HOW.optimus: Re-enable signing of unlocked Barebox images for SpaceCast
The manufacturing team encountered that adapting their procedures to a
locked Barebox would involve significantly more work than initially
expected. Therefore SpaceCast development builds will be distributed
with signed unlocked Barebox images. To protect user data the PCR
registers of the TPM are extended with different values in the locked
and the unlocked case.
Change-Id: I1c12dbfb069686357212896391adfd07dabd6893
diff --git a/HOW.optimus b/HOW.optimus
index f7f54bd..733105f 100644
--- a/HOW.optimus
+++ b/HOW.optimus
@@ -75,12 +75,10 @@
done
type=barebox
for n in $binaries/barebox_unsigned_*.bin; do
- if [[ "$n" == *"_release"* ]] || [ "$target" != "spacecast" ]; then
- signed=$(echo $n | sed -e 's/_unsigned_/_signed_/')
- blaze run -- //isp/fiber/drm:code_sign_tool sign-image $n \
- --image_type=$type --outfile=$signed --keystore_config_id=$keystore_id \
- --key_suffix=$key_suffix
- fi
+ signed=$(echo $n | sed -e 's/_unsigned_/_signed_/')
+ blaze run -- //isp/fiber/drm:code_sign_tool sign-image $n \
+ --image_type=$type --outfile=$signed --keystore_config_id=$keystore_id \
+ --key_suffix=$key_suffix
done
blaze --batch run //isp/fiber/drm:drm_keystore_client -- \