scripts/image_signing/sign_official_build.sh

37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah#!/bin/bash
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah# Use of this source code is governed by a BSD-style license that can be
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah# found in the LICENSE file.
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah# Sign the final build image using the "official" keys.
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah#
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah# Prerequisite tools needed in the system path:
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah#
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah#  gbb_utility (from src/platform/vboot_reference)
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah#  vbutil_kernel (from src/platform/vboot_reference)
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah#  cgpt (from src/platform/vboot_reference)
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah#  dump_kernel_config (from src/platform/vboot_reference)
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah#  verity (from src/platform/verity)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah#  load_kernel_test (from src/platform/vboot_reference)
1a2e6fc765a13b636d3dd75dc7cae709e9e8d218Gaurav Shah#  dumpe2fs
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah#  sha1sum
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah# Load common constants and variables.
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah. "$(dirname "$0")/common.sh"
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah# Print usage string
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shahusage() {
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah  cat <<EOF
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav ShahUsage: $PROG <type> input_image /path/to/keys/dir [output_image] [version_file]
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahwhere <type> is one of:
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah             ssd  (sign an SSD image)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah             recovery (sign a USB recovery image)
22bd8b0c29b485ccdaa4f63e6fdac9f097b60aabMike Frysinger             factory (sign a factory install image)
22bd8b0c29b485ccdaa4f63e6fdac9f097b60aabMike Frysinger             install (old alias to "factory")
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger             update_payload (sign a delta update hash)
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah             firmware (sign a firmware image)
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardson             usb  (sign an image to boot directly from USB)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah             verify (verify an image including rootfs hashes)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shahoutput_image: File name of the signed output image
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shahversion_file: File name of where to read the kernel and firmware versions.
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav ShahIf you are signing an image, you must specify an [output_image] and
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shahoptionally, a [version_file].
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav ShahEOF
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  if [[ $# -gt 0 ]]; then
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    error "$*"
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    exit 1
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  fi
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  exit 0
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger# Verify we have as many arguments as we expect, else show usage & quit.
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger# Usage:
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger#  check_argc <number args> <exact number>
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger#  check_argc <number args> <lower bound> <upper bound>
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysingercheck_argc() {
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  case $# in
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  2)
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    if [[ $1 -ne $2 ]]; then
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger      usage "command takes exactly $2 args"
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    fi
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    ;;
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  3)
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    if [[ $1 -lt $2 || $1 -gt $3 ]]; then
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger      usage "command takes $2 to $3 args"
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    fi
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    ;;
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  *)
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    die "check_argc: incorrect number of arguments"
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  esac
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger}
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah# Abort on errors.
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahset -e
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
9dc90d36f8f2e2029adbfece0831c1a840e899caGaurav Shah# Add to the path since some tools reside here and may not be in the non-root
9dc90d36f8f2e2029adbfece0831c1a840e899caGaurav Shah# system path.
9dc90d36f8f2e2029adbfece0831c1a840e899caGaurav ShahPATH=$PATH:/usr/sbin:/sbin
9dc90d36f8f2e2029adbfece0831c1a840e899caGaurav Shah
0500524edda44c770690bb942e916522f1eca5cdGaurav Shah# Make sure the tools we need are available.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shahfor prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  load_kernel_test dumpe2fs sha1sum e2fsck; do
0500524edda44c770690bb942e916522f1eca5cdGaurav Shah  type -P "${prereqs}" &>/dev/null || \
0500524edda44c770690bb942e916522f1eca5cdGaurav Shah    { echo "${prereqs} tool not found."; exit 1; }
0500524edda44c770690bb942e916522f1eca5cdGaurav Shahdone
0500524edda44c770690bb942e916522f1eca5cdGaurav Shah
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav ShahTYPE=$1
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav ShahINPUT_IMAGE=$2
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav ShahKEY_DIR=$3
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav ShahOUTPUT_IMAGE=$4
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav ShahVERSION_FILE=$5
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav ShahFIRMWARE_VERSION=1
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav ShahKERNEL_VERSION=1
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah# Get current rootfs hash and kernel command line
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah# ARGS: IMAGE KERNELPART
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shahgrab_kernel_config() {
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local image=$1
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  local kernelpart=$2  # Kernel partition number to grab.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  # Grab the existing kernel partition and get the kernel config.
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  temp_kimage=$(make_temp_file)
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  extract_image_partition ${image} ${kernelpart} ${temp_kimage}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  dump_kernel_config ${temp_kimage}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah# TODO(gauravsh): These are duplicated from chromeos-setimage. We need
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah# to move all signing and rootfs code to one single place where it can be
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah# reused. crosbug.com/19543
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah# get_verity_arg <commandline> <key> -> <value>
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shahget_verity_arg() {
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah  echo "$1" | sed -n "s/.*\b$2=\([^ \"]*\).*/\1/p"
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah}
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shahis_old_verity_argv() {
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  local depth=$(echo "$1" | cut -f7 -d' ')
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  if [ "$depth" = "0" ]; then
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah    return 0
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  fi
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  return 1
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah}
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah# Get the dmparams parameters from a kernel config.
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shahget_dmparams_from_config() {
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local kernel_config=$1
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  echo ${kernel_config} | sed -nre 's/.*dm="([^"]*)".*/\1/p'
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah}
c0911e27b93eae772088ed09d7a41561b7a5b0b6Gaurav Shah# Get the verity root digest hash from a kernel config command line.
c0911e27b93eae772088ed09d7a41561b7a5b0b6Gaurav Shahget_hash_from_config() {
c0911e27b93eae772088ed09d7a41561b7a5b0b6Gaurav Shah  local kernel_config=$1
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local dm_config=$(get_dmparams_from_config "${kernel_config}")
c8c8dfd90992808a91ce85110218cf1f78fd7f92Paul Taysom  local vroot_dev=$(get_dm_slave "${dm_config}" vroot)
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  if is_old_verity_argv "${vroot_dev}"; then
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    echo ${vroot_dev} | cut -f9 -d ' '
c0911e27b93eae772088ed09d7a41561b7a5b0b6Gaurav Shah  else
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    echo $(get_verity_arg "${vroot_dev}" root_hexdigest)
c0911e27b93eae772088ed09d7a41561b7a5b0b6Gaurav Shah  fi
c0911e27b93eae772088ed09d7a41561b7a5b0b6Gaurav Shah}
c0911e27b93eae772088ed09d7a41561b7a5b0b6Gaurav Shah
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom# Get the slave device and its args
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom# get_dm_ags $dm_config [vboot|vroot]
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom# Assumes we have only one slave device per device
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysomget_dm_slave() {
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  local dm=$1
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  local device=$2
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  echo $(echo "${dm}" | sed -nre "s/.*${device}[^,]*,([^,]*).*/\1/p")
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom}
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom# Set the slave device and its args for a device
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom# get_dm_ags $dm_config [vboot|vroot] args
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom# Assumes we have only one slave device per device
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysomset_dm_slave() {
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  local dm=$1
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  local device=$2
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  local slave=$3
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  echo $(echo "${dm}" |
f5c62bd7dc1ef3d76d6e5f9119ad73ec95a926d7Paul Taysom    sed -nre "s#(.*${device}[^,]*,)([^,]*)(.*)#\1${slave}\3#p")
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom}
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav ShahCALCULATED_KERNEL_CONFIG=
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah# Calculate rootfs hash of an image
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah# Args: ROOTFS_IMAGE KERNEL_CONFIG HASH_IMAGE
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah#
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah# rootfs calculation parameters are grabbed from KERNEL_CONFIG
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah#
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah# Updated kernel config command line with the new hash is stored in
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah# $CALCULATED_KERNEL_CONFIG and the new hash image is written to the file
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah# HASH_IMAGE.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shahcalculate_rootfs_hash() {
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local rootfs_image=$1
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local kernel_config=$2
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local hash_image=$3
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local dm_config=$(get_dmparams_from_config "${kernel_config}")
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
33c44fc14f6981601d0f0743d0705587d5f11c56Gaurav Shah  if [ -z "${dm_config}" ]; then
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation."
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    return 1
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  fi
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  local vroot_dev=$(get_dm_slave "${dm_config}" vroot)
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  local rootfs_sectors
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  local verity_depth
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  local verity_algorithm
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  local root_dev
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  local hash_dev
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah  local verity_bin="verity"
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  if is_old_verity_argv "${vroot_dev}"; then
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah    # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah    # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2"
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    rootfs_sectors=$(echo ${vroot_dev} | cut -f2 -d' ')
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    verity_depth=$(echo ${vroot_dev} | cut -f7 -d' ')
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    verity_algorithm=$(echo ${vroot_dev} | cut -f8 -d' ')
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    root_dev=$(echo ${vroot_dev} | cut -f4 -d ' ')
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    hash_dev=$(echo ${vroot_dev} | cut -f5 -d ' ')
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah    # Hack around the fact that the signer needs to use the old version of
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah    # verity to generate legacy verity kernel parameters. If we find it,
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah    # we use it.
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah    type -P "verity-old" &>/dev/null && verity_bin="verity-old"
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  else
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah    # Key-value parameters.
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    rootfs_sectors=$(get_verity_arg "${vroot_dev}" hashstart)
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah    verity_depth=0
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    verity_algorithm=$(get_verity_arg "${vroot_dev}" alg)
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    root_dev=$(get_verity_arg "${vroot_dev}" payload)
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    hash_dev=$(get_verity_arg "${vroot_dev}" hashtree)
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    salt=$(get_verity_arg "${vroot_dev}" salt)
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah  fi
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah  local salt_arg
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah  if [ -n "$salt" ]; then
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah    salt_arg="salt=$salt"
69b88dc99b0c3ed12ad66f8df7b65ecc3682204fGaurav Shah  fi
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  # Run the verity tool on the rootfs partition.
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  local slave=$(sudo ${verity_bin} mode=create \
cba0e83d91b33c3ef9c71fc7dc24c1370e7f3e9aGaurav Shah    alg=${verity_algorithm} \
cba0e83d91b33c3ef9c71fc7dc24c1370e7f3e9aGaurav Shah    payload="${rootfs_image}" \
cba0e83d91b33c3ef9c71fc7dc24c1370e7f3e9aGaurav Shah    payload_blocks=$((rootfs_sectors / 8)) \
132e6e0c8cfa49a470199374e2331e3bb2ea21d6Gaurav Shah    hashtree="${hash_image}" ${salt_arg})
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  # Reconstruct new kernel config command line and replace placeholders.
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  slave="$(echo "${slave}" |
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah    sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")"
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom  local dm_args=$(set_dm_slave "${dm_config}" vroot "${slave}")
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  CALCULATED_KERNEL_CONFIG=$(echo ${kernel_config} |
96d16de52ebb6785f7d34dcecc030d1b4e3f9c09Paul Taysom    sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${dm_args}\3#g")
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah# Re-calculate rootfs hash, update rootfs and kernel command line.
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah# Args: IMAGE KEYBLOCK PRIVATEKEY KERNELPART
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shahupdate_rootfs_hash() {
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local image=$1  # Input image.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local keyblock=$2  # Keyblock for re-generating signed kernel partition
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local signprivate=$3  # Private key to use for signing.
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  local kernelpart=$4  # Kernel partition number to update (usually 2 or 4)
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah  echo "Updating rootfs hash and updating config for Kernel partition" \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    "$kernelpart"
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  # If we can't find dm parameters in the kernel config, bail out now.
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local kernel_config=$(grab_kernel_config "${image}" ${kernelpart})
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local dm_config=$(get_dmparams_from_config "${kernel_config}")
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  if [ -z "${dm_config}" ]; then
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    echo "WARNING: Couldn't grab dm_config from kernel partition ${kernelpart}"
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    echo "WARNING: Not performing rootfs hash update!"
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    return
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  fi
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin  # check and clear need_to_resign tag
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin  local rootfs_dir=$(make_temp_dir)
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin  mount_image_partition_ro "${image}" 3 "${rootfs_dir}"
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin  if has_needs_to_be_resigned_tag "${rootfs_dir}"; then
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin    # remount as RW
d170a9d542dd4770c25d5ed82429a55391d88218Gaurav Shah    sudo umount "${rootfs_dir}"
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin    mount_image_partition "${image}" 3 "${rootfs_dir}"
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin    sudo rm -f "${rootfs_dir}/${TAG_NEEDS_TO_BE_SIGNED}"
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin  fi
d170a9d542dd4770c25d5ed82429a55391d88218Gaurav Shah  sudo umount "${rootfs_dir}"
04c00e19c6fd1d9ad09d2bf5e06518c249d62b31Hung-Te Lin
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local rootfs_image=$(make_temp_file)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  extract_image_partition ${image} 3 ${rootfs_image}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local hash_image=$(make_temp_file)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
aaae959412acc95ba2f4a0b5af44d67186c7a3d2Will Drewry  # Disable rw mount support prior to hashing.
aaae959412acc95ba2f4a0b5af44d67186c7a3d2Will Drewry  disable_rw_mount "${rootfs_image}"
aaae959412acc95ba2f4a0b5af44d67186c7a3d2Will Drewry
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  if ! calculate_rootfs_hash "${rootfs_image}"  "${kernel_config}" \
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    "${hash_image}"; then
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    echo "calculate_rootfs_hash failed!"
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    echo "Aborting rootfs hash update!"
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    return
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  fi
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local new_kernel_config=$CALCULATED_KERNEL_CONFIG
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  echo "New config for kernel partition $kernelpart is:"
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  echo $new_kernel_config
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  echo
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
1a2e6fc765a13b636d3dd75dc7cae709e9e8d218Gaurav Shah  local rootfs_blocks=$(sudo dumpe2fs "${rootfs_image}" 2> /dev/null |
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    grep "Block count" |
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    tr -d ' ' |
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    cut -f2 -d:)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local rootfs_sectors=$((rootfs_blocks * 8))
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  # Overwrite the appended hashes in the rootfs
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  local temp_config=$(make_temp_file)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  echo ${new_kernel_config} >${temp_config}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  dd if=${hash_image} of=${rootfs_image} bs=512 \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    seek=${rootfs_sectors} conv=notrunc 2>/dev/null
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local temp_kimage=$(make_temp_file)
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  extract_image_partition ${image} ${kernelpart} ${temp_kimage}
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  # Re-calculate kernel partition signature and command line.
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  local updated_kimage=$(make_temp_file)
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  vbutil_kernel --repack ${updated_kimage} \
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah    --keyblock ${keyblock} \
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah    --signprivate ${signprivate} \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    --version "${KERNEL_VERSION}" \
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah    --oldblob ${temp_kimage} \
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah    --config ${temp_config}
33c44fc14f6981601d0f0743d0705587d5f11c56Gaurav Shah
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  replace_image_partition ${image} ${kernelpart} ${updated_kimage}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  replace_image_partition ${image} 3 ${rootfs_image}
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah}
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah# Do a sanity check on the image's rootfs
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah# ARGS: Image
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shahverify_image_rootfs() {
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  local image=$1
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  local rootfs_image=$(make_temp_file)
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  extract_image_partition ${image} 3 ${rootfs_image}
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  # This flips the read-only compatibility flag, so that e2fsck does not
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  # complain about unknown file system capabilities.
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  enable_rw_mount ${rootfs_image}
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  echo "Running e2fsck to check root file system for errors"
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  sudo e2fsck -fn "${rootfs_image}" ||
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah    { echo "Root file system has errors!" && exit 1;}
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah}
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin# Extracts a firmware updater bundle (for firmware image binaries) file
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin# (generated by src/platform/firmware/pack_firmware.sh).
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin# Args: INPUT_FILE OUTPUT_DIR
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Linextract_firmware_bundle() {
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  local input="$(readlink -f "$1")"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  local output_dir="$2"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  if [ ! -s "${input}" ]; then
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    return 1
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  elif grep -q '^##CUTHERE##' "${input}"; then
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    # Bundle supports self-extraction.
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    "$input" --sb_extract "${output_dir}" ||
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin      die "Extracting firmware autoupdate (--sb_extract) failed."
71bff41d6f0ff9912b9c56d14ba2ea0dd0331a9cGaurav Shah  else
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    # Legacy bundle - try uudecode.
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null ||
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin      die "Extracting firmware autoupdate failed."
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  fi
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin}
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin# Repacks firmware updater bundle content from given folder.
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin# Args: INPUT_DIR TARGET_SCRIPT
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Linrepack_firmware_bundle() {
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  local input_dir="$1"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  local target="$(readlink -f "$2")"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  if [ ! -s "${target}" ]; then
71bff41d6f0ff9912b9c56d14ba2ea0dd0331a9cGaurav Shah    return 1
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  elif grep -q '^##CUTHERE##' "${target}"; then
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    # Bundle supports repacking.
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    "$target" --sb_repack "${input_dir}" ||
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin      die "Updating firmware autoupdate (--sb_repack) failed."
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  else
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    # Legacy bundle using uuencode + tar.gz.
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    # Replace MD5 checksum in the firmware update payload.
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    local newfd_checksum="$(md5sum ${input_dir}/bios.bin | cut -f 1 -d ' ')"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    local temp_version="$(make_temp_file)"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    cat ${input_dir}/VERSION |
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    sed -e "s#\(.*\)\ \(.*bios.bin.*\)#${newfd_checksum}\ \2#" > ${temp_version}
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    mv ${temp_version} ${input_dir}/VERSION
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    # Re-generate firmware_update.tgz and copy over encoded archive in
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    # the original shell ball.
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    sed -ine '/^begin .*firmware_package/,/end/D' "$target"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin    tar zcf - -C "${input_dir}" . |
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin      uuencode firmware_package.tgz >>"${target}"
71bff41d6f0ff9912b9c56d14ba2ea0dd0331a9cGaurav Shah  fi
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah}
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah# Sign a firmware in-place with the given keys.
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger# Args: FIRMWARE_IMAGE KEY_DIR FIRMWARE_VERSION [LOEM_OUTPUT_DIR]
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shahsign_firmware() {
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  local image=$1
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  local key_dir=$2
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  local firmware_version=$3
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger  local loem_output_dir=${4:-}
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  local temp_firmware=$(make_temp_file)
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  # Resign the firmware with new keys, also replacing the root and recovery
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  # public keys in the GBB.
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger  "${SCRIPT_DIR}/sign_firmware.sh" "${image}" "${key_dir}" "${temp_firmware}" \
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger    "${firmware_version}" "${loem_output_dir}"
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  # Note: Although sign_firmware.sh may correctly handle specifying the same
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  # output file as the input file, we do not want to rely on it correctly
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  # handing that. Hence, the use of a temporary file.
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  mv ${temp_firmware} ${image}
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  echo "Signed firmware image output to ${image}"
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah}
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger# Sign a delta update payload (usually created by paygen).
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger# Args: INPUT_IMAGE KEY_DIR OUTPUT_IMAGE
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysingersign_update_payload() {
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  local image=$1
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  local key_dir=$2
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  local output=$3
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  local key_size key_file="${key_dir}/update_key.pem"
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  local algo algos=(
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    # Maps key size to verified boot's algorithm id (for pad_digest_utility).
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    # Hashing algorithm is always SHA-256.
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    [1024]=1
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    [2048]=4
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    [4096]=7
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    [8192]=10
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  )
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  key_size=$(openssl rsa -text -noout -in "${key_file}" | \
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    sed -n -r '1{s/Private-Key: \(([0-9]*) bit\)/\1/p}')
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  algo=${algos[${key_size}]}
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  if [[ -z ${algo} ]]; then
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    die "Unknown algorithm specified by key_size=${key_size}"
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  fi
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  pad_digest_utility ${algo} "${image}" | \
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger    openssl rsautl -sign -pkcs -inkey "${key_file}" -out "${output}"
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger}
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah# Re-sign the firmware AU payload inside the image rootfs with a new keys.
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah# Args: IMAGE
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shahresign_firmware_payload() {
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  local image=$1
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
815193daeeef8913dce878e36c6608adb1c56bb5Gaurav Shah  if [ -n "${NO_FWUPDATE}" ]; then
815193daeeef8913dce878e36c6608adb1c56bb5Gaurav Shah    echo "Skipping firmware update."
815193daeeef8913dce878e36c6608adb1c56bb5Gaurav Shah    return
815193daeeef8913dce878e36c6608adb1c56bb5Gaurav Shah  fi
815193daeeef8913dce878e36c6608adb1c56bb5Gaurav Shah
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  # Grab firmware image from the autoupdate bundle (shellball).
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  local rootfs_dir=$(make_temp_dir)
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  mount_image_partition ${image} 3 ${rootfs_dir}
14805f555173cf430902ab415cef9d0d83182578Gaurav Shah  # Force unmount of the rootfs on function exit as it is needed later.
d170a9d542dd4770c25d5ed82429a55391d88218Gaurav Shah  trap "sudo umount ${rootfs_dir}" RETURN
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  local firmware_bundle="${rootfs_dir}/usr/sbin/chromeos-firmwareupdate"
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  local shellball_dir=$(make_temp_dir)
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  # extract_firmware_bundle can fail if the image has no firmware update.
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  extract_firmware_bundle "${firmware_bundle}" "${shellball_dir}" ||
71bff41d6f0ff9912b9c56d14ba2ea0dd0331a9cGaurav Shah    { echo "Didn't find a firmware update. Not signing firmware."
71bff41d6f0ff9912b9c56d14ba2ea0dd0331a9cGaurav Shah    return; }
71bff41d6f0ff9912b9c56d14ba2ea0dd0331a9cGaurav Shah  echo "Found a valid firmware update shellball."
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger  local image_file sign_args=() loem_sfx loem_output_dir
ca8c372e60d249cc49ecaf1d33ace2d53caadfaeHung-Te Lin  for image_file in "${shellball_dir}"/bios*.bin; do
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger    if [[ -e "${KEY_DIR}/loem.ini" ]]; then
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger      # Extract the extended details from "bios.bin" and use that in the
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger      # subdir for the keyset.
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger      loem_sfx=$(sed -r 's:.*/bios([^/]*)[.]bin$:\1:' <<<"${image_file}")
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger      loem_output_dir="${shellball_dir}/keyset${loem_sfx}"
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger      sign_args=( "${loem_output_dir}" )
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger      mkdir -p "${loem_output_dir}"
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger    fi
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger    sign_firmware "${image_file}" "${KEY_DIR}" "${FIRMWARE_VERSION}" \
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger      "${sign_args[@]}"
ca8c372e60d249cc49ecaf1d33ace2d53caadfaeHung-Te Lin  done
42d23c664dbd1334c82b48b504b7d8499955963dGaurav Shah
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  local signer_notes="${shellball_dir}/VERSION.signer"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  echo "" >"$signer_notes"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"$signer_notes"
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  new_shellball=$(make_temp_file)
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  cp -f "${firmware_bundle}" "${new_shellball}"
bd3dad01b0c2d934462d70eeabb31abcd0310b3fHung-Te Lin  chmod a+rx "${new_shellball}"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  repack_firmware_bundle "${shellball_dir}" "${new_shellball}"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  sudo cp -f "${new_shellball}" "${firmware_bundle}"
9137e8df481906c7de15d92f639a6129adedd892Hung-Te Lin  sudo chmod a+rx "${firmware_bundle}"
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah  echo "Re-signed firmware AU payload in $image"
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah}
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah# Verify an image including rootfs hash using the specified keys.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shahverify_image() {
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local rootfs_image=$(make_temp_file)
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  echo "Verifying RootFS hash..."
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  # What we get from image.
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local kernel_config
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  # What we calculate from the rootfs.
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local new_kernel_config
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  # Depending on the type of image, the verity parameters may
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  # exist in either kernel partition 2 or kernel partition 4
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  local partnum
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  for partnum in 2 4; do
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    echo "Considering Kernel partition $partnum"
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    kernel_config=$(grab_kernel_config ${INPUT_IMAGE} $partnum)
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    local hash_image=$(make_temp_file)
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    if ! calculate_rootfs_hash "${rootfs_image}" "${kernel_config}" \
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah      "${hash_image}"; then
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah      echo "Trying next kernel partition."
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah      continue
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    fi
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    new_kernel_config="$CALCULATED_KERNEL_CONFIG"
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    break
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  done
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  # Note: If calculate_rootfs_hash succeeded above, these should
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  # be non-empty.
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  expected_hash=$(get_hash_from_config "${new_kernel_config}")
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  got_hash=$(get_hash_from_config "${kernel_config}")
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah  if [ -z "${expected_hash}" ] || [ -z "${got_hash}" ]; then
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah    echo "FAILURE: Couldn't verify RootFS hash on the image."
c3fe59f72c95597a2d5becc8511e9d5eaf97c391Gaurav Shah    exit 1
c3fe59f72c95597a2d5becc8511e9d5eaf97c391Gaurav Shah  fi
ce6649250583a8f3a7aeac78ee3a00679cf6223dGaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  if [ ! "${got_hash}" = "${expected_hash}" ]; then
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    cat <<EOF
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav ShahFAILED: RootFS hash is incorrect.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav ShahExpected: ${expected_hash}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav ShahGot: ${got_hash}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav ShahEOF
c3fe59f72c95597a2d5becc8511e9d5eaf97c391Gaurav Shah    exit 1
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  else
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    echo "PASS: RootFS hash is correct (${expected_hash})"
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  fi
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  # Now try and verify kernel partition signature.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  set +e
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  local try_key=${KEY_DIR}/recovery_key.vbpubk
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  echo "Testing key verification..."
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  # The recovery key is only used in the recovery mode.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  echo -n "With Recovery Key (Recovery Mode ON, Dev Mode OFF): " && \
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 2 >/dev/null 2>&1 && \
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    echo "YES"; } || echo "NO"
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  echo -n "With Recovery Key (Recovery Mode ON, Dev Mode ON): " && \
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 3 >/dev/null 2>&1 && \
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    echo "YES"; } || echo "NO"
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  try_key=${KEY_DIR}/kernel_subkey.vbpubk
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  # The SSD key is only used in non-recovery mode.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  echo -n "With SSD Key (Recovery Mode OFF, Dev Mode OFF): " && \
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 0 >/dev/null 2>&1  && \
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    echo "YES"; } || echo "NO"
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  echo -n "With SSD Key (Recovery Mode OFF, Dev Mode ON): " && \
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 1 >/dev/null 2>&1 && \
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah    echo "YES"; } || echo "NO"
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  set -e
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah  verify_image_rootfs "${INPUT_IMAGE}"
5f500b19ba0cdc174a47a68e40f939a4ed69861cGaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  # TODO(gauravsh): Check embedded firmware AU signatures.
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah}
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah# Sign the kernel partition on an image using the given keys. Modifications are
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah# made in-place.
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah# Args: src_bin kernel_datakey kernel_keyblock kernel_version
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shahsign_image_inplace() {
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  src_bin=$1
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  kernel_datakey=$2
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  kernel_keyblock=$3
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  kernel_version=$4
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  temp_kimage=$(make_temp_file)
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  extract_image_partition ${src_bin} 2 ${temp_kimage}
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  updated_kimage=$(make_temp_file)
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  vbutil_kernel --repack "${updated_kimage}" \
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  --keyblock "${kernel_keyblock}" \
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  --signprivate "${kernel_datakey}" \
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  --version "${kernel_version}" \
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  --oldblob "${temp_kimage}"
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  replace_image_partition ${src_bin} 2 ${updated_kimage}
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah}
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah# Generate the SSD image
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah# Args: image_bin
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahsign_for_ssd() {
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  image_bin=$1
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  sign_image_inplace ${image_bin} ${KEY_DIR}/kernel_data_key.vbprivk \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    ${KEY_DIR}/kernel.keyblock \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    "${KERNEL_VERSION}"
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  echo "Signed SSD image output to ${image_bin}"
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah}
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardson# Generate the USB image (direct boot)
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardsonsign_for_usb() {
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  image_bin=$1
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  sign_image_inplace ${image_bin} ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    ${KEY_DIR}/recovery_kernel.keyblock \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    "${KERNEL_VERSION}"
4b86514d8581315fafc196d47d4412677f193750Bill Richardson
4b86514d8581315fafc196d47d4412677f193750Bill Richardson  # Now generate the installer vblock with the SSD keys.
4b86514d8581315fafc196d47d4412677f193750Bill Richardson  # The installer vblock is for KERN-A on direct boot images.
4b86514d8581315fafc196d47d4412677f193750Bill Richardson  temp_kimagea=$(make_temp_file)
4b86514d8581315fafc196d47d4412677f193750Bill Richardson  temp_out_vb=$(make_temp_file)
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  extract_image_partition ${image_bin} 2 ${temp_kimagea}
4b86514d8581315fafc196d47d4412677f193750Bill Richardson  ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimagea} ${temp_out_vb} \
4b86514d8581315fafc196d47d4412677f193750Bill Richardson    ${KEY_DIR}/kernel_data_key.vbprivk \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    ${KEY_DIR}/kernel.keyblock \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    "${KERNEL_VERSION}"
4b86514d8581315fafc196d47d4412677f193750Bill Richardson
4b86514d8581315fafc196d47d4412677f193750Bill Richardson  # Copy the installer vblock to the stateful partition.
4b86514d8581315fafc196d47d4412677f193750Bill Richardson  local stateful_dir=$(make_temp_dir)
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  mount_image_partition ${image_bin} 1 ${stateful_dir}
4b86514d8581315fafc196d47d4412677f193750Bill Richardson  sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock
4b86514d8581315fafc196d47d4412677f193750Bill Richardson
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  echo "Signed USB image output to ${image_bin}"
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardson}
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardson
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah# Generate the USB (recovery + install) image
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah# Args: image_bin
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahsign_for_recovery() {
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  image_bin=$1
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  # Sign the install kernel with SSD keys.
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  local temp_kimageb=$(make_temp_file)
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  extract_image_partition ${image_bin} 4 ${temp_kimageb}
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  local updated_kimageb=$(make_temp_file)
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  vbutil_kernel --repack ${updated_kimageb} \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    --keyblock ${KEY_DIR}/kernel.keyblock \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    --signprivate ${KEY_DIR}/kernel_data_key.vbprivk \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    --version "${KERNEL_VERSION}" \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    --oldblob ${temp_kimageb}
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  replace_image_partition ${image_bin} 4 ${updated_kimageb}
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  # Copy the SSD kernel vblock to the stateful partition.
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  # TODO(gauravsh): Get rid of this once --skip_vblock is nuked from
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  # orbit everywhere. crosbug.com/8378
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  local temp_out_vb=$(make_temp_file)
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  ${SCRIPT_DIR}/resign_kernel_partition.sh ${temp_kimageb} ${temp_out_vb} \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    ${KEY_DIR}/kernel_data_key.vbprivk \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    ${KEY_DIR}/kernel.keyblock \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    "${KERNEL_VERSION}"
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  local stateful_dir=$(make_temp_dir)
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  mount_image_partition ${image_bin} 1 ${stateful_dir}
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  sudo cp ${temp_out_vb} ${stateful_dir}/vmlinuz_hd.vblock
d170a9d542dd4770c25d5ed82429a55391d88218Gaurav Shah  sudo umount "${stateful_dir}"
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  # Update the Kernel B hash in Kernel A command line
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  local old_kerna_config=$(grab_kernel_config "${image_bin}" 2)
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  local new_kernb=$(make_temp_file)
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  # Can't use updated_kimageb since the hash is calculated on the
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  # whole partition including the null padding at the end.
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  extract_image_partition ${image_bin} 4 ${new_kernb}
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  local new_kernb_hash=$(sha1sum ${new_kernb} | cut -f1 -d' ')
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  new_kerna_config=$(make_temp_file)
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  echo "$old_kerna_config" |
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    sed -e "s#\(kern_b_hash=\)[a-z0-9]*#\1${new_kernb_hash}#" \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah      > ${new_kerna_config}
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  echo "New config for kernel partition 2 is"
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah  cat ${new_kerna_config}
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  local temp_kimagea=$(make_temp_file)
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  extract_image_partition ${image_bin} 2 ${temp_kimagea}
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  # Re-calculate kernel partition signature and command line.
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  local updated_kimagea=$(make_temp_file)
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  vbutil_kernel --repack ${updated_kimagea} \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    --keyblock ${KEY_DIR}/recovery_kernel.keyblock \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    --signprivate ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    --version "${KERNEL_VERSION}" \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    --oldblob ${temp_kimagea} \
6bd03d4a88fa049bd72cf18fec701cec1dfc042bGaurav Shah    --config ${new_kerna_config}
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  replace_image_partition ${image_bin} 2 ${updated_kimagea}
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  echo "Signed recovery image output to ${image_bin}"
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah}
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah# Generate the factory install image.
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah# Args: image_bin
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahsign_for_factory_install() {
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  image_bin=$1
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  sign_image_inplace ${image_bin} ${KEY_DIR}/installer_kernel_data_key.vbprivk \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    ${KEY_DIR}/installer_kernel.keyblock \
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah    "${KERNEL_VERSION}"
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  echo "Signed factory install image output to ${image_bin}"
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah}
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah# Verification
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysingercase ${TYPE} in
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysingerdump_config)
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  check_argc $# 2
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  for partnum in 2 4; do
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    echo "kernel config in partition number ${partnum}:"
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    grab_kernel_config "${INPUT_IMAGE}" ${partnum}
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    echo
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  done
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  exit 0
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  ;;
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysingerverify)
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  check_argc $# 2
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah  verify_image
527612e3565be00030a082c262204a0562bc0d4aGaurav Shah  exit 0
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  ;;
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger*)
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  # All other signing commands take 4 to 5 args.
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  if [ -z "${OUTPUT_IMAGE}" ]; then
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    # Friendlier message.
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger    usage "Missing output image name"
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  fi
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  check_argc $# 4 5
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysinger  ;;
b55c538fca8939e58d20c127a9f42ce4eba7282cMike Frysingeresac
1cd4cdbbae7cd51d0c0ab247aab53ebc6a8cc8a9Gaurav Shah
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah# If a version file was specified, read the firmware and kernel
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah# versions from there.
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shahif [ -n "${VERSION_FILE}" ]; then
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah  FIRMWARE_VERSION=$(sed -n 's#^firmware_version=\(.*\)#\1#pg' ${VERSION_FILE})
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shah  KERNEL_VERSION=$(sed -n 's#^kernel_version=\(.*\)#\1#pg' ${VERSION_FILE})
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shahfi
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shahecho "Using firmware version: ${FIRMWARE_VERSION}"
8ae7b0e41a1252f98e6662a298efb97624431c44Gaurav Shahecho "Using kernel version: ${KERNEL_VERSION}"
71bff41d6f0ff9912b9c56d14ba2ea0dd0331a9cGaurav Shah
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah# Make all modifications on output copy.
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahif [ "${TYPE}" == "ssd" ]; then
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  resign_firmware_payload ${OUTPUT_IMAGE}
7a3a4676672525231c38612e6c8a820305d99de5Don Garrett  "${SCRIPT_DIR}/strip_boot_from_image.sh" --image "${OUTPUT_IMAGE}"
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  update_rootfs_hash ${OUTPUT_IMAGE} \
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah    ${KEY_DIR}/kernel.keyblock \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    ${KEY_DIR}/kernel_data_key.vbprivk \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    2
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  sign_for_ssd ${OUTPUT_IMAGE}
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardsonelif [ "${TYPE}" == "usb" ]; then
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  resign_firmware_payload ${OUTPUT_IMAGE}
7a3a4676672525231c38612e6c8a820305d99de5Don Garrett  "${SCRIPT_DIR}/strip_boot_from_image.sh" --image "${OUTPUT_IMAGE}"
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  update_rootfs_hash ${OUTPUT_IMAGE} \
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardson    ${KEY_DIR}/recovery_kernel.keyblock \
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardson    ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
64bd77e1d8b16f6f182184092114a0d8779bdf52Bill Richardson    2
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  sign_for_usb ${OUTPUT_IMAGE}
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahelif [ "${TYPE}" == "recovery" ]; then
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  resign_firmware_payload ${OUTPUT_IMAGE}
7a3a4676672525231c38612e6c8a820305d99de5Don Garrett  "${SCRIPT_DIR}/strip_boot_from_image.sh" --image "${OUTPUT_IMAGE}"
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah  # Both kernel command lines must have the correct rootfs hash
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  update_rootfs_hash ${OUTPUT_IMAGE} \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    ${KEY_DIR}/recovery_kernel.keyblock \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    4
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  update_rootfs_hash ${OUTPUT_IMAGE} \
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah    ${KEY_DIR}/recovery_kernel.keyblock \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    ${KEY_DIR}/recovery_kernel_data_key.vbprivk \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    2
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  sign_for_recovery ${OUTPUT_IMAGE}
22bd8b0c29b485ccdaa4f63e6fdac9f097b60aabMike Frysingerelif [ "${TYPE}" == "factory" ] || [ "${TYPE}" == "install" ]; then
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  resign_firmware_payload ${OUTPUT_IMAGE}
7a3a4676672525231c38612e6c8a820305d99de5Don Garrett  # We do NOT strip /boot for factory, since some factory images need it
7a3a4676672525231c38612e6c8a820305d99de5Don Garrett  # to boot EFI. crosbug.com/260512 would obsolete this requirement.
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  update_rootfs_hash ${OUTPUT_IMAGE} \
0c4c9bac3c390445066f08010a753ce76ccb4a5eGaurav Shah    ${KEY_DIR}/installer_kernel.keyblock \
baa09de3a426936de697895b95641254ebf2c01fGaurav Shah    ${KEY_DIR}/installer_kernel_data_key.vbprivk \
d7947a197edc905d3f0a14a661de83573dd6c650Gaurav Shah    2
276f846a142a3c2c7c2c575d4403c71eca18a92aGaurav Shah  sign_for_factory_install ${OUTPUT_IMAGE}
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shahelif [ "${TYPE}" == "firmware" ]; then
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger  if [[ -e "${KEY_DIR}/loem.ini" ]]; then
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger    echo "LOEM signing not implemented yet for firmware images"
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger    exit 1
aa888463b860c2852f3fcb17baf8de395fcca294Mike Frysinger  fi
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
9c783ce3c132491e28efe84751b20d82fc571560Gaurav Shah  sign_firmware ${OUTPUT_IMAGE} ${KEY_DIR} ${FIRMWARE_VERSION}
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysingerelif [ "${TYPE}" == "update_payload" ]; then
283cbf89a9893f3a024809eb7d6c84ed353df6b4Mike Frysinger  sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE}
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahelse
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah  echo "Invalid type ${TYPE}"
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shah  exit 1
37522c9c0ccf48e63e0ab6c2b35b50948d15a003Gaurav Shahfi