From 6fde161e4cb24f5a2659b0c40676eaa5d8f77ca6 Mon Sep 17 00:00:00 2001
From: Nicholas Bishop <nicholasbishop@google.com>
Date: Tue, 21 Mar 2023 18:24:09 -0400
Subject: sign_official_build: Fix is-reven check

The `get_is_reven` function added in https://crrev.com/c/4206907 was too
restrictive. When run by the signer, the board name has been modified
from "reven" to "reven-signed-mp-v2keys". Change the condition to accept
either `reven` or `reven-signed*` (note the glob). Allowing plain
"reven" is not strictly necessary, but useful for local testing.

Tested the updated function by building a reven base image, then making
variants with different CHROMEOS_RELEASE_BOARD values: "reven",
"reven-signed-mp-v2keys", and "revenator". Running
`sign_official_build.sh` on them shows that the first two are identified
as reven, and the last one is not. This can be seen by checking if
boot*.efi is signed or not, since that should not happen for reven.

BRANCH=none
BUG=b:274648121
TEST=See above
TEST=FEATURES=test emerge-reven vboot_reference

Change-Id: I099abf372b71ea3e064e91a57c5e8888de298028
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4358400
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4381012
Tested-by: Phoebe Wang <phoebewang@chromium.org>
Reviewed-by: Cheng Yueh <cyueh@chromium.org>
Auto-Submit: Phoebe Wang <phoebewang@chromium.org>
Commit-Queue: Cheng Yueh <cyueh@chromium.org>
---
 scripts/image_signing/sign_official_build.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 896f2b13..fbc844ce 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -782,7 +782,10 @@ get_is_reven() {
 
   sudo umount "${rootfs_dir}"
 
-  if [[ "${board}" == "reven" ]]; then
+  # When run by the signer, the board name will look like
+  # "reven-signed-mp-v2keys". Also accept plain "reven" for local
+  # testing.
+  if [[ "${board}" == "reven-signed"* || "${board}" == "reven" ]]; then
     echo "true"
   else
     echo "false"
-- 
cgit v1.2.1