From d2ee3ca7c190879d5262b6b00aa77fb93786b292 Mon Sep 17 00:00:00 2001
From: C Shapiro
Date: Tue, 29 Aug 2017 11:36:03 -0600
Subject: [PATCH] image_signing: Don't create empty keyset subdir
updater4.sh uses the /keyset subdir from the firmware updater shellball to indicate if it should use model specific keys or not. This won't work for any case where the signers haven't been updated with model specific keys yet. Changed the output for unibuilds to be consistent with non-uni builds where the /keyset subdir won't be created if loem.ini doesn't exist on the signer.
BUG=b:65128657
TEST=crrev.com/c/626718 and crrev.com/c/636344 test cases, which cover both the shared and non-shared key use cases
BRANCH=None
Change-Id: I38db1385fa99ac4a9843a750c336c58b74b127b4
Reviewed-on: https://chromium-review.googlesource.com/642031
Commit-Ready: Simon Glass
Tested-by: Simon Glass
Tested-by: C Shapiro
Reviewed-by: Simon Glass
Reviewed-by: Jason Clinton
Reviewed-by: Mike Frysinger
---
 scripts/image_signing/sign_official_build.sh | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index d56c15690f..e4426af17f 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -574,12 +574,15 @@ resign_firmware_payload() {
 while IFS="," read -r model_name image key_id
 do
 local key_suffix=''
+ local extra_args=()
 # If there are OEM specific keys available, we're going to use them.
 # Otherwise, we're going to ignore key_id from the config file and
 # just use the common keys present in the keyset.
- # Regardless, a model specific vblock will be generated, which the
- # updater script will be looking for.
+ #
+ # The presence of the /keyset subdir in the shellball will indicate
+ # whether model specific keyblocks are available or not.
+ # This is what updater4.sh currently uses to make the decision.
 if [[ -e "${KEY_DIR}/loem.ini" ]]; then
 # loem.ini has the format KEY_ID_VALUE = KEY_INDEX
 local match="$(grep -E "[0-9]+ = ${key_id}" "${KEY_DIR}/loem.ini")"
@@ -590,6 +593,11 @@ resign_firmware_payload() {
 "${model_name}"
 fi
 key_suffix=".loem${key_index}"
+ mkdir -p "${shellball_dir}/keyset"
+ extra_args+=(
+ --loemdir "${shellball_dir}/keyset"
+ --loemid "${model_name}"
+ )
 fi
 info "Signing firmware image ${image} for model ${model_name} " \
@@ -608,7 +616,6 @@ resign_firmware_payload() {
 devkeyblock="${keyblock}"
 fi
- mkdir -p "${shellball_dir}/keyset"
 local image_path="${shellball_dir}/${image}"
 ${FUTILITY} sign \
 --signprivate "${signprivate}" \
@@ -617,8 +624,7 @@ resign_firmware_payload() {
 --devkeyblock "${devkeyblock}" \
 --kernelkey "${KEY_DIR}/kernel_subkey.vbpubk" \
 --version "${FIRMWARE_VERSION}" \
- --loemdir "${shellball_dir}/keyset" \
- --loemid "${model_name}" \
+ "${extra_args[@]}" \
 ${image_path} \
 ${temp_fw}
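Review bot: `local extra_args=()` in the first hunk stays empty whenever `${KEY_DIR}/loem.ini` is absent, and the last hunk then expands it as `"${extra_args[@]}"` in the `${FUTILITY} sign` call. On bash releases before 4.4, expanding an empty array while `set -u` (nounset) is in effect is reported as an unbound variable and aborts the script, which would hit exactly the shared-key path this commit is meant to fix. Whether the script enables nounset is not visible in these hunks; if it does, or might later, the guarded form `${extra_args[@]+"${extra_args[@]}"} \` behaves the same on every bash version. The body of resign_firmware_payload starts and ends outside the hunks.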
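Review bot: In the second hunk `mkdir -p "${shellball_dir}/keyset"` only stops the signer from creating the directory on the no-loem path; nothing visible ensures the directory is actually absent there. The new comment makes the directory's presence the signal updater4.sh acts on, so a `keyset` directory already present in the extracted shellball would still announce model specific keyblocks while the images were signed with the common keys. If the input shellball can carry that directory (not visible here), the path without `loem.ini` should test `[[ -d "${shellball_dir}/keyset" ]]` before signing and either fail or remove it. The enclosing `if` opens outside this hunk, as does the rest of resign_firmware_payload.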