From 39b755ea1477d183c5eaa14947cb0ebb8373d8e4 Mon Sep 17 00:00:00 2001
From: Vadim Bendebury
Date: Thu, 16 May 2019 13:26:11 -0700
Subject: cr50: relax signature type verification for test runs

If the key file directory name includes string 'test' do not check if the image being signed has the prod RO.

BRANCH=none
BUG=b:74100307
TEST=manual

Change-Id: I3241d31f6612c1dc44c217958d74d4da784c5dfb
Signed-off-by: Vadim Bendebury
Reviewed-on: https://chromium-review.googlesource.com/1614793
Reviewed-by: LaMont Jones
---
 scripts/image_signing/sign_cr50_firmware.sh | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/scripts/image_signing/sign_cr50_firmware.sh b/scripts/image_signing/sign_cr50_firmware.sh
index 1616e49b..c87b3124 100755
--- a/scripts/image_signing/sign_cr50_firmware.sh
+++ b/scripts/image_signing/sign_cr50_firmware.sh
@@ -224,18 +224,28 @@ sign_rw() {
 # A very crude RO verification function. The key signature found at a fixed
 # offset into the RO blob must match the RO type. Prod keys have bit D2 set to
 # one, dev keys have this bit set to zero.
+#
+# The check is bypassed if the key file directory name includes string 'test'.
 verify_ro() {
- if [[ $# -ne 1 ]]; then
- die "Usage: verify_ro "
+ if [[ $# -ne 2 ]]; then
+ die "Usage: verify_ro "
 fi
 
 local ro_bin="$1"
+ local key_file="$2"
 local key_byte
+ local key_path
 
 if [[ ! -f "${ro_bin}" ]]; then
 die "${ro_bin} not a file!"
 fi
 
+ key_path="$(dirname "${key_file}")"
+ if [[ ${key_path##*/} == *"test"* ]]; then
+ info "Test run, ignoring key type verification"
+ return 0
+ fi
+
 # Key signature's lowest byte is byte #5 in the line at offset 0001a0.
 key_byte="$(od -Ax -t x1 -v "${ro_bin}" | awk '/0001a0/ {print $6}')"
 case "${key_byte}" in
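Review bot: The bypass condition `[[ ${key_path##*/} == *"test"* ]]` added to verify_ro is an unanchored substring match, so any key directory whose last path component merely contains those letters (a constructed example: `latest`) would skip the prod/dev RO key check and return 0. Because this test decides whether an RO with the wrong key type can proceed to signing, a delimited match would be safer, for instance `[[ ${key_path##*/} =~ (^|[-_.])test([-_.]|$) ]]`, assuming the test key directories are named with such separators (their naming is not visible here). The new header comment says "directory name", but only the final component of `dirname "${key_file}"` is examined; `# Only the last path component of the key file's directory is examined.` would make that explicit. The `case` on `key_byte` continues past the end of the hunk, so the rest of the function is not reviewed here.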
@@ -299,7 +309,7 @@ sign_cr50_firmware() {
 if ! objcopy -I ihex "${f}" -O binary "${temp_dir}/${count}.bin"; then
 die "Failed to convert ${f} from hex to bin"
 fi
- verify_ro "${temp_dir}/${count}.bin"
+ verify_ro "${temp_dir}/${count}.bin" "${key_file}"
 : $(( count++ ))
 done
 
-- 
cgit v1.2.1