From 26b1d8ae64e8354c445f687adad718cb00a7bc8a Mon Sep 17 00:00:00 2001 From: Vadim Bendebury Date: Tue, 6 Dec 2016 10:37:28 -0800 Subject: cr50: add image signing script This is a 'semi official' utility script which re-signs previously generated CR50 RW images. By default the script uses ec.RW.elf and ec.RW_B.elf in build/cr50/RW as inputs and util/signer/ec_RW-manifest-dev.json as the manifest, and places the newly signed images into build/cr50/ec.bin. The only outside dependency of this script is the signing utility itself, which is expected to be available as $HOME/bin/codesighner. The following command line options are accepted: b1 - generate signature for the b1 version of the H1 chip elves - sign the supplied elf files instead of the default ones. Handy if the builder generated files need to be signed help - print this message hex - generate hex output instead of binary prod - sign with prod key (no debug image will be signed) When invoked with 'hex' as a command line parameter, the script just re-signs the supplied elf files and places them in 0.signed.hex and 1.signed.hex in the current directory. This script also allows to sign dev images for running on prod RO. To do that invoke this script as follows: H1_DEVIDS=' " ${progname} [other options, if any] where are values reported by sysinfo command in the DEV_ID: line when ran on the CR50 for which the image is built. BRANCH=none BUG=chrome-os-partner:57956 TEST=manual tried signing dev and prod images, including sighing a dev image to run on a prod device. All cases succeeded. Change-Id: I879c4a08503a19a0c440b141aa1fd6b29cc70bf7 Signed-off-by: Vadim Bendebury Reviewed-on: https://chromium-review.googlesource.com/417221 Reviewed-by: Bill Richardson --- util/signer/bs | 166 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100755 util/signer/bs (limited to 'util/signer') diff --git a/util/signer/bs b/util/signer/bs new file mode 100755 index 0000000000..b97f26036a --- /dev/null +++ b/util/signer/bs @@ -0,0 +1,166 @@ +#!/bin/bash + +# +# Copyright 2016 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. +# +# This script is a utility which allows to create differently signed CR50 +# images from different sources. +# +set -e +set -u + +progname=$(basename $0) + +tmpf="/tmp/bs_manifest.$$" +trap "{ rm -rf [01].flat ${tmpf} ; }" EXIT + +usage() { + local rv="${1}" + cat < - sign the supplied elf files instead of the default + ones. Handy if the builder generated files need to be signed + help - print this message + hex - generate hex output instead of binary (place in 0.signed.hex and + 1.signed.hex in the local directory) + prod - sign with prod key (no debug image will be signed) + +This script also allows to sign dev images for running on prod RO. To do that +invoke this script as follows: + + H1_DEVIDS=' ' ${progname} [other options, if any] + +where are values reported by sysinfo command in the +DEV_ID: line when run on the CR50 for which the image is built. + +The same values can be obtained in the lsusb command output: + + lsusb -vd 18d1:5014 | grep -i serial + +note that the lsusb reported values are in hex and need to be prefixed with +0x. + +EOF + exit "${rv}" +} + +# This is the suggested location of the codesigner utility. +BIN_ROOT="${HOME}/bin" + +# This is where the new signed image will be pasted into. +RESULT_FILE="build/cr50/ec.bin" + +if [ -z "${CROS_WORKON_SRCROOT}" ]; then + echo "$(basename $0): This script must run inside Chrome OS chroot" >&2 + exit 1 +fi + +H1_DEVIDS=${H1_DEVIDS:=} +EC_ROOT="${CROS_WORKON_SRCROOT}/src/platform/ec" +EC_BIN_ROOT="${EC_ROOT}/util/signer" + +do_hex= +do_b1= +do_prod= + +# Prepare the default manifest. +cp "${EC_BIN_ROOT}/ec_RW-manifest-dev.json" "${tmpf}" + +elves=( build/cr50/RW/ec.RW.elf build/cr50/RW/ec.RW_B.elf ) +cd "${EC_ROOT}" +while (( "$#" )); do + param="${1}" + case $param in + (hex) do_hex='true';; + (b1) + do_b1='true' + sed -i 's/\(.*FW_DEFINED_DATA_BLK0.*\): 2/\1: 0/' "${tmpf}" + ;; + (elves) + if [ -z "${2}" -o -z "${3}" ]; then + echo "two elf file names are required" 2>&1 + exit 1 + fi + elves=( $2 $3 ) + shift + shift + ;; + (prod) + do_prod='true' + ;; + (help) + usage 0 + ;; + (*) + usage 1 + ;; + esac + shift +done + +if [ -z "${do_hex}" -a ! -f "${RESULT_FILE}" ]; then + echo "${RESULT_FILE} not found. Run 'make BOARD=cr50' first" >& 2 + exit 1 +fi + +if [ -n "${do_prod}" -a -n "${do_b1}" ]; then + echo "can not build prod images for B1, sorry..." + exit 1 +fi + +signer_command_params='' +signer_command_params=" -x ${EC_BIN_ROOT}/fuses.xml" +if [ -z "${do_prod}" ]; then + signer_command_params+=" -k ${EC_BIN_ROOT}/cr50_rom0-dev-blsign.pem.pub" +else + cp "${EC_BIN_ROOT}/ec_RW-manifest-prod.json" "${tmpf}" + signer_command_params+=" -k ${EC_BIN_ROOT}/cr50_RW-prod.pem.pub" +fi +signer_command_params+=" -j ${tmpf}" + +if [ -n "${do_hex}" ]; then + dst_suffix='signed.hex' +else + signer_command_params+=' --format=bin' + dst_suffix='flat' +fi + +if [ -z "${do_prod}" -a -n "${H1_DEVIDS}" ]; then + echo "creating a customized DEV image for DEV IDS ${H1_DEVIDS}" + sub=$(printf "\\\n \"DEV_ID0\": %d,\\\n \"DEV_ID1\": %d," ${H1_DEVIDS}) + sed -i "s/\"fuses\": {/\"fuses\": {${sub}/" "${tmpf}" +fi + +count=0 +for elf in ${elves[@]}; do + if [ -n "${do_prod}" ]; then + if grep -q "DEV/cr50" "${elf}"; then + echo "Will not sign debug image with prod keys" >&2 + exit 1 + fi + fi + sudo ${BIN_ROOT}/codesigner ${signer_command_params} \ + -i ${elf} -o "${count}.${dst_suffix}" + count=$(( count + 1 )) +done + +if [ -n "${do_hex}" ]; then + exit 0 # Hex RW images generated. +fi + +# Now paste the newly signed blobs into the output image. +dd if="0.flat" of="${RESULT_FILE}" seek=16384 bs=1 conv=notrunc +dd if="1.flat" of="${RESULT_FILE}" seek=278528 bs=1 conv=notrunc +sudo rm [01].flat -- cgit v1.2.1