Chromium Code Reviews Chromium Code Reviews
Issue 2820012:
Use new kernel-signing tools. (Closed)
Base URL: ssh://git@chromiumos-git//crosutils.git| OLD | NEW |
|---|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Script to build a bootable keyfob-based chromeos system image from within | 7 # Script to build a bootable keyfob-based chromeos system image from within |
| 8 # a chromiumos setup. This assumes that all needed packages have been built into | 8 # a chromiumos setup. This assumes that all needed packages have been built into |
| 9 # the given target's root with binary packages turned on. This script will | 9 # the given target's root with binary packages turned on. This script will |
| 10 # build the Chrome OS image using only pre-built binary packages. | 10 # build the Chrome OS image using only pre-built binary packages. |
| (...skipping 469 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 480 ro | 480 ro |
| 481 noresume | 481 noresume |
| 482 noswap | 482 noswap |
| 483 i915.modeset=1 | 483 i915.modeset=1 |
| 484 loglevel=7 | 484 loglevel=7 |
| 485 Hi_Mom | 485 Hi_Mom |
| 486 EOF | 486 EOF |
| 487 | 487 |
| 488 # FIXME: We need to specify the real keys and certs here! | 488 # FIXME: We need to specify the real keys and certs here! |
| 489 SIG_DIR="${SRC_ROOT}/platform/vboot_reference/tests/testkeys" | 489 SIG_DIR="${SRC_ROOT}/platform/vboot_reference/tests/testkeys" |
| 490 | |
| 491 # Wrap the public keys with VbPublicKey headers | |
| 492 vbutil_key --pack \ | |
| 493 --in "${SIG_DIR}/key_rsa2048.keyb" \ | |
| 494 --version 1 --algorithm 4 \ | |
| 495 --out "${OUTPUT_DIR}/key_alg4.vbpubk" | |
| 496 | |
| 497 vbutil_key --pack \ | |
| 498 --in "${SIG_DIR}/key_rsa4096.keyb" \ | |
| 499 --version 1 --algorithm 8 \ | |
| 500 --out "${OUTPUT_DIR}/key_alg8.vbpubk" | |
| 501 | |
| 502 vbutil_keyblock --pack "${OUTPUT_DIR}/data4_sign8.keyblock" \ | |
| 503 --datapubkey "${OUTPUT_DIR}/key_alg4.vbpubk" \ | |
| 504 --signprivate "${SIG_DIR}/key_rsa4096.pem" \ | |
| 505 --algorithm 8 --flags 3 | |
| 506 | |
| 507 # Verify the keyblock | |
| 508 vbutil_keyblock --unpack "${OUTPUT_DIR}/data4_sign8.keyblock" \ | |
| 509 --signpubkey "${OUTPUT_DIR}/key_alg8.vbpubk" | |
| 510 | |
| 511 # Sign the kernel: | |
| 512 vbutil_kernel --pack "${OUTPUT_DIR}/vmlinuz.image" \ | |
| 513 --keyblock "${OUTPUT_DIR}/data4_sign8.keyblock" \ | |
| 514 --signprivate "${SIG_DIR}/key_rsa2048.pem" \ | |
| 515 --version 1 \ | |
| 516 --config "${OUTPUT_DIR}/config.txt" \ | |
| 517 --bootloader /lib64/bootstub/bootstub.efi \ | |
| 518 --vmlinuz "${ROOT_FS_DIR}/boot/vmlinuz" | |
| 490 | 519 |
| 491 # Create the kernel partition image. | 520 # And verify it |
| 492 kernel_utility --generate \ | 521 vbutil_kernel --verify "${OUTPUT_DIR}/vmlinuz.image" \ |
| 493 --firmware_key "${SIG_DIR}/key_rsa4096.pem" \ | 522 --signpubkey "${OUTPUT_DIR}/key_alg8.vbpubk" |
| 494 --kernel_key "${SIG_DIR}/key_rsa1024.pem" \ | 523 |
| 495 --kernel_key_pub "${SIG_DIR}/key_rsa1024.keyb" \ | |
| 496 --firmware_sign_algorithm 8 \ | |
| 497 --kernel_sign_algorithm 2 \ | |
| 498 --kernel_key_version 1 \ | |
| 499 --kernel_version 1 \ | |
| 500 --config "${OUTPUT_DIR}/config.txt" \ | |
| 501 --bootloader /lib64/bootstub/bootstub.efi \ | |
| 502 --vmlinuz "${ROOT_FS_DIR}/boot/vmlinuz" \ | |
| 503 --out "${OUTPUT_DIR}/vmlinuz.image" | |
| 504 | |
| 505 else | 524 else |
| 506 # FIXME: For now, ARM just uses the unsigned kernel by itself. | 525 # FIXME: For now, ARM just uses the unsigned kernel by itself. |
| 507 cp -f "${ROOT_FS_DIR}/boot/vmlinuz" "${OUTPUT_DIR}/vmlinuz.image" | 526 cp -f "${ROOT_FS_DIR}/boot/vmlinuz" "${OUTPUT_DIR}/vmlinuz.image" |
| 508 fi | 527 fi |
| 509 | 528 |
| 510 | 529 |
| 511 # Perform any customizations on the root file system that are needed. | 530 # Perform any customizations on the root file system that are needed. |
| 512 "${SCRIPTS_DIR}/customize_rootfs" \ | 531 "${SCRIPTS_DIR}/customize_rootfs" \ |
| 513 --root="$ROOT_FS_DIR" \ | 532 --root="$ROOT_FS_DIR" \ |
| 514 --target="$ARCH" \ | 533 --target="$ARCH" \ |
| (...skipping 25 matching lines...) Expand all Loading... | |
| 540 # Create the GPT-formatted image | 559 # Create the GPT-formatted image |
| 541 ${SCRIPTS_DIR}/build_gpt.sh \ | 560 ${SCRIPTS_DIR}/build_gpt.sh \ |
| 542 --arch=${ARCH} \ | 561 --arch=${ARCH} \ |
| 543 --board=${FLAGS_board} \ | 562 --board=${FLAGS_board} \ |
| 544 --arm_extra_bootargs="${FLAGS_arm_extra_bootargs}" \ | 563 --arm_extra_bootargs="${FLAGS_arm_extra_bootargs}" \ |
| 545 --rootfs_partition_size=${FLAGS_rootfs_partition_size} \ | 564 --rootfs_partition_size=${FLAGS_rootfs_partition_size} \ |
| 546 ${RECOVERY} \ | 565 ${RECOVERY} \ |
| 547 "${OUTPUT_DIR}" \ | 566 "${OUTPUT_DIR}" \ |
| 548 "${OUTPUT_IMG}" | 567 "${OUTPUT_IMG}" |
| 549 | 568 |
| 550 # Clean up temporary files. | |
| 551 rm -f "${ROOT_FS_IMG}" "${STATEFUL_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \ | |
| 552 "${ESP_IMG}" | |
| 553 rmdir "${ROOT_FS_DIR}" "${STATEFUL_DIR}" "${ESP_DIR}" | |
| 554 | |
| 555 OUTSIDE_OUTPUT_DIR="../build/images/${FLAGS_board}/${IMAGE_SUBDIR}" | |
| 556 | |
| 557 # Create a recovery image based on the chromium os base image | 569 # Create a recovery image based on the chromium os base image |
| 558 [ "$FLAGS_recovery" -eq "$FLAGS_TRUE" ] && create_mod_image "recovery" | 570 [ "$FLAGS_recovery" -eq "$FLAGS_TRUE" ] && create_mod_image "recovery" |
| 559 trap - EXIT | 571 trap - EXIT |
| 560 | 572 |
| 561 # Create a developer image based on the chromium os base image | 573 # Create a developer image based on the chromium os base image |
| 562 [ "$FLAGS_withdev" -eq "$FLAGS_TRUE" ] && create_mod_image "dev" | 574 [ "$FLAGS_withdev" -eq "$FLAGS_TRUE" ] && create_mod_image "dev" |
| 563 trap - EXIT | 575 trap - EXIT |
| 564 | 576 |
| 565 # be quiet again | 577 # FIXME: only signing things for x86 right now. |
| 566 set +x | 578 if [[ "$ARCH" = "x86" ]]; then |
| 579 # Verify the final image | |
| 580 load_kernel2_test "${PRISTINE_IMAGE_NAME}" "${OUTPUT_DIR}/key_alg8.vbpubk" | |
|
Randall Spangler
2010/06/16 22:50:45
renamed to load_kernel_test, after my latest cl.
| |
| 581 fi | |
| 582 | |
| 583 # Clean up temporary files. | |
| 584 rm -f "${ROOT_FS_IMG}" "${STATEFUL_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \ | |
| 585 "${ESP_IMG}" "${OUTPUT_DIR}/data4_sign8.keyblock" \ | |
| 586 "${OUTPUT_DIR}/key_alg4.vbpubk" "${OUTPUT_DIR}/key_alg8.vbpubk" | |
| 587 rmdir "${ROOT_FS_DIR}" "${STATEFUL_DIR}" "${ESP_DIR}" | |
| 588 | |
| 589 OUTSIDE_OUTPUT_DIR="../build/images/${FLAGS_board}/${IMAGE_SUBDIR}" | |
| 567 | 590 |
| 568 echo "Done. Image created in ${OUTPUT_DIR}" | 591 echo "Done. Image created in ${OUTPUT_DIR}" |
| 569 echo "Chromium OS image created as $PRISTINE_IMAGE_NAME" | 592 echo "Chromium OS image created as $PRISTINE_IMAGE_NAME" |
| 570 if [ "$FLAGS_recovery" -eq "$FLAGS_TRUE" ]; then | 593 if [ "$FLAGS_recovery" -eq "$FLAGS_TRUE" ]; then |
| 571 echo "Recovery image created as $PRISTINE_IMAGE_NAME" | 594 echo "Recovery image created as $PRISTINE_IMAGE_NAME" |
| 572 fi | 595 fi |
| 573 if [ "$FLAGS_withdev" -eq "$FLAGS_TRUE" ]; then | 596 if [ "$FLAGS_withdev" -eq "$FLAGS_TRUE" ]; then |
| 574 echo "Developer image created as $DEVELOPER_IMAGE_NAME" | 597 echo "Developer image created as $DEVELOPER_IMAGE_NAME" |
| 575 fi | 598 fi |
| 576 | 599 |
| 577 print_time_elapsed | 600 print_time_elapsed |
| 578 | 601 |
| 579 echo "To copy to USB keyfob, OUTSIDE the chroot, do something like:" | 602 echo "To copy to USB keyfob, OUTSIDE the chroot, do something like:" |
| 580 echo " ./image_to_usb.sh --from=${OUTSIDE_OUTPUT_DIR} --to=/dev/sdX" | 603 echo " ./image_to_usb.sh --from=${OUTSIDE_OUTPUT_DIR} --to=/dev/sdX" |
| 581 echo "To convert to VMWare image, OUTSIDE the chroot, do something like:" | 604 echo "To convert to VMWare image, OUTSIDE the chroot, do something like:" |
| 582 echo " ./image_to_vmware.sh --from=${OUTSIDE_OUTPUT_DIR}" | 605 echo " ./image_to_vmware.sh --from=${OUTSIDE_OUTPUT_DIR}" |
| 583 echo "from the scripts directory where you entered the chroot." | 606 echo "from the scripts directory where you entered the chroot." |
| OLD | NEW |
