diff options
author | C Shapiro <shapiroc@chromium.org> | 2017-08-22 11:40:23 -0600 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-08-23 08:02:12 -0700 |
commit | 509339ce2b7499ccb90331ab6910b87d0f9889a5 (patch) | |
tree | ae383dbba8fb40b45db2a3dfcf15b0cfabf7ac25 | |
parent | 93f1142d7a7bbee5c1bb551d197ce1e4c2c2ef87 (diff) | |
download | vboot-509339ce2b7499ccb90331ab6910b87d0f9889a5.tar.gz |
[unibuild] Support for unibuild firmware signing
For design context, see go/cros-unibuild-signing
This adds support for multiple, shared firmware images from a unified
build that needs to be signed with different OEM specific keys.
It uses a signer_config.csv file (that is generated by pack_firmware.py)
to determine which images need to be signed with which keys.
BUG=b:64842314
TEST=./build_image --board=coral dev
&& ./mod_image_for_recovery.sh --board=coral
&& ~/trunk/src/platform/vboot_reference/scripts/image_signing/sign_official_build.sh
recovery ../build/images/coral/latest/recovery_image.bin
../platform/vboot_reference/tests/devkeys
BRANCH=None
Change-Id: Id3711bbe73dfe652184bc046b5f642c30b8d1627
Reviewed-on: https://chromium-review.googlesource.com/626718
Commit-Ready: C Shapiro <shapiroc@google.com>
Tested-by: C Shapiro <shapiroc@google.com>
Reviewed-by: C Shapiro <shapiroc@google.com>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 96 |
1 files changed, 95 insertions, 1 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 579c581b..cf0b3345 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -20,6 +20,9 @@ # Load common constants and variables. . "$(dirname "$0")/common.sh" +# Which futility to run? +[ -z "${FUTILITY}" ] && FUTILITY=futility + # Print usage string usage() { cat <<EOF @@ -544,7 +547,98 @@ resign_firmware_payload() { fi info "Found a valid firmware update shellball." - if [[ -d "${shellball_dir}/models" ]]; then + # For context on signing firmware for unified builds, see: + # go/cros-unibuild-signing + # + # This iterates over a signer_config.csv file, which contains the following: + # model_name,image,key_id (header) + # santa,models/santa/bios.bin,SOME_OEM (sample line) + # + # This dictates the keys that should be used for which models and images. + # + # It reuses the LOEM architecture already existing in the signer keysets, + # but this could be revisited at a future date. + # + # Within signer_config.csv, it used the key_id column to match the key + # value in loem.ini (if present) and signs the corresponding firmware + # image using that key. + # + # For output, it uses the model name for the signed vblocks, which is then + # detected/used by the firmware updater script. + local signer_config="${shellball_dir}/signer_config.csv" + if [[ -e "${signer_config}" ]]; then + info "Using signer_config.csv to determine firmware signatures" + info "See go/cros-unibuild-signing for details" + { + read # Burn the first line (header line) + while IFS="," read -r model_name image key_id + do + local key_suffix='' + + # If there are OEM specific keys available, we're going to use them. + # Otherwise, we're going to ignore key_id from the config file and + # just use the common keys present in the keyset. + # Regardless, a model specific vblock will be generated, which the + # updater script will be looking for. + if [[ -e "${KEY_DIR}/loem.ini" ]]; then + # loem.ini has the format KEY_ID_VALUE = KEY_INDEX + local key_index="$(grep '[0-9]\+ = ${key_id}' ${KEY_DIR}/loem.ini " \ + "| cut -d ' ' -f 1)" + if [[ -z "${key_index}" ]]; then + die "Failed to find key_id ${key_id} in loem.ini file for model " \ + "${model_name}" + fi + key_suffix=".loem${key_index}" + fi + + info "Signing firmware image ${image} for model ${model_name} " \ + "with key suffix ${key_suffix}" + + local temp_fw=$(make_temp_file) + + local signprivate="${KEY_DIR}/firmware_data_key${key_suffix}.vbprivk" + local keyblock="${KEY_DIR}/firmware${key_suffix}.keyblock" + local devsign="${KEY_DIR}/dev_firmware_data_key${key_suffix}.vbprivk" + local devkeyblock="${KEY_DIR}/dev_firmware${key_suffix}.keyblock" + + if [ ! -e "${devsign}" ] || [ ! -e "${devkeyblock}" ] ; then + echo "No dev firmware keyblock/datakey found. Reusing normal keys." + devsign="${signprivate}" + devkeyblock="${keyblock}" + fi + + mkdir -p "${shellball_dir}/keyset" + local image_path="${shellball_dir}/${image}" + ${FUTILITY} sign \ + --signprivate "${signprivate}" \ + --keyblock "${keyblock}" \ + --devsign "${devsign}" \ + --devkeyblock "${devkeyblock}" \ + --kernelkey "${KEY_DIR}/kernel_subkey.vbpubk" \ + --version "${FIRMWARE_VERSION}" \ + --loemdir "${shellball_dir}/keyset" \ + --loemid "${model_name}" \ + ${image_path} \ + ${temp_fw} + + rootkey="${KEY_DIR}/root_key${key_suffix}.vbpubk" + + # For development phases, when the GBB can be updated still, set the + # recovery and root keys in the image. + ${FUTILITY} gbb \ + -s \ + --recoverykey="${KEY_DIR}/recovery_key.vbpubk" \ + --rootkey="${rootkey}" \ + "${temp_fw}" \ + "${image_path}" + + info "Signed firmware image output to ${image_path}" + done + unset IFS + } < "${signer_config}" + # TODO(shapiroc): Delete this case once the build is migrated to use + # signer_config.csv + elif [[ -d "${shellball_dir}/models" ]]; then info "Signing firmware for all of the models in the unified build." local model_dir for model_dir in "${shellball_dir}"/models/*; do |