From bea5f3a127755508289b09b034f1ed9f0a3c331f Mon Sep 17 00:00:00 2001
From: Furquan Shaikh <furquan@google.com>
Date: Tue, 4 Aug 2015 00:41:08 -0700
Subject: image_signing: Add tool for pkc_signing required on smaug

CQ-DEPEND=CL:*225267
BUG=chrome-os-partner:43572
BRANCH=None
TEST=sudo emerge vboot_reference installs nv_pkc_signing.sh in /usr/bin

Change-Id: I2b3803197c13f62ffe4e1d85de1c1ad5a72ef955
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/290473
Trybot-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
Commit-Queue: Furquan Shaikh <furquan@chromium.org>
---
 Makefile                                |  3 ++-
 scripts/image_signing/nv_pkc_signing.sh | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100755 scripts/image_signing/nv_pkc_signing.sh

diff --git a/Makefile b/Makefile
index 225097fc..17971155 100644
--- a/Makefile
+++ b/Makefile
@@ -589,7 +589,8 @@ SIGNING_SCRIPTS_DEV = \
 	scripts/image_signing/resign_firmwarefd.sh \
 	scripts/image_signing/make_dev_firmware.sh \
 	scripts/image_signing/make_dev_ssd.sh \
-	scripts/image_signing/set_gbb_flags.sh
+	scripts/image_signing/set_gbb_flags.sh \
+	scripts/image_signing/nv_pkc_signing.sh
 
 # Installed, but not made executable.
 SIGNING_COMMON = scripts/image_signing/common_minimal.sh
diff --git a/scripts/image_signing/nv_pkc_signing.sh b/scripts/image_signing/nv_pkc_signing.sh
new file mode 100755
index 00000000..9eae81f5
--- /dev/null
+++ b/scripts/image_signing/nv_pkc_signing.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set +e
+
+# If tools are not present, do not continue signing
+if [ ! type nv_tegrasign ] || [ ! type nv_bct_dump ] || [ ! type nv_cbootimage ]; then
+    exit 0
+fi
+
+bootloader_length=`nv_bct_dump $2  | grep "Bootloader\[0\]\.Length" | awk '{print$NF}' | cut -d';' -f1`
+block_size=`nv_bct_dump $2  | grep "BlockSize" | awk '{print$NF}' | cut -d';' -f1`
+start_block=`nv_bct_dump $2  | grep "Bootloader\[0\]\.Start block" | awk '{print$NF}' | cut -d';' -f1`
+bootloader_offset=$(($block_size * $start_block))
+
+# Sign bootloader
+nv_tegrasign --key $1/nv_pkc.privk --file $2 --offset $bootloader_offset --length $bootloader_length --pubkey pubkey.mod --out bl.sig
+cat >update_bl_sig.cfg <<EOF
+RsaKeyModulus = pubkey.mod;
+RsaPssSigBl = bl.sig;
+EOF
+nv_cbootimage -s tegra210 -u update_bl_sig.cfg $2 $2-bl-signed
+
+# Sign BCT
+bct_offset=`nv_bct_dump $2  | grep "Crypto offset" | awk '{print$NF}' | cut -d';' -f1`
+bct_length=`nv_bct_dump $2  | grep "Crypto length" | awk '{print$NF}' | cut -d';' -f1`
+nv_tegrasign --key $1/nv_pkc.privk --file $2-bl-signed --offset $bct_offset --length $bct_length --out bct.sig
+cat >update_bct_sig.cfg <<EOF
+RsaPssSigBct = bct.sig;
+EOF
+nv_cbootimage -s tegra210 -u update_bct_sig.cfg $2-bl-signed $2-bl-final
+
+cp $2-bl-final $2
+exit 0
-- 
cgit v1.2.1