diff options
author | Vadim Bendebury <vbendeb@chromium.org> | 2017-01-31 09:32:31 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-02-22 03:29:27 -0800 |
commit | 70b1752c313513f03ac94b695297f51afec4edb2 (patch) | |
tree | 9d5123212290f79ff19808b54663c49ecb5c992e | |
parent | 551e56ea061afe5c65db1413fa3abfdd05b43564 (diff) | |
download | chrome-ec-70b1752c313513f03ac94b695297f51afec4edb2.tar.gz |
g: use H1_DEVIDS as a trigger to use the fob for signing
Presently the CR50_DEV make variable is loaded: it enables debug
extensions in the produced cr50 image AND requires that the image is
signed with the key from the signing fob.
In fact these are two independent requirements: it is possible to use
an image built with CR50_DEV set for a dev H1 which does not require
fob signing.
A proper indication of the need to use the signing fob would be the
fact that H1_DEVIDS is defined, as it means a that node locked image
is being produced.
Images built without H1_DEVIDS set can be used on H1s which run with
the dev RO and as such do not need to be node locked, they are
signed with a well known key from util/signer/loader-testkey-A.pem.
This patch also tweaks passing the H1_DEVIDS variable to the shell
when altering the manifest. Without this tweak H1_DEVIDS definition as
make command line argument (as opposed to environment variable) was
not making it into the subshell invoked by make.
BRANCH=none
BUG=chrome-os-partner:62457
TEST=ran the following:
- built cr50 images with H1_DEVIDS defined in the environment and
in the command line, observed that the properly signed prod
image is produced (boots on a prod H1 in node locked mode).
- verified that adding CR50_DEV=1 to H1_DEVIDS in either
environment or the command line produces a properly signed
DEV image.
- verified that specifying CR50_DEV=1 alone in either environment
of command line produces a DEV image which does not require fob
signing.
Change-Id: Ied65a0bc50926aa5b6fa65e51805c2368522dcf2
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/434926
Reviewed-by: Randall Spangler <rspangler@chromium.org>
-rw-r--r-- | chip/g/build.mk | 20 |
1 files changed, 8 insertions, 12 deletions
diff --git a/chip/g/build.mk b/chip/g/build.mk index ffaf21e5ab..10415d1507 100644 --- a/chip/g/build.mk +++ b/chip/g/build.mk @@ -115,19 +115,22 @@ $(out)/$(PROJECT).obj: $(out)/RW/ec.RW_B.flat $(out)/RW/ec.RW_B.flat: $(out)/util/signer endif +ifneq ($(CR50_DEV),) +CPPFLAGS += -DCR50_DEV=1 +endif + CR50_RO_KEY ?= rom-testkey-A.pem -ifeq ($(CR50_DEV),) +ifeq ($(H1_DEVIDS),) CR50_RW_KEY = loader-testkey-A.pem SIGNER = $(out)/util/signer SIGNER_EXTRAS = +SIGNER_MANIFEST := util/signer/ec_RW-manifest-dev.json else -CPPFLAGS += -DCR50_DEV=1 SIGNER = $(HOME)/bin/codesigner CR50_RW_KEY = cr50_rom0-dev-blsign.pem.pub RW_SIGNER_EXTRAS = -x util/signer/fuses.xml ifneq ($(CHIP_MK_INCLUDED_ONCE),) -ifneq ($(H1_DEVIDS),) # # When building a node locked cr50 image for an H1 device with prod RO, the # manifest needs to be modifed to include the device ID of the chip the image @@ -141,23 +144,16 @@ ifneq ($(H1_DEVIDS),) # # H1_DEVIDS='<num 1> <num 2>' make ... # - SIGNER_MANIFEST := $(shell mktemp /tmp/h1.signer.XXXXXX) DUMMY := $(shell /bin/cp util/signer/ec_RW-manifest-dev.json $(SIGNER_MANIFEST)) REPLACEMENT := $(shell printf \ - '\\n \\"DEV_ID0\\": %d,\\n \\"DEV_ID1\\": %d,' $${H1_DEVIDS}) + '\\n \\"DEV_ID0\\": %d,\\n \\"DEV_ID1\\": %d,' $(H1_DEVIDS)) NODE_JSON := $(shell sed -i \ "s/\"fuses\": {/\"fuses\": {$(REPLACEMENT)/" $(SIGNER_MANIFEST)) -else # H1_DEVIDS ^^^^^ nonempty vvvvvv empty - -SIGNER_MANIFEST := util/signer/ec_RW-manifest-dev.json - -endif # H1_DEVIDS ^^^^^ empty - RW_SIGNER_EXTRAS += -j $(SIGNER_MANIFEST) endif # CHIP_MK_INCLUDED_ONCE defined -endif # CR50_DEV defined +endif # H1_DEVIDS defined # This file is included twice by the Makefile, once to determine the CHIP info |