sign_official_build: Use sign_firmware.sh for in-place firmware signing.

We recently fixed a bug in the sign_firmware.sh script to perform
root key replacement after signing FWA and FWB to allow
resign_firmwarefd.sh to correctly determine the preamble flag to use.

As it turns out, the sign_official_build.sh script used by the signer
for in-place firmware re-signing was using a different code path (by
directly calling resign_firmwarefd.sh).

This change makes the sign_official_build script call sign_firmware.sh instead.

BUG=chrome-os-partner:6874
TEST=tried signing a vanilla lumpy image with and without the fix, and
     observed the value of preamble flag used.

Change-Id: Icffb1d86fbe44f69e444da51fe251ad3427635c6
Reviewed-on: https://gerrit.chromium.org/gerrit/12471
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 2ab0579..cc3d6af 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -325,29 +325,15 @@
   echo "Found a valid firmware update shellball."
 
   temp_outfd=$(make_temp_file)
-  # Replace the root key in the GBB.
-  # TODO(gauravsh): Remove when we lock down the R/O portion of firmware.
-  if [ -e "${KEY_DIR}/hwid" ]; then
-    # Only update the hwid if we see one in the key directory.
-    gbb_utility -s \
-      --rootkey=${KEY_DIR}/root_key.vbpubk \
-      --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
-      --hwid="$(cat ${KEY_DIR}/hwid)" \
-      ${shellball_dir}/bios.bin ${temp_outfd}
-  else
-    gbb_utility -s \
-      --rootkey=${KEY_DIR}/root_key.vbpubk \
-      --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
-      ${shellball_dir}/bios.bin ${temp_outfd}
-  fi
-  # Resign the firmware with new keys.
-  ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
-    ${KEY_DIR}/firmware_data_key.vbprivk \
-    ${KEY_DIR}/firmware.keyblock \
-    ${KEY_DIR}/dev_firmware_data_key.vbprivk \
-    ${KEY_DIR}/dev_firmware.keyblock \
-    ${KEY_DIR}/kernel_subkey.vbpubk \
-    ${FIRMWARE_VERSION}
+  # Resign the firmware with new keys, also replacing the root and recovery
+  # public keys in the GBB.
+  ${SCRIPT_DIR}/sign_firmware.sh ${shellball_dir}/bios.bin ${KEY_DIR} \
+    ${temp_outfd}
+  # Note: Although sign_firmware.sh may correctly handle specifying the same
+  # output file as the input file, we do not want to rely on it correctly
+  # handing that. Hence, the use of a temporary file.
+  cp ${temp_outfd} ${shellball_dir}/bios.bin
+
   local signer_notes="${shellball_dir}/VERSION.signer"
   echo "" >"$signer_notes"
   echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"$signer_notes"
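
Review bot: The new `sign_firmware.sh` call takes only `bios.bin`, `${KEY_DIR}` and `${temp_outfd}`, so the `${FIRMWARE_VERSION}` argument that the removed `resign_firmwarefd.sh` call passed last, and the conditional `--hwid "$(cat ${KEY_DIR}/hwid)"` update, no longer appear anywhere in this code path. The new comment mentions only the root and recovery public keys, so please confirm that sign_firmware.sh still applies the intended firmware version and HWID, and say so in the comment; otherwise an in-place re-sign could silently produce an image with a different version or HWID than before. Separately, `cp ${temp_outfd} ${shellball_dir}/bios.bin` runs whether or not the signing step succeeded, unless the script is under `set -e` (not visible in this hunk); check the exit status of sign_firmware.sh first so that a failed run cannot overwrite bios.bin with an empty or partial temporary file. Minor: quote the expansions in the two added commands, as the `readlink -f "${KEY_DIR}"` line just below already does, and the new comment has "handing" where "handling" is meant.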