diff options
author | Reka Norman <rekanorman@google.com> | 2023-04-20 15:50:06 +1000 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-04-21 10:41:09 +0000 |
commit | 350498f03a000e43a2a39100c7722997ba0db074 (patch) | |
tree | 73c6e0d28201a6130815c93e1ed71651f6eb4d99 | |
parent | 0b0a37ea56a90c0ff396f476adf3fd814af789cc (diff) | |
download | vboot-350498f03a000e43a2a39100c7722997ba0db074.tar.gz |
sign_official_build: Add support for a second miniOS key
For recovery images, if minios_kernel.v1.keyblock exists, sign
- MINIOS-A with minios_kernel.v1.keyblock
- MINIOS-B with minios_kernel.keyblock
Otherwise, sign both with minios_kernel.keyblock.
BRANCH=None
BUG=b:266502803
TEST=- Run replace_recovery_key.sh in devkeys directory to get test keys
- Run sign_official_build.sh on a nissa recovery image
- Set recovery_key.v1.vbpubk in GBB and run recovery. After recovery
completes, check NBR still works.
- Repeat with recovery_key.vbpubk.
Change-Id: I2336e5261ef24114c5fee302ed95b4dfa1f67c11
Signed-off-by: Reka Norman <rekanorman@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4452079
Tested-by: Reka Norman <rekanorman@chromium.org>
Commit-Queue: Reka Norman <rekanorman@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 40 |
1 files changed, 33 insertions, 7 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index fbc844ce..102cb3b9 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -997,11 +997,12 @@ update_recovery_kernel_hash() { } # Re-sign miniOS kernels with new keys. -# Args: LOOPDEV KEYBLOCK PRIVKEY +# Args: LOOPDEV MINIOS_A_KEYBLOCK MINIOS_B_KEYBLOCK PRIVKEY resign_minios_kernels() { local loopdev="$1" - local keyblock="$2" - local priv_key="$3" + local minios_a_keyblock="$2" + local minios_b_keyblock="$3" + local priv_key="$4" info "Searching for miniOS kernels to resign..." @@ -1013,6 +1014,16 @@ resign_minios_kernels() { continue fi + local keyblock + if [[ "${loop_minios}" == "${loopdev}p9" ]]; then + keyblock="${minios_a_keyblock}" + elif [[ "${loop_minios}" == "${loopdev}p10" ]]; then + keyblock="${minios_b_keyblock}" + else + error "Unexpected miniOS partition ${loop_minios}" + return 1 + fi + # Skip miniOS partitions which are empty. This happens when miniOS # kernels aren't written to the partitions because the feature is not # enabled. @@ -1098,7 +1109,7 @@ update_legacy_bootloader() { # Sign an image file with proper keys. # Args: IMAGE_TYPE INPUT OUTPUT DM_PARTNO KERN_A_KEYBLOCK KERN_A_PRIVKEY \ # KERN_B_KEYBLOCK KERN_B_PRIVKEY KERN_C_KEYBLOCK KERN_C_PRIVKEY \ -# MINIOS_KEYBLOCK MINIOS_PRIVKEY +# MINIOS_KEYBLOCK MINIOS_KEYBLOCK_V1 MINIOS_PRIVKEY # # A ChromiumOS image file (INPUT) always contains 2 partitions (kernel A & B). # This function will rebuild hash data by DM_PARTNO, resign kernel partitions by @@ -1120,7 +1131,8 @@ sign_image_file() { local kernC_keyblock="$9" local kernC_privkey="${10}" local minios_keyblock="${11}" - local minios_privkey="${12}" + local minios_keyblock_v1="${12}" + local minios_privkey="${13}" info "Preparing ${image_type} image..." cp --sparse=always "${input}" "${output}" @@ -1206,12 +1218,23 @@ sign_image_file() { "${kernC_privkey}" fi fi + if [[ -n "${minios_keyblock}" ]]; then - if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \ - "${minios_privkey}"; then + # b/266502803: If it's a recovery image and minios_kernel.v1.keyblock + # exists, sign MINIOS-A with minios_kernel.v1.keyblock and MINIOS-B with + # minios_kernel.keyblock. Otherwise, sign both with minios_kernel.keyblock. + local miniosA_keyblock="${minios_keyblock}" + local miniosB_keyblock="${minios_keyblock}" + if [[ -f "${minios_keyblock_v1}" ]]; then + miniosA_keyblock="${minios_keyblock_v1}" + fi + + if ! resign_minios_kernels "${loopdev}" "${miniosA_keyblock}" \ + "${miniosB_keyblock}" "${minios_privkey}"; then return 1 fi fi + if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then # Error is already logged. return 1 @@ -1266,6 +1289,7 @@ if [[ "${TYPE}" == "base" ]]; then "" \ "" \ "${KEY_DIR}/minios_kernel.keyblock" \ + "" \ "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "recovery" ]]; then sign_image_file "recovery" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 4 \ @@ -1276,6 +1300,7 @@ elif [[ "${TYPE}" == "recovery" ]]; then "${KEY_DIR}/recovery_kernel.v1.keyblock" \ "${KEY_DIR}/recovery_kernel_data_key.vbprivk" \ "${KEY_DIR}/minios_kernel.keyblock" \ + "${KEY_DIR}/minios_kernel.v1.keyblock" \ "${KEY_DIR}/minios_kernel_data_key.vbprivk" elif [[ "${TYPE}" == "factory" ]]; then sign_image_file "factory_install" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \ @@ -1286,6 +1311,7 @@ elif [[ "${TYPE}" == "factory" ]]; then "" \ "" \ "" \ + "" \ "" elif [[ "${TYPE}" == "firmware" ]]; then if [[ -e "${KEY_DIR}/loem.ini" ]]; then |