OLD | NEW |
1 #!/bin/bash | 1 #!/bin/bash |
2 | 2 |
3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # Sign the final build image using the "official" keys. | 7 # Sign the final build image using the "official" keys. |
8 # | 8 # |
9 # Prerequisite tools needed in the system path: | 9 # Prerequisite tools needed in the system path: |
10 # | 10 # |
38 if [ $# -ne 3 ] && [ $# -ne 4 ]; then | 38 if [ $# -ne 3 ] && [ $# -ne 4 ]; then |
39 usage | 39 usage |
40 exit 1 | 40 exit 1 |
41 fi | 41 fi |
42 | 42 |
43 # Abort on errors. | 43 # Abort on errors. |
44 set -e | 44 set -e |
45 | 45 |
46 # Make sure the tools we need are available. | 46 # Make sure the tools we need are available. |
47 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \ | 47 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \ |
48 load_kernel_test dumpe2fs sha1sum; | 48 load_kernel_test dumpe2fs sha1sum e2fsck; |
49 do | 49 do |
50 type -P "${prereqs}" &>/dev/null || \ | 50 type -P "${prereqs}" &>/dev/null || \ |
51 { echo "${prereqs} tool not found."; exit 1; } | 51 { echo "${prereqs} tool not found."; exit 1; } |
52 done | 52 done |
53 | 53 |
54 TYPE=$1 | 54 TYPE=$1 |
55 INPUT_IMAGE=$2 | 55 INPUT_IMAGE=$2 |
56 KEY_DIR=$3 | 56 KEY_DIR=$3 |
57 OUTPUT_IMAGE=$4 | 57 OUTPUT_IMAGE=$4 |
58 | 58 |
171 vbutil_kernel --repack ${updated_kimage} \ | 171 vbutil_kernel --repack ${updated_kimage} \ |
172 --keyblock ${keyblock} \ | 172 --keyblock ${keyblock} \ |
173 --signprivate ${signprivate} \ | 173 --signprivate ${signprivate} \ |
174 --oldblob ${temp_kimage} \ | 174 --oldblob ${temp_kimage} \ |
175 --config ${temp_config} | 175 --config ${temp_config} |
176 | 176 |
177 replace_image_partition ${image} ${kernelpart} ${updated_kimage} | 177 replace_image_partition ${image} ${kernelpart} ${updated_kimage} |
178 replace_image_partition ${image} 3 ${rootfs_image} | 178 replace_image_partition ${image} 3 ${rootfs_image} |
179 } | 179 } |
180 | 180 |
| 181 # Do a sanity check on the image's rootfs |
| 182 # ARGS: Image |
| 183 verify_image_rootfs() { |
| 184 local image=$1 |
| 185 local rootfs_image=$(make_temp_file) |
| 186 extract_image_partition ${image} 3 ${rootfs_image} |
| 187 # This flips the read-only compatibility flag, so that e2fsck does not |
| 188 # complain about unknown file system capabilities. |
| 189 enable_rw_mount ${rootfs_image} |
| 190 echo "Running e2fsck to check root file system for errors" |
| 191 sudo e2fsck -fn "${rootfs_image}" || |
| 192 { echo "Root file system has errors!" && exit 1;} |
| 193 } |
| 194 |
181 # Extracts the firmware update binaries from the a firmware update | 195 # Extracts the firmware update binaries from the a firmware update |
182 # shell ball (generated by src/platform/firmware/pack_firmware.sh) | 196 # shell ball (generated by src/platform/firmware/pack_firmware.sh) |
183 # Args: INPUT_SCRIPT OUTPUT_DIR | 197 # Args: INPUT_SCRIPT OUTPUT_DIR |
184 get_firmwarebin_from_shellball() { | 198 get_firmwarebin_from_shellball() { |
185 local input=$1 | 199 local input=$1 |
186 local output_dir=$2 | 200 local output_dir=$2 |
187 if [ -s "${input}" ]; then | 201 if [ -s "${input}" ]; then |
188 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ | 202 uudecode -o - ${input} | tar -C ${output_dir} -zxf - 2>/dev/null || \ |
189 { echo "Extracting firmware autoupdate failed." && exit 1; } | 203 { echo "Extracting firmware autoupdate failed." && exit 1; } |
190 else | 204 else |
299 try_key=${KEY_DIR}/kernel_subkey.vbpubk | 313 try_key=${KEY_DIR}/kernel_subkey.vbpubk |
300 # The SSD key is only used in non-recovery mode. | 314 # The SSD key is only used in non-recovery mode. |
301 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode OFF): " && \ | 315 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode OFF): " && \ |
302 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 0 >/dev/null 2>&1 && \ | 316 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 0 >/dev/null 2>&1 && \ |
303 echo "YES"; } || echo "NO" | 317 echo "YES"; } || echo "NO" |
304 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode ON): " && \ | 318 echo -n "With SSD Key (Recovery Mode OFF, Dev Mode ON): " && \ |
305 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 1 >/dev/null 2>&1 && \ | 319 { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 1 >/dev/null 2>&1 && \ |
306 echo "YES"; } || echo "NO" | 320 echo "YES"; } || echo "NO" |
307 set -e | 321 set -e |
308 | 322 |
| 323 verify_image_rootfs "${INPUT_IMAGE}" |
| 324 |
309 # TODO(gauravsh): Check embedded firmware AU signatures. | 325 # TODO(gauravsh): Check embedded firmware AU signatures. |
310 } | 326 } |
311 | 327 |
312 # Generate the SSD image | 328 # Generate the SSD image |
313 sign_for_ssd() { | 329 sign_for_ssd() { |
314 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ | 330 ${SCRIPT_DIR}/resign_image.sh ${INPUT_IMAGE} ${OUTPUT_IMAGE} \ |
315 ${KEY_DIR}/kernel_data_key.vbprivk \ | 331 ${KEY_DIR}/kernel_data_key.vbprivk \ |
316 ${KEY_DIR}/kernel.keyblock | 332 ${KEY_DIR}/kernel.keyblock |
317 echo "Signed SSD image output to ${OUTPUT_IMAGE}" | 333 echo "Signed SSD image output to ${OUTPUT_IMAGE}" |
318 } | 334 } |
438 resign_firmware_payload ${INPUT_IMAGE} | 454 resign_firmware_payload ${INPUT_IMAGE} |
439 update_rootfs_hash ${INPUT_IMAGE} \ | 455 update_rootfs_hash ${INPUT_IMAGE} \ |
440 ${KEY_DIR}/installer_kernel.keyblock \ | 456 ${KEY_DIR}/installer_kernel.keyblock \ |
441 ${KEY_DIR}/installer_kernel_data_key.vbprivk \ | 457 ${KEY_DIR}/installer_kernel_data_key.vbprivk \ |
442 2 | 458 2 |
443 sign_for_factory_install | 459 sign_for_factory_install |
444 else | 460 else |
445 echo "Invalid type ${TYPE}" | 461 echo "Invalid type ${TYPE}" |
446 exit 1 | 462 exit 1 |
447 fi | 463 fi |
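Review bot: In the new `verify_image_rootfs`, `sudo e2fsck -fn "${rootfs_image}"` runs the filesystem checker as root on a partition copied out of the input image, although `-n` opens the file read-only and the copy is presumably a temp file the script itself created (`make_temp_file` and `extract_image_partition` are outside the visible lines, so this needs confirming). Unless one of those helpers leaves the file root-owned, drop the privilege and call `e2fsck -fn "${rootfs_image}" ||` directly, so a parser fed image-controlled metadata does not run with root rights inside the signing script. The prerequisite loop also looks `e2fsck` up with `type -P` in the caller's PATH, which may not be the binary sudo resolves. Separately, `local rootfs_image=$(make_temp_file)` hides a failing `make_temp_file` from `set -e`; declare with `local rootfs_image` and assign on the next line. Also quote `"${image}"` and `"${rootfs_image}"` in the `extract_image_partition` and `enable_rw_mount` calls, since the call site already passes `"${INPUT_IMAGE}"` quoted.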