make_dev_firmware: handle developer firmware keyblock correctly

We should detect keyblock from existing firmware and decide if a developer firmware keyblock should be used. BUG=chromium-os:18946 TEST=./make_dev_firmware.sh -f zgb.bin -t zgb_dev.bin # seeing Using keyblocks (developer, normal)... ./make_dev_firmware.sh -f mario.bin -t mario_dev.bin # seeing Using keyblocks (normal, normal)... ./make_dev_firmware.sh -f arm.bin -t arm_dev.bin # seeing Using keyblocks (normal, normal)... Change-Id: I74fa0db980e26a6a19a4393303e8c5b3260c84c7 Reviewed-on: http://gerrit.chromium.org/gerrit/5623 Tested-by: Hung-Te Lin <hungte@chromium.org> Reviewed-by: Hung-Te Lin <hungte@chromium.org>
2025-11-24 10:14:55 +00:00 · 2011-08-10 12:00:13 +08:00
parent 7f503e4064
commit 010630f18c
1 changed files with 29 additions and 0 deletions
--- a/scripts/image_signing/make_dev_firmware.sh
+++ b/scripts/image_signing/make_dev_firmware.sh
@@ -39,6 +39,7 @@ set -e

 # the image we are (temporary) working with
 IMAGE="$(make_temp_file)"
+IMAGE="$(readlink -f "$IMAGE")"

 # a log file to keep the output results of executed command
 EXEC_LOG="$(make_temp_file)"
@@ -194,6 +195,34 @@ main() {
    cp -f "$IMAGE" "$backup_image"
  fi

+  debug_msg "Detecting developer firmware keyblock"
+  local expanded_firmware_dir="$(make_temp_dir)"
+  local use_devfw_keyblock="$FLAGS_FALSE"
+  (cd "$expanded_firmware_dir"; dump_fmap -x "$IMAGE" >/dev/null 2>&1) ||
+    err_die "Failed to extract firmware image."
+  if [ -f "$expanded_firmware_dir/VBLOCK_A" ]; then
+    local has_dev=$FLAGS_TRUE has_norm=$FLAGS_TRUE
+    # In output of vbutil_keyblock, "!DEV" means "bootable on normal mode" and
+    # "DEV" means "bootable on developer mode". Here we try to match the pattern
+    # in output of vbutil_block, and disable the flags (has_dev, has_norm) if
+    # the pattern was not found.
+    vbutil_keyblock --unpack "$expanded_firmware_dir/VBLOCK_A" |
+      grep -qw '!DEV' || has_norm=$FLAGS_FALSE
+    vbutil_keyblock --unpack "$expanded_firmware_dir/VBLOCK_A" |
+      grep -qw '[^!]DEV' || has_dev=$FLAGS_FALSE
+    if [ "$has_norm" = "$FLAGS_FALSE" -a "$has_dev" = "$FLAGS_TRUE" ]; then
+      use_devfw_keyblock=$FLAGS_TRUE
+    fi
+  fi
+
+  if [ "$use_devfw_keyblock" = "$FLAGS_TRUE" ]; then
+    echo "Using keyblocks (developer, normal)..."
+  else
+    echo "Using keyblocks (normal, normal)..."
+    dev_firmware_prvkey="$firmware_prvkey"
+    dev_firmware_keyblock="$firmware_keyblock"
+  fi
+
  # TODO(hungte) We can use vbutil_firmware to check if the current firmware is
  # valid so that we know keys and vbutil_firmware are all working fine.