factory: Adds a gooftool sub-command to verify if the firmware key is premp/mp key

Issue description

Currently the verification process is done by the HWID pytest. But as it is not directly related to the HWID framework itself, it would be more clear to do the verification in `gooftool verify` instead of in `hwid verify`.
Jan 30 2018
Looks like we can get the key type by looking at "VERSION.signer", which we can get by extracting the "chromeos-firmwareupdate" file.
Jan 30 2018
You can try to grab a latest signed recovery build and see the contents of output from "chromeos-firmwareupdate -V", which should contain some info. Also, as you've mentioned, VERSION.signer should tell some info as well. If you need some better way, feel free to revise firmware updater.
Jan 31 2018
For verifying if the release image is signed by mp keys, we can do the following steps:
1. Mount the release image.
2. Extract the firmware by the command
   $ <release_rootfs>/usr/sbin/chromeos-firmwareupdate --sb_extract /tmp/tmpfolder
3. Grep if there's a string "Signed by.*<BoardName>MpKeys" inside "/tmp/tmpfolder/VERSION.signer"
Not sure if the above steps are strong enough or not. Also, for uni-build, we might also have to check if the signer name is correct or not.
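Added example, not part of the original thread and not gooftool's own code: the VERSION.signer check from step 3, in Python, run against a directory already produced by `--sb_extract`. The function names and the sample signer lines are constructed for illustration; the real layout of VERSION.signer may differ.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample contents; the real VERSION.signer layout may differ.
SAMPLE_MP = "Signed by: ExampleBoardMpKeys (constructed sample)\n"
SAMPLE_OTHER = "Signed by: SomeOtherKeys (constructed sample)\n"


def mp_signer_lines(signer_text, board_name):
    """Return the lines matching 'Signed by.*<BoardName>MpKeys'."""
    # re.escape keeps regex metacharacters in the board name literal,
    # so a name like "a.b" cannot match "axb".
    pattern = re.compile(r"Signed by.*" + re.escape(board_name) + r"MpKeys")
    return [ln.strip() for ln in signer_text.splitlines() if pattern.search(ln)]


def check_extracted_firmware(extract_dir, board_name):
    """Check <extract_dir>/VERSION.signer for an MP signer line.

    Returns (ok, detail). A missing or unreadable file is a failure,
    never a pass, so a broken extraction cannot look like an MP image.
    """
    signer_file = Path(extract_dir) / "VERSION.signer"
    if not signer_file.is_file():
        return False, "VERSION.signer not found"
    text = signer_file.read_text(errors="replace")
    hits = mp_signer_lines(text, board_name)
    if not hits:
        return False, "no MP signer line for board %r" % board_name
    return True, hits[0]


def demo():
    """Run the check on constructed files; return the two results."""
    results = []
    for sample in (SAMPLE_MP, SAMPLE_OTHER):
        with tempfile.TemporaryDirectory() as tmp:
            Path(tmp, "VERSION.signer").write_text(sample)
            results.append(check_extracted_firmware(tmp, "ExampleBoard"))
    return results


if __name__ == "__main__":
    for ok, detail in demo():
        print("PASS" if ok else "FAIL", detail)
```

This only checks what VERSION.signer says; as the later comments note, the key hash of the firmware actually on the device is checked separately in Gooftool.VerifyKeys.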
Jan 31 2018
I think checking VERSION.signer is good enough.
Jan 31 2018
And we should log the hash of keys we've found as well. Also, it's even better if we can also check if the key hash is DEV (we do have hash for DEV keys), no matter what is filled in the VERSION.signer.
Jan 31 2018
Do you mean checking if the ro firmware key hash is DEV or not? We do check if the ro firmware key hash is DEV or not in Gooftool.VerifyKeys method.
Jan 31 2018
I was thinking to check if the firmware has VERSION.signer as MP but it's actually modified with a DEV-signed image. Partner may do this unexpectedly when they receive instruction like 'let's change firmware to XXXX'. But well, if VerifyKeys will catch DEV keys then I'm fine.
Feb 1 2018
I have introduced a CL to put hash of loem keys into VERSION.signer as well. For whitelabel and uni-build, I think we can also verify whether the rootkey in current firmware is the same as the one noted in VERSION.signer based on model or loem name. In this case we can prevent firmware from being re-keyed to the wrong one. On the other hand, hwid database-builder might also support reading the hash of rootkey from VERSION.signer so partners don't need to spend time on probing it from a real device after flashing firmware.
Feb 1 2018
Mar 1 2018
Comment 1 by yhong@chromium.org, Jan 30 2018