commit 010630f18c8880b80e564fc6a0bcf8e5eb7f9de6
author Hung-Te Lin <hungte@chromium.org> Wed Aug 10 12:00:13 2011 +0800
committer Hung-Te Lin <hungte@chromium.org> Wed Aug 10 18:17:29 2011 -0700
tree 3814dc2fe2a675d1d09e460844e1cf3bedf6fe59
parent 7f503e40641a2d8b62dd38497e277fe553a23ca1

make_dev_firmware: handle developer firmware keyblock correctly

We should detect keyblock from existing firmware and decide if a developer
firmware keyblock should be used.

BUG=chromium-os:18946
TEST=./make_dev_firmware.sh -f zgb.bin -t zgb_dev.bin
      # seeing Using keyblocks (developer, normal)...
      ./make_dev_firmware.sh -f mario.bin -t mario_dev.bin
      # seeing Using keyblocks (normal, normal)...
      ./make_dev_firmware.sh -f arm.bin -t arm_dev.bin
      # seeing Using keyblocks (normal, normal)...

Change-Id: I74fa0db980e26a6a19a4393303e8c5b3260c84c7
Reviewed-on: http://gerrit.chromium.org/gerrit/5623
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>

scripts/image_signing/make_dev_firmware.sh

diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh
index b2fa4fc..db2a83e 100755
--- a/scripts/image_signing/make_dev_firmware.sh
+++ b/scripts/image_signing/make_dev_firmware.sh
@@ -39,6 +39,7 @@
 
 # the image we are (temporary) working with
 IMAGE="$(make_temp_file)"
+IMAGE="$(readlink -f "$IMAGE")"
 
 # a log file to keep the output results of executed command
 EXEC_LOG="$(make_temp_file)"
@@ -194,6 +195,34 @@
     cp -f "$IMAGE" "$backup_image"
   fi
 
+  debug_msg "Detecting developer firmware keyblock"
+  local expanded_firmware_dir="$(make_temp_dir)"
+  local use_devfw_keyblock="$FLAGS_FALSE"
+  (cd "$expanded_firmware_dir"; dump_fmap -x "$IMAGE" >/dev/null 2>&1) ||
+    err_die "Failed to extract firmware image."
+  if [ -f "$expanded_firmware_dir/VBLOCK_A" ]; then
+    local has_dev=$FLAGS_TRUE has_norm=$FLAGS_TRUE
+    # In output of vbutil_keyblock, "!DEV" means "bootable on normal mode" and
+    # "DEV" means "bootable on developer mode". Here we try to match the pattern
+    # in output of vbutil_block, and disable the flags (has_dev, has_norm) if
+    # the pattern was not found.
+    vbutil_keyblock --unpack "$expanded_firmware_dir/VBLOCK_A" |
+      grep -qw '!DEV' || has_norm=$FLAGS_FALSE
+    vbutil_keyblock --unpack "$expanded_firmware_dir/VBLOCK_A" |
+      grep -qw '[^!]DEV' || has_dev=$FLAGS_FALSE
+    if [ "$has_norm" = "$FLAGS_FALSE" -a "$has_dev" = "$FLAGS_TRUE" ]; then
+      use_devfw_keyblock=$FLAGS_TRUE
+    fi
+  fi
+
+  if [ "$use_devfw_keyblock" = "$FLAGS_TRUE" ]; then
+    echo "Using keyblocks (developer, normal)..."
+  else
+    echo "Using keyblocks (normal, normal)..."
+    dev_firmware_prvkey="$firmware_prvkey"
+    dev_firmware_keyblock="$firmware_keyblock"
+  fi
+
   # TODO(hungte) We can use vbutil_firmware to check if the current firmware is
   # valid so that we know keys and vbutil_firmware are all working fine.