From e826e4c95913d8fc063de2fb7039992f642d3605 Mon Sep 17 00:00:00 2001 From: Reka Norman Date: Fri, 3 Mar 2023 11:39:53 +1100 Subject: sign_official_build: Don't sign miniOS kernels in factory shims Factory shims contain miniOS kernels, but they are not used, so don't sign them. They will remain in the image signed with dev keys. BRANCH=None BUG=None TEST=Run sign_official_build.sh on factory shim. Logs show miniOS kernels are not signed, and shim still boots. Change-Id: I4a1b72726edb7d780a3f2c2fe783f568a012ee77 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4321706 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4381007 Reviewed-by: Cheng Yueh Commit-Queue: Cheng Yueh Auto-Submit: Phoebe Wang Tested-by: Phoebe Wang
---
 scripts/image_signing/sign_official_build.sh | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index de73504a..896f2b13 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -1203,9 +1203,11 @@ sign_image_file() {
 "${kernC_privkey}"
 fi
 fi
- if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
- "${minios_privkey}"; then
- return 1
+ if [[ -n "${minios_keyblock}" ]]; then
+ if ! resign_minios_kernels "${loopdev}" "${minios_keyblock}" \
+ "${minios_privkey}"; then
+ return 1
+ fi
 fi
 if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then
 # Error is already logged.
@@ -1280,8 +1282,8 @@ elif [[ "${TYPE}" == "factory" ]]; then
 "${KEY_DIR}/installer_kernel_data_key.vbprivk" \
 "" \
 "" \
- "${KEY_DIR}/minios_kernel.keyblock" \
- "${KEY_DIR}/minios_kernel_data_key.vbprivk"
+ "" \
+ ""
 elif [[ "${TYPE}" == "firmware" ]]; then
 if [[ -e "${KEY_DIR}/loem.ini" ]]; then
 die "LOEM signing not implemented yet for firmware images"
-- cgit v1.2.1
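Review bot: The new guard `if [[ -n "${minios_keyblock}" ]]; then` in sign_image_file tests only the keyblock and skips without a message, so a caller that passes an empty keyblock by mistake leaves dev-key-signed miniOS kernels in an officially signed image with nothing in the log to show it. Test both arguments, `if [[ -n "${minios_keyblock}" && -n "${minios_privkey}" ]]; then`, and add an `else` branch that records the skip, for example `info "Not signing miniOS kernels: no miniOS keyblock given."` (assuming the script's usual logging helper is in scope at this point). A keyblock passed without a private key is probably better treated as a hard error than as a skip. The body of sign_image_file starts and ends outside the hunk.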
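Review bot: The factory branch now ends in four consecutive `""` positional arguments, and nothing at the call site says which pair stands for the miniOS keyblock and key or why they are empty. Those two empty strings are the only thing that keeps the shim's miniOS kernels dev-signed, so the reason belongs next to them, e.g. `# miniOS kernels in factory shims are not used; pass empty miniOS keys so they are left dev-signed.` The comment has to go above the call (presumably `sign_image_file`, which starts outside the hunk), because a comment cannot sit between backslash-continued arguments.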