HOW.optimus: Re-enable signing of unlocked Barebox images for SpaceCast The manufacturing team encountered that adapting their procedures to a locked Barebox would involve significantly more work than initially expected. Therefore SpaceCast development builds will be distributed with signed unlocked Barebox images. To protect user data the PCR registers of the TPM are extended with different values in the locked and the unlocked case. Change-Id: I1c12dbfb069686357212896391adfd07dabd6893

commit: 0dbf160dd5dd1994212b96253df66587366290ef [log] [tgz]
author: Matthias Kaehlcke <mka@google.com> Wed Oct 07 18:21:20 2015 -0700
committer: Matthias Kaehlcke <mka@google.com> Tue Oct 13 10:12:43 2015 -0700
tree: 1d54e9e1aa4d25ba510d99ad2da4b64bb1a6fbd9
parent: c671e30432ae9f244eea4b411f6293543fec19e4 [diff]
diff --git a/HOW.optimus b/HOW.optimus
index f7f54bd..733105f 100644
--- a/HOW.optimus
+++ b/HOW.optimus

@@ -75,12 +75,10 @@
 done
 type=barebox
 for n in $binaries/barebox_unsigned_*.bin; do
-	if [[ "$n" == *"_release"* ]] || [ "$target" != "spacecast" ]; then
-		signed=$(echo $n | sed -e 's/_unsigned_/_signed_/')
-		blaze run -- //isp/fiber/drm:code_sign_tool sign-image $n \
-		  --image_type=$type --outfile=$signed --keystore_config_id=$keystore_id \
-		  --key_suffix=$key_suffix
-	fi
+	signed=$(echo $n | sed -e 's/_unsigned_/_signed_/')
+	blaze run -- //isp/fiber/drm:code_sign_tool sign-image $n \
+	  --image_type=$type --outfile=$signed --keystore_config_id=$keystore_id \
+	  --key_suffix=$key_suffix
 done
 
 blaze --batch run //isp/fiber/drm:drm_keystore_client -- \
commit	0dbf160dd5dd1994212b96253df66587366290ef	[log] [tgz]
author	Matthias Kaehlcke <mka@google.com>	Wed Oct 07 18:21:20 2015 -0700
committer	Matthias Kaehlcke <mka@google.com>	Tue Oct 13 10:12:43 2015 -0700
tree	1d54e9e1aa4d25ba510d99ad2da4b64bb1a6fbd9
parent	c671e30432ae9f244eea4b411f6293543fec19e4 [diff]