refs/heads/stabilize-15245.B - chromiumos/platform/vboot_reference

commit: 69d6d85c20910cc1d07752c9468f7822d421339e
[log]
author: Vadim Bendebury <[email protected]>
Sun Nov 13 22:43:23 2022
committer: Chromeos LUCI <[email protected]>
Mon Nov 14 16:26:06 2022
tree: f013e250e059ea82f448adcf9405709462480737
parent: c7ee78b2c297e13ec6a151cd497e931243ef4c16 [diff]

sign_official_build: do not fail if AP RO signing is not needed

Most of AP firmware images do not include the RO_GSCVD section and are
not supposed to be signed for AP RO verification.

The presence of AP RO verification keys (files prefixed with arv_...)
can be considered an indicator of the need to sign the RO_GSCVD
section.

This patch adds logic to skip signing of AP RO in case the appropriate
signing keys are not present.

BRANCH=none
BUG=b:247645824, cros:1382709
TEST=ran sign_official_build.sh to re-sign a Nissa test tarball,
      observed successful completion with log messages confirming
      RO_GSCVD signing.

      then removed tests/devkeys/arv_root.vbpubk and ran the script
      again, observed successful completion and log messages
      confirming skipping AP RO verification signing.

Signed-off-by: Vadim Bendebury <[email protected]>
Change-Id: Iee5a2adcceb7ecc86f48d7c56755cc10405e5eed
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4024432
Commit-Queue: Yu-Ping Wu <[email protected]>
Reviewed-by: Yu-Ping Wu <[email protected]>

scripts/image_signing/sign_official_build.sh[diff]

1 file changed

tree: f013e250e059ea82f448adcf9405709462480737