mirror of
https://github.com/Telecominfraproject/OpenCellular.git
synced 2025-12-07 08:25:35 +00:00
0c4c9bac3c
The build signing script will now re-sign the chrome os AU payload in the image rootfs using the new keys. In addition, it will recalculate and update the RootFS hash (in the kernel partition) before re-signing the whole image using the new "official" keys.
BUG=3496, 5264
TEST=manual
>>>>>For testing rootfs hash updates
1) Ensure that image was build with the --enable_rootfs_verification flag
2) Mount the root file fs on the input image, and make a minor change to the root fs (e.g. adding a file)
3) Now boot from this image, drop into the shell and look for logs related to dm-bht in the dmesg output.
4) You should see dm-bht complaining about block hash mismatches
$ dmesg | grep dm
..... <dm-bht errors>.......
<errors of the form "dm-bht: Block hash match failed">
4) Now re-sign the modified image using the sign_official_build script. This will re-calculate and update the rootfs hash.
5) Boot from the re-signed image. Look at dmesg output.
6) You should see NO dm-bht errors.
>>>>>For testing re-signing of firmware payload
Grab the firmware autoupdate shellball from /usr/sbin/chromeos-firmwareupdate in the output image's rootfs partition (number 3). Extract the shellball (--sb_extract flag), and grab the firmware bios.bin from the temporary directory.
$ unpack_firmwarefd.sh bios.bin
$ vbutil_firmware --verify firmwareA.vblock --signpubkey KEY_DIR/firmware.vbpubk --fv firmwareA.data
[Verification should succeed]
$ gbb_utility -g bios.bin --rootkey=rootkey --recoverykey=recoverykey
"rootkey" should be the same as KEY_DIR/root_key.vbpubk
"recoverykey" should be the same as KEY_DIR/recovery_key.vbpubk
KEY_DIR: Directory containing the keys used to generate the output image.
Review URL: http://codereview.chromium.org/3083025
139 lines
4.8 KiB
Bash
Executable File
139 lines
4.8 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
# found in the LICENSE file.
|
|
|
|
# Script to resign a firmware image using a different set of keys
|
|
# for use on signing servers.
|
|
#
|
|
# arguments: src_fd, dst_fd, firmware_datakey, and firmware_keyblock
|
|
#
|
|
# src_fd: Input firmware image (in .fd format)
|
|
# dst_fd: output firmware image name
|
|
# firmware_datakey: Key used to sign firmware data (in .vbprivk format)
|
|
# firmware_keyblock: Key block for firmware data key (in .keyblock format)
|
|
#
|
|
# Both the fmap_decode tool and vbutil_firmware should be in the system path.
|
|
#
|
|
# This script parses the output of fmap_decode tool from the Flashmap project
|
|
# http://code.google.com/p/flashmap
|
|
#
|
|
# to determine the regions in the image containing "Firmware [A|B] Data" and
|
|
# "Firmware [A|B] Key", which contain firmware data and firmware vblocks
|
|
# respectively. It will then generate new vblocks using the set of keys
|
|
# passed as arguments and output a new firmware image, with this new firmware
|
|
# vblocks the old ones.
|
|
#
|
|
# Here is an example output of fmap_decode:
|
|
#
|
|
# area_offset="0x001c0000" area_size="0x00040000" area_name="Boot Stub" \
|
|
# area_flags_raw="0x01" area_flags="static"
|
|
# area_offset="0x001a0000" area_size="0x00020000" area_name="GBB Area" \
|
|
# area_flags_raw="0x01" area_flags="static"
|
|
# area_offset="0x00008000" area_size="0x00002000" area_name="Firmware A Key" \
|
|
# area_flags_raw="0x01" area_flags="static"
|
|
# area_offset="0x0000a000" area_size="0x0009e000" area_name="Firmware A Data" \
|
|
# area_flags_raw="0x03" area_flags="static,compressed"
|
|
# area_offset="0x000a8000" area_size="0x00002000" area_name="Firmware B Key" \
|
|
# area_flags_raw="0x01" area_flags="static"
|
|
# area_offset="0x000aa000" area_size="0x0002e000" area_name="Firmware B Data" \
|
|
# area_flags_raw="0x03" area_flags="static,compressed"
|
|
# area_offset="0x00005200" area_size="0x00001000" area_name="RW VPD" \
|
|
# area_flags_raw="0x00" area_flags=""
|
|
#
|
|
# This shows that Firmware A Data is at offset 0x0000a0000 in the .fd image
|
|
# and is of size 0x0009e000 bytes. This can be extracted to generate new vblocks
|
|
# which can then replace old vblock for Firmware A ("Firmware A Key" region at
|
|
# offset 0x00008000 and size 0x00002000).
|
|
|
|
# Load common constants and variables.
|
|
. "$(dirname "$0")/common.sh"
|
|
|
|
# Abort on error
|
|
set -e
|
|
|
|
# Check arguments
|
|
if [ $# -ne 5 ] ; then
|
|
echo \
|
|
"Usage: $0 src_fd dst_fd firmware_datakey firmware_keyblock kernel_subkey"
|
|
exit 1
|
|
fi
|
|
|
|
# Make sure the tools we need are available.
|
|
for prog in fmap_decode vbutil_firmware; do
|
|
type -P "${prog}" &>/dev/null || \
|
|
{ echo "${prog} tool not found."; exit 1; }
|
|
done
|
|
|
|
src_fd=$1
|
|
dst_fd=$2
|
|
firmware_datakey=$3
|
|
firmware_keyblock=$4
|
|
kernel_subkey=$5
|
|
|
|
# TODO(gauravsh): Figure out where the version comes from.
|
|
# Do we rev it manually?
|
|
VERSION=1
|
|
|
|
# Parse offsets and size of firmware data and vblocks
|
|
for i in "A" "B"
|
|
do
|
|
match_str="$i Key"
|
|
line=$(fmap_decode $1 | grep "$match_str")
|
|
offset="$(echo $line | sed -e 's/.*area_offset=\"\([a-f0-9x]*\)\".*/\1/')"
|
|
eval let \
|
|
fw${i}_vblock_offset="$offset"
|
|
size="$(echo $line | sed -e 's/.*area_size=\"\([a-f0-9x]*\)\".*/\1/')"
|
|
eval let \
|
|
fw${i}_vblock_size="$size"
|
|
|
|
match_str="$i Data"
|
|
line=$(fmap_decode $1 | grep "$match_str")
|
|
offset="$(echo $line | sed -e 's/.*area_offset=\"\([a-f0-9x]*\)\".*/\1/')"
|
|
eval let \
|
|
fw${i}_offset="$offset"
|
|
size="$(echo $line | sed -e 's/.*area_size=\"\([a-f0-9x]*\)\".*/\1/')"
|
|
eval let \
|
|
fw${i}_size="$size"
|
|
done
|
|
|
|
temp_fwimage=$(make_temp_file)
|
|
temp_out_vb=$(make_temp_file)
|
|
|
|
# Extract out Firmware A data and generate signature using the right keys
|
|
dd if="${src_fd}" of="${temp_fwimage}" skip="${fwA_offset}" bs=1 \
|
|
count="${fwA_size}"
|
|
|
|
echo "Re-calculating Firmware A vblock"
|
|
vbutil_firmware \
|
|
--vblock "${temp_out_vb}" \
|
|
--keyblock "${firmware_keyblock}" \
|
|
--signprivate "${firmware_datakey}" \
|
|
--version "${VERSION}" \
|
|
--fv "${temp_fwimage}" \
|
|
--kernelkey "${kernel_subkey}"
|
|
|
|
# Create a copy of the input image and put in the new vblock for firmware A
|
|
cp "${src_fd}" "${dst_fd}"
|
|
dd if="${temp_out_vb}" of="${dst_fd}" seek="${fwA_vblock_offset}" bs=1 \
|
|
count="${fwA_vblock_size}" conv=notrunc
|
|
|
|
# Repeat for firmware B
|
|
dd if="${src_fd}" of="${temp_fwimage}" skip="${fwB_offset}" bs=1 \
|
|
count="${fwB_size}"
|
|
echo "Re-calculating Firmware B vblock"
|
|
vbutil_firmware \
|
|
--vblock "${temp_out_vb}" \
|
|
--keyblock "${firmware_keyblock}" \
|
|
--signprivate "${firmware_datakey}" \
|
|
--version "${VERSION}" \
|
|
--fv "${temp_fwimage}" \
|
|
--kernelkey "${kernel_subkey}"
|
|
|
|
# Destination image has already been created.
|
|
dd if="${temp_out_vb}" of="${dst_fd}" seek="${fwB_vblock_offset}" bs=1 \
|
|
count="${fwB_vblock_size}" conv=notrunc
|
|
|
|
echo "New signed image was output to ${dst_fd}"
|