From c9c14da9bbc256618d11cfccac0bf72d0b524a21 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@chromium.org>
Date: Tue, 21 Jul 2020 05:15:50 -0400
Subject: image_signing: drop support for signing nvidia lp0_firmware

This was only used by smaug which went EOL a while ago and we've
already deleted supporting logic.

BUG=None
TEST=CQ passes
BRANCH=None

Change-Id: Ia639c7da3c70c62ee102f11d510ffaa928ab244a
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2309221
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
---
 scripts/image_signing/sign_firmware.sh       |  10 -
 scripts/image_signing/sign_nv_cbootimage.sh  | 262 ---------------------------
 scripts/image_signing/sign_official_build.sh |  18 --
 3 files changed, 290 deletions(-)
 delete mode 100755 scripts/image_signing/sign_nv_cbootimage.sh

diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh
index 54c3a4d9..0e7ac7c4 100755
--- a/scripts/image_signing/sign_firmware.sh
+++ b/scripts/image_signing/sign_firmware.sh
@@ -128,16 +128,6 @@ main() {
     sign_one
     gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" \
       "${key_dir}/root_key.vbpubk"
-
-    # Additional signing step for nVidia T210 SoC.
-    # Currently, cbootimage is unable to handle path with double slash.
-    if [[ -e ${key_dir}/nv_pkc.pem ]]; then
-      "${SCRIPT_DIR}/sign_nv_cbootimage.sh" \
-        "bootloader" \
-        "${key_dir%/}/nv_pkc.pem" \
-        "${out_firmware}" \
-        tegra210
-    fi
   fi
 }
 main "$@"
diff --git a/scripts/image_signing/sign_nv_cbootimage.sh b/scripts/image_signing/sign_nv_cbootimage.sh
deleted file mode 100755
index da978e84..00000000
--- a/scripts/image_signing/sign_nv_cbootimage.sh
+++ /dev/null
@@ -1,262 +0,0 @@
-#!/bin/bash
-# Copyright 2015 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# Wrapper script for signing firmware image using cbootimage.
-
-# Determine script directory.
-SCRIPT_DIR=$(dirname "$0")
-
-# Load common constants and variables.
-. "${SCRIPT_DIR}/common_minimal.sh"
-
-# Abort on error.
-set -e
-
-usage() {
-  cat<<EOF
-Usage: $0 <type> <pkc_key> <firmware_image> <soc>
-
-Signs <firmware_image> of <type> with <pkc_key> using cbootimage for <soc>.
-where type is one of
-      bootloader = sign bootloader image
-      lp0_firmware = sign lp0 firmware
-EOF
-  exit 1
-}
-
-# Signs bootloader image using pkc_key provided for given soc
-# Args: TYPE=bootloader PKC_KEY FIRMWARE_IMAGE SOC
-sign_bootloader() {
-  local type=$1
-  local pkc_key="$(readlink -f "$2")"
-  local firmware_image="$(readlink -f "$3")"
-  local soc=$4
-
-  local work_dir=$(make_temp_dir)
-  local config_file=$(make_temp_file)
-  local signed_fw=$(make_temp_file)
-
-  pushd "${work_dir}" >/dev/null
-
-  # Get bootloader length.
-  #
-  # Example:
-  # $ bct_dump image.fastboot.bin
-  # Version       = 0x00210001;
-  # BlockSize     = 0x00008000;
-  # ...
-  # ...
-  # # Bootloader[0].Length       = 69324;
-  # ...
-  # ...
-  #
-  # then, bl_length=69324 (size of bootloader that needs to be signed)
-  local bl_length=$(bct_dump "${firmware_image}" | \
-      sed -n '/Bootloader\[0\].Length/{ s/.*=\s*//; s/;//; p; q}')
-
-  # Extract bootloader to sign.
-  dd \
-    if="${firmware_image}" \
-    of="${signed_fw}.bl.tosig" \
-    count="${bl_length}" \
-    ibs=1 \
-    skip=32768 >/dev/null 2>&1
-
-  # Calculate rsa signature for bootloader.
-  openssl \
-    dgst -sha256 \
-    -sigopt rsa_padding_mode:pss \
-    -sigopt rsa_pss_saltlen:-1 \
-    -sign "${pkc_key}" \
-    -out "${signed_fw}.bl.sig" \
-    "${signed_fw}.bl.tosig"
-
-  # Update bootloader's rsa signature, aes hash and bct's aes hash.
-  echo "RsaPssSigBlFile = ${signed_fw}.bl.sig;" > "${config_file}"
-  echo "RehashBl;" >> "${config_file}"
-  cbootimage \
-    -s "${soc}" \
-    -u "${config_file}" \
-    "${firmware_image}" \
-    "${signed_fw}.tmp" >/dev/null
-
-  # Extract the part of bct which needs to be rsa signed.
-  dd \
-    if="${signed_fw}.tmp" \
-    of="${signed_fw}.bct.tosig" \
-    count=8944 \
-    ibs=1 \
-    skip=1296 >/dev/null 2>&1
-
-  # Calculate rsa signature for bct.
-  openssl \
-    dgst -sha256 \
-    -sigopt rsa_padding_mode:pss \
-    -sigopt rsa_pss_saltlen:-1 \
-    -sign "${pkc_key}" \
-    -out "${signed_fw}.bct.sig" \
-    "${signed_fw}.bct.tosig"
-
-  # Create public key modulus from key file.
-  openssl \
-    rsa -in "${pkc_key}" \
-    -noout \
-    -modulus \
-    -out "${signed_fw}.key.mod"
-
-  # Remove prefix.
-  cut \
-    -d= \
-    -f2 "${signed_fw}.key.mod" > "${signed_fw}.key.mod.tmp1"
-  dd \
-    if="${signed_fw}.key.mod.tmp1" \
-    of="${signed_fw}.key.mod.tmp" \
-    count=512 \
-    ibs=1 >/dev/null 2>&1
-
-  # Convert from hexdecimal to binary.
-  perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' \
-    < "${signed_fw}.key.mod.tmp" \
-    > "${signed_fw}.key.mod.bin"
-
-  # Update bct's rsa signature and modulus.
-  echo "RsaPssSigBctFile = ${signed_fw}.bct.sig;" > "${config_file}"
-  echo "RsaKeyModulusFile = ${signed_fw}.key.mod.bin;" >> "${config_file}"
-  cbootimage \
-    -s "${soc}" \
-    -u "${config_file}" \
-    "${signed_fw}.tmp" \
-    "${signed_fw}" >/dev/null
-
-  # Calculate hash of public key modulus.
-  objcopy \
-    -I binary \
-    --reverse-bytes=256 \
-    "${signed_fw}.key.mod.bin" \
-    "${signed_fw}.key.mod.bin.rev"
-  openssl \
-    dgst -sha256 \
-    -binary \
-    -out "${signed_fw}.key.sha" \
-    "${signed_fw}.key.mod.bin.rev"
-
-  popd >/dev/null
-
-  # Copy signed firmware image and public key hash to current directory..
-  mv "${signed_fw}" "${firmware_image}"
-  mv "${signed_fw}.key.sha" "${firmware_image}.pubkey.sha"
-}
-
-# Signs lp0 firmware image using pkc_key provided for given soc
-# Args: TYPE=lp0_firmware PKC_KEY FIRMWARE_IMAGE SOC
-sign_lp0_firmware() {
-  local type=$1
-  local pkc_key="$(readlink -f "$2")"
-  local firmware_image="$(readlink -f "$3")"
-  local soc=$4
-
-  local work_dir=$(make_temp_dir)
-  local signed_fw=$(make_temp_file)
-
-  pushd "${work_dir}" >/dev/null
-
-  cp "${firmware_image}" "${signed_fw}"
-
-  # Extract the part of the binary which needs to be signed.
-  dd \
-    if="${firmware_image}" \
-    of="${signed_fw}.tosig" \
-    ibs=1 \
-    skip=544 >/dev/null 2>&1
-
-  # Calculate rsa-pss signature.
-  openssl \
-    dgst -sha256 \
-    -sigopt rsa_padding_mode:pss \
-    -sigopt rsa_pss_saltlen:-1 \
-    -sign "${pkc_key}" \
-    -out "${signed_fw}.rsa.sig" \
-    "${signed_fw}.tosig"
-
-  # Reverse rsa signature to meet tegra soc ordering requirement.
-  objcopy \
-    -I binary \
-    --reverse-bytes=256 \
-    "${signed_fw}.rsa.sig" \
-    "${signed_fw}.rsa.sig.rev"
-
-  # Inject rsa-pss signature into the binary image's header.
-  dd \
-    if="${signed_fw}.rsa.sig.rev" \
-    of="${signed_fw}" \
-    count=256 \
-    obs=1 \
-    seek=288 \
-    conv=notrunc >/dev/null 2>&1
-
-  # Generate public key modulus from key file.
-  openssl \
-    rsa -in "${pkc_key}" \
-    -noout \
-    -modulus \
-    -out "${signed_fw}.key.mod"
-
-  # Remove prefix.
-  cut \
-    -d= \
-    -f2 "${signed_fw}.key.mod" > "${signed_fw}.key.mod.tmp1"
-
-  dd \
-    if="${signed_fw}.key.mod.tmp1" \
-    of="${signed_fw}.key.mod.tmp" \
-    count=512 \
-    ibs=1 >/dev/null 2>&1
-
-  # Convert from hexdecimal to binary.
-  perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' \
-    < "${signed_fw}.key.mod.tmp" \
-    > "${signed_fw}.key.mod.bin"
-
-  # Reverse byte order.
-  objcopy \
-    -I binary \
-    --reverse-bytes=256 \
-    "${signed_fw}.key.mod.bin" \
-    "${signed_fw}.key.mod.bin.rev"
-
-  # Inject public key modulus into the binary image's header.
-  dd \
-    if="${signed_fw}.key.mod.bin.rev" \
-    of="${signed_fw}" \
-    count=256 \
-    obs=1 \
-    seek=16 \
-    conv=notrunc >/dev/null 2>&1
-
-  popd >/dev/null
-  mv "${signed_fw}" "${firmware_image}"
-}
-
-main() {
-  if [[ $# -ne 4 ]]; then
-    usage
-  fi
-
-  local type=$1
-
-  case ${type} in
-    bootloader)
-      sign_bootloader "$@"
-      ;;
-    lp0_firmware)
-      sign_lp0_firmware "$@"
-      ;;
-    *)
-      usage
-      ;;
-  esac
-}
-
-main "$@"
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 3777032c..0d02fe34 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -37,7 +37,6 @@ where <type> is one of:
              firmware (sign a firmware image)
              usb  (sign an image to boot directly from USB)
              verify (verify an image including rootfs hashes)
-             nv_lp0_firmware (sign nvidia lp0 firmware)
              accessory_usbpd (sign USB-PD accessory firmware)
              accessory_rwsig (sign accessory RW firmware)
              cr50_firmware (sign a cr50 firmware image)
@@ -403,17 +402,6 @@ sign_firmware() {
   info "Signed firmware image output to ${image}"
 }
 
-# Sign nvidia lp0 firmware with the given keys.
-# Args: NV_LP0_FIRMWARE_IMAGE KEY_DIR
-sign_nv_lp0_firmware() {
-  local nv_lp0_fw_image=$1
-  local key_dir=$2
-
-  "${SCRIPT_DIR}/sign_nv_cbootimage.sh" "lp0_firmware" \
-      "${key_dir%/}/nv_pkc.pem" "${nv_lp0_fw_image}" "tegra210"
-  info "Signed nvidia lp0 firmware image output to ${nv_lp0_fw_image}"
-}
-
 # Sign a kernel in-place with the given keys.
 # Args: KERNEL_IMAGE KEY_DIR KERNEL_VERSION
 sign_kernel() {
@@ -1108,12 +1096,6 @@ elif [[ "${TYPE}" == "firmware" ]]; then
   fi
   cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
   sign_firmware ${OUTPUT_IMAGE} ${KEY_DIR} ${FIRMWARE_VERSION}
-elif [[ "${TYPE}" == "nv_lp0_firmware" ]]; then
-  if [[ -e "${KEY_DIR}/loem.ini" ]]; then
-    die "LOEM signing not implemented yet for nv_lp0_firmware images"
-  fi
-  cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
-  sign_nv_lp0_firmware "${OUTPUT_IMAGE}" "${KEY_DIR}"
 elif [[ "${TYPE}" == "kernel" ]]; then
   if [[ -e "${KEY_DIR}/loem.ini" ]]; then
     die "LOEM signing not implemented yet for kernel images"
-- 
cgit v1.2.1