From 42d23c664dbd1334c82b48b504b7d8499955963d Mon Sep 17 00:00:00 2001 From: Gaurav Shah Date: Mon, 5 Dec 2011 15:43:44 -0800 Subject: sign_official_build: Use sign_firmware.sh for in-place firmware signing. We recently fixed a bug in the sign_firmware.sh script to perform root key replacement after signing FWA and FWB to allow resign_firmwarefd.sh to correctly determine the preamble flag to use. As it turns out, the sign_official_build.sh script used by the signer for in-place firmware re-signing was using a different code path (by directly calling resign_firmwarefd.sh). This change makes sign_official_build script call sign_firmware.sh instead. BUG=chrome-os-partner:6874 TEST=tried signing a vanilla lumpy image with and without the fix, and observed the value of preamble flag used. Change-Id: Icffb1d86fbe44f69e444da51fe251ad3427635c6 Reviewed-on: https://gerrit.chromium.org/gerrit/12471 Reviewed-by: Duncan Laurie Tested-by: Gaurav Shah --- scripts/image_signing/sign_official_build.sh | 32 ++++++++-------------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 2ab05796..cc3d6af0 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -325,29 +325,15 @@ resign_firmware_payload() { echo "Found a valid firmware update shellball." temp_outfd=$(make_temp_file) - # Replace the root key in the GBB. - # TODO(gauravsh): Remove when we lock down the R/O portion of firmware. - if [ -e "${KEY_DIR}/hwid" ]; then - # Only update the hwid if we see one in the key directory. - gbb_utility -s \ - --rootkey=${KEY_DIR}/root_key.vbpubk \ - --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ - --hwid="$(cat ${KEY_DIR}/hwid)" \ - ${shellball_dir}/bios.bin ${temp_outfd} - else - gbb_utility -s \ - --rootkey=${KEY_DIR}/root_key.vbpubk \ - --recoverykey=${KEY_DIR}/recovery_key.vbpubk \ - ${shellball_dir}/bios.bin ${temp_outfd} - fi - # Resign the firmware with new keys. - ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \ - ${KEY_DIR}/firmware_data_key.vbprivk \ - ${KEY_DIR}/firmware.keyblock \ - ${KEY_DIR}/dev_firmware_data_key.vbprivk \ - ${KEY_DIR}/dev_firmware.keyblock \ - ${KEY_DIR}/kernel_subkey.vbpubk \ - ${FIRMWARE_VERSION} + # Resign the firmware with new keys, also replacing the root and recovery + # public keys in the GBB. + ${SCRIPT_DIR}/sign_firmware.sh ${shellball_dir}/bios.bin ${KEY_DIR} \ + ${temp_outfd} + # Note: Although sign_firmware.sh may correctly handle specifying the same + # output file as the input file, we do not want to rely on it correctly + # handing that. Hence, the use of a temporary file. + cp ${temp_outfd} ${shellball_dir}/bios.bin + local signer_notes="${shellball_dir}/VERSION.signer" echo "" >"$signer_notes" echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"$signer_notes" -- cgit v1.2.1