sign_official_build: add AP RO signing

When signing AP RO images, if the signer_config.csv manifest
includes the brand code column, add a futility invocation to sign the
RO_GSCVD section of the image. If the <path to unpacked>/keyset
directory is found, save the gscvd.<model> blob in that directory.

BRANCH=none
BUG=b:247652363
TEST=built ChromeOS test image for Nissa, then invoked
  $ scripts/image_signing/sign_official_build.sh \
   base \
   ~/trunk/src/build/images/nissa/latest/chromiumos_test_image.bin \
   tests/devkeys \
   /tmp/signed.bin

  and observed 'futility gscvd' invocation in the log.

Cq-Depend: 3954963
Cq-Depend: 4063101
Change-Id: I55cec75794560662ed2cfb2dac7f44d972a8571f
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3935034
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
(cherry picked from commit befd35f018be4ff6465b15f7bc1bc64c8e65426d)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4063103
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Knox Chiou <knoxchiou@chromium.org>
Commit-Queue: Knox Chiou <knoxchiou@chromium.org>
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index d1c95c9..49ac33b 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -456,7 +456,7 @@
     info "See go/cros-unibuild-signing for details"
     {
       read # Burn the first line (header line)
-      while IFS="," read -r output_name bios_image key_id ec_image
+      while IFS="," read -r output_name bios_image key_id ec_image brand_code
       do
         local key_suffix=''
         local extra_args=()
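Review bot: `brand_code` is now the last name on the `read`, so it receives the whole remainder of the line: an extra column, or a trailing carriage return in a CRLF-edited signer_config.csv, ends up in the value. That value is later passed to `--board_id` and decides whether the branch under `if [[ -n ${brand_code} ]]` runs in the next hunk. I would add a throwaway trailing name, `while IFS="," read -r output_name bios_image key_id ec_image brand_code _`, and strip a stray CR with `brand_code="${brand_code%$'\r'}"` before use. The loop body continues outside this hunk.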
@@ -574,6 +574,34 @@
         echo "After setting GBB on ${bios_path}: md5 =" \
           $(md5sum ${bios_path} | awk '{print $1}')
 
+        if [[ -n ${brand_code} ]]; then
+          # Resign the RO_GSCVD FMAP area.
+          if [[ -z ${shellball_keyset_dir} ]]; then
+            extra_args=()
+          else
+            extra_args=( --gscvd_out
+                         "${shellball_keyset_dir}/gscvd.${output_name}" )
+          fi
+          echo "Setting RO_GSCVD with: ${FUTILITY} gscvd" \
+            --keyblock "${KEY_DIR}/arv_platform.keyblock" \
+            --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \
+            --board_id "${brand_code}" \
+            --root_pub_key "${KEY_DIR}/arv_root.vbpubk" \
+            "${extra_args[@]}" \
+            "${bios_path}"
+          ${FUTILITY} gscvd \
+            --keyblock "${KEY_DIR}/arv_platform.keyblock" \
+            --platform_priv "${KEY_DIR}/arv_platform.vbprivk" \
+            --board_id "${brand_code}" \
+            --root_pub_key "${KEY_DIR}/arv_root.vbpubk" \
+            "${extra_args[@]}" \
+            "${bios_path}"
+
+          echo "After signing RO_GSCVD on ${bios_path}: md5 =" \
+               "$(md5sum "${bios_path}" | awk '{print $1}')"
+        else
+          warn "No brand code for ${bios_path} in signer_config.csv"
+        fi
         info "Signed firmware image output to ${bios_path}"
       done
       unset IFS
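Review bot: The exit status of the new `${FUTILITY} gscvd` call is not checked in this hunk, so unless the script runs under `set -e` (not visible here) a failed RO_GSCVD signing falls through to the md5 echo and to `info "Signed firmware image output to ${bios_path}"`, and the image is reported as signed with a stale or missing GSCVD. I would end the invocation with `"${bios_path}" || die "futility gscvd failed for ${bios_path}"`. The `else` branch has the same fail-open shape: a row without a brand code only gets a `warn`, which may be intended for boards without AP RO verification but deserves a comment saying so. The enclosing loop and function begin outside the hunk.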