From 4c1f3c8e540beab8f44e48877611a01e98fd9a40 Mon Sep 17 00:00:00 2001
From: Gaurav Shah
Date: Wed, 16 Nov 2011 10:35:53 -0800
Subject: [PATCH] Replace root and recovery keys in the GBB after firmware sections have been re-signed

resign_firmwarefd.sh needs a verifiable copy of the firmware (and associated root key) to determine the preamble flag value to use.
BUG=chrome-os-partner:6874
TEST=manually tested resigning a firmware .bin using sign_firmware.sh. Verified correct preamble flag determination.
Change-Id: Ifb132f54f4891dec4fa7250d3a00e7b4feda24c1
Reviewed-on: https://gerrit.chromium.org/gerrit/11776
Reviewed-by: Duncan Laurie
Commit-Ready: Gaurav Shah
Tested-by: Gaurav Shah
---
 scripts/image_signing/sign_firmware.sh | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh
index 1d20e10cf0..364a8c7570 100755
--- a/scripts/image_signing/sign_firmware.sh
+++ b/scripts/image_signing/sign_firmware.sh
@@ -31,17 +31,21 @@ OUT_FIRMWARE=$3
 temp_fw=$(mktemp)
 trap "rm ${temp_fw}" EXIT
-# Replace the root and recovery key in the Google Binary Block of the firmware.
-gbb_utility -s \
- --rootkey=${KEY_DIR}/root_key.vbpubk \
- --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
- ${IN_FIRMWARE} ${temp_fw}
-
 # Resign the firmware with new keys
-${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_fw} ${OUT_FIRMWARE} \
+${SCRIPT_DIR}/resign_firmwarefd.sh ${IN_FIRMWARE} ${temp_fw} \
 ${KEY_DIR}/firmware_data_key.vbprivk \
 ${KEY_DIR}/firmware.keyblock \
 ${KEY_DIR}/dev_firmware_data_key.vbprivk \
 ${KEY_DIR}/dev_firmware.keyblock \
 ${KEY_DIR}/kernel_subkey.vbpubk \
 ${FIRMWARE_VERSION}
+
+# Replace the root and recovery key in the Google Binary Block of the firmware.
+# Note: This needs to happen after calling resign_firmwarefd.sh since it needs
+# to be able to verify the firmware using the root key to determine the preamble
+# flags.
+gbb_utility -s \
+ --rootkey=${KEY_DIR}/root_key.vbpubk \
+ --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+ ${temp_fw} ${OUT_FIRMWARE}
+
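Review bot: Nothing in the new tail of the script confirms that `${OUT_FIRMWARE}` verifies under the root key that `gbb_utility -s` has just written. Per the added comment, resign_firmwarefd.sh verifies the input with the root key still in its GBB, and the key swap is now the last step. If `${KEY_DIR}/firmware.keyblock` and `${KEY_DIR}/root_key.vbpubk` do not belong together, the mismatch would presumably surface only on a device, so a final verification pass over `${OUT_FIRMWARE}` against `${KEY_DIR}/root_key.vbpubk` is worth adding after the gbb_utility call. Whether a gbb_utility failure aborts the script depends on `set -e`, which is outside this hunk; if it is not set, end the call with `|| exit 1` so a failed swap cannot pass as a signed image. The new invocations also leave every expansion unquoted; `"${temp_fw}" "${OUT_FIRMWARE}"` and `--rootkey="${KEY_DIR}/root_key.vbpubk"` keep paths with spaces or glob characters intact.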