From b795deba76dd80ba0d496180c9d4706d016c9ea5 Mon Sep 17 00:00:00 2001
From: Nick Sanders
Date: Fri, 20 May 2011 17:11:53 -0700
Subject: [PATCH] Cherry-pick: ARM: enable kernel signing by default
This commit is a part of transition to enable ARM kernel signing. It is at first an option that is enabled manually, and then (in this commit) enabled by default. After more tests, the scripts that generate unsigned ARM kernel partition will probably be removed.
BUG=chromium-os:12352
TEST=./build_image && load_kernel_test -b 2 /path/to/chromiumos_image.bin /usr/share/vboot/devkeys/recovery_key.vbpubk
Change-Id: I7d4ecc566f9c5cc0106a7af59255fc63fdfe017a
Tested-by: Che-Liang Chiou
Reviewed-by: Tom Wai-Hong Tam
Reviewed-by: Che-Liang Chiou
Reviewed-by: Rong Chang
Tested-by: Tom Wai-Hong Tam
Reviewed-on: http://gerrit.chromium.org/gerrit/1319
Tested-by: Nick Sanders
---
 bin/cros_make_image_bootable | 2 +-
 build_image | 2 +-
 build_kernel_image.sh | 2 +-
 mod_image_for_recovery.sh | 2 +-
 mod_image_for_test.sh | 13 ++++++++++++-
 5 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/bin/cros_make_image_bootable b/bin/cros_make_image_bootable
index d4eb9c81db..ef58dba8c8 100755
--- a/bin/cros_make_image_bootable
+++ b/bin/cros_make_image_bootable
@@ -116,7 +116,7 @@ DEFINE_boolean use_dev_keys ${FLAGS_FALSE} \
 "Use developer keys for signing. (Default: false)"
 # TODO(clchiou): Remove this flag after arm verified boot is stable
-DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_FALSE} \
+DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \
 "Sign kernel partition for ARM images (temporary hack)."
 # TODO(sosa): Remove once known images no longer use this in their config.
diff --git a/build_image b/build_image
index 22422898f5..01fbf507ef 100755
--- a/build_image
+++ b/build_image
@@ -91,7 +91,7 @@ DEFINE_string usb_disk /dev/sdb3 \
 "Path syslinux should use to do a usb boot. Default: /dev/sdb3"
 # TODO(clchiou): Remove this flag after arm verified boot is stable
-DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_FALSE} \
+DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \
 "Sign kernel partition for ARM images (temporary hack)."
 DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \
diff --git a/build_kernel_image.sh b/build_kernel_image.sh
index 736d72a8b6..691906dce8 100755
--- a/build_kernel_image.sh
+++ b/build_kernel_image.sh
@@ -70,7 +70,7 @@ DEFINE_string verity_hash_alg "sha1" \
 "Cryptographic hash algorithm used for dm-verity. (Default: sha1)"
 # TODO(clchiou): Remove this flag after arm verified boot is stable
-DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_FALSE} \
+DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \
 "Sign kernel partition for ARM images (temporary hack)."
 # Parse flags
diff --git a/mod_image_for_recovery.sh b/mod_image_for_recovery.sh
index b08695ce76..3fb0e119f3 100755
--- a/mod_image_for_recovery.sh
+++ b/mod_image_for_recovery.sh
@@ -82,7 +82,7 @@ DEFINE_string keys_dir "/usr/share/vboot/devkeys" \
 "Directory containing the signing keys."
 # TODO(clchiou): Remove this flag after arm verified boot is stable
-DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_FALSE} \
+DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \
 "Sign kernel partition for ARM images (temporary hack)."
 # Parse command line
diff --git a/mod_image_for_test.sh b/mod_image_for_test.sh
index 954b6580b4..a73cc86715 100755
--- a/mod_image_for_test.sh
+++ b/mod_image_for_test.sh
@@ -56,6 +56,9 @@ Otherwise the image will be copied to $CHROMEOS_TEST_IMAGE_NAME \
 modified there"
 DEFINE_boolean force_copy $FLAGS_FALSE \
 "Always rebuild test image if --noinplace"
+# TODO(clchiou): Remove this flag after arm verified boot is stable
+DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \
+ "Sign kernel partition for ARM images (temporary hack)."
 # Parse command line
 FLAGS "$@" || exit 1
@@ -105,6 +108,12 @@ case "$TC_ARCH" in
 exit 1
 esac
+if [[ ${FLAGS_crosbug12352_arm_kernel_signing} -eq ${FLAGS_TRUE} ]]; then
+ crosbug12352_flag="--crosbug12352_arm_kernel_signing"
+else
+ crosbug12352_flag="--nocrosbug12352_arm_kernel_signing"
+fi
+
 # Make sure anything mounted in the rootfs/stateful is cleaned up ok on exit.
 cleanup_mounts() {
 # Occasionally there are some daemons left hanging around that have our
@@ -260,7 +269,9 @@ cleanup
 # Now make it bootable with the flags from build_image
 "$SCRIPTS_DIR/bin/cros_make_image_bootable" "$(dirname "$FLAGS_image")" \
- "$(basename "$FLAGS_image")"
+ "$(basename "$FLAGS_image")" \
+ ${crosbug12352_flag}
+
 print_time_elapsed
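Review bot: The `DEFINE_boolean crosbug12352_arm_kernel_signing` added in the first mod_image_for_test.sh hunk is a fifth independent copy of this flag, and the same commit has to flip the default by hand in bin/cros_make_image_bootable, build_image, build_kernel_image.sh and mod_image_for_recovery.sh. Nothing visible in these hunks keeps the five defaults equal, so a later edit that misses one copy would presumably leave that script handling the ARM kernel partition in a different signing state from the rest of the build, with no error. Until the flag is removed I would record the coupling next to each definition, e.g. `# Default must stay identical in build_image, build_kernel_image.sh, mod_image_for_recovery.sh, mod_image_for_test.sh and bin/cros_make_image_bootable.`, and state the default in the help text the way the neighbouring `use_dev_keys` and `verity_hash_alg` flags do.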
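Review bot: The signing choice handed to cros_make_image_bootable is taken from this script's own `FLAGS_crosbug12352_arm_kernel_signing` in the new `if` block, not from whatever the image was built with, so with the default now true a test image derived from a build that used `--nocrosbug12352_arm_kernel_signing` will presumably have its kernel partition signed unless the caller repeats the flag. The call-site comment in the last hunk still reads `# Now make it bootable with the flags from build_image`; I would reword it to say the flag comes from this invocation, or document on the `if` block that callers must pass the same value they gave build_image. As a style point, `${crosbug12352_flag}` is expanded unquoted in that call while its neighbours are quoted; it is always one of two non-empty literals, so `"${crosbug12352_flag}"` is safe.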