#!/bin/bash # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. # Wrapper script for re-signing a firmware image. # Determine script directory. SCRIPT_DIR=$(dirname "$0") # Load common constants and variables. . "${SCRIPT_DIR}/common_minimal.sh" # Abort on error. set -e usage() { cat<<EOF Usage: $0 <input_firmware> <key_dir> <output_firmware> [firmware_version] \ [loem_output_dir] Signs <input_firmware> with keys in <key_dir>, setting firmware version to <firmware_version>. Outputs signed firmware to <output_firmware>. If no firmware version is specified, it is set as 1. EOF exit 1 } gbb_update() { local in_firmware="$1" local key_dir="$2" local out_firmware="$3" local rootkey="$4" # Replace the root and recovery key in the Google Binary Block of the # firmware. Note: This needs to happen after calling resign_firmwarefd.sh # since it needs to be able to verify the firmware using the root key to # determine the preamble flags. gbb_utility \ -s \ --recoverykey="${key_dir}/recovery_key.vbpubk" \ --rootkey="${rootkey}" \ "${in_firmware}" \ "${out_firmware}" } # Sign a single firmware image. # ARGS: [loem_key] [loemid] sign_one() { local loem_key="$1" local loemid="$2" # Resign the firmware with new keys. "${SCRIPT_DIR}/resign_firmwarefd.sh" \ "${in_firmware}" \ "${temp_fw}" \ "${key_dir}/firmware_data_key${loem_key}.vbprivk" \ "${key_dir}/firmware${loem_key}.keyblock" \ "${key_dir}/dev_firmware_data_key${loem_key}.vbprivk" \ "${key_dir}/dev_firmware${loem_key}.keyblock" \ "${key_dir}/kernel_subkey.vbpubk" \ "${firmware_version}" \ "" \ "${loem_output_dir}" \ "${loemid}" } # Process all the keysets in the loem.ini file. sign_loems() { local line loem_section=false loem_index loemid local rootkey rm -f "${out_firmware}" while read line; do # Find the [loem] section. if ! ${loem_section}; then if grep -q "^ *\[loem\] *$" <<<"${line}"; then loem_section=true fi continue # Abort when we hit the next section. elif [[ ${line} == *"["* ]]; then break fi # Strip comments/whitespace. line=$(sed -e 's:#.*::' -e 's:^ *::' -e 's: *$::' <<<"${line}") loem_index=$(cut -d= -f1 <<<"${line}" | sed 's: *$::') loemid=$(cut -d= -f2 <<<"${line}" | sed 's:^ *::') echo "### Processing LOEM ${loem_index} ${loemid}" sign_one ".loem${loem_index}" "${loemid}" rootkey="${key_dir}/root_key.loem${loem_index}.vbpubk" cp "${rootkey}" "${loem_output_dir}/rootkey.${loemid}" if [[ ! -e ${out_firmware} ]]; then gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" "${rootkey}" fi echo done <"${key_dir}/loem.ini" } main() { if [[ $# -lt 3 || $# -gt 5 ]]; then usage fi local in_firmware=$1 local key_dir=$2 local out_firmware=$3 local firmware_version=${4:-1} local loem_output_dir=${5:-} local temp_fw=$(make_temp_file) if [[ -e ${key_dir}/loem.ini ]]; then if [[ -z ${loem_output_dir} ]]; then err_die "need loem_output_dir w/loem keysets" fi sign_loems else sign_one gbb_update "${temp_fw}" "${key_dir}" "${out_firmware}" \ "${key_dir}/root_key.vbpubk" fi } main "$@"