From 71bff41d6f0ff9912b9c56d14ba2ea0dd0331a9c Mon Sep 17 00:00:00 2001
From: Gaurav Shah <gauravsh@chromium.org>
Date: Thu, 9 Sep 2010 21:18:03 -0700
Subject: [PATCH] If found, sign the packaged firmware autoupdate.

Previously this was hidden behind an environment variable. With this change, the signing script will always try to sign the firmware update if found. If not, it will still perform the remaining steps (rootfs calculation, kernel partition signature etc.).

Also fixed a few minor bugs with the firmware update code.

BUG=chrome-os-partner:925, chrome-os:3496
TEST=created a ToT semi-official build, and ran the signing script on the image. Verified that the firmware got correctly updated (by running chromeos-firmwareupdate on the device). Also tested on images without the packaged firmware update.

Change-Id: I0921ce36a880e18167a8e3a2b63d8f246693d488

Review URL: http://codereview.chromium.org/3292016
---
 scripts/image_signing/sign_official_build.sh | 52 +++++++++++++-------
 1 file changed, 33 insertions(+), 19 deletions(-)

diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 8bf6d6cc4b..6d66ce9216 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -162,8 +162,12 @@ update_rootfs_hash() {
 get_firmwarebin_from_shellball() {
   local input=$1
   local output_dir=$2
-  uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
-    echo "Extracting firmware autoupdate failed." && exit 1
+  if [ -s "${input}" ]; then
+    uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \
+      { echo "Extracting firmware autoupdate failed." && exit 1; }
+  else
+    return 1
+  fi
 }
 
 # Re-sign the firmware AU payload inside the image rootfs with a new keys.
@@ -176,19 +180,32 @@ resign_firmware_payload() {
   mount_image_partition ${image} 3 ${rootfs_dir}
 
   local shellball_dir=$(make_temp_dir)
+  # get_firmwarebin_from_shellball can fail if the image has no 
+  # firmware update.
   get_firmwarebin_from_shellball \
-    ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir}
+    ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \
+    { echo "Didn't find a firmware update. Not signing firmware."
+    return; }
+  echo "Found a valid firmware update shellball."
 
   temp_outfd=$(make_temp_file)
   # Replace the root key in the GBB
   # TODO(gauravsh): Remove when we lock down the R/O portion of firmware.
-  gbb_utility -s \
-    --rootkey=${KEY_DIR}/root_key.vbpubk \
-    --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
-    ${shellball_dir}/bios.bin ${temp_outfd}
-
+  if [ -e "${KEY_DIR}/hwid" ]; then
+    # Only update the hwid if we see one in the key directory.
+    gbb_utility -s \
+      --rootkey=${KEY_DIR}/root_key.vbpubk \
+      --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+      --hwid="$(cat ${KEY_DIR}/hwid)" \
+      ${shellball_dir}/bios.bin ${temp_outfd}
+  else
+        gbb_utility -s \
+      --rootkey=${KEY_DIR}/root_key.vbpubk \
+      --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+      ${shellball_dir}/bios.bin ${temp_outfd}
+  fi
   # Resign the firmware with new keys
-  ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${temp_dir}/bios.bin \
+  ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
     ${KEY_DIR}/firmware_data_key.vbprivk \
     ${KEY_DIR}/firmware.keyblock \
     ${KEY_DIR}/kernel_subkey.vbpubk
@@ -271,7 +288,7 @@ sign_for_ssd() {
   ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
     ${KEY_DIR}/kernel_data_key.vbprivk \
     ${KEY_DIR}/kernel.keyblock
-  echo "Output signed SSD image to ${OUTPUT_IMAGE}"
+  echo "Signed SSD image output to ${OUTPUT_IMAGE}"
 }
 
 # Generate the USB (recovery + install) image
@@ -293,7 +310,7 @@ sign_for_recovery() {
   mount_image_partition ${OUTPUT_IMAGE} 1 ${stateful_dir}
   sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock
 
-  echo "Output signed recovery image to ${OUTPUT_IMAGE}"
+  echo "Signed recovery image output to ${OUTPUT_IMAGE}"
 }
 
 # Generate the factory install image.
@@ -301,39 +318,36 @@ sign_for_factory_install() {
   ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \
     ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
     ${KEY_DIR}/installer_kernel.keyblock
-  echo "Output signed factory install image to ${OUTPUT_IMAGE}"
+  echo "Signed factory install image output to ${OUTPUT_IMAGE}"
 }
 
-# Firmware payload signing hidden behind a flag until it actually makes
-# it into the image.
-if [ "${FW_UPDATE}" == "1" ]; then
-  resign_firmware_payload ${INPUT_IMAGE}
-fi
-
 # Verification
 if [ "${TYPE}" == "verify" ]; then
   verify_image
   exit 1
 fi
 
-
 # Signing requires an output image name
 if [ -z "${OUTPUT_IMAGE}" ]; then
   usage
   exit 1
 fi
 
+
 if [ "${TYPE}" == "ssd" ]; then
+  resign_firmware_payload ${INPUT_IMAGE}
   update_rootfs_hash ${INPUT_IMAGE} \
     ${KEY_DIR}/kernel.keyblock \
     ${KEY_DIR}/kernel_data_key.vbprivk
   sign_for_ssd
 elif [ "${TYPE}" == "recovery" ]; then
+  resign_firmware_payload ${INPUT_IMAGE}
   update_rootfs_hash ${INPUT_IMAGE} \
     ${KEY_DIR}/recovery_kernel.keyblock \
     ${KEY_DIR}/recovery_kernel_data_key.vbprivk
   sign_for_recovery
 elif [ "${TYPE}" == "install" ]; then
+  resign_firmware_payload ${INPUT_IMAGE}
   update_rootfs_hash ${INPUT_IMAGE} \
     ${KEY_DIR}/installer_kernel.keyblock \
     ${KEY_DIR}/recovery_kernel_data_key.vbprivk