author Vadim Bendebury <vbendeb@chromium.org> 2016-02-05 15:01:07 -0800
committer chrome-bot <chrome-bot@chromium.org> 2016-02-08 12:09:06 -0800
commit c17c447a2574273e9baecacac5d1d827eb16ca3c
tree c775bf25cbe3ffd8b6812e45724b855b513750bc
parent d6c6dc51507d4eb5a1ac7a67920e5ab944e8b8b5
cr50: provide plumbing for prod mode RO signing
Creating bootloader for the chip involves signing the image with an 'air gap' - some physical presence action is required. We don't want this to be required when the builder is building cr50 for test purposes.

The solution is to keep using the dummy private key when building by default, and invoking make differently when building an image which would be accepted by the hardware.

Setting CR50_RO_KEY variable in the environment or in the make command line will cause the signer to use the value of this variable as the name of the file containing the key to use for signing the RO image. Should this file be a public key, the signer will stop and look for a fob containing the matching private key, and will stream the RO image through the fob for signing.

Using the fob requires that the signer runs under sudo, but we do not want the generated files to belong to root; some more code is added to change the generated files' ownership to user running the make.

BRANCH=none
BUG=chrome-os-partner:49950
TEST=ran the following tests:
  - verified that the build still succeeds by default.
  - invoked make as follows:
      CR50_RO_KEY=cr50_rom0-dev-blsign.pem.pub make BOARD=cr50
    observed the signer stop to wait for the user to interact with the USB fob and proceed. Made sure that the generated image runs successfully on the evaluation board.
  - verified that 'make BOARD=cr50 clean' still works (i.e. none of the generated files is owned by root).

Change-Id: I733ec6386c1dfd838d83d22fb589fa64e5eeaced
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/326484
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
-rw-r--r-- Makefile.rules 8
-rw-r--r-- chip/g/build.mk 2
2 files changed, 6 insertions, 4 deletions
diff --git a/Makefile.rules b/Makefile.rules
index 1f776303ff..050d932e81 100644
--- a/Makefile.rules
+++ b/Makefile.rules
@@ -41,9 +41,9 @@ cmd_flat_to_obj = $(CC) -T $(out)/firmware_image.lds -nostdlib $(CPPFLAGS) \
# Allow the .roshared section to overlap other sections (itself)
cmd_ec_elf_to_flat ?= $(OBJCOPY) --set-section-flags .roshared=share \
-O binary $< $@
-cmd_elf_to_signed ?= $(out)/util/signer --key=util/signer/$(3).pem \
+cmd_elf_to_signed ?= sudo $(out)/util/signer --key=util/signer/$(3) \
--input=$< --format=bin --output=$@.signed \
- && mv $@.signed $@
+ && sudo chown $(shell whoami) $@.signed && mv $@.signed $@
cmd_elf_to_dis = $(OBJDUMP) -D $< > $@
cmd_elf_to_hex = $(OBJCOPY) -O ihex $< $@
cmd_bin_to_hex = $(OBJCOPY) -I binary -O ihex \
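Review bot: the `sudo` prefix on the new `cmd_elf_to_signed` line is unconditional, so every signing step now runs the signer as root, including the default build with the dummy private key, where the commit message says no fob is involved. Consider prefixing `sudo` only when the selected key file is a public key, so that test builds need neither root nor a password prompt on the builder. Two smaller points on the same line: `sudo chown $(shell whoami) $@.signed` resolves to root when make itself is started under sudo, and if the chown step fails the root-owned `$@.signed` is left in the output directory, so removing it on failure would keep later non-root builds and cleans working.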
@@ -222,10 +222,10 @@ $(out)/RO/%.hex: $(out)/RO/%.elf $(out)/RO/%.smap
$(call quiet,elf_to_hex,OBJCOPY)
else
$(out)/RO/%.flat: $(out)/RO/%.elf $(out)/RO/%.smap
- $(call quiet,elf_to_signed,RO_SIGN,rom-testkey-A)
+ $(call quiet,elf_to_signed,RO_SIGN,$(CR50_RO_KEY))
$(out)/RW/%.flat: $(out)/RW/%.elf $(out)/RW/%.smap
- $(call quiet,elf_to_signed,RW_SIGN,loader-testkey-A)
+ $(call quiet,elf_to_signed,RW_SIGN,loader-testkey-A.pem)
$(out)/RO/%.hex: $(out)/RO/%.flat
$(call quiet,bin_to_hex,OBJCOPY)
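Review bot: in the RO rule, `$(CR50_RO_KEY)` is taken from the environment or the make command line and ends up unquoted in `--key=util/signer/$(3)`, which after this change is part of a command line run under sudo. Quote the argument and check before invoking the signer that `util/signer/$(CR50_RO_KEY)` names an existing file, stopping with a clear error otherwise. The RW rule keeps the hard-coded `loader-testkey-A.pem`; a one-line comment stating that RW signing intentionally stays on the test key would make the asymmetry with the RO rule explicit.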
diff --git a/chip/g/build.mk b/chip/g/build.mk
index 11246a7fed..6db09c1307 100644
--- a/chip/g/build.mk
+++ b/chip/g/build.mk
@@ -78,3 +78,5 @@ ifneq ($(CONFIG_RW_B),)
$(out)/$(PROJECT).obj: $(out)/RW/ec.RW_B.flat
$(out)/RW/ec.RW_B.flat: $(out)/util/signer
endif
+
+CR50_RO_KEY ?= rom-testkey-A.pem
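Review bot: the added `CR50_RO_KEY ?= rom-testkey-A.pem` line has no comment, so nothing in the tree says that the value is a file name relative to util/signer, or that pointing it at a public key switches the signer to fob signing; please document that next to the assignment. Because `?=` yields to the environment, a CR50_RO_KEY left exported in a developer's shell changes the RO signing key without any indication, so printing the key file in use during the RO_SIGN step would make the choice visible in the build log. Also note that the default is set in chip/g/build.mk while the variable is consumed in Makefile.rules; if that rule can be reached without this file being included, `$(3)` expands to nothing and `--key` points at the util/signer directory.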