author | Vadim Bendebury <vbendeb@chromium.org> | 2018-09-24 17:50:36 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-10-18 19:01:25 -0700 |
commit | f4d4224e4e3f0dd2137c9afcf08a5a949669a568 (patch) | |
tree | 7e9d436bbe4dbb14df78eb1bcef45aee2a7f5258 | |
parent | 2b837df5b8f363c3e224dab794ade7202843e410 (diff) | |
cr50 signer: do not verify RMA keys when signing factory image,
On rare occasions when a new chip factory image needs to be signed, do
not worry about the RMA keys curve and type, as Cr50 factory branch
does not know anything about RMA keys.
BRANCH=none
BUG=none
TEST=successfully signed a new 0.0.22 image.
Change-Id: I369794b4b96ba7eefba89e9d05108083e3d1ae32
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1242194
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
-rwxr-xr-x | util/signer/bs | 39 |
1 files changed, 28 insertions, 11 deletions
diff --git a/util/signer/bs b/util/signer/bs
index 4482dda761..c06d611ef0 100755
--- a/util/signer/bs
+++ b/util/signer/bs
@@ -250,7 +250,20 @@ if [[ -n "${do_prod}" && -n "${do_b1}" ]]; then
 exit 1
 fi
-rma_key_base="$(determine_rma_key_base ${elves[@]})"
+# If signing a chip factory image (version 0.0.22) do not try figuring out the
+# RMA keys.
+ignore_rma_keys="$(awk '
+ BEGIN {count = 0};
+ /"major": 0,/ {count += 1};
+ /"minor": 22,/ {count += 1};
+ END {{if (count == 2) {print "yes"};}}' \
+ "${EC_BIN_ROOT}/ec_RW-manifest-prod.json")"
+
+if [ "${ignore_rma_keys}" != "yes" ]; then
+ rma_key_base="$(determine_rma_key_base ${elves[@]})"
+else
+ echo "Ignofing RMA keys for factory branch"
+fi
 signer_command_params=()
 signer_command_params+=(--b -x ${EC_BIN_ROOT}/fuses.xml)
@@ -260,7 +273,9 @@ else
 cp "${EC_BIN_ROOT}/ec_RW-manifest-prod.json" "${tmpf}"
 signer_command_params+=(-k ${EC_BIN_ROOT}/cr50_RW-prod.pem.pub)
 # Swap test public RMA server key with the prod version.
- signer_command_params+=(-S "${rma_key_base}.test","${rma_key_base}.prod")
+ if [ "${ignore_rma_keys}" != "yes" ]; then
+ signer_command_params+=(-S "${rma_key_base}.test","${rma_key_base}.prod")
+ fi
 fi
 signer_command_params+=(-j ${tmpf})
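Review bot: The awk check that sets `ignore_rma_keys` adds both patterns into one `count`, so two lines matching `"major": 0,` (or two matching `"minor": 22,`) would also yield `yes` and switch off the RMA key handling for an image that is not 0.0.22. Tracking each field separately avoids that: `/"major": 0,/ {major = 1}; /"minor": 22,/ {minor = 1}; END {if (major && minor) print "yes"}`. The match is also tied to the manifest's exact spacing and trailing commas, and whether the manifest has other `major`/`minor` keys is not visible from this hunk, so a comment stating the expected layout would help. The message in the else branch has a typo (`Ignofing`) and goes to stdout without `${progname}`, unlike the diagnostics in the signing loop.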
@@ -291,16 +306,18 @@ for elf in ${elves[@]}; do
 exit 1
 fi
- if find_blob_in_blob "${signed_file}" "${rma_key_base}.test"; then
- echo "${progname}: test RMA key in the signed image!" >&2
- rm *."${dst_suffix}"
- exit 1
- fi
+ if [ "${ignore_rma_keys}" != "yes" ]; then
+ if find_blob_in_blob "${signed_file}" "${rma_key_base}.test"; then
+ echo "${progname}: test RMA key in the signed image!" >&2
+ rm *."${dst_suffix}"
+ exit 1
+ fi
- if ! find_blob_in_blob "${signed_file}" "${rma_key_base}.prod"; then
- echo "${progname}: prod RMA key not in the signed image!" >&2
- rm *."${dst_suffix}"
- exit 1
+ if ! find_blob_in_blob "${signed_file}" "${rma_key_base}.prod"; then
+ echo "${progname}: prod RMA key not in the signed image!" >&2
+ rm *."${dst_suffix}"
+ exit 1
+ fi
 fi
 : $(( count++ ))
 done |
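Review bot: When `ignore_rma_keys` is `yes` the loop now skips the test-key check as well as the prod-key check, and nothing in the per-image output records that. Since the first check is the guard against a test RMA key ending up in a prod-signed image, I would add an else branch that reports the skip for each file, e.g. `echo "${progname}: RMA key checks skipped for ${signed_file}" >&2`. The new tests use `[ ... ]` while the script's existing conditionals use `[[ ... ]]` (visible in the first hunk's header line); `[[ "${ignore_rma_keys}" != "yes" ]]` would match, here and in the two earlier hunks. The `for` loop starts above this hunk, so how `signed_file` is produced is not visible here.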