If found, sign the packaged firmware autoupdate.
Previously this was hidden behind an environment variable. With this change, the signing script will always try to sign the firmware update if found. If not, it will still perform the remaining steps (rootfs calculation, kernel partition signature etc.).
Also fixed a few minor bugs with the firmware update code.
BUG=chrome-os-partner:925, chrome-os:3496
TEST=created a ToT semi-official build, and ran the signing script on the image. Verified that the firmware got correctly updated (by running chromeos-firmwareupdate on the device). Also tested on images without the packaged firmware update.
Change-Id: I0921ce36a880e18167a8e3a2b63d8f246693d488
Review URL: http://codereview.chromium.org/3292016
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 8bf6d6c..6d66ce9 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -162,8 +162,12 @@
get_firmwarebin_from_shellball() {
local input=$1
local output_dir=$2
- uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
- echo "Extracting firmware autoupdate failed." && exit 1
+ if [ -s "${input}" ]; then
+ uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
+ { echo "Extracting firmware autoupdate failed." && exit 1; }
+ else
+ return 1
+ fi
}
# Re-sign the firmware AU payload inside the image rootfs with a new keys.
@@ -176,19 +180,32 @@
mount_image_partition ${image} 3 ${rootfs_dir}
local shellball_dir=$(make_temp_dir)
+ # get_firmwarebin_from_shellball can fail if the image has no
+ # firmware update.
get_firmwarebin_from_shellball \
- ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir}
+ ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \
+ { echo "Didn't find a firmware update. Not signing firmware."
+ return; }
+ echo "Found a valid firmware update shellball."
temp_outfd=$(make_temp_file)
# Replace the root key in the GBB
# TODO(gauravsh): Remove when we lock down the R/O portion of firmware.
- gbb_utility -s \
- --rootkey=${KEY_DIR}/root_key.vbpubk \
- --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
- ${shellball_dir}/bios.bin ${temp_outfd}
-
+ if [ -e "${KEY_DIR}/hwid" ]; then
+ # Only update the hwid if we see one in the key directory.
+ gbb_utility -s \
+ --rootkey=${KEY_DIR}/root_key.vbpubk \
+ --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+ --hwid="$(cat ${KEY_DIR}/hwid)" \
+ ${shellball_dir}/bios.bin ${temp_outfd}
+ else
+ gbb_utility -s \
+ --rootkey=${KEY_DIR}/root_key.vbpubk \
+ --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+ ${shellball_dir}/bios.bin ${temp_outfd}
+ fi
# Resign the firmware with new keys
- ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \
+ ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
${KEY_DIR}/firmware_data_key.vbprivk \
${KEY_DIR}/firmware.keyblock \
${KEY_DIR}/kernel_subkey.vbpubk
@@ -271,7 +288,7 @@
${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
${KEY_DIR}/kernel_data_key.vbprivk \
${KEY_DIR}/kernel.keyblock
- echo "Output signed SSD image to ${OUTPUT_IMAGE}"
+ echo "Signed SSD image output to ${OUTPUT_IMAGE}"
}
# Generate the USB (recovery + install) image
@@ -293,7 +310,7 @@
mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir}
sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock
- echo "Output signed recovery image to ${OUTPUT_IMAGE}"
+ echo "Signed recovery image output to ${OUTPUT_IMAGE}"
}
# Generate the factory install image.
@@ -301,39 +318,36 @@
${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
${KEY_DIR}/recovery_kernel_data_key.vbprivk \
${KEY_DIR}/installer_kernel.keyblock
- echo "Output signed factory install image to ${OUTPUT_IMAGE}"
+ echo "Signed factory install image output to ${OUTPUT_IMAGE}"
}
-# Firmware payload signing hidden behind a flag until it actually makes
-# it into the image.
-if [ "${FW_UPDATE}" == "1" ]; then
- resign_firmware_payload ${INPUT_IMAGE}
-fi
-
# Verification
if [ "${TYPE}" == "verify" ]; then
verify_image
exit 1
fi
-
# Signing requires an output image name
if [ -z "${OUTPUT_IMAGE}" ]; then
usage
exit 1
fi
+
if [ "${TYPE}" == "ssd" ]; then
+ resign_firmware_payload ${INPUT_IMAGE}
update_rootfs_hash ${INPUT_IMAGE} \
${KEY_DIR}/kernel.keyblock \
${KEY_DIR}/kernel_data_key.vbprivk
sign_for_ssd
elif [ "${TYPE}" == "recovery" ]; then
+ resign_firmware_payload ${INPUT_IMAGE}
update_rootfs_hash ${INPUT_IMAGE} \
${KEY_DIR}/recovery_kernel.keyblock \
${KEY_DIR}/recovery_kernel_data_key.vbprivk
sign_for_recovery
elif [ "${TYPE}" == "install" ]; then
+ resign_firmware_payload ${INPUT_IMAGE}
update_rootfs_hash ${INPUT_IMAGE} \
${KEY_DIR}/installer_kernel.keyblock \
${KEY_DIR}/recovery_kernel_data_key.vbprivk