From 010630f18c8880b80e564fc6a0bcf8e5eb7f9de6 Mon Sep 17 00:00:00 2001 From: Hung-Te Lin Date: Wed, 10 Aug 2011 12:00:13 +0800 Subject: make_dev_firmware: handle developer firmware keyblock correctly We should detect keyblock from existing firmware and decide if a developer firmware keyblock should be used. BUG=chromium-os:18946 TEST=./make_dev_firmware.sh -f zgb.bin -t zgb_dev.bin # seeing Using keyblocks (developer, normal)... ./make_dev_firmware.sh -f mario.bin -t mario_dev.bin # seeing Using keyblocks (normal, normal)... ./make_dev_firmware.sh -f arm.bin -t arm_dev.bin # seeing Using keyblocks (normal, normal)... Change-Id: I74fa0db980e26a6a19a4393303e8c5b3260c84c7 Reviewed-on: http://gerrit.chromium.org/gerrit/5623 Tested-by: Hung-Te Lin Reviewed-by: Hung-Te Lin
---
 scripts/image_signing/make_dev_firmware.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh
index b2fa4fc9..db2a83e1 100755
--- a/scripts/image_signing/make_dev_firmware.sh
+++ b/scripts/image_signing/make_dev_firmware.sh
@@ -39,6 +39,7 @@ set -e
 # the image we are (temporary) working with
 IMAGE="$(make_temp_file)"
+IMAGE="$(readlink -f "$IMAGE")"
 # a log file to keep the output results of executed command
 EXEC_LOG="$(make_temp_file)"
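Review bot: The added `IMAGE="$(readlink -f "$IMAGE")"` carries no comment saying why the path is canonicalised, and the reason only becomes visible in the second hunk, where `dump_fmap -x "$IMAGE"` runs after a `cd` into a temporary directory. A one-line comment such as `# absolute path: main() reads $IMAGE after changing directory` would keep the line from being removed later as redundant. `readlink -f` is not offered by every readlink implementation, so this presumably assumes GNU coreutils on the host that runs the script.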
@@ -194,6 +195,34 @@ main() {
 cp -f "$IMAGE" "$backup_image"
 fi
+ debug_msg "Detecting developer firmware keyblock"
+ local expanded_firmware_dir="$(make_temp_dir)"
+ local use_devfw_keyblock="$FLAGS_FALSE"
+ (cd "$expanded_firmware_dir"; dump_fmap -x "$IMAGE" >/dev/null 2>&1) ||
+ err_die "Failed to extract firmware image."
+ if [ -f "$expanded_firmware_dir/VBLOCK_A" ]; then
+ local has_dev=$FLAGS_TRUE has_norm=$FLAGS_TRUE
+ # In output of vbutil_keyblock, "!DEV" means "bootable on normal mode" and
+ # "DEV" means "bootable on developer mode". Here we try to match the pattern
+ # in output of vbutil_block, and disable the flags (has_dev, has_norm) if
+ # the pattern was not found.
+ vbutil_keyblock --unpack "$expanded_firmware_dir/VBLOCK_A" |
+ grep -qw '!DEV' || has_norm=$FLAGS_FALSE
+ vbutil_keyblock --unpack "$expanded_firmware_dir/VBLOCK_A" |
+ grep -qw '[^!]DEV' || has_dev=$FLAGS_FALSE
+ if [ "$has_norm" = "$FLAGS_FALSE" -a "$has_dev" = "$FLAGS_TRUE" ]; then
+ use_devfw_keyblock=$FLAGS_TRUE
+ fi
+ fi
+
+ if [ "$use_devfw_keyblock" = "$FLAGS_TRUE" ]; then
+ echo "Using keyblocks (developer, normal)..."
+ else
+ echo "Using keyblocks (normal, normal)..."
+ dev_firmware_prvkey="$firmware_prvkey"
+ dev_firmware_keyblock="$firmware_keyblock"
+ fi
+
 # TODO(hungte) We can use vbutil_firmware to check if the current firmware is
 # valid so that we know keys and vbutil_firmware are all working fine.
--
cgit v1.2.1
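Review bot: The extraction step `(cd "$expanded_firmware_dir"; dump_fmap -x "$IMAGE" >/dev/null 2>&1)` joins `cd` and `dump_fmap` with `;`, and because the subshell is the left operand of `||`, `set -e` does not stop it when `cd` fails, so the image's sections would be unpacked into the directory the script was started from. `local expanded_firmware_dir="$(make_temp_dir)"` likewise hides a failing `make_temp_dir` behind the exit status of `local`. I would declare the variable first, assign it on its own line, and write `(cd "$expanded_firmware_dir" && dump_fmap -x "$IMAGE" >/dev/null 2>&1) ||`. Separately, when `vbutil_keyblock --unpack` itself fails, or `VBLOCK_A` is absent, both flags end up false or unchecked and the script silently settles on the (normal, normal) keyblocks; checking the tool's exit status before trusting the `grep` results would turn that case into an error instead of a quiet key choice. main() starts and ends outside this hunk.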