem to work, would appreciate help in testing Chrome OS client scripts!

  Review URL: http://codereview.chromium.org/6294002

* vboot_reference/make_dev_firmware: check write protection status before making changes | Hung-Te Lin | 2011-01-06 | 1 | -1/+23

  Complete the missing part of "checking (and disabling) write protection status". This also helps to prevent erasing RW regions on system with WP enabled and then causing boot failure.

  BUG=chrome-os-partner:1276
  TEST=(1) On CR-48 with WP enabled, run make_dev_firmware.sh without turning off WP.
           Result: Error message "Write protection is still enabled. Please verify that hardware write protection is disabled." (as expected)
       (2) Disable WP and run again.
           Result: firmware has been changed successfully.

  Change-Id: Iaf2243cb2cd3c7f83ce4f36543ea3da1e3ca55a1
  Review URL: http://codereview.chromium.org/5987010

* Check in tofactory script. | Randall Spangler | 2011-01-04 | 1 | -18/+0

  Also refactor the other scripts to move more common functions (debug output, etc.) to common.sh.

  BUG=chrome-os-partner:1903
  TEST=manual; ran on a Chrome notebook, verified the right things got copied.

  Review URL: http://codereview.chromium.org/5878005
  Change-Id: Ib7131356ecb6f88eee3d529a518f23b94756d0c0

* make_dev_firmware: provide more usage help for backup files | Hung-Te Lin | 2010-10-19 | 1 | -1/+18

  Provide more clear instruction on how to use the backup files, and to try more effort to store backup files

  BUG=none
  TEST=emerge-x86-generic vboot-reference; executed make_dev_firmware and got correct message

  Change-Id: I2062f45dd3019d0e56adc18bdd1861991aafe5ed
  Review URL: http://codereview.chromium.org/3785014

* make_dev_ssd: new script to change SSD image to dev key | Hung-Te Lin | 2010-10-16 | 1 | -37/+30

  The make_dev_ssd.sh is made for devinstall shim to change SSD kernels to be signed by dev keys.

  - Kernel A, B will be resigned with dev keys (ignore if A/B seems not bootable)
  - Adding param --remove_rootfs_verification can even disable rootfs hash check

  This CL also includes some shared refine/fix to make_dev_firmware.sh

  BUG=chrome-os-partner:1276
  TEST=sudo ./make_dev_ssd.sh; (seeing Kernel A is resigned and B is ignored)
       then reboot without developer mode (OK), rootdev shows /dev/dm-0, rootdev -s shows /dev/sda3
       sudo ./make_dev_ssd.sh --remove_rootfs_verification;
       then reboot without developer mode (OK), rootdev shows /dev/sda3

  Change-Id: Ic20f734b2af42e50a43c19a565a166a39d57a7fd
  Review URL: http://codereview.chromium.org/3772013

* make_dev_firmware: new script to change firmware to dev key | Hung-Te Lin | 2010-10-15 | 1 | -0/+231

  The make_dev_firmware.sh is made for devinstall shim to change firmware rootkey/HWID/BMPFV smoothly.

  - HWID will be changed to "$ORIGINAL_FWID DEV" (no change if already postfixed with DEV)
  - rootkey/recoverykey will be changed by keyset from --keys
  - FVMAIN/FVMAINB will be resigned by keyset from --keys
  - BMPFV will be changed to anything assigned by --bmpfv

  If --from and --to are omitted, the system firmware will be changed.

  A new ebuild is created to put all resources (bmpfv and keyset) into devinstall shim (ref: http://codereview.chromium.org/3776003)

  BUG=chrome-os-partner:1276
  TEST=sudo ./make_dev_firmware.sh --from input_bios.bin --to output_bios.in \
            --keys ../../tests/devkeys --bmpfv some_bmpfv.bin
       HWID is changed from "XXX MARIO EVT DDDD" to "XXX MARIO EVT DDDD DEV".
       System can then boot a USB signed with devkey without developer mode.

  Change-Id: Id80126495dcbf4d993a4372af645580cd4b60ca6
  Review URL: http://codereview.chromium.org/3822002