image_signing: drop support for signing nvidia lp0_firmware
This was only used by smaug which went EOL a while ago and we've
already deleted supporting logic.
BUG=None
TEST=CQ passes
BRANCH=None
Change-Id: Ia639c7da3c70c62ee102f11d510ffaa928ab244a
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2309221
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh
index 54c3a4d..0e7ac7c 100755
--- a/scripts/image_signing/sign_firmware.sh
+++ b/scripts/image_signing/sign_firmware.sh
@@ -128,16 +128,6 @@
sign_one
gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" \
"${key_dir}/root_key.vbpubk"
-
- # Additional signing step for nVidia T210 SoC.
- # Currently, cbootimage is unable to handle path with double slash.
- if [[ -e ${key_dir}/nv_pkc.pem ]]; then
- "${SCRIPT_DIR}/sign_nv_cbootimage.sh" \
- "bootloader" \
- "${key_dir%/}/nv_pkc.pem" \
- "${out_firmware}" \
- tegra210
- fi
fi
}
main "$@"
diff --git a/scripts/image_signing/sign_nv_cbootimage.sh b/scripts/image_signing/sign_nv_cbootimage.sh
deleted file mode 100755
index da978e8..0000000
--- a/scripts/image_signing/sign_nv_cbootimage.sh
+++ /dev/null
@@ -1,262 +0,0 @@
-#!/bin/bash
-# Copyright 2015 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# Wrapper script for signing firmware image using cbootimage.
-
-# Determine script directory.
-SCRIPT_DIR=$(dirname "$0")
-
-# Load common constants and variables.
-. "${SCRIPT_DIR}/common_minimal.sh"
-
-# Abort on error.
-set -e
-
-usage() {
- cat<<EOF
-Usage: $0 <type> <pkc_key> <firmware_image> <soc>
-
-Signs <firmware_image> of <type> with <pkc_key> using cbootimage for <soc>.
-where type is one of
- bootloader = sign bootloader image
- lp0_firmware = sign lp0 firmware
-EOF
- exit 1
-}
-
-# Signs bootloader image using pkc_key provided for given soc
-# Args: TYPE=bootloader PKC_KEY FIRMWARE_IMAGE SOC
-sign_bootloader() {
- local type=$1
- local pkc_key="$(readlink -f "$2")"
- local firmware_image="$(readlink -f "$3")"
- local soc=$4
-
- local work_dir=$(make_temp_dir)
- local config_file=$(make_temp_file)
- local signed_fw=$(make_temp_file)
-
- pushd "${work_dir}" >/dev/null
-
- # Get bootloader length.
- #
- # Example:
- # $ bct_dump image.fastboot.bin
- # Version = 0x00210001;
- # BlockSize = 0x00008000;
- # ...
- # ...
- # # Bootloader[0].Length = 69324;
- # ...
- # ...
- #
- # then, bl_length=69324 (size of bootloader that needs to be signed)
- local bl_length=$(bct_dump "${firmware_image}" | \
- sed -n '/Bootloader\[0\].Length/{ s/.*=\s*//; s/;//; p; q}')
-
- # Extract bootloader to sign.
- dd \
- if="${firmware_image}" \
- of="${signed_fw}.bl.tosig" \
- count="${bl_length}" \
- ibs=1 \
- skip=32768 >/dev/null 2>&1
-
- # Calculate rsa signature for bootloader.
- openssl \
- dgst -sha256 \
- -sigopt rsa_padding_mode:pss \
- -sigopt rsa_pss_saltlen:-1 \
- -sign "${pkc_key}" \
- -out "${signed_fw}.bl.sig" \
- "${signed_fw}.bl.tosig"
-
- # Update bootloader's rsa signature, aes hash and bct's aes hash.
- echo "RsaPssSigBlFile = ${signed_fw}.bl.sig;" > "${config_file}"
- echo "RehashBl;" >> "${config_file}"
- cbootimage \
- -s "${soc}" \
- -u "${config_file}" \
- "${firmware_image}" \
- "${signed_fw}.tmp" >/dev/null
-
- # Extract the part of bct which needs to be rsa signed.
- dd \
- if="${signed_fw}.tmp" \
- of="${signed_fw}.bct.tosig" \
- count=8944 \
- ibs=1 \
- skip=1296 >/dev/null 2>&1
-
- # Calculate rsa signature for bct.
- openssl \
- dgst -sha256 \
- -sigopt rsa_padding_mode:pss \
- -sigopt rsa_pss_saltlen:-1 \
- -sign "${pkc_key}" \
- -out "${signed_fw}.bct.sig" \
- "${signed_fw}.bct.tosig"
-
- # Create public key modulus from key file.
- openssl \
- rsa -in "${pkc_key}" \
- -noout \
- -modulus \
- -out "${signed_fw}.key.mod"
-
- # Remove prefix.
- cut \
- -d= \
- -f2 "${signed_fw}.key.mod" > "${signed_fw}.key.mod.tmp1"
- dd \
- if="${signed_fw}.key.mod.tmp1" \
- of="${signed_fw}.key.mod.tmp" \
- count=512 \
- ibs=1 >/dev/null 2>&1
-
- # Convert from hexdecimal to binary.
- perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' \
- < "${signed_fw}.key.mod.tmp" \
- > "${signed_fw}.key.mod.bin"
-
- # Update bct's rsa signature and modulus.
- echo "RsaPssSigBctFile = ${signed_fw}.bct.sig;" > "${config_file}"
- echo "RsaKeyModulusFile = ${signed_fw}.key.mod.bin;" >> "${config_file}"
- cbootimage \
- -s "${soc}" \
- -u "${config_file}" \
- "${signed_fw}.tmp" \
- "${signed_fw}" >/dev/null
-
- # Calculate hash of public key modulus.
- objcopy \
- -I binary \
- --reverse-bytes=256 \
- "${signed_fw}.key.mod.bin" \
- "${signed_fw}.key.mod.bin.rev"
- openssl \
- dgst -sha256 \
- -binary \
- -out "${signed_fw}.key.sha" \
- "${signed_fw}.key.mod.bin.rev"
-
- popd >/dev/null
-
- # Copy signed firmware image and public key hash to current directory..
- mv "${signed_fw}" "${firmware_image}"
- mv "${signed_fw}.key.sha" "${firmware_image}.pubkey.sha"
-}
-
-# Signs lp0 firmware image using pkc_key provided for given soc
-# Args: TYPE=lp0_firmware PKC_KEY FIRMWARE_IMAGE SOC
-sign_lp0_firmware() {
- local type=$1
- local pkc_key="$(readlink -f "$2")"
- local firmware_image="$(readlink -f "$3")"
- local soc=$4
-
- local work_dir=$(make_temp_dir)
- local signed_fw=$(make_temp_file)
-
- pushd "${work_dir}" >/dev/null
-
- cp "${firmware_image}" "${signed_fw}"
-
- # Extract the part of the binary which needs to be signed.
- dd \
- if="${firmware_image}" \
- of="${signed_fw}.tosig" \
- ibs=1 \
- skip=544 >/dev/null 2>&1
-
- # Calculate rsa-pss signature.
- openssl \
- dgst -sha256 \
- -sigopt rsa_padding_mode:pss \
- -sigopt rsa_pss_saltlen:-1 \
- -sign "${pkc_key}" \
- -out "${signed_fw}.rsa.sig" \
- "${signed_fw}.tosig"
-
- # Reverse rsa signature to meet tegra soc ordering requirement.
- objcopy \
- -I binary \
- --reverse-bytes=256 \
- "${signed_fw}.rsa.sig" \
- "${signed_fw}.rsa.sig.rev"
-
- # Inject rsa-pss signature into the binary image's header.
- dd \
- if="${signed_fw}.rsa.sig.rev" \
- of="${signed_fw}" \
- count=256 \
- obs=1 \
- seek=288 \
- conv=notrunc >/dev/null 2>&1
-
- # Generate public key modulus from key file.
- openssl \
- rsa -in "${pkc_key}" \
- -noout \
- -modulus \
- -out "${signed_fw}.key.mod"
-
- # Remove prefix.
- cut \
- -d= \
- -f2 "${signed_fw}.key.mod" > "${signed_fw}.key.mod.tmp1"
-
- dd \
- if="${signed_fw}.key.mod.tmp1" \
- of="${signed_fw}.key.mod.tmp" \
- count=512 \
- ibs=1 >/dev/null 2>&1
-
- # Convert from hexdecimal to binary.
- perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' \
- < "${signed_fw}.key.mod.tmp" \
- > "${signed_fw}.key.mod.bin"
-
- # Reverse byte order.
- objcopy \
- -I binary \
- --reverse-bytes=256 \
- "${signed_fw}.key.mod.bin" \
- "${signed_fw}.key.mod.bin.rev"
-
- # Inject public key modulus into the binary image's header.
- dd \
- if="${signed_fw}.key.mod.bin.rev" \
- of="${signed_fw}" \
- count=256 \
- obs=1 \
- seek=16 \
- conv=notrunc >/dev/null 2>&1
-
- popd >/dev/null
- mv "${signed_fw}" "${firmware_image}"
-}
-
-main() {
- if [[ $# -ne 4 ]]; then
- usage
- fi
-
- local type=$1
-
- case ${type} in
- bootloader)
- sign_bootloader "$@"
- ;;
- lp0_firmware)
- sign_lp0_firmware "$@"
- ;;
- *)
- usage
- ;;
- esac
-}
-
-main "$@"
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 3777032..0d02fe3 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -37,7 +37,6 @@
firmware (sign a firmware image)
usb (sign an image to boot directly from USB)
verify (verify an image including rootfs hashes)
- nv_lp0_firmware (sign nvidia lp0 firmware)
accessory_usbpd (sign USB-PD accessory firmware)
accessory_rwsig (sign accessory RW firmware)
cr50_firmware (sign a cr50 firmware image)
@@ -403,17 +402,6 @@
info "Signed firmware image output to ${image}"
}
-# Sign nvidia lp0 firmware with the given keys.
-# Args: NV_LP0_FIRMWARE_IMAGE KEY_DIR
-sign_nv_lp0_firmware() {
- local nv_lp0_fw_image=$1
- local key_dir=$2
-
- "${SCRIPT_DIR}/sign_nv_cbootimage.sh" "lp0_firmware" \
- "${key_dir%/}/nv_pkc.pem" "${nv_lp0_fw_image}" "tegra210"
- info "Signed nvidia lp0 firmware image output to ${nv_lp0_fw_image}"
-}
-
# Sign a kernel in-place with the given keys.
# Args: KERNEL_IMAGE KEY_DIR KERNEL_VERSION
sign_kernel() {
@@ -1108,12 +1096,6 @@
fi
cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
sign_firmware ${OUTPUT_IMAGE} ${KEY_DIR} ${FIRMWARE_VERSION}
-elif [[ "${TYPE}" == "nv_lp0_firmware" ]]; then
- if [[ -e "${KEY_DIR}/loem.ini" ]]; then
- die "LOEM signing not implemented yet for nv_lp0_firmware images"
- fi
- cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
- sign_nv_lp0_firmware "${OUTPUT_IMAGE}" "${KEY_DIR}"
elif [[ "${TYPE}" == "kernel" ]]; then
if [[ -e "${KEY_DIR}/loem.ini" ]]; then
die "LOEM signing not implemented yet for kernel images"
