diff options
author | Robert Zieba <robertzieba@google.com> | 2022-08-26 10:25:28 -0600 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-09-01 00:07:02 +0000 |
commit | 3ebd8a091dac53aaf7d62779b663dd7beca4f87d (patch) | |
tree | d1ad6ef595b4c1066f29adabcc9ab2b442d9663e /scripts | |
parent | 49820c727819ca566c65efa0525a8022f07cc27e (diff) | |
download | vboot-3ebd8a091dac53aaf7d62779b663dd7beca4f87d.tar.gz |
scripts/image_signing/ensure_amd_psp_flags: Ignore non-AMD images
This commit updates the `ensure_amd_psp_flags` script so that it will
ignore any artifacts that do not contain valid AMD AP images as long as
there are no soft-fuse bitsets present for the given board. This allows
all logic to be contained within this script.
BRANCH=none
BUG=b:202397678
TEST=Verified that script still works on AMD artifacts, tested that
Intel and ARM artifacts are ignored
Change-Id: I17a9414a36fbeb4a0ae9792c2e036deccd089870
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3860383
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/image_signing/ensure_amd_psp_flags.sh | 37 |
1 files changed, 27 insertions, 10 deletions
diff --git a/scripts/image_signing/ensure_amd_psp_flags.sh b/scripts/image_signing/ensure_amd_psp_flags.sh index c3472a3c..6c4f07e9 100755 --- a/scripts/image_signing/ensure_amd_psp_flags.sh +++ b/scripts/image_signing/ensure_amd_psp_flags.sh @@ -60,6 +60,32 @@ main() { firmware_bundle="${rootfs}/usr/sbin/chromeos-firmwareupdate" shellball_dir="$(make_temp_dir)" + # Extract our firmware. + if ! extract_firmware_bundle "${firmware_bundle}" "${shellball_dir}"; then + die "Failed to extract firmware bundle" + fi + + # Find our images. + declare -a images + readarray -t images < <(find "${shellball_dir}" -iname 'bios-*') + + # Validate that all our AP FW images are AMD images. + local image + for image in "${images[@]}"; do + # With no args, amdfwread will just attempt to validate the FW header. + # On non-AMD FW this will fail, allowing us to skip non-AMD FW images. + if ! amdfwread "${image}" &> /dev/null; then + if [[ ! -v "REQUIRED_BIT_MASKS[${board}]" && + ! -v "FORBIDDEN_BIT_MASKS[${board}]" ]]; then + # If we have an invalid FW image and don't have bitsets for this board + # then this isn't an AMD board, exit successfully. + exit 0 + else + die "Found invalid AMD AP FW image" + fi + fi + done + # Get the board specific bit masks. local required_bit_mask forbidden_bit_mask @@ -74,16 +100,7 @@ main() { required_bit_mask="${REQUIRED_BIT_MASKS[${board}]}" forbidden_bit_mask="${FORBIDDEN_BIT_MASKS[${board}]}" - # Extract our firmware. - if ! extract_firmware_bundle "${firmware_bundle}" "${shellball_dir}"; then - die "Failed to extract firmware bundle" - fi - - # Find our images and check the soft-fuse bits in each. - declare -a images - readarray -t images < <(find "${shellball_dir}" -iname 'bios-*') - - local image + # Check the soft-fuse bits for image in "${images[@]}"; do local soft_fuse soft_fuse_output forbidden_set missing_set if ! soft_fuse_output="$(amdfwread --soft-fuse "${image}")"; then |