HOW.optimus: Allow to select signing keys
A suffix can be specified to select signing keys different from the
default one. The corresponding public keys are included in the bootloader
images and the images are signed with the selected keys.
Google-Bug-Id: 23395370
Change-Id: I1dfe8e54348ffa7d930b23bb78511667add67926
diff --git a/HOW.optimus b/HOW.optimus
index 86274ac..f7f54bd 100644
--- a/HOW.optimus
+++ b/HOW.optimus
@@ -1,5 +1,12 @@
set -e
+mod_config() {
+ if [ "$target" = "spacecast" -a "$key_suffix" = "pvt" ]; then
+ sed -i "s/^CONFIG_RSA_KEY_SET_DEFAULT=.*/# CONFIG_RSA_KEY_SET_DEFAULT is not set/" .config
+ sed -i "s/^# CONFIG_RSA_KEY_SET_SPACECAST_PVT.*/CONFIG_RSA_KEY_SET_SPACECAST_PVT=y/" .config
+ fi
+}
+
target="$1"
if [ "$target" == "optimus" ]; then
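Review bot: Both `sed -i` substitutions in `mod_config` exit 0 when their pattern matches nothing, so `set -e` will not stop a build whose defconfig lacks the `# CONFIG_RSA_KEY_SET_SPACECAST_PVT` line. The image would then keep whatever key set the defconfig selected, while the signing hunk further down still passes `--key_suffix=pvt`. Since `make oldconfig` may also rewrite the symbol, I would verify after each `make oldconfig` call in the build hunk, e.g. `[ "$key_suffix" != pvt ] || grep -q '^CONFIG_RSA_KEY_SET_SPACECAST_PVT=y' .config || { echo "pvt key set not enabled in .config" >&2; exit 1; }`. Separately, `-a` inside `[ ]` is obsolescent; `[ "$target" = spacecast ] && [ "$key_suffix" = pvt ]` is the unambiguous form.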
@@ -9,10 +16,17 @@
barebox_config="spacecast_defconfig"
keystore_id="SPACECAST"
else
- echo "Usage: $0 [optimus|spacecast]" >&2
+ echo "Usage: $0 optimus|spacecast [key-suffix]" >&2
exit 1
fi
+key_suffix=""
+bin_subdir=""
+if [ -n "$2" ]; then
+ key_suffix="$2"
+ bin_subdir="$key_suffix/"
+fi
+
binaries=$(pwd)/out
if [ -d $binaries ]; then
rm -rf $binaries.old
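Review bot: `key_suffix` is taken from `$2` with no validation, yet `mod_config` only switches the embedded key set for `spacecast` with `pvt`. Any other suffix, or `optimus` with a suffix, is still forwarded to the signing tool and reused as a directory name in `bin_subdir`. Unless the signing tool is known to reject unknown suffixes, that can yield images signed with a key whose public half is not compiled into the image. I would reject unsupported combinations right after this block: `case "$target:$key_suffix" in *:|spacecast:pvt) ;; *) echo "unsupported key suffix: $key_suffix" >&2; exit 1 ;; esac`. An allowlist also keeps `/` and `..` out of the `loader-bin` path printed at the end of the script.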
@@ -22,22 +36,29 @@
make distclean
make optimus_uloader_defconfig ARCH=arm
+mod_config
+make oldconfig
make -j 16
cp uloader.bin $binaries/uloader_unsigned_release.bin
make distclean
make optimus_mfg_defconfig ARCH=arm
+mod_config
+make oldconfig
make -j 16
cp barebox.bin $binaries/barebox_unsigned_mfg.bin
make distclean
make $barebox_config ARCH=arm
+mod_config
+make oldconfig
make -j 16
cp barebox.bin $binaries/barebox_unsigned_release.bin
make distclean
make $barebox_config ARCH=arm
echo CONFIG_DEVELOPER_BAREBOX=y >> .config
+mod_config
make oldconfig
make -j 16
cp barebox.bin $binaries/barebox_unsigned_unlocked.bin
@@ -49,20 +70,22 @@
for n in $binaries/uloader_unsigned_*.bin; do
signed=$(echo $n | sed -e 's/_unsigned_/_signed_/')
blaze run -- //isp/fiber/drm:code_sign_tool sign-image $n \
- --image_type=$type --outfile=$signed --keystore_config_id=$keystore_id
+ --image_type=$type --outfile=$signed --keystore_config_id=$keystore_id \
+ --key_suffix=$key_suffix
done
type=barebox
for n in $binaries/barebox_unsigned_*.bin; do
if [[ "$n" == *"_release"* ]] || [ "$target" != "spacecast" ]; then
signed=$(echo $n | sed -e 's/_unsigned_/_signed_/')
blaze run -- //isp/fiber/drm:code_sign_tool sign-image $n \
- --image_type=$type --outfile=$signed --keystore_config_id=$keystore_id
+ --image_type=$type --outfile=$signed --keystore_config_id=$keystore_id \
+ --key_suffix=$key_suffix
fi
done
blaze --batch run //isp/fiber/drm:drm_keystore_client -- \
--key_type signing_private_key --output $binaries/gfiber_private.pem \
- --keystore_config_id=$keystore_id
+ --keystore_config_id=$keystore_id --key_suffix=$key_suffix
)
for n in $binaries/*.bin; do
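Review bot: Forwarding `--key_suffix` to `drm_keystore_client` means this step can now export a non-default signing private key to `$binaries/gfiber_private.pem`, and nothing visible in the hunk restricts that file's permissions or removes it once it has been used. The enclosing `( ... )` block starts outside the hunk and the following loop continues past it, so cleanup may already exist there. If it does not, I would put `umask 077` before the export and `trap 'rm -f -- "$binaries/gfiber_private.pem"' EXIT` inside the subshell. The new argument is also unquoted in all three commands; `"--key_suffix=$key_suffix"` avoids word splitting on an unexpected value.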
@@ -76,8 +99,8 @@
######################################################################
Done
If all looks good and tests well, check in with the following
-cp out/*.bin out/*.sig ../../loader-bin/mindspeed/$target/
-cd ../../loader-bin/mindspeed/$target/
+cp out/*.bin out/*.sig ../../loader-bin/mindspeed/$target/$bin_subdir
+cd ../../loader-bin/mindspeed/$target/$bin_subdir
git add *.bin *.sig
git commit
git push gfiber-internal HEAD:refs/for/master
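Review bot: The printed check-in commands now copy into `../../loader-bin/mindspeed/$target/$bin_subdir`, but nothing creates that subdirectory. For a suffix used for the first time, the multi-source `cp` fails and the `cd` has no directory to enter. Printing `mkdir -p ../../loader-bin/mindspeed/$target/$bin_subdir` as the first command would cover it. These lines appear to sit in a here-document or echo block that begins outside the hunk, so confirm that `$bin_subdir` is expanded there the same way `$target` is.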