Replace root and recovery keys in the GBB after firmware sections have been re-signed

resign_firmwarefd.sh needs a verifiable copy of the firmware (and associated root key) to determine the preamble flag value to use. BUG=chrome-os-partner:6874 TEST=manually tested resigning a firmware .bin using sign_firmware.sh. Verified correct preamble flag determination. Change-Id: Ifb132f54f4891dec4fa7250d3a00e7b4feda24c1 Reviewed-on: https://gerrit.chromium.org/gerrit/11776 Reviewed-by: Duncan Laurie <dlaurie@chromium.org> Commit-Ready: Gaurav Shah <gauravsh@chromium.org> Tested-by: Gaurav Shah <gauravsh@chromium.org>
2025-11-25 18:55:24 +00:00 · 2011-11-16 10:35:53 -08:00
parent 0d11efb0dc
commit 4c1f3c8e54
1 changed files with 11 additions and 7 deletions
--- a/scripts/image_signing/sign_firmware.sh
+++ b/scripts/image_signing/sign_firmware.sh
@@ -31,17 +31,21 @@ OUT_FIRMWARE=$3
 temp_fw=$(mktemp)
 trap "rm ${temp_fw}" EXIT

-# Replace the root and recovery key in the Google Binary Block of the firmware.
-gbb_utility -s \
-  --rootkey=${KEY_DIR}/root_key.vbpubk \
-  --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
-  ${IN_FIRMWARE} ${temp_fw}
-
 # Resign the firmware with new keys
-${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_fw} ${OUT_FIRMWARE} \
+${SCRIPT_DIR}/resign_firmwarefd.sh ${IN_FIRMWARE} ${temp_fw} \
  ${KEY_DIR}/firmware_data_key.vbprivk \
  ${KEY_DIR}/firmware.keyblock \
  ${KEY_DIR}/dev_firmware_data_key.vbprivk \
  ${KEY_DIR}/dev_firmware.keyblock \
  ${KEY_DIR}/kernel_subkey.vbpubk \
  ${FIRMWARE_VERSION}
+
+# Replace the root and recovery key in the Google Binary Block of the firmware.
+# Note: This needs to happen after calling resign_firmwarefd.sh since it needs
+# to be able to verify the firmware using the root key to determine the preamble
+# flags.
+gbb_utility -s \
+  --rootkey=${KEY_DIR}/root_key.vbpubk \
+  --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+  ${temp_fw} ${OUT_FIRMWARE}
+