From 45e3021c409cd4cf7c09077c5693c1054ebd4a40 Mon Sep 17 00:00:00 2001 From: Furquan Shaikh Date: Fri, 11 Sep 2015 16:05:37 -0700 Subject: sign_official_build: support signing 'recovery_kernel' image type BRANCH=None BUG=chrome-os-partner:44227 TEST='sign_official_build.sh recovery_kernel boot.img keys boot.img.recovery-signed' works fine and able to boot in locked recovery mode using fastboot boot. Change-Id: Iabde28bb2068b8294fc3d03f2f771c63368ecbb5 Signed-off-by: Furquan Shaikh Reviewed-on: https://chromium-review.googlesource.com/300250 Commit-Ready: Furquan Shaikh Tested-by: Furquan Shaikh Reviewed-by: David Riley --- scripts/image_signing/sign_official_build.sh | 31 ++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index f3def18a..72d4f58b 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -32,6 +32,7 @@ where is one of: install (old alias to "factory") update_payload (sign a delta update hash) kernel (sign a kernel image) + recovery_kernel (sign a recovery_kernel image) firmware (sign a firmware image) usb (sign an image to boot directly from USB) verify (verify an image including rootfs hashes) @@ -483,6 +484,29 @@ sign_kernel() { echo "Signed kernel image output to ${image}" } +# Sign a recovery kernel in-place with the given keys. +# Args: KERNEL_IMAGE KEY_DIR KERNEL_VERSION +sign_recovery_kernel() { + local image=$1 + local key_dir=$2 + local kernel_version=$3 + + # Note: Although vbutil_kernel may correctly handle specifying the same + # output file as the input file, we do not want to rely on it correctly + # handing that. Hence, the use of a temporary file. + local temp_kernel=$(make_temp_file) + + # Resign the kernel with new recovery keys. + vbutil_kernel --repack "${temp_kernel}" \ + --keyblock "${key_dir}/recovery_kernel.keyblock" \ + --signprivate "${key_dir}/recovery_kernel_data_key.vbprivk" \ + --version "${kernel_version}" \ + --oldblob "${image}" + + mv "${temp_kernel}" "${image}" + echo "Signed recovery_kernel image output to ${image}" +} + # Sign a delta update payload (usually created by paygen). # Args: INPUT_IMAGE KEY_DIR OUTPUT_IMAGE sign_update_payload() { @@ -793,6 +817,13 @@ elif [[ "${TYPE}" == "kernel" ]]; then fi cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" sign_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}" +elif [[ "${TYPE}" == "recovery_kernel" ]]; then + if [[ -e "${KEY_DIR}/loem.ini" ]]; then + echo "LOEM signing not implemented yet for recovery_kernel images" + exit 1 + fi + cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" + sign_recovery_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}" elif [[ "${TYPE}" == "update_payload" ]]; then sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE} else -- cgit v1.2.1