sign_official_build: Add support for a second miniOS key

For recovery images, if minios_kernel.v1.keyblock exists, sign - MINIOS-A with minios_kernel.v1.keyblock - MINIOS-B with minios_kernel.keyblock Otherwise, sign both with minios_kernel.keyblock. BRANCH=None BUG=b:266502803 TEST=- Run replace_recovery_key.sh in devkeys directory to get test keys - Run sign_official_build.sh on a nissa recovery image - Set recovery_key.v1.vbpubk in GBB and run recovery. After recovery completes, check NBR still works. - Repeat with recovery_key.vbpubk. Change-Id: I2336e5261ef24114c5fee302ed95b4dfa1f67c11 Signed-off-by: Reka Norman <rekanorman@google.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4452079 Tested-by: Reka Norman <rekanorman@chromium.org> Commit-Queue: Reka Norman <rekanorman@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
author: Reka Norman <rekanorman@google.com> 2023-04-20 15:50:06 +1000
committer: Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> 2023-04-21 10:41:09 +0000
commit: 350498f03a000e43a2a39100c7722997ba0db074 (patch)
tree: 73c6e0d28201a6130815c93e1ed71651f6eb4d99
parent: 0b0a37ea56a90c0ff396f476adf3fd814af789cc (diff)
download: vboot-350498f03a000e43a2a39100c7722997ba0db074.tar.gz
1 files changed, 33 insertions, 7 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index fbc844ce..102cb3b9 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -997,11 +997,12 @@ update_recovery_kernel_hash() {
 }
 
 # Re-sign miniOS kernels with new keys.
-# Args: LOOPDEV KEYBLOCK PRIVKEY
+# Args: LOOPDEV MINIOS_A_KEYBLOCK MINIOS_B_KEYBLOCK PRIVKEY
 resign_minios_kernels() {
   local loopdev="$1"
-  local keyblock="$2"
-  local priv_key="$3"
+  local minios_a_keyblock="$2"
+  local minios_b_keyblock="$3"
+  local priv_key="$4"
 
   info "Searching for miniOS kernels to resign..."
 
@@ -1013,6 +1014,16 @@ resign_minios_kernels() {
       continue
     fi
 
+    local keyblock
+    if [[ "${loop_minios}" == "${loopdev}p9" ]]; then
+      keyblock="${minios_a_keyblock}"
+    elif [[ "${loop_minios}" == "${loopdev}p10" ]]; then
+      keyblock="${minios_b_keyblock}"
+    else
+      error "Unexpected miniOS partition ${loop_minios}"
+      return 1
+    fi
+
     # Skip miniOS partitions which are empty. This happens when miniOS
     # kernels aren't written to the partitions because the feature is not
     # enabled.
@@ -1098,7 +1109,7 @@ update_legacy_bootloader() {
 # Sign an image file with proper keys.
 # Args: IMAGE_TYPE INPUT OUTPUT DM_PARTNO KERN_A_KEYBLOCK KERN_A_PRIVKEY \
 #       KERN_B_KEYBLOCK KERN_B_PRIVKEY KERN_C_KEYBLOCK KERN_C_PRIVKEY \
-#       MINIOS_KEYBLOCK MINIOS_PRIVKEY
+#       MINIOS_KEYBLOCK MINIOS_KEYBLOCK_V1 MINIOS_PRIVKEY
 #
 # A ChromiumOS image file (INPUT) always contains 2 partitions (kernel A & B).
 # This function will rebuild hash data by DM_PARTNO, resign kernel partitions by
@@ -1120,7 +1131,8 @@ sign_image_file() {
   local kernC_keyblock="$9"
   local kernC_privkey="${10}"
   local minios_keyblock="${11}"
-  local minios_privkey="${12}"
+  local minios_keyblock_v1="${12}"
+  local minios_privkey="${13}"
 
   info "Preparing ${image_type} image..."
   cp --sparse=always "${input}" "${output}"
@@ -1206,12 +1218,23 @@ sign_image_file() {
         "${kernC_privkey}"
     fi
   fi
+
   if [[ -n "${minios_keyblock}" ]]; then
-    if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
-        "${minios_privkey}"; then
+    # b/266502803: If it's a recovery image and minios_kernel.v1.keyblock
+    # exists, sign MINIOS-A with minios_kernel.v1.keyblock and MINIOS-B with
+    # minios_kernel.keyblock. Otherwise, sign both with minios_kernel.keyblock.
+    local miniosA_keyblock="${minios_keyblock}"
+    local miniosB_keyblock="${minios_keyblock}"
+    if [[ -f "${minios_keyblock_v1}" ]]; then
+      miniosA_keyblock="${minios_keyblock_v1}"
+    fi
+
+    if ! resign_minios_kernels "${loopdev}" "${miniosA_keyblock}" \
+        "${miniosB_keyblock}" "${minios_privkey}"; then
       return 1
     fi
   fi
+
   if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then
     # Error is already logged.
     return 1
@@ -1266,6 +1289,7 @@ if [[ "${TYPE}" == "base" ]]; then
     "" \
     "" \
     "${KEY_DIR}/minios_kernel.keyblock" \
+    "" \
     "${KEY_DIR}/minios_kernel_data_key.vbprivk"
 elif [[ "${TYPE}" == "recovery" ]]; then
   sign_image_file "recovery" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 4 \
@@ -1276,6 +1300,7 @@ elif [[ "${TYPE}" == "recovery" ]]; then
     "${KEY_DIR}/recovery_kernel.v1.keyblock" \
     "${KEY_DIR}/recovery_kernel_data_key.vbprivk" \
     "${KEY_DIR}/minios_kernel.keyblock" \
+    "${KEY_DIR}/minios_kernel.v1.keyblock" \
     "${KEY_DIR}/minios_kernel_data_key.vbprivk"
 elif [[ "${TYPE}" == "factory" ]]; then
   sign_image_file "factory_install" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \
@@ -1286,6 +1311,7 @@ elif [[ "${TYPE}" == "factory" ]]; then
     "" \
     "" \
     "" \
+    "" \
     ""
 elif [[ "${TYPE}" == "firmware" ]]; then
   if [[ -e "${KEY_DIR}/loem.ini" ]]; then
author	Reka Norman <rekanorman@google.com>	2023-04-20 15:50:06 +1000
committer	Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>	2023-04-21 10:41:09 +0000
commit	350498f03a000e43a2a39100c7722997ba0db074 (patch)
tree	73c6e0d28201a6130815c93e1ed71651f6eb4d99
parent	0b0a37ea56a90c0ff396f476adf3fd814af789cc (diff)
download	vboot-350498f03a000e43a2a39100c7722997ba0db074.tar.gz