make_dev_firmware.sh: Correct firmware body size when changing rootkey.

make_dev_firmware.sh calls resign_firmwarefd.sh, which extracts rootkey from
input image for checking VBLOCK firmware body size. As a result, we should
resign firmware before changing rootkey / GBB.

BUG=chromium:365738
TEST=Install Nyan/Peppy PreMP-signed firmware, run make_dev_firmware.sh, and
     then boot in normal mode.
BRANCH=none

Change-Id: I45dbcacb40b7b77bbf89f1ba244bf7fb25f9ae27
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/196521
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh
index 6e69ac7..c44e671 100755
--- a/scripts/image_signing/make_dev_firmware.sh
+++ b/scripts/image_signing/make_dev_firmware.sh
@@ -192,7 +192,34 @@
   # valid so that we know keys and vbutil_firmware are all working fine.
 
   echo "Preparing new firmware image..."
-  debug_msg "Extract current HWID and rootkey"
+
+  debug_msg "Resign the firmware code (A/B) with new keys"
+  # Note resign_firmwarefd.sh needs the original rootkey to determine firmware
+  # body size, so we must resign image before changing GBB rootkey.
+
+  local unsigned_image="$(make_temp_file)"
+  local optional_opts=""
+  if [ -n "$FLAGS_preamble_flags" ]; then
+    # optional_opts: VERSION FLAGS
+    debug_msg "Setting new VERSION=1, FLAGS=$FLAGS_preamble_flags"
+    optional_opts="1 $FLAGS_preamble_flags"
+  fi
+  cp -f "$IMAGE" "$unsigned_image"
+  "$SCRIPT_BASE/resign_firmwarefd.sh" \
+    "$unsigned_image" \
+    "$IMAGE" \
+    "$firmware_prvkey" \
+    "$firmware_keyblock" \
+    "$dev_firmware_prvkey" \
+    "$dev_firmware_keyblock" \
+    "$kernel_sub_pubkey" \
+    $optional_opts >"$EXEC_LOG" 2>&1 ||
+    err_die "Failed to re-sign firmware. (message: $(cat "$EXEC_LOG"))"
+    if is_debug_mode; then
+      cat "$EXEC_LOG"
+    fi
+
+  debug_msg "Extract current HWID"
   local old_hwid
   old_hwid="$(gbb_utility --get --hwid "$IMAGE" 2>"$EXEC_LOG" |
               sed -rne 's/^hardware_id: (.*)$/\1/p')"
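Review bot: The added `local unsigned_image="$(make_temp_file)"` hides a failure of make_temp_file behind the exit status of `local`, and the `cp -f "$IMAGE" "$unsigned_image"` that follows is unchecked, so resign_firmwarefd.sh can be started on a missing or partial copy of the image. The context lines just below already split declaration from assignment for `old_hwid`; the same form fits here: `local unsigned_image`, then `unsigned_image="$(make_temp_file)" || err_die "Failed to create temp file."`, and `cp -f "$IMAGE" "$unsigned_image" || err_die "Failed to copy firmware image."`. The `if is_debug_mode; then` block after `err_die` is indented as if it belonged to the `||` continuation, yet it runs on the success path; dedenting it by two spaces would make that plain. The enclosing function starts and ends outside the hunk, so whether `set -e` is in effect there is not visible from here.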
@@ -228,30 +255,6 @@
       echo "Warning: GBB flags ($old_gbb_flags -> $new_gbb_flags) can't be set."
   fi
 
-  debug_msg "Resign the firmware code (A/B) with new keys"
-  local unsigned_image="$(make_temp_file)"
-  local optional_opts=""
-  if [ -n "$FLAGS_preamble_flags" ]; then
-    # optional_opts: VERSION FLAGS
-    debug_msg "Setting new VERSION=1, FLAGS=$FLAGS_preamble_flags"
-    optional_opts="1 $FLAGS_preamble_flags"
-  fi
-  cp -f "$IMAGE" "$unsigned_image"
-  # TODO(hungte) derive kernel key and preamble flag from existing firmware
-  "$SCRIPT_BASE/resign_firmwarefd.sh" \
-    "$unsigned_image" \
-    "$IMAGE" \
-    "$firmware_prvkey" \
-    "$firmware_keyblock" \
-    "$dev_firmware_prvkey" \
-    "$dev_firmware_keyblock" \
-    "$kernel_sub_pubkey" \
-    $optional_opts >"$EXEC_LOG" 2>&1 ||
-    err_die "Failed to re-sign firmware. (message: $(cat "$EXEC_LOG"))"
-    if is_debug_mode; then
-      cat "$EXEC_LOG"
-    fi
-
   # TODO(hungte) compare if the image really needs to be changed.
 
   debug_msg "Check if we need to make backup file(s)"