authorReka Norman <rekanorman@google.com>2023-03-03 11:39:53 +1100
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-03-29 08:19:53 +0000
commite826e4c95913d8fc063de2fb7039992f642d3605 (patch)
tree4b98a39763622d12267f3d1b0673b60891c24b92
parentee87680f3faf44ec76beec3e8227c2480208f5d0 (diff)
downloadvboot-e826e4c95913d8fc063de2fb7039992f642d3605.tar.gz
sign_official_build: Don't sign miniOS kernels in factory shims
Factory shims contain miniOS kernels, but they are not used, so don't sign them. They will remain in the image signed with dev keys. BRANCH=None BUG=None TEST=Run sign_official_build.sh on factory shim. Logs show miniOS kernels are not signed, and shim still boots. Change-Id: I4a1b72726edb7d780a3f2c2fe783f568a012ee77 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4321706 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4381007 Reviewed-by: Cheng Yueh <cyueh@chromium.org> Commit-Queue: Cheng Yueh <cyueh@chromium.org> Auto-Submit: Phoebe Wang <phoebewang@chromium.org> Tested-by: Phoebe Wang <phoebewang@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh12
1 files changed, 7 insertions, 5 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index de73504a..896f2b13 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -1203,9 +1203,11 @@ sign_image_file() {
"${kernC_privkey}"
fi
fi
- if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
- "${minios_privkey}"; then
- return 1
+ if [[ -n "${minios_keyblock}" ]]; then
+ if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
+ "${minios_privkey}"; then
+ return 1
+ fi
fi
if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then
# Error is already logged.
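Review bot: The new `[[ -n "${minios_keyblock}" ]]` guard in sign_image_file skips resign_minios_kernels without logging anything, so a signing run that leaves miniOS kernels on dev keys produces no record of that decision. An else branch with a line such as `info "Not re-signing miniOS kernels: no miniOS keyblock given"` would make the skip auditable (this assumes the script's usual `info` helper is in scope here). The guard also tests only the keyblock. A call with a keyblock but an empty `minios_privkey` still reaches resign_minios_kernels, whose handling of an empty key is not visible here, so a half-specified pair is better rejected with an error and `return 1` before the call. sign_image_file begins and ends outside this hunk.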
@@ -1280,8 +1282,8 @@ elif [[ "${TYPE}" == "factory" ]]; then
"${KEY_DIR}/installer_kernel_data_key.vbprivk" \
"" \
"" \
- "${KEY_DIR}/minios_kernel.keyblock" \
- "${KEY_DIR}/minios_kernel_data_key.vbprivk"
+ "" \
+ ""
elif [[ "${TYPE}" == "firmware" ]]; then
if [[ -e "${KEY_DIR}/loem.ini" ]]; then
die "LOEM signing not implemented yet for firmware images"
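Review bot: The two `""` arguments that replace the miniOS keyblock and private key in the factory branch look identical to the two empty arguments already above them, and nothing at the call site says that leaving the miniOS kernels dev-signed is deliberate. A comment ahead of the call would record the intent, e.g. `# miniOS kernels in factory shims are unused: pass empty miniOS keys so they stay dev-signed.` The call starts outside this hunk, so the comment belongs above its first line rather than inside the backslash-continued argument list.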