From 350498f03a000e43a2a39100c7722997ba0db074 Mon Sep 17 00:00:00 2001 From: Reka Norman Date: Thu, 20 Apr 2023 15:50:06 +1000 Subject: sign_official_build: Add support for a second miniOS key For recovery images, if minios_kernel.v1.keyblock exists, sign - MINIOS-A with minios_kernel.v1.keyblock - MINIOS-B with minios_kernel.keyblock Otherwise, sign both with minios_kernel.keyblock. BRANCH=None BUG=b:266502803 TEST=- Run replace_recovery_key.sh in devkeys directory to get test keys - Run sign_official_build.sh on a nissa recovery image - Set recovery_key.v1.vbpubk in GBB and run recovery. After recovery completes, check NBR still works. - Repeat with recovery_key.vbpubk. Change-Id: I2336e5261ef24114c5fee302ed95b4dfa1f67c11 Signed-off-by: Reka Norman Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4452079 Tested-by: Reka Norman Commit-Queue: Reka Norman Reviewed-by: Julius Werner --- scripts/image_signing/sign_official_build.sh | 40 +++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index fbc844ce..102cb3b9 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -997,11 +997,12 @@ update_recovery_kernel_hash() { } # Re-sign miniOS kernels with new keys. -# Args: LOOPDEV KEYBLOCK PRIVKEY +# Args: LOOPDEV MINIOS_A_KEYBLOCK MINIOS_B_KEYBLOCK PRIVKEY resign_minios_kernels() { local loopdev="$1" - local keyblock="$2" - local priv_key="$3" + local minios_a_keyblock="$2" + local minios_b_keyblock="$3" + local priv_key="$4" info "Searching for miniOS kernels to resign..." 
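Review bot: `resign_minios_kernels` (hunk `@@ -997`) now reads four positional arguments but never checks how many it received, so a caller still using the old three-argument form would pass the private key path as MINIOS_B_KEYBLOCK and leave `priv_key` empty. Whether such callers exist outside this file cannot be seen from the diff, but a guard at the top of the function would catch it: `[[ $# -eq 4 ]] || { error "resign_minios_kernels: expected 4 args, got $#"; return 1; }`. The same applies to `sign_image_file` in hunk `@@ -1120`, which now takes thirteen positional arguments, and to its call sites in the later hunks, where an off-by-one in the list of `""` placeholders would shift the key arguments. The body of `resign_minios_kernels` continues outside this hunk.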
@@ -1013,6 +1014,16 @@ resign_minios_kernels() { continue fi + local keyblock + if [[ "${loop_minios}" == "${loopdev}p9" ]]; then + keyblock="${minios_a_keyblock}" + elif [[ "${loop_minios}" == "${loopdev}p10" ]]; then + keyblock="${minios_b_keyblock}" + else + error "Unexpected miniOS partition ${loop_minios}" + return 1 + fi + # Skip miniOS partitions which are empty. This happens when miniOS # kernels aren't written to the partitions because the feature is not # enabled. @@ -1098,7 +1109,7 @@ update_legacy_bootloader() { # Sign an image file with proper keys. # Args: IMAGE_TYPE INPUT OUTPUT DM_PARTNO KERN_A_KEYBLOCK KERN_A_PRIVKEY \ # KERN_B_KEYBLOCK KERN_B_PRIVKEY KERN_C_KEYBLOCK KERN_C_PRIVKEY \ -# MINIOS_KEYBLOCK MINIOS_PRIVKEY +# MINIOS_KEYBLOCK MINIOS_KEYBLOCK_V1 MINIOS_PRIVKEY # # A ChromiumOS image file (INPUT) always contains 2 partitions (kernel A & B). # This function will rebuild hash data by DM_PARTNO, resign kernel partitions by @@ -1120,7 +1131,8 @@ sign_image_file() { local kernC_keyblock="$9" local kernC_privkey="${10}" local minios_keyblock="${11}" - local minios_privkey="${12}" + local minios_keyblock_v1="${12}" + local minios_privkey="${13}" info "Preparing ${image_type} image..." cp --sparse=always "${input}" "${output}" 
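Review bot: In the `@@ -1013` hunk of `resign_minios_kernels`, the keyblock is chosen by comparing `loop_minios` with the literal suffixes `p9` and `p10`, and nothing nearby says which of those is MINIOS-A and which is MINIOS-B. From the commit message and the variable names, 9 is presumably MINIOS-A and 10 MINIOS-B; a comment above the `if`, such as `# Partition 9 is MINIOS-A, partition 10 is MINIOS-B.`, would let a reader check the key assignment against the disk layout. Failing closed in the `else` branch is the right behaviour for a signing path. The enclosing loop starts and ends outside the hunk.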
@@ -1206,12 +1218,23 @@ sign_image_file() { "${kernC_privkey}" fi fi + if [[ -n "${minios_keyblock}" ]]; then - if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \ - "${minios_privkey}"; then + # b/266502803: If it's a recovery image and minios_kernel.v1.keyblock + # exists, sign MINIOS-A with minios_kernel.v1.keyblock and MINIOS-B with + # minios_kernel.keyblock. Otherwise, sign both with minios_kernel.keyblock. + local miniosA_keyblock="${minios_keyblock}" + local miniosB_keyblock="${minios_keyblock}" + if [[ -f "${minios_keyblock_v1}" ]]; then + miniosA_keyblock="${minios_keyblock_v1}" + fi + + if ! resign_minios_kernels "${loopdev}" "${miniosA_keyblock}" \ + "${miniosB_keyblock}" "${minios_privkey}"; then return 1 fi fi + if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then # Error is already logged. return 1 @@ -1266,6 +1289,7 @@ if [[ "${TYPE}" == "base" ]]; then "" \ "" \ "${KEY_DIR}/minios_kernel.keyblock" \ + "" \ "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "recovery" ]]; then sign_image_file "recovery" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 4 \ @@ -1276,6 +1300,7 @@ elif [[ "${TYPE}" == "recovery" ]]; then "${KEY_DIR}/recovery_kernel.v1.keyblock" \ "${KEY_DIR}/recovery_kernel_data_key.vbprivk" \ "${KEY_DIR}/minios_kernel.keyblock" \ + "${KEY_DIR}/minios_kernel.v1.keyblock" \ "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "factory" ]]; then sign_image_file "factory_install" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \ @@ -1286,6 +1311,7 @@ elif [[ "${TYPE}" == "factory" ]]; then "" \ "" \ "" \ + "" \ "" elif [[ "${TYPE}" == "firmware" ]]; then if [[ -e "${KEY_DIR}/loem.ini" ]]; then -- cgit v1.2.1
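Review bot: In the `@@ -1206` hunk of `sign_image_file`, the `[[ -f "${minios_keyblock_v1}" ]]` test falls back silently, so a recovery keyset that lacks minios_kernel.v1.keyblock yields an image with both miniOS kernels signed by minios_kernel.keyblock and no record of that in the signing output. I would log the selection just before the `resign_minios_kernels` call, for example `info "miniOS keyblocks: A=${miniosA_keyblock} B=${miniosB_keyblock}"`, so a signing run shows which keyblock each partition received. The new comment says "if it's a recovery image", but the code never looks at `image_type`; it depends on the base and factory callers passing `""` for the v1 argument, which the comment should state. `sign_image_file` begins and ends outside this hunk.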