0c4c9bac3c390445066f08010a753ce76ccb4a5e |
|
16-Aug-2010 |
Gaurav Shah <gauravsh@chromium.org> |
Make signing script re-sign Firmware AU payload, and update rootfs hash.

The build signing script will now re-sign the chrome os AU payload in the image rootfs using the new keys. In addition, it will recalculate and update the RootFS hash (in the kernel partition) before re-signing the whole image using the new "official" keys.

BUG=3496, 5264
TEST=manual

>>>>>For testing rootfs hash updates
1) Ensure that image was built with the --enable_rootfs_verification flag
2) Mount the root file fs on the input image, and make a minor change to the root fs (e.g. adding a file)
3) Now boot from this image, drop into the shell and look for logs related to dm-bht in the dmesg output.
4) You should see dm-bht complaining about block hash mismatches
$ dmesg | grep dm
.....
<dm-bht errors>.......
<errors of the form "dm-bht: Block hash match failed">
4) Now re-sign the modified image using the sign_official_build script. This will re-calculate and update the rootfs hash.
5) Boot from the re-signed image. Look at dmesg output.
6) You should see NO dm-bht errors.

>>>>>For testing re-signing of firmware payload
Grab the firmware autoupdate shellball from /usr/sbin/chromeos-firmwareupdate in the output image's rootfs partition (number 3). Extract the shellball (--sb_extract flag), and grab the firmware bios.bin from the temporary directory.
$ unpack_firmwarefd.sh bios.bin
$ vbutil_firmware --verify firmwareA.vblock --signpubkey KEY_DIR/firmware.vbpubk --fv firmwareA.data
[Verification should succeed]
$ gbb_utility -g bios.bin --rootkey=rootkey --recoverykey=recoverykey
"rootkey" should be the same as KEY_DIR/root_key.vbpubk
"recoverykey" should be the same as KEY_DIR/recovery_key.vbpubk

KEY_DIR: Directory containing the keys used to generate the output image.

Review URL: http://codereview.chromium.org/3083025
/external/vboot_reference/scripts/image_signing/resign_image.sh
|