commit | 993ef3126919613ef9c69dfdcfda782332b6de8b | [log] [tgz] |
---|---|---|
author | Benjamin Shai <[email protected]> | Thu Jan 16 10:30:06 2025 -0800 |
committer | Chromeos LUCI <[email protected]> | Thu Jan 16 15:47:55 2025 -0800 |
tree | 618ab52b49004528722c24cd52fa67bac64491cc | |
parent | 7fdca50ac14f2358aae760d21c07adfb3285020a [diff] |
uefi: only check for key existence in local key mode When the key is a pkcs11 key, we shouldn't check for the existence of the private key on disk. BUG=b:372702794 TEST=Manual Change-Id: Icf0097c9dfd7b36a40581f19c6066f2a3c0309a8 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/6180557 Tested-by: Benjamin Shai <[email protected]> Commit-Queue: Benjamin Shai <[email protected]> Reviewed-by: Madeleine Hardt <[email protected]> Reviewed-by: Nicholas Bishop <[email protected]>
diff --git a/scripts/image_signing/sign_uefi.py b/scripts/image_signing/sign_uefi.py
index 6d4549f..e387fe7 100755
--- a/scripts/image_signing/sign_uefi.py
+++ b/scripts/image_signing/sign_uefi.py
@@ -235,9 +235,12 @@ for efi_file in sorted(bootloader_dir.glob("crdyboot*.efi")): # This key is required to create the detached signature. - ensure_file_exists( - keys.crdyshim_private_key, "No crdyshim private key" - ) + # Only check the private keys if they are local paths rather than a + # PKCS#11 URI. + if not is_pkcs11_key_path(keys.crdyshim_private_key): + ensure_file_exists( + keys.crdyshim_private_key, "No crdyshim private key" + ) if efi_file.is_file(): inject_vbpubk(efi_file, keys)
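Review bot: When `is_pkcs11_key_path(keys.crdyshim_private_key)` is true, the crdyboot loop now runs no pre-flight check on the key at all, so a mistyped URI or an unavailable token would presumably only surface at the signing step, after `inject_vbpubk(efi_file, keys)` has already modified the file. The loop body and the signing call lie outside this hunk, so that ordering is inferred and should be confirmed. If no cheap validation is possible for PKCS#11 keys, say so at the branch, for example `# PKCS#11 keys cannot be checked on disk; a bad URI or missing token fails at signing time.` `is_pkcs11_key_path` is also defined outside the hunk; it should match only the `pkcs11:` scheme, so that a local path is never misclassified and silently loses its existence check. The new comment says "private keys" in the plural while only the crdyshim key is guarded here, so it is worth checking whether other `ensure_file_exists` calls on private keys in this file need the same condition.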