make_dev_firmware.sh calls resign_firmwarefd.sh, which extracts rootkey from
input image for checking VBLOCK firmware body size. As a result, we should
resign firmware before changing rootkey / GBB.
BUG=chromium:365738
TEST=Install Nyan/Peppy PreMP-signed firmware, run make_dev_firmware.sh, and
then boot in normal mode.
BRANCH=none
Change-Id: I45dbcacb40b7b77bbf89f1ba244bf7fb25f9ae27
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/196521
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Developers testing firmware preamble flags (usually for turn on/off RO-NORMAL
bits) need a easy way to change existing firmware, without hacking FDT source /
looking for complex script.
Also included some minor improvements:
* Always enable FORCE_DEV_BOOT_USB and DISABLE_FW_ROLLBACK_CHECK. These are
flags most developers need when leaving official signed normal firmware.
* --bmpfv is deprecated because our latest firmware now always include
official bitmaps in updater, no more DEV bitmaps.
BUG=none
TEST=./make_dev_firmware.sh -f bios.bin -t new_bios.bin --preamble_flags 0
./make_dev_firmware.sh -f bios.bin -t new_bios.bin --preamble_flags 1
Change-Id: I7ee72d32b4b7fa28f2be635fd8c7bb678852e132
Reviewed-on: https://gerrit.chromium.org/gerrit/28792
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
We should detect keyblock from existing firmware and decide if a developer
firmware keyblock should be used.
BUG=chromium-os:18946
TEST=./make_dev_firmware.sh -f zgb.bin -t zgb_dev.bin
# seeing Using keyblocks (developer, normal)...
./make_dev_firmware.sh -f mario.bin -t mario_dev.bin
# seeing Using keyblocks (normal, normal)...
./make_dev_firmware.sh -f arm.bin -t arm_dev.bin
# seeing Using keyblocks (normal, normal)...
Change-Id: I74fa0db980e26a6a19a4393303e8c5b3260c84c7
Reviewed-on: http://gerrit.chromium.org/gerrit/5623
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
The two-stop firmware relies on the "flag" field which may be useful for the
resign_firmwarefd.sh.
BUG=chrome-os-partner:5095
TEST=./resign_firmwarefd [params] 1
vbutil_firmware --verify ..... # seeing flag = 1
Change-Id: I56b44ee5b610e36384e15e6eb31286f0f838734b
Reviewed-on: http://gerrit.chromium.org/gerrit/4561
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
The script to resign firmware (resign_firmwarefd.sh) has changed its syntax, due to the new "dev
firmware" design.
BUG=chromium-os:13375
TEST=./make_dev_firmware.sh
# seeing the "changed firmware to Developer Keys" message.
Change-Id: Id553f3ce1641f13e732bd5e208cb2fb00ca9c078
R=rspangler@chromium.org,gauravsh@chromium.org
Review URL: http://codereview.chromium.org/6727019
make_dev_firmware should trust system firmware blobs instead of using its own
prebuilt binaries.
BUG=chromium-os:12400
TEST=1. make a build with .49+ BIOS, and create the firmware updater
2. install the new BIOS, turn on developer switch and reboot
3. an ugly "DEV" screen (in .49) is shown on screen
4. run the new make_dev_firmware.sh
5. reboot. seeing the ugly DEV instead of the prebuilt blue screen
(verified successfully)
Change-Id: If75d2821170649fa869db6a82d879b697f7588e6
Review URL: http://codereview.chromium.org/6614006
Change-Id: I044331dc3558a4f7428b75fe43ef739498d65803
BUG=chromium-os:10836
TEST=scripts that use common.sh seem to work, would appreciate help in testing Chrome OS client scripts!
Review URL: http://codereview.chromium.org/6294002
Complete the missing part of "checking (and disabling) write protection status.
This also helps to prevent erasing RW regions on system with WP enabled and
then causing boot failure.
BUG=chrome-os-partner:1276
TEST=(1) On CR-48 with WP enabled, run make_dev_firmware.sh without turning off WP.
Result: Error message "Write protection is still enabled. Please verify
that hardware write protection is disabled." (as expected)
(2) Disable WP and run again.
Result: firmware has been changed successfully.
Change-Id: Iaf2243cb2cd3c7f83ce4f36543ea3da1e3ca55a1
Review URL: http://codereview.chromium.org/5987010
Also refactor the other scripts to move more common functions (debug output, etc.) to common.sh.
BUG=chrome-os-partner:1903
TEST=manual; ran on a Chrome notebook, verified the right things got copied.
Review URL: http://codereview.chromium.org/5878005
Change-Id: Ib7131356ecb6f88eee3d529a518f23b94756d0c0
Provide more clear instruction on how to use the backup files,
and to try more effort to store backup files
BUG=none
TEST=emerge-x86-generic vboot-reference; executed make_dev_firmware and got correct message
Change-Id: I2062f45dd3019d0e56adc18bdd1861991aafe5ed
Review URL: http://codereview.chromium.org/3785014
The make_dev_ssd.sh is made for devinstall shim to
change SSD kernels to be signed by dev keys.
- Kernel A, B will be resigned with dev keys (ignore if A/B seems not bootable)
- Adding param --remove_rootfs_verification can even disable rootfs hash check
This CL also includes some shared refine/fix to make_dev_firmware.sh
BUG=chrome-os-partner:1276
TEST=sudo ./make_dev_ssd.sh; (seeing Kernel A is resigned and B is ignored)
then reboot without developer mode (OK),
rootdev shows /dev/dm-0, rootdev -s shows /dev/sda3
sudo ./make_dev_ssd.sh --remove_rootfs_verification;
then reboot without developer mode (OK), rootdev shows /dev/sda3
Change-Id: Ic20f734b2af42e50a43c19a565a166a39d57a7fd
Review URL: http://codereview.chromium.org/3772013
The make_dev_firmware.sh is made for devinstall shim to
change firmware rootkey/HWID/BMPFV smoothly.
- HWID will be changed to "$ORIGINAL_FWID DEV" (no change if already postfixed
with DEV)
- rootkey/recoverykey will be changed by keyset from --keys
- FVMAIN/FVMAINB will be resigned by keyset from --keys
- BMPFV will be changed to anything assigned by --bmpfv
If --from and --to are omitted, the system firmware will be changed.
A new ebuild is be created to put all resources (bmpfv and keyset) into devinstall shim (ref: http://codereview.chromium.org/3776003)
BUG=chrome-os-partner:1276
TEST=sudo ./make_dev_firmware.sh --from input_bios.bin --to output_bios.in \
--keys ../../tests/devkeys --bmpfv some_bmpfv.bin
HWID is changed from "XXX MARIO EVT DDDD" to "XXX MARIO EVT DDDD DEV".
System can then boot a USB signed with devkey without developer mode.
Change-Id: Id80126495dcbf4d993a4372af645580cd4b60ca6
Review URL: http://codereview.chromium.org/3822002
