From 3fefd2ad799a3254ac85c401485d2e1164c0fd7a Mon Sep 17 00:00:00 2001 From: Bill Richardson Date: Thu, 3 Jun 2010 11:03:27 -0700 Subject: [PATCH] Only sign kernel for x86 for now. Leave ARM unsigned. The signing work is being tested and developed on x86, and ARM isn't ready to use it. Signing the ARM kernel is disruptive. We'll enable it for ARM later. Review URL: http://codereview.chromium.org/2599001
---
 build_image | 52 +++++++++++++++++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 21 deletions(-)
diff --git a/build_image b/build_image
index 63558805f7..e95de61acb 100755
--- a/build_image
+++ b/build_image
@@ -458,11 +458,15 @@ menuentry "local image B" {
 EOF
-# Legacy BIOS will use the kernel in the rootfs (via syslinux), as will
-# standard EFI BIOS (via grub, from the EFI System Partition). Chrome OS BIOS
-# will use a separate signed kernel partition, which we'll create now.
-# FIXME: remove serial output, debugging messages
-cat <<'EOF' > "${OUTPUT_DIR}/config.txt"
+# FIXME: At the moment, we're working on signed images for x86 only. ARM will
+# support this before shipping, but at the moment they don't.
+if [[ "$ARCH" = "x86" ]]; then
+
+ # Legacy BIOS will use the kernel in the rootfs (via syslinux), as will
+ # standard EFI BIOS (via grub, from the EFI System Partition). Chrome OS BIOS
+ # will use a separate signed kernel partition, which we'll create now.
+ # FIXME: remove serial output, debugging messages
+ cat <<'EOF' > "${OUTPUT_DIR}/config.txt"
 earlyprintk=serial,ttyS0,115200
 console=ttyS0,115200
 init=/sbin/init
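Review bot: The condition `if [[ "$ARCH" = "x86" ]]; then` makes signing opt-in by exact string match, so any other value of ARCH (unset, misspelled, or a future architecture) silently takes the unsigned path in the `else` branch, which sits in the next hunk. For a verified-boot artifact the safer default is to fail the build on an unrecognised architecture rather than fall through to an unsigned kernel. I would make the unsigned case explicit with `elif [[ "$ARCH" = "arm" ]]; then` around the copy, plus a final `else` that prints `unknown ARCH '${ARCH}'` to stderr and exits non-zero. The literal `arm` is an assumption about how this script names that target and should be checked against wherever ARCH is set.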
@@ -477,23 +481,29 @@ i915.modeset=1
 loglevel=7
 Hi_Mom
 EOF
+
+ # FIXME: We need to specify the real keys and certs here!
+ SIG_DIR="${SRC_ROOT}/platform/vboot_reference/tests/testkeys"
+
+ # Create the kernel partition image.
+ kernel_utility --generate \
+ --firmware_key "${SIG_DIR}/key_rsa4096.pem" \
+ --kernel_key "${SIG_DIR}/key_rsa1024.pem" \
+ --kernel_key_pub "${SIG_DIR}/key_rsa1024.keyb" \
+ --firmware_sign_algorithm 8 \
+ --kernel_sign_algorithm 2 \
+ --kernel_key_version 1 \
+ --kernel_version 1 \
+ --config "${OUTPUT_DIR}/config.txt" \
+ --bootloader /lib64/bootstub/bootstub.efi \
+ --vmlinuz "${ROOT_FS_DIR}/boot/vmlinuz" \
+ --out "${OUTPUT_DIR}/vmlinuz.image"
+
+else
+ # FIXME: For now, ARM just uses the unsigned kernel by itself.
+ cp -f "${ROOT_FS_DIR}/boot/vmlinuz" "${OUTPUT_DIR}/vmlinuz.image"
+fi
-# FIXME: We need to specify the real keys and certs here!
-SIG_DIR="${SRC_ROOT}/platform/vboot_reference/tests/testkeys"
-
-# Create the kernel partition image.
-kernel_utility --generate \
- --firmware_key "${SIG_DIR}/key_rsa4096.pem" \
- --kernel_key "${SIG_DIR}/key_rsa1024.pem" \
- --kernel_key_pub "${SIG_DIR}/key_rsa1024.keyb" \
- --firmware_sign_algorithm 8 \
- --kernel_sign_algorithm 2 \
- --kernel_key_version 1 \
- --kernel_version 1 \
- --config "${OUTPUT_DIR}/config.txt" \
- --bootloader /lib64/bootstub/bootstub.efi \
- --vmlinuz "${ROOT_FS_DIR}/boot/vmlinuz" \
- --out "${OUTPUT_DIR}/vmlinuz.image"
 # Perform any customizations on the root file system that are needed.
 "${SCRIPTS_DIR}/customize_rootfs" \
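Review bot: The `else` branch writes the unsigned kernel to the same `${OUTPUT_DIR}/vmlinuz.image` path the signed branch uses, with no message, so nothing downstream can tell a signed kernel partition image from a bare vmlinuz. A line such as `echo "WARNING: ${ARCH} kernel image is UNSIGNED" >&2` before the `cp` would at least surface this in the build log. Separately, the re-indented signing call still takes its keys from `vboot_reference/tests/testkeys`. Those are test keys kept in the source tree, so the x86 signature exercises the format but does not authenticate the image until the FIXME is resolved; a guard that refuses these keys for any image meant to ship would be worth adding. The `if` that this `else`/`fi` closes opens in the previous hunk.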