scottk/OpenCellular
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/OpenCellular.git synced 2025-12-02 14:14:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
33c44fc14f6981601d0f0743d0705587d5f11c56
OpenCellular/scripts/image_signing/resign_image.sh
Gaurav Shah 0c4c9bac3c Make signing script re-sign Firmware AU payload, and update rootfs hash. 
The build signing script will now re-sign the chrome os AU payload in the image rootfs using the new keys. In addition, it will recalculate and update the RootFS hash (in the kernel partition) before re-signing the whole image using the new "official" keys.

BUG=3496, 5264
TEST=manual

>>>>>For testing rootfs hash updates

1) Ensure that image was build with the --enable_rootfs_verification flag
2) Mount the root file fs on the input image, and make a minor change to the root fs (e.g. adding a file)
3) Now boot from this image, drop into the shell and look for logs related to dm-bht in the dmesg output.
4) You should see dm-bht complaining about block hash mismatches
    $ dmesg | grep dm
      ..... <dm-bht errors>.......
      <errors of the form "dm-bht: Block hash match failed">

4) Now re-sign the modified image using the sign_official_build script. This will re-calculate and update the rootfs hash.
5) Boot from the re-signed image. Look at dmesg output.
6) You should see NO dm-bht errors.

>>>>>For testing re-signing of firmware payload

Grab the firmware autoupdate shellball from /usr/sbin/chromeos-firmwareupdate in the output image's rootfs partition (number 3). Extract the shellball (--sb_extract flag), and grab the firmware bios.bin from the temporary directory.
   $ unpack_firmwarefd.sh bios.bin
   $ vbutil_firmware --verify firmwareA.vblock --signpubkey KEY_DIR/firmware.vbpubk --fv firmwareA.data
    [Verification should succeed]
   $ gbb_utility -g bios.bin --rootkey=rootkey --recoverykey=recoverykey
   "rootkey" should be the same as KEY_DIR/root_key.vbpubk
   "recoverykey" should be the same as KEY_DIR/recovery_key.vbpubk

KEY_DIR: Directory containing the keys used to generate the output image.

Review URL: http://codereview.chromium.org/3083025
2010-08-16 13:29:00 -07:00

61 lines
1.7 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Standalone version of cros_resign_image.sh script from
# chromeos/src/scripts/bin/ for use on signing servers.
# Both the cgpt tool and vbutil_kernel should be in the system path.
# Load common constants and variables.
. "$(dirname "$0")/common.sh"
# Abort on error
set -e
# Check arguments
if [ $# -ne 4 ] ; then
echo "usage: $0 src_bin dst_bin kernel_datakey kernel_keyblock"
exit 1
fi
# Make sure the tools we need are available.
type -P cgpt &>/dev/null || \
{ echo "cgpt tool not found."; exit 1; }
type -P vbutil_kernel &>/dev/null || \
{ echo "vbutil_kernel tool not found."; exit 1; }
sector_size=512 # sector size in bytes
num_sectors_vb=128 # number of sectors in kernel verification blob
src_bin=$1
dst_bin=$2
kernel_datakey=$3
kernel_keyblock=$4
koffset="$(cgpt show -b -i 2 $1)"
ksize="$(cgpt show -s -i 2 $1)"
echo "Re-signing image ${src_bin} and outputting ${dst_bin}"
temp_kimage=$(make_temp_file)
temp_out_vb=$(make_temp_file)
# Grab the kernel image in preparation for resigning
dd if="${src_bin}" of="${temp_kimage}" skip=$koffset bs=$sector_size \
count=$ksize
vbutil_kernel \
--repack "${temp_out_vb}" \
--vblockonly \
--keyblock "${kernel_keyblock}" \
--signprivate "${kernel_datakey}" \
--oldblob "${temp_kimage}"
# Create a copy of the input image and put in the new vblock
cp "${src_bin}" "${dst_bin}"
dd if="${temp_out_vb}" of="${dst_bin}" seek=$koffset bs=$sector_size \
count=$num_sectors_vb conv=notrunc
echo "New signed image was output to ${dst_bin}"
Reference in New Issue View Git Blame Copy Permalink