From 1196aa05d438b440f6e690204f6fe5cd9bbf2290 Mon Sep 17 00:00:00 2001
From: Furquan Shaikh
Date: Mon, 31 Aug 2015 11:30:42 -0700
Subject: sign_firmware: Add nv_pkc_signing step if required

If nv_pkc.pem file is present for a device, use nv_pkc_signing for adding PKC signature in the firmware image.

BUG=chrome-os-partner:44227
BRANCH=None
TEST=unittests run fine. verified image boots on fused system.

Change-Id: I9b2f48da55137a0e4a75f23d16d3779be1aa94c8
Signed-off-by: Furquan Shaikh
Reviewed-on: https://chromium-review.googlesource.com/296452
Commit-Ready: Furquan Shaikh
Tested-by: Furquan Shaikh
Reviewed-by: Mike Frysinger
---
 scripts/image_signing/sign_firmware.sh | 10 +++++
 scripts/image_signing/sign_nv_cbootimage.sh | 66 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100755 scripts/image_signing/sign_nv_cbootimage.sh
diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh
index 7b9ac944..349988cc 100755
--- a/scripts/image_signing/sign_firmware.sh
+++ b/scripts/image_signing/sign_firmware.sh
@@ -123,6 +123,16 @@ main() {
 sign_one gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" \
 "${key_dir}/root_key.vbpubk"
+
+ # Additional signing step for nVidia T210 SoC.
+ # Currently, cbootimage is unable to handle path with double slash.
+ if [[ -e ${key_dir}/nv_pkc.pem ]]; then
+ "${SCRIPT_DIR}/sign_nv_cbootimage.sh" \
+ "bootloader" \
+ "${key_dir%/}/nv_pkc.pem" \
+ "${out_firmware}" \
+ tegra210
+ fi
 fi
 }
 main "$@"
diff --git a/scripts/image_signing/sign_nv_cbootimage.sh b/scripts/image_signing/sign_nv_cbootimage.sh
new file mode 100755
index 00000000..890ca6a9
--- /dev/null
+++ b/scripts/image_signing/sign_nv_cbootimage.sh
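Review bot: The new `if [[ -e ${key_dir}/nv_pkc.pem ]]` block in sign_firmware.sh does not check the result of `sign_nv_cbootimage.sh`, and whether this script runs under `set -e` is not visible in the hunk; if it does not, a failed PKC signing step would leave `${out_firmware}` without the PKC signature while main() still reports success. Making the failure explicit is a one-token change: end the call with `tegra210 || exit 1`. The existence test would also be tighter as `[[ -f "${key_dir%/}/nv_pkc.pem" ]]`, which checks the same path that is passed to the helper and rejects a directory of that name. main() begins outside the hunk.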
@@ -0,0 +1,66 @@
+#!/bin/bash
+# Copyright 2015 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Wrapper script for signing firmware image using cbootimage.
+
+# Determine script directory.
+SCRIPT_DIR=$(dirname "$0")
+
+# Load common constants and variables.
+. "${SCRIPT_DIR}/common_minimal.sh"
+
+# Abort on error.
+set -e
+
+usage() {
+ cat<
+
+Signs of with using cbootimage for .
+where type is one of
+ bootloader = sign bootloader image
+EOF
+ exit 1
+}
+
+main() {
+ if [[ $# -ne 4 ]]; then
+ usage
+ fi
+
+ local type=$1
+ local pkc_key="$(readlink -f "$2")"
+ local firmware_image="$(readlink -f "$3")"
+ local soc=$4
+
+ local work_dir=$(make_temp_dir)
+ local signed_fw=$(make_temp_file)
+
+ if [[ "${type}" == "bootloader" ]]; then
+
+ pushd "${work_dir}" >/dev/null
+
+ cat >update.cfg </dev/null
+ # Copy signed firmware image and public key hash to current directory.
+ mv "${work_dir}/pubkey.sha" "${firmware_image}.pubkey.sha"
+ mv "${signed_fw}" "${firmware_image}"
+
+ else
+ usage
+ fi
+}
+
+main "$@"
--
cgit v1.2.1
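Review bot: The four `local var=$(...)` assignments in main() hide the exit status of `readlink -f`, `make_temp_dir` and `make_temp_file`, because `local` itself returns 0 and the script's `set -e` never sees the failure. An empty `pkc_key`, `firmware_image` or `work_dir` could then flow into the later steps; for example, with an empty `firmware_image` the first `mv` would target `.pubkey.sha` in the current directory. Declare first and assign afterwards, e.g. `local pkc_key firmware_image work_dir signed_fw` followed by `pkc_key=$(readlink -f "$2")` and the other three assignments, and reject a missing key early with `[[ -f "${pkc_key}" ]] || usage`. The heredoc bodies and the cbootimage invocation appear to be missing from this rendering of the hunk, so the signing command itself could not be reviewed here.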