path: root/scripts
Commit message | Author | Age | Files | Lines
* ensure_not_tainted_license: fix exit codes | Sergey Frolov | 2021-01-21 | 1 | -1/+5
grep returns exit code 1, if pattern was not found, and due to `set -e` ensure_not_tainted_license.sh exits immediately with code 1. This change fixes it. This change also ensures that the correct code 1 is returned when the pattern is found.

BUG=chromium:1163996
TEST=N/A
BRANCH=none
Signed-off-by: Sergey Frolov <sfrolov@google.com>
Change-Id: Idd33cec8795420ca1aab9ab1490a338a04d20257
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2638856
Tested-by: George Engelbrecht <engeg@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
* ensure_not_tainted_license: skip if not found | Sergey Frolov | 2021-01-16 | 1 | -2/+3
This change makes ensure_not_tainted_license.sh only emit a warning if license file is not found, as opposed to failing.

BUG=chromium:1163996
TEST=N/A
BRANCH=none
Change-Id: I14103bc520efabf3e0c1424e8a5cae259d42c966
Signed-off-by: Sergey Frolov <sfrolov@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2632876
Commit-Queue: George Engelbrecht <engeg@google.com>
Reviewed-by: George Engelbrecht <engeg@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* Add ensure_not_tainted_license.sh [stabilize-rust-13720.B, master, factory-zork-13700.B] | Sergey Frolov | 2021-01-01 | 1 | -0/+66
This is a part of the work to ensure that tainted images are never signed with MP keys. A special tainted tag was added to the license file by https://chromium-review.googlesource.com/c/chromiumos/chromite/+/2560225 and in ensure_not_tainted.sh we detect the presence of this tag. This script has been manually tested on tainted and non-tainted images.

BUG=chromium:1059363
TEST=manual
BRANCH=none
Change-Id: I17ca27bb7895f268a79cca3ad948808f0f96b8c7
Signed-off-by: Sergey Frolov <sfrolov@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2607414
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>
* Revert "sign_gsc_firmware: update generated file name" [factory-dalboz-13695.B] | Vadim Bendebury | 2020-12-29 | 1 | -2/+0
This reverts commit bc2317695965bb92b8809d9c06327adedcb0653c.

The reason for revert is that the signer needs to know the generated file name, and in case vboot reference alters the name the signer remains unaware of the change and is still looking for the file named @CHIP@... Some other means of figuring out the file name will be required, let's stick with the @CHIP@ prefix for now.

BRANCH=none
BUG=b:173049030
TEST=none
Change-Id: I23ea65314d49e86fc4edb015e89b6076f87a54dd
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2605238
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* sign_gsc_firmware: update generated file name [factory-test-13683.B, factory-dedede-13683.B] | Vadim Bendebury | 2020-12-18 | 1 | -0/+2
When processing Gsc image signing request the signing server is not aware of which chip the image is being signed for, the output file name includes the string @CHIP@ and it is the responsibility of the actual signing scripts to figure out if the image is for Cr50 or Ti50.

The destination image type is determined based on the signing manifest contents, this patch adds code to replace @CHIP@ with the actual image type.

BRANCH=none
BUG=b:173049030
TEST=invoked the script to sign a Ti50 image locally, verified that the produced signed image file had the expected name.
Change-Id: Ib1534ce50e0a44d0ec014e8dbee4e4d85c2082c9
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2596695
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* sign_gsc_firmware: refactor and extend to support D2 | Vadim Bendebury | 2020-12-11 | 1 | -90/+136
The major difference between Cr50 and Ti50 signing is that the RW sections are represented differently: elf files in Cr50 case and ihex files in Ti50 case. Other differences include the produced signed final image size and the offsets of the components in the final image. The signing script is being updated to figure out all these differences at run time.

A new optional field is introduced in the signing manifest, the 'generation'. If this field is absent or set to 'h' (for H1), the script proceeds with the Cr50 signing process. If 'generation' is set to 'd' (for D2), the script proceeds with the Ti50 signing process.

Instead of using fixed offsets into the final image, the base addresses of the components in ihex format are used, the only fixed value is the base address of the flash image in the chip address space (0x40000 for H1 vs 0x80000 for D2).

To make this work for H1 the output format of the signed blob produced by gsc-codesigner is changed from binary to ihex.

BRANCH=none
BUG=b:173049030
TEST=using this script and the signing_instructions.sh module produced by the real Cr50 signer was able to produce functional images for both Cr50 and Ti50.
Change-Id: I845be1101b09c9476fa27fbddb72607dc6cea901
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2570009
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* sign_gsc_firmware: add functions to determine ihex module base address | Vadim Bendebury | 2020-12-11 | 1 | -0/+86
With the advent of D2 memory layout scheme it became impossible to hardcode the base address of various components of the D2 firmware image. Luckily, the components are represented as binary blobs in Intel ihex format, which allows to retrieve the base address of the component from the ihex records.

The address is composed of two elements: the segment base supplied in the record type 02 or 04, and the record offset into the segment, supplied in the data record of type 0.

The segment address is expressed as a 16 bit value, the actual value shifted right either 4 bits (in case of record type 02) or 16 bits (in case of record type 04). The data record offset is also a 16 bit value.

The base address of the blob is calculated as <segment address> + <first data record offset> and is available from the first two records in the ihex module.

Detailed information of ihex file format can be found in https://en.wikipedia.org/wiki/Intel_HEX .

BRANCH=none
BUG=b:173049030
TEST=with the next patch in the stack applied was able to successfully build a multicomponent ti50 image.
Change-Id: I135c2f9960f1f218532c82bafd7acbe362414fc9
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2570008
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* image_signing: use GSC nomenclature instead of Cr50 | Vadim Bendebury | 2020-12-11 | 2 | -57/+105
This patch does not yet provide the ability to sign Ti50 images, but prepares the signing scripts for further modifications to support a variety of security chip signing flows.

BRANCH=none
BUG=b:173049030
TEST=verified successful signing of a Cr50 image in a test signer setup also created a functional Cr50 image invoking sign_official_build.sh by hand.
Change-Id: Ic103c9fdf7d1c4ea160c7f6849d5ae5a8303c343
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2537078
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
* signer: Verify many Android signer operations that content is unchanged. [stabilize-13654.B] | Yury Khmel | 2020-12-05 | 1 | -8/+29
This adds extra verifications to many Android signer operations in order to narrow down the problem when empty folders are removed from the disk.

BUG=chromium:1154734
TEST=Locally image signing passed. Emulated problem and it was detected.
BRANCH=none
Signed-off-by: Yury Khmel <khmel@google.com>
Change-Id: If8bb9fced290117766bfa9ff76a25fc86ed263dc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2572240
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* common: log loopback detaches | George Engelbrecht | 2020-11-03 | 1 | -0/+1
We want to find the culprit loopback device which isn't detaching on crbug.com/1141907. We might as well log our cleanup actions anyway, and this will allow us to see the last loopback processed in production.

BUG=chromium:1141907
TEST=just a log message
BRANCH=None
Signed-off-by: George Engelbrecht <engeg@google.com>
Change-Id: I126efceae4f67993069675c23f6c4af61c7e5667
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514561
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
* common: save the existing return value on cleanup | George Engelbrecht | 2020-11-03 | 1 | -0/+3
Currently this trap initiated function will not save the original return value of the script. Save it and return it on exit.

BUG=chromium:1141907
TEST=unittest and manually on a signer
BRANCH=None
Signed-off-by: George Engelbrecht <engeg@google.com>
Change-Id: Icd807f4d153e4bcc1d309fbcea43c2b3344771ca
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514560
Reviewed-by: Sean McAllister <smcallis@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
* cleanup_minimal: remove duplicate trap for temps and mounts | George Engelbrecht | 2020-11-03 | 1 | -1/+0
BUG=chromium:1141907
TEST=unit tests and manual signing run
Signed-off-by: George Engelbrecht <engeg@google.com>
BRANCH=none
Change-Id: I0316f464e138dea9e77b2554a3b31250e8b92c07
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514559
Reviewed-by: Sean McAllister <smcallis@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
* common.sh: adapt to get clean shellcheck | George Engelbrecht | 2020-11-03 | 2 | -28/+42
BUG=chromium:1141907
TEST=unit tests and manual signing run
Signed-off-by: George Engelbrecht <engeg@google.com>
BRANCH=none
Change-Id: I39b133ca69e717576140b418fc59dd167f068d59
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514558
Reviewed-by: Sean McAllister <smcallis@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
* common.sh: don't let eval terminate cleanup | George Engelbrecht | 2020-10-31 | 1 | -1/+1
Eval will terminate the shell on non-zero error code.

"POSIX says that an error in a special built-in utility (such as eval) should cause the non-interactive shell to terminate"

This is the case and is causing cleanup to terminate android signing with a non-zero error when it is clear the intent (given the set +e) is that we should be best effort here.

BUG=chromium:1141907
TEST=unittest and manually on a signer
Change-Id: Ie6374b292c7982371d549b919b44328ea71a09dd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2513228
Reviewed-by: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
* sign_android: don't use xattrs from unsquashfs | George Engelbrecht | 2020-10-30 | 1 | -2/+2
We've moved to applying a file based set of selinux policies instead of taking the ones that were snagged from the image. Remove the policy attributes and let unsquash do whatever it would do by default.

See https://chat.google.com/room/AAAA45hbdCQ/jkXYe7jMEDk.

BUG=chromium:1141907
TEST=unittests
Change-Id: I0a976fb216e0a07c00c4bb2fb68df6fa1ea00d79
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2511121
Reviewed-by: Yury Khmel <khmel@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yury Khmel <khmel@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: George Engelbrecht <engeg@google.com>
* sign_official_build: dump more info in resign_android_image_if_exists [stabilize-rust-13562.B] | Brian Norris | 2020-10-28 | 1 | -1/+10
We're getting silent errors in here somewhere.

BRANCH=none
BUG=chromium:1141907
TEST=none
Change-Id: I9af0a3ea1696920fe67c915660f82a68c1bddf34
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2504358
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: LaMont Jones <lamontjones@chromium.org>
Tested-by: LaMont Jones <lamontjones@chromium.org>
* signer: syncronize image packing to what we have in build image phase. | Yury Khmel | 2020-10-14 | 1 | -26/+30
This follows steps we have in build image phase to have parity in image packing.
  * Discard reapply selinux context. This looks not needed once re-signing should not change selinux context. Instead we could do similar to build image, pass file context to mksquashfs
  * Apply mksquashfs params based on image type, container/vm. This fixes proper block size and image compression algorithm
  * Remove old image before packing to prevent mksquashfs merge attempt

BUG=b:170400225
BUG=b:170220295
BUG=b:170219920
BRANCH=none
TEST=locally signed vm (kohaku) and container (hana): arc.Optin*, arc.Preopt*. Also checked final image size. With this CL it is reduced to 150Mb(vm) and very close to original image size (delta is less than 0.1%)
Signed-off-by: Yury Khmel <khmel@chromium.org>
Change-Id: I7037bea68fc2969345a8fabc3c6a9b9b690f02d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2462005
Reviewed-by: Yusuke Sato <yusukes@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Tested-by: Yury Khmel <khmel@google.com>
Auto-Submit: Yury Khmel <khmel@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
* signer: resign networkstack APKs with correct key [stabilize-13525.B, firmware-volteer-13521.B] | Victor Hsieh | 2020-10-09 | 1 | -1/+1
BUG=b:170156734
BRANCH=none
TEST=sign rvc-arc image
Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
Change-Id: I99fc4eb19be6cc785297e223a6603c1d777c5c77
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2458789
Reviewed-by: Yury Khmel <khmel@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
* Deal with Android's new networkstack key | Victor Hsieh | 2020-10-08 | 3 | -6/+15
BUG=b:170156734
TEST=run signing script locally
BRANCH=None
Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
Change-Id: I4f045729241b479b56fef5687b721b5b59c2eed8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2450551
Reviewed-by: George Engelbrecht <engeg@google.com>
* arc: Fix RVC signed image does not boot. [factory-test-13517.B] | Yury Khmel | 2020-10-06 | 1 | -9/+37
This supports new set of certificates plat_mac_permissions.xml and adds handling media and network_stack certificates.

BRANCH=none
BUG=b:169458218
TEST=Sign test image from goldeneye per instructions in bug, deploy it to device (kohaku) pass tast.arc.Optin.vm test
Signed-off-by: Yury Khmel <khmel@chromium.org>
Change-Id: I61c4e327eaa605ed60c0c80b3598c0f4fb6e5f5f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2447430
Tested-by: Yury Khmel <khmel@google.com>
Auto-Submit: Yury Khmel <khmel@google.com>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
* make_dev_ssd.sh: Correct root partition regular expression | Hung-Te Lin | 2020-09-23 | 1 | -1/+1
Discovered by CL:2353632, the regular expression for extracting rootfs partition should include non-digit character first otherwise we won't get correct number when the partition number is longer than one digit (e.g., >=10).

BUG=None
TEST=./make_dev_ssd.sh
BRANCH=none
Change-Id: I155e04beec47c55df4d09cb78168ab0a7407c697
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353776
Reviewed-by: Kuang-che Wu <kcwu@chromium.org>
* COIL: Change denylist to blocklist | Daisuke Nojiri | 2020-09-11 | 3 | -5/+5
The signer uses BLOCKLIST instead of DENYLIST. This patch makes the language match.

BUG=b:163883397
BRANCH=None
TEST=egrep -i -I -r "deny.*list"
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: I47c913eb2ca89cd3eea4ca3ff5f1accb223ba418
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2401968
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* portability fixes: support building vboot on FreeBSD | Idwer Vollering | 2020-09-11 | 1 | -1/+1
Built on FreeBSD 12.1-RELEASE, 13-CURRENT, using gcc9 installed from packages.

Change-Id: Ifa8bb343c7e916c1b545cf6c1e4bd0a18ea391cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2382790
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
* Add script for signing PSP Verstage | Martin Roth | 2020-09-09 | 1 | -0/+162
This script will sign the psp_veratage.bin file and modify the fields as required.

BUG=b:166095736
TEST=create verstage signed with test key.
Change-Id: I234d7902f950a60a816dd5f4d46d3d5afd105489
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2390825
Tested-by: Martin Roth <martinroth@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Martin Roth <martinroth@google.com>
* keygeneration: psp verstagebl: refactor key gen & csr generation | Mike Frysinger | 2020-09-09 | 1 | -32/+70
We want to separate the stages of creating the key & using the key as our HSM tools use different commands for these. This also means we no longer need a passphrase at all.

BUG=b:166095736
TEST=ran script before & after and made sure output (largely) looked the same
BRANCH=None
Change-Id: Id488789f83c21ffb6263489e3c22531878ceb1f2
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2391219
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
* Add CSR generation script for signing PSP Verstage | Martin Roth | 2020-09-03 | 1 | -0/+103
This script is based on previous key generation scripts and on the AMD document describing their recommendations.

BUG=b:166095736
TEST=Generate keys of different sizes with different passphrases in various directories.
Change-Id: I76a31f5d592d233282c145a9a4ce5220a2d597d8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2380612
Tested-by: Martin Roth <martinroth@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* inclusive: change usage of blacklist/whitelist | Daisuke Nojiri | 2020-08-19 | 3 | -4/+4
Google is working to change its source code to use more inclusive language. To that end, replace the term "blacklist" & "whitelist" with inclusive alternatives.

chrome-internal:3214766, chrome-internal:3214767, chrome-internal:3214831 will be checked in separately. They refer to a pinned vboot_reference. So, this patch won't affect the signer until the pin is moved.

BUG=b:163883397
BRANCH=None
TEST=grep -ir "white*list"
TEST=grep -ir "black*list"
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: Iff98b55713b3c7381ba092ff14b50141b8422cf2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353421
Reviewed-by: Julius Werner <jwerner@chromium.org>
* inclusive: change usage of sanity | Daisuke Nojiri | 2020-08-19 | 5 | -23/+24
Google is working to change its source code to use more inclusive language. To that end, replace the term "sanity" with inclusive alternatives.

BUG=b:163883397
BRANCH=None
TEST=grep -ir sanity
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: I708a044d89050c442f14fb11a8ae5e98490d56af
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353420
Reviewed-by: Julius Werner <jwerner@chromium.org>
* sign_android_image: use ARCVM file context if needed | Victor Hsieh | 2020-07-29 | 1 | -3/+10
Apparently the file android_file_contexts has a different name for ARCVM with _vm suffix. Choose _vm if the container one is not found.

BUG=b:161828692
TEST=sign_official_build.sh base recovery_image.bin mykey signed.bin
BRANCH=none
Signed-off-by: Victor Hsieh <victorhsieh@chromium.org>
Change-Id: I8a93d8e1dd5b824f319d7de804f8f74825166a97
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2323647
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* image_signing: drop support for signing nvidia lp0_firmware | Mike Frysinger | 2020-07-24 | 3 | -290/+0
This was only used by smaug which went EOL a while ago and we've already deleted supporting logic.

BUG=None
TEST=CQ passes
BRANCH=None
Change-Id: Ia639c7da3c70c62ee102f11d510ffaa928ab244a
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2309221
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
* sign_official_build: accept arcvm/bertha image | Victor Hsieh | 2020-07-23 | 4 | -3/+13
BUG=b:161828692
TEST=sign_official_build.sh base recovery_image.bin mykey signed.bin
TEST=sign_android_unittests.sh
BRANCH=none
Signed-off-by: Victor Hsieh <victorhsieh@chromium.org>
Change-Id: I158cd0c23198ffe8773b5882ba214b3ca4d26cae
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2310758
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* trivial: fix spelling in add_loem_keys.sh | George Engelbrecht | 2020-05-29 | 1 | -1/+1
...also inflate my personal CL stats.

BUG=None
TEST=None
BRANCH=master
Signed-off-by: George Engelbrecht <engeg@chromium.org>
Change-Id: I4af2d8b2aa42b4e6d4d4ea36a6ca73a340aa4814
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2220336
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: George Engelbrecht <engeg@google.com>
* image_signing: Activate file hash cache for watchlist service for signed builds. | Yury Khmel | 2020-05-27 | 1 | -1/+4
This follows the logic introduced in crrev.com/i/2523754

BUG=b:148229706
TEST= ./sign_official_build.sh usb source_image \
  ~/trunk/src/platform/vboot_reference/tests/devkeys out_image
BRANCH=None
Cq-Depend: chrome-internal:3022044
Signed-off-by: Yury Khmel <khmel@google.com>
Change-Id: I5398a9ea2984f0be11cb512f845507309d5f8f8e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210771
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* image_signing: remove firmware_boot.sh | Jack Rosenthal | 2020-05-22 | 1 | -101/+0
This script was added in CL:2618. There's no references to it, and I can't find any evidence to it being documented anywhere or anyone using it.

Let's remove it to see if anyone uses it.

BUG=chromium:1083510
BRANCH=none
TEST=emerge vboot_reference
Change-Id: I6c307d3b9f7ee4c12153baf5fcd97c98badefe7b
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2212646
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* image_singing: remove align_rootfs.sh | Jack Rosenthal | 2020-05-22 | 1 | -150/+0
No references to this. From commit history looks to be something Mario-only? Remove it and let's see where that goes...

BUG=chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Change-Id: I7621d4673a09b85f59cdc69de1652e0b72ca1862
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2211957
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* image_signing: remove unpack_firmwarefd.sh script | Jack Rosenthal | 2020-05-22 | 1 | -69/+0
Looks like an old script from Mario. Won't run on modern chromebooks anyway. Not installed on any devices.

BUG=chromium:1084003,chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Change-Id: I4b68183bc9bc943f273630cf12c52801a74df5be
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210762
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
* image_signing: remove tofactory.sh script | Jack Rosenthal | 2020-05-22 | 1 | -179/+0
Looks like this was an old script meant to be run on Mario. It's currently installed in the SDK only (not on the DUT), where it won't even operate anyway. I can't find any references to the script, aside from some old Mario documentation.

BUG=chromium:1084003,chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Change-Id: I0b0bd22912170e62390e7ee1a62ef466b2ea1a7c
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210761
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
* vboot: Fixes bug in get_gbb_flags.sh -e | Rob Barnes | 2020-03-24 | 1 | -1/+1
get_gbb_flags.sh outputs incorrect information because the hex number is not parsed correctly.

BUG=none
TEST=Manual
BRANCH=none
Change-Id: Ie6428a5c50d48ae5d732b31d7a8e7b314653c2d9
Signed-off-by: Rob Barnes <robbarnes@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2108286
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Commit-Queue: Jack Rosenthal <jrosenth@chromium.org>
* image_signing: Add one more cheets flavor. | Lepton Wu | 2020-03-03 | 2 | -1/+5
On Pi, the target name is sdk_cheets instead of sdk_google_cheets

BUG=chromium:1057649
TEST=./sign_android_unittests.sh
BRANCH=none
Change-Id: Ic4e5123687eee7fc9f6c0640b7b9455f180dff6e
Signed-off-by: Lepton Wu <lepton@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2083836
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
* vboot: stop using wpsw_boot and remove it from crossystem | Joel Kitching | 2020-02-27 | 1 | -1/+1
wpsw_boot is being deprecated, so just use wpsw_cur.

BUG=b:124141368, chromium:950273
TEST=make clean && make runtests
BRANCH=none
Change-Id: Iae63b2a76b19629a9ecd9b87e5dd6367767860b3
Cq-Depend: chromium:2066154, chromium:2068241, chromium:2068209
Cq-Depend: chromium:2068297, chromium:2067229, chromium:2067231
Cq-Depend: chromium:2068242
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2066192
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
* keygeneration: add helper for generating update payload keys | Mike Frysinger | 2020-01-24 | 1 | -0/+8
We don't use this anywhere as we've only ever generated one key so far. But we never wrote this down, so this is more documentation.

BUG=None
TEST=ran the code manually
BRANCH=None
Change-Id: Ia9a318c686b1ad7ab1de31899b49ce73a4d5ad9f
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1947554
Reviewed-by: George Engelbrecht <engeg@google.com>
* vboot: rename FAFT_KEY_OVERIDE and clarify its use | Joel Kitching | 2020-01-16 | 1 | -1/+1
Rename GBB flag FAFT_KEY_OVERRIDE to RUNNING_FAFT. Add a comment to clarify its use.

BUG=b:124141368, chromium:965914
TEST=make clean && make runtests
BRANCH=none
Change-Id: Ib90de7a0d22b39898fc84be8c16ff34ea1d3b504
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1977902
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
* EC sync: Drop support for "PD" software sync. | Tim Wawrzynczak | 2019-11-13 | 1 | -2/+2
All devices which have a PD chip running CrOS EC code have already shipped, and there is no intention to go back to using an "EC" for a TCPC anymore.

BUG=b:143762298,chromium:1017093
BRANCH=none
TEST=make runtests
Change-Id: I177c00581089de59e4f35608b97ef5432e8b492b
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1895712
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
* cr50_signing: add code to sign pre-pvt, pre-release and release | Vadim Bendebury | 2019-11-02 | 1 | -33/+59
This patch adds checks necessary before various types of images signing could proceed. The checks include verifying that Board ID flags and major version number match the image type.

Also, manifest modification for node locked images is enhanced by setting the least significant bit of the tag field to one. This will ensure that the prod key ladder is not available to node locked images even though they are signed with a prod key.

BRANCH=none
BUG=b:74100307
TEST=verified various cases by manually editing prod.json and signing_instructions.sh and observing results: either error messages or successful modification of the manifest and signing.
Change-Id: I0bc4a8acae1ca4e983999fd47e515c48786ded6c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1894848
* cr50_signing: add code to process node locked images | Vadim Bendebury | 2019-10-30 | 1 | -26/+85
| Node locked images signed by the builder will have to come from the
| factory branch and have version of 0.3.22. Signing manifest will be
| processed to insert Device ID values, remove Board ID values and set
| the top bit of config1.
|
| BRANCH=none
| BUG=b:74100307
| TEST=ran the script manually with proper input and verified that
|      manifest is processed as expected.
|
| Change-Id: Ib8cbe0f1ae31e79c3228a662c02231caeb901adc
| Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
| Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1880572
| Tested-by: George Engelbrecht <engeg@google.com>
| Reviewed-by: Ned Nguyen <nednguyen@google.com>
| Reviewed-by: George Engelbrecht <engeg@google.com>
| Commit-Queue: George Engelbrecht <engeg@google.com>
* OWNERS: engeg@ is owner. | LaMont Jones | 2019-10-29 | 1 | -1/+1
| BRANCH=None
| BUG=None
| TEST=None
|
| Change-Id: I6e10fd839e256454ce3671228116d8c3a9ec6092
| Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1888274
| Tested-by: LaMont Jones <lamontjones@chromium.org>
| Tested-by: George Engelbrecht <engeg@google.com>
| Auto-Submit: LaMont Jones <lamontjones@chromium.org>
| Reviewed-by: George Engelbrecht <engeg@google.com>
| Commit-Queue: George Engelbrecht <engeg@google.com>
* tofactory.sh: remove usage of "mosys vpd" command | Jack Rosenthal | 2019-10-26 | 1 | -6/+0
| No platforms support vpd in mosys anymore, so this will always fail.
| Drop the warning message and let the user extract it from the BIOS
| backup if they need.
|
| BUG=chromium:990438
| BRANCH=none
| TEST=verified no platform offers cmd_vpd in mosys
|
| Change-Id: I5550724f13120202775245cfd252c988edd5b21f
| Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
| Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1881473
| Reviewed-by: Mike Frysinger <vapier@chromium.org>
* vboot: standardize on "keyblock" as one word | Joel Kitching | 2019-10-23 | 1 | -1/+1
| Standardize on inconsistency between "keyblock" and "key block" both
| in code, comments, and textual output.
|
| BUG=b:124141368, chromium:968464
| TEST=make clean && make runtests
| BRANCH=none
|
| Change-Id: Ib8819a2426c1179286663f21f0d254f3de9d94a4
| Signed-off-by: Joel Kitching <kitching@google.com>
| Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1786385
| Tested-by: Joel Kitching <kitching@chromium.org>
| Reviewed-by: Joel Kitching <kitching@chromium.org>
| Commit-Queue: Joel Kitching <kitching@chromium.org>
* vboot: format hex numbers with %#x instead of 0x%x | Joel Kitching | 2019-10-23 | 1 | -1/+1
| Also standardize on using hex for printing ASCII key values across
| vboot_ui.c and vboot_ui_menu.c.
|
| BUG=b:124141368
| TEST=make clean && make runtests
| BRANCH=none
|
| Change-Id: Ib10288d95e29c248ebe807d99108aea75775b155
| Signed-off-by: Joel Kitching <kitching@google.com>
| Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1840191
| Reviewed-by: Joel Kitching <kitching@chromium.org>
| Tested-by: Joel Kitching <kitching@chromium.org>
| Commit-Queue: Joel Kitching <kitching@chromium.org>
* image_signing: drop set_chronos_password.sh | Mike Frysinger | 2019-09-20 | 1 | -56/+0
| We're dropping this from the signer, so drop it from here too.
| Nothing else has referred to it.
|
| BUG=None
| TEST=CQ passes
| BRANCH=None
|
| Change-Id: I855ef036b620082ec98af7aac8ea330ae472435a
| Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1814697
| Reviewed-by: George Engelbrecht <engeg@google.com>
| Commit-Queue: Mike Frysinger <vapier@chromium.org>
| Tested-by: Mike Frysinger <vapier@chromium.org>