make_dev_firmware.sh should use key.versions file

The 'key.versions' file is used by the image signing scripts to
ensure that newly generated keys and re-signed buildbot images
have the correct version numbers to avoid rollback in
officially-signed Chrome OS images.

If a skilled user is re-keying her Chromebook to use personal
keys in normal mode (which requires disabling WP and changing the
GBB and VBLOCK_A/B), she can avoid clearing the TPM rollback
counters if make_dev_firmware.sh will obtain the firmware_version
from the key.versions file in her personal key directory.

BUG=none
BRANCH=none
TEST=make runtests, manual tests

Extract an MP-signed BIOS from a Chromebook Peppy.

  flashrom -p host -r peppy.bin

Resign it without this CL:

  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy.bin

Resign it with this CL:

  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new.bin

Confirm no difference:

  cmp dev_peppy.bin dev_peppy_new.bin

Temporarily edit tests/devkeys/key.versions to contain

  firmware_key_version=2
  firmware_version=3
  kernel_key_version=4
  kernel_version=5

Resign again:

  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new2.bin

Confirm that the only difference is the firmware version in VBLOCK_A/B:

  futility show dev_peppy_new*.bin

Change-Id: I133f1b58fb969eaeb239a44a4800750c4eee1d5f
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/383887
Reviewed-by: Mike Frysinger <vapier@chromium.org>

scripts/image_signing/common_minimal.sh

@@ -338,6 +338,15 @@ rw_mount_disabled() {
 # Misc functions
 # ----------------------------------------------------------------------------
 
+# Parses the version file containing key=value lines
+# Args: key file
+# Returns: value
+get_version() {
+  local key="$1"
+  local file="$2"
+  awk -F= -vkey="${key}" '$1 == key { print $NF }' "${file}"
+}
+
 # Returns true if all files in parameters exist.
 # Args: List of files
 ensure_files_exist() {

scripts/image_signing/make_dev_firmware.sh

@@ -122,6 +122,8 @@ main() {
   local dev_firmware_keyblock="$FLAGS_keys/dev_firmware.keyblock"
   local dev_firmware_prvkey="$FLAGS_keys/dev_firmware_data_key.vbprivk"
   local kernel_sub_pubkey="$FLAGS_keys/kernel_subkey.vbpubk"
+  local version_file="$FLAGS_keys/key.versions"
+  local firmware_version=
   local is_from_live=0
   local backup_image=
 
@@ -140,6 +142,11 @@ main() {
     ensure_files_exist "$FLAGS_from" || exit 1
   fi
 
+  if [ -e "$version_file" ]; then
+    firmware_version=$(get_version "firmware_version" "$version_file")
+  fi
+  : ${firmware_version:=1}
+
   debug_msg "Checking software write protection status"
   disable_write_protection ||
     if is_debug_mode; then
@@ -200,9 +207,8 @@ main() {
   local unsigned_image="$(make_temp_file)"
   local optional_opts=""
   if [ -n "$FLAGS_preamble_flags" ]; then
-    # optional_opts: VERSION FLAGS
+    debug_msg "Setting FLAGS=$FLAGS_preamble_flags"
-    debug_msg "Setting new VERSION=1, FLAGS=$FLAGS_preamble_flags"
+    optional_opts="$FLAGS_preamble_flags"
-    optional_opts="1 $FLAGS_preamble_flags"
   fi
   cp -f "$IMAGE" "$unsigned_image"
   "$SCRIPT_BASE/resign_firmwarefd.sh" \
@@ -213,6 +219,7 @@ main() {
     "$dev_firmware_prvkey" \
     "$dev_firmware_keyblock" \
     "$kernel_sub_pubkey" \
+    "$firmware_version" \
     $optional_opts >"$EXEC_LOG" 2>&1 ||
     err_die "Failed to re-sign firmware. (message: $(cat "$EXEC_LOG"))"
     if is_debug_mode; then