build_image: default to using verified rootfs for x86

build_image

 #!/bin/bash
 
 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Script to build a bootable keyfob-based chromeos system image from within
 # a chromiumos setup. This assumes that all needed packages have been built into
 # the given target's root with binary packages turned on. This script will
 # build the Chrome OS image using only pre-built binary packages.
@@ skipping 49 matching lines @@
   "stateful filesystem size in MiBs."
 DEFINE_boolean preserve ${FLAGS_FALSE} \
   "Attempt to preserve the previous build image if one can be found (unstable, \
 kernel/firmware not updated)"
 DEFINE_boolean fast ${DEFAULT_FAST} \
   "Call many emerges in parallel"
 
 DEFINE_string usb_disk /dev/sdb3 \
   "Path syslinux should use to do a usb boot. Default: /dev/sdb3"
 
-DEFINE_boolean enable_rootfs_verification ${FLAGS_FALSE} \
+DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \
   "Default all bootloaders to use kernel-based root fs integrity checking."
 DEFINE_integer verity_error_behavior 2 \
   "Kernel verified boot error behavior (0: I/O errors, 1: reboot, 2: nothing) \
 Default: 2"
 DEFINE_integer verity_depth 1 \
   "Kernel verified boot hash tree depth. Default: 1"
 DEFINE_integer verity_max_ios 1024 \
   "Number of outstanding I/O operations dm-verity caps at. Default: 1024"
 DEFINE_string verity_algorithm "sha1" \
   "Cryptographic hash algorithm used for kernel vboot. Default : sha1"
@@ skipping 113 matching lines @@
 # TODO: Build a separated ebuild for the factory install shim to reduce size.
 if [ ${FLAGS_factory_install} -eq ${FLAGS_TRUE} ] ||
    [ ${FLAGS_dev_install} -eq ${FLAGS_TRUE} ] ; then
   INSTALL_MASK="${INSTALL_MASK} ${FACTORY_INSTALL_MASK}"
 fi
 
 if [[ ${FLAGS_jobs} -ne -1 ]]; then
   EMERGE_JOBS="--jobs=${FLAGS_jobs}"
 fi
 
-if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
-  enable_rootfs_verification_flag="--enable_rootfs_verification"
-fi
-
 # Figure out ARCH from the given toolchain.
 # TODO: Move to common.sh as a function after scripts are switched over.
 TC_ARCH=$(echo "${CHOST}" | awk -F'-' '{ print $1 }')
 case "${TC_ARCH}" in
   arm*)
     ARCH="arm"
     ;;
   *86)
     ARCH="x86"
     ;;
   *)
     error "Unable to determine ARCH from toolchain: ${CHOST}"
     exit 1
 esac
 
+if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
+  enable_rootfs_verification_flag="--enable_rootfs_verification"
+  # Comment out this section if you need to start testing vboot on arm.
+  if [[ "${ARCH}" = "arm" ]]; then
+    warn "ARM does not yet support --enable_rootfs_verification"
+    warn "Root filesystem verification has been disabled."
+    enable_rootfs_verification_flag=
+    FLAGS_enable_rootfs_verification_flag=${FLAGS_FALSE}
+  fi
+fi
+
 # Hack to fix bug where x86_64 CHOST line gets incorrectly added.
 # ToDo(msb): remove this hack.
 PACKAGES_FILE="${BOARD_ROOT}/packages/Packages"
 sudo sed -e "s/CHOST: x86_64-pc-linux-gnu//" -i "${PACKAGES_FILE}"
 
 # Handle existing directory.
 if [[ -e "${OUTPUT_DIR}" ]]; then
   if [[ ${FLAGS_replace} -eq ${FLAGS_TRUE} ]]; then
     sudo rm -rf "${OUTPUT_DIR}"
   else
@@ skipping 483 matching lines @@
   echo "Developer image created as ${DEVELOPER_IMAGE_NAME}"
 fi
 
 print_time_elapsed
 
 echo "To copy to USB keyfob, OUTSIDE the chroot, do something like:"
 echo "  ./image_to_usb.sh --from=${OUTSIDE_OUTPUT_DIR} --to=/dev/sdX"
 echo "To convert to VMWare image, INSIDE the chroot, do something like:"
 echo "  ./image_to_vm.sh --from=${OUTSIDE_OUTPUT_DIR}"
 echo "from the scripts directory where you entered the chroot."