author | Sergey Frolov <sfrolov@google.com> | 2021-07-22 00:44:10 +0000 |
---|---|---|
committer | Sergey Frolov <sfrolov@google.com> | 2021-07-22 00:58:29 +0000 |
commit | 2755840d372bf9b8ddbfe12ab7e34891cc129846 (patch) | |
tree | 8a21654baac268d15211fb3e8b9fc517f5eaac6f | |
parent | e355c9ea7e30775dc9698646339a4d9fe5fe3ee1 (diff) | |
Revert "vboot/sign_official_build: re-sign miniOS partitions" stabilize-14106.B
This reverts commit 43325cb9b2568c4a03c849f3474fcee8de3ae893.
Reason for revert: b/194293181 suspect
Original change's description:
> vboot/sign_official_build: re-sign miniOS partitions
>
> sign_official_build.sh needs to be taught how to re-sign miniOS
> partitions, depending on whether the particular image at hand
> contains them or not.
>
> BUG=b:188121855
> TEST=make clean && make runtests
> BRANCH=none
>
> Cq-Depend: chromium:3027786
> Signed-off-by: Joel Kitching <kitching@google.com>
> Change-Id: Iaf847e14588011dd0fea6b59405091ae36ef038f
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989640
> Tested-by: Joel Kitching <kitching@chromium.org>
> Reviewed-by: Mike Frysinger <vapier@chromium.org>
> Commit-Queue: Joel Kitching <kitching@chromium.org>
Bug: b:188121855
Change-Id: Ieb936a21d5ae09ed84eb65c9a3a3198a5b5b22a5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3044633
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Sergey Frolov <sfrolov@google.com>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 65 |
1 files changed, 3 insertions, 62 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 88c58d8d..92c9a3f3 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -15,8 +15,6 @@ # e2fsck # sha1sum -MINIOS_KERNEL_GUID="09845860-705f-4bb5-b16c-8a8a099caf52" - # Load common constants and variables. . "$(dirname "$0")/common.sh" @@ -887,49 +885,6 @@ update_recovery_kernel_hash() { --config ${new_kerna_config} } -# Re-sign miniOS kernels with new keys. -# Args: LOOPDEV KEYBLOCK PRIVKEY -resign_minios_kernels() { - local loopdev="$1" - local keyblock="$2" - local priv_key="$3" - - info "Searching for miniOS kernels to resign..." - - local loop_kern - for loop_kern in "${loopdev}p"*; do - local part_type_guid=$(sudo lsblk -rnb -o PARTTYPE "${loop_kern}") - if [[ "${part_type_guid}" != "${MINIOS_KERNEL_GUID}" ]]; then - continue - fi - - # Delay checking that keyblock and private key exist until we are certain - # of a valid miniOS partition. Images that don't support miniOS might not - # provide these. (This check is repeated twice, but that's okay.) - if [[ ! -e "${keyblock}" ]]; then - error "Resign miniOS: keyblock doesn't exist: ${keyblock}" - return 1 - fi - if [[ ! -e "${priv_key}" ]]; then - error "Resign miniOS: private key doesn't exist: ${priv_key}" - return 1 - fi - - # Assume this is a miniOS kernel. - local minios_kernel_version=$((KERNEL_VERSION >> 24)) - if sudo ${FUTILITY} vbutil_kernel --repack "${loop_kern}" \ - --keyblock "${keyblock}" \ - --signprivate "${priv_key}" \ - --version "${minios_kernel_version}" \ - --oldblob "${loop_kern}"; then - info "Resign miniOS ${loop_kern}: done" - else - error "Resign miniOS ${loop_kern}: failed" - return 1 - fi - done -} - # Update the legacy bootloader templates in EFI partition if available. # Args: LOOPDEV KERNEL update_legacy_bootloader() { 
@@ -977,7 +932,7 @@ update_legacy_bootloader() { # Sign an image file with proper keys. # Args: IMAGE_TYPE INPUT OUTPUT DM_PARTNO KERN_A_KEYBLOCK KERN_A_PRIVKEY \ -# KERN_B_KEYBLOCK KERN_B_PRIVKEY MINIOS_KEYBLOCK MINIOS_PRIVKEY +# KERN_B_KEYBLOCK KERN_B_PRIVKEY # # A ChromiumOS image file (INPUT) always contains 2 partitions (kernel A & B). # This function will rebuild hash data by DM_PARTNO, resign kernel partitions by @@ -994,8 +949,6 @@ sign_image_file() { local kernA_privkey="$6" local kernB_keyblock="$7" local kernB_privkey="$8" - local minios_keyblock="$9" - local minios_privkey="${10}" info "Preparing ${image_type} image..." cp --sparse=always "${input}" "${output}" @@ -1029,10 +982,6 @@ sign_image_file() { if [[ "${image_type}" == "recovery" ]]; then update_recovery_kernel_hash "${loopdev}" fi - if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \ - "${minios_privkey}"; then - return 1 - fi if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then # Error is already logged. return 1 
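Review bot: The header comment of sign_image_file still says an image "always contains 2 partitions (kernel A & B)" and, after this revert, no longer mentions miniOS kernel partitions at all, although the later hunks stop re-signing them. As far as these hunks show, an image that carries miniOS partitions now leaves the signer with those partitions keeping whatever signature they had on input, and nothing is logged about it. I would add a line to the comment such as `# NOTE: miniOS kernel partitions, if present, are NOT re-signed here (reverted, see b/194293181).` so that nobody assumes the whole image is covered by the official keys. The body of sign_image_file continues outside this hunk.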
@@ -1079,28 +1028,20 @@ info "Using kernel version: ${KERNEL_VERSION}" # Make all modifications on output copy. if [[ "${TYPE}" == "base" ]]; then sign_image_file "base" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \ - "${KEY_DIR}/kernel.keyblock" \ - "${KEY_DIR}/kernel_data_key.vbprivk" \ - "${KEY_DIR}/kernel.keyblock" \ - "${KEY_DIR}/kernel_data_key.vbprivk" \ - "${KEY_DIR}/minios_kernel.keyblock" \ - "${KEY_DIR}/minios_kernel_data_key.vbprivk" + "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" \ + "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" elif [[ "${TYPE}" == "recovery" ]]; then sign_image_file "recovery" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 4 \ "${KEY_DIR}/recovery_kernel.keyblock" \ "${KEY_DIR}/recovery_kernel_data_key.vbprivk" \ "${KEY_DIR}/kernel.keyblock" \ "${KEY_DIR}/kernel_data_key.vbprivk" - "${KEY_DIR}/minios_kernel.keyblock" \ - "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "factory" ]]; then sign_image_file "factory_install" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \ "${KEY_DIR}/installer_kernel.keyblock" \ "${KEY_DIR}/installer_kernel_data_key.vbprivk" \ "${KEY_DIR}/kernel.keyblock" \ "${KEY_DIR}/kernel_data_key.vbprivk" - "${KEY_DIR}/minios_kernel.keyblock" \ - "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "firmware" ]]; then if [[ -e "${KEY_DIR}/loem.ini" ]]; then die "LOEM signing not implemented yet for firmware images" |
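Review bot: The `base` call now packs two key paths per line while the `recovery` and `factory` calls keep one per line; one argument per line in all three would make a missing trailing `\` easier to spot. That matters here: on the removed lines, the `recovery` and `factory` calls appear to have no `\` after `"${KEY_DIR}/kernel_data_key.vbprivk"`, so the two miniOS key paths would have been parsed as a separate command rather than as arguments 9 and 10. If the change is relanded those continuations need fixing. Provided every caller passes exactly eight arguments, a guard at the top of sign_image_file (outside this hunk), e.g. `[[ $# -eq 8 ]] || die "sign_image_file: expected 8 arguments, got $#"`, would catch a dropped continuation before any image is modified.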