Patrick Georgi (pgeorgi@google.com) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/13560
-gerrit
commit 18156b2b0944cb503bef0ad6037905bc64b327cc Author: Patrick Georgi pgeorgi@chromium.org Date: Tue Feb 2 17:52:09 2016 +0100
chromeos: Sign FW_MAIN_A and FW_MAIN_B
This requires payload integration somewhere to be useful, because without that, adding the payload afterwards will (hopefully) break the signature.
Change-Id: I67b8267e5040e26353df02d258e92a0610e19a52 Signed-off-by: Patrick Georgi pgeorgi@chromium.org --- src/vendorcode/google/chromeos/Makefile.inc | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)
diff --git a/src/vendorcode/google/chromeos/Makefile.inc b/src/vendorcode/google/chromeos/Makefile.inc
index d686a08..fff5948 100644
--- a/src/vendorcode/google/chromeos/Makefile.inc
+++ b/src/vendorcode/google/chromeos/Makefile.inc
@@ -54,6 +54,9 @@ subdirs-$(CONFIG_VBOOT_VERIFY_FIRMWARE) += vboot2
CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID))
 CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
+CONFIG_VBOOT_KEYBLOCK := $(call strip_quotes,$(CONFIG_VBOOT_KEYBLOCK))
+CONFIG_VBOOT_FIRMWARE_PRIVKEY := $(call strip_quotes,$(CONFIG_VBOOT_FIRMWARE_PRIVKEY))
+CONFIG_VBOOT_KERNEL_KEY := $(call strip_quotes,$(CONFIG_VBOOT_KERNEL_KEY))
# bool-to-mask(var, value)
 # return "value" if var is "y", 0 otherwise
@@ -103,3 +106,23 @@ $(obj)/gbb.region: $(obj)/gbb.stub
 build_complete:: $(obj)/gbb.region
 @printf " WRITE GBB\n"
 $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -f $<
+
+$(obj)/fw-main-a.bin: $(obj)/coreboot.rom
+ $(CBFSTOOL) $< read -r FW_MAIN_A -f $@
+
+$(obj)/fw-main-b.bin: $(obj)/coreboot.rom
+ $(CBFSTOOL) $< read -r FW_MAIN_B -f $@
+
+$(obj)/vblock-%.bin: $(obj)/fw-main-%.bin $(FUTILITY)
+ $(FUTILITY) vbutil_firmware \
+ --vblock $@ \
+ --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
+ --signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \
+ --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \
+ --fv $< \
+ --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
+ --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
+
+files_added:: $(obj)/vblock-a.bin $(obj)/vblock-b.bin
+ $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/vblock-a.bin
+ $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/vblock-b.bin
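Review bot: In the `@@ -54,6 +54,9 @@` hunk the three new assignments introduce paths to vboot key material without a comment saying so, and `CONFIG_VBOOT_FIRMWARE_PRIVKEY` is the private key that the signing rule added at the end of this file passes to `--signprivate`. I would put a comment above them such as `# Paths to vboot key material; VBOOT_FIRMWARE_PRIVKEY is the private firmware signing key`, and state there that release builds must override any development-key default. The Kconfig defaults are not visible on this page, so whether they point at shared development keys is an assumption to confirm; if they do, an image signed with them authenticates nothing.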
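Review bot: The `$(obj)/vblock-%.bin` rule in the `@@ -103,3 +106,23 @@` hunk lists only the extracted region and `$(FUTILITY)` as prerequisites, so replacing the keyblock, private key or kernel key file does not by itself trigger re-signing, and a vblock made with the previous key can still be written into `VBLOCK_A`/`VBLOCK_B`. Adding the key files to the rule header closes that: `$(obj)/vblock-%.bin: $(obj)/fw-main-%.bin $(FUTILITY) $(CONFIG_VBOOT_KEYBLOCK) $(CONFIG_VBOOT_FIRMWARE_PRIVKEY) $(CONFIG_VBOOT_KERNEL_KEY)`. Separately, the `files_added::` recipe writes to `$(obj)/coreboot.rom`, which is the prerequisite of both `fw-main-*.bin` targets, so those targets are older than their prerequisite after every build and will be re-extracted and re-signed on the next run. That is probably acceptable here, but it deserves a comment so the timestamp cycle is not mistaken for an oversight.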