sign_official_build: Support old images without kernel in partition 4.

Old images don't put kernel on partition 4 and rely on vblock for installation.
The signer script has to support both old and new images, by testing if kernel
partition has valid data.

BRANCH=signer
BUG=chromium:449450
TEST=(get old image without kernel blob on partition 4)
     sign_official_build.sh usb image.bin ../../tests/devkeys signed.bin \
     ../../tests/devkeys/key.versions

Change-Id: I92542ffb162660d86c30d9598fe1ca59ff69afe4
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/243874
Reviewed-by: Mike Frysinger <vapier@chromium.org>

scripts/image_signing/sign_official_build.sh

@@ -302,10 +302,18 @@ update_rootfs_hash() {
   local kernelpart=
   local keyblock=
   local priv_key=
+  local new_kernel_config=
 
   for kernelpart in 2 4; do
-    local new_kernel_config="$(grab_kernel_config "${image}" "${kernelpart}" |
-        sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${dm_args}\3#g")"
+    if ! new_kernel_config="$(
+         grab_kernel_config "${image}" "${kernelpart}" 2>/dev/null)" &&
+       [[ "${kernelpart}" == 4 ]]; then
+      # Legacy images don't have partition 4.
+      echo "Skipping empty kernel partition 4 (legacy images)."
+      continue
+    fi
+    new_kernel_config="$(echo "${new_kernel_config}" |
+      sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${dm_args}\3#g")"
     echo "New config for kernel partition ${kernelpart} is:"
     echo "${new_kernel_config}" | tee "${temp_config}"
     extract_image_partition "${image}" "${kernelpart}" "${temp_kimage}"
@@ -329,15 +337,26 @@ update_rootfs_hash() {
 
 # Update the SSD install-able vblock file on stateful partition.
 # ARGS: Image
-# This is deprecated because all new images should have a SSD boot-able kernel in
-# partition 4.
-# TODO(hungte) crbug.com/403031: Remove this when no one is still using it.
+# This is deprecated because all new images should have a SSD boot-able kernel
+# in partition 4. However, the signer needs to be able to sign new & old images
+# (crbug.com/449450#c13) so we will probably never remove this.
 update_stateful_partition_vblock() {
   local image="$1"
   local kernb_image="$(make_temp_file)"
   local temp_out_vb="$(make_temp_file)"
+
   extract_image_partition "${image}" 4 "${kernb_image}"
-  vbutil_kernel --verify "${kernb_image}" --keyblock "${temp_out_vb}"
+  if [[ "$(dump_kernel_config "${kernb_image}" 2>/dev/null)" == "" ]]; then
+    echo "Building vmlinuz_hd.vblock from legacy image partition 2."
+    extract_image_partition "${image}" 2 "${kernb_image}"
+  fi
+
+  # vblock should always use kernel keyblock.
+  vbutil_kernel --repack "${temp_out_vb}" \
+    --keyblock "${KEY_DIR}/kernel.keyblock" \
+    --signprivate "${KEY_DIR}/kernel_data_key.vbprivk" \
+    --oldblob "${kernb_image}" \
+    --vblockonly
 
   # Copy the installer vblock to the stateful partition.
   local stateful_dir=$(make_temp_dir)