From ec6c5e657bffa23fe54e2caf0a3fee6fe8959c62 Mon Sep 17 00:00:00 2001 From: Vadim Bendebury Date: Thu, 2 Feb 2023 10:52:55 -0800 Subject: sing_official_build: do not attempt signing AP RO for guybrush Guybrush firmware archive pinned to ChromeOS firmware releases starting with 108 includes the uninitialized RO_GSCVD section, which causes signer failures. Fixing and qualifying the firmware is going to take a long time, as a workaround this patch adds a check for the keyset name, and does not attempt AP RO signing in case the keyset name includes the string 'guybrush', case insensitive. BRANCH=none BUG=b:263378945 TEST=downloaded a ChromeOS guybrush recovery image hromeOS-recovery-R108-15183.72.0-guybrush.tar.xz, extracted the binary and attempted to sign it by running ./scripts/image_signing/sign_official_build.sh base \ /recovery_image.bin ./test/devkeys /tmp/signed observed the expected message on the console: "Not looking for RO_GSCVD on guygrush, b/263378945" as well as successful firmware singing. The same invocation before this patch is applied is failing. Also verified that when singing a Nissa recovery image the AP RO verification section is signed as expected. Change-Id: Ifd93e3ebc8fc35e2ba29c7a364767e4414df051d Signed-off-by: Vadim Bendebury Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4217481 Reviewed-by: Raul Rangel Tested-by: Vadim Bendebury Reviewed-by: Mike Frysinger Commit-Queue: Vadim Bendebury
---
 scripts/image_signing/sign_official_build.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'scripts')
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 34258b3a..36033bca 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -461,6 +461,7 @@ resign_firmware_payload() {
 local key_suffix=''
 local extra_args=()
 local full_command=()
+ local board_name
 rootkey="${KEY_DIR}/root_key.vbpubk"
@@ -570,9 +571,14 @@ resign_firmware_payload() {
 echo "After setting GBB on ${bios_path}: md5 =" \
 $(md5sum ${bios_path} | awk '{print $1}')
- # Do not attempt AP RO verification signing if the image FMAP does not
- # include the RO_GSCVD section.
- if futility dump_fmap -p "${bios_path}" | grep -q RO_GSCVD; then
+ board_name="$(lsbval "${rootfs_dir}/etc/lsb-release" \
+ "CHROMEOS_RELEASE_BOARD")"
+
+ if [[ ${board_name} == "guybrush" ]]; then
+ echo "Not looking for RO_GSCVD on guygrush, b/263378945"
+ elif futility dump_fmap -p "${bios_path}" | grep -q RO_GSCVD; then
+ # Attempt AP RO verification signing only in case the FMAP includes
+ # the RO_GSCVD section.
 local arv_root
 if [[ -z ${brand_code} ]]; then
-- cgit v1.2.1
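Review bot: The new `[[ ${board_name} == "guybrush" ]]` test in the second hunk is an exact match on `CHROMEOS_RELEASE_BOARD` read from `${rootfs_dir}/etc/lsb-release`, while the commit message describes a case-insensitive substring match on the keyset name, so the exemption from AP RO verification signing does not have the scope the description gives it. Since this branch switches off a signing step, I would keep the narrow exact match, correct the description, and state the intent above the test with a comment such as `# TODO(b/263378945): drop this exemption once guybrush firmware carries an initialized RO_GSCVD section.` The log string is misspelled (`guygrush`), so a search of signer logs for the board name will miss every skipped image; it should read `echo "Not looking for RO_GSCVD on guybrush, b/263378945"`. An empty `board_name` appears to fall through to the FMAP check, which is the safe default, but how `lsbval` behaves on a missing file or key is not visible here and should be confirmed. `resign_firmware_payload` begins and ends outside the hunk.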