Chromium Code Reviews Chromium Code Reviews
Issue 5567003:
Add --save_config and --set_config options to make_dev_ssd.sh (Closed)
Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master| OLD | NEW |
|---|---|
| 1 #!/bin/sh | 1 #!/bin/sh |
| 2 # | 2 # |
| 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 # | 6 # |
| 7 # This script can change key (usually developer keys) and kernel config | 7 # This script can change key (usually developer keys) and kernel config |
| 8 # of a kernels on SSD. | 8 # of a kernels on SSD. |
| 9 | 9 |
| 10 SCRIPT_BASE="$(dirname "$0")" | 10 SCRIPT_BASE="$(dirname "$0")" |
| 11 . "$SCRIPT_BASE/common.sh" | 11 . "$SCRIPT_BASE/common.sh" |
| 12 load_shflags || exit 1 | 12 load_shflags || exit 1 |
| 13 | 13 |
| 14 # Constants used by DEFINE_* | 14 # Constants used by DEFINE_* |
| 15 VBOOT_BASE='/usr/share/vboot' | 15 VBOOT_BASE='/usr/share/vboot' |
| 16 DEFAULT_KEYS_FOLDER="$VBOOT_BASE/devkeys" | 16 DEFAULT_KEYS_FOLDER="$VBOOT_BASE/devkeys" |
| 17 DEFAULT_BACKUP_FOLDER='/mnt/stateful_partition/backups' | 17 DEFAULT_BACKUP_FOLDER='/mnt/stateful_partition/backups' |
| 18 | 18 |
| 19 # DEFINE_string name default_value description flag | 19 # DEFINE_string name default_value description flag |
| 20 DEFINE_string image "/dev/sda" "Path to device or image file" "i" | 20 DEFINE_string image "/dev/sda" "Path to device or image file" "i" |
| 21 DEFINE_string keys "$DEFAULT_KEYS_FOLDER" "Path to folder of dev keys" "k" | 21 DEFINE_string keys "$DEFAULT_KEYS_FOLDER" "Path to folder of dev keys" "k" |
| 22 DEFINE_boolean remove_rootfs_verification \ | 22 DEFINE_boolean remove_rootfs_verification \ |
| 23 $FLAGS_FALSE "Modify kernel boot config to disable rootfs verification" "" | 23 $FLAGS_FALSE "Modify kernel boot config to disable rootfs verification" "" |
| 24 DEFINE_string backup_dir \ | 24 DEFINE_string backup_dir \ |
| 25 "$DEFAULT_BACKUP_FOLDER" "Path of directory to store kernel backups" "" | 25 "$DEFAULT_BACKUP_FOLDER" "Path of directory to store kernel backups" "" |
| 26 DEFINE_boolean debug $FLAGS_FALSE "Provide debug messages" "d" | 26 DEFINE_boolean debug $FLAGS_FALSE "Provide debug messages" "d" |
| 27 DEFINE_string save_config "" \ | |
| 28 "Base filename to store kernel configs to, instead of resigning." "" | |
| 29 DEFINE_string set_config "" \ | |
| 30 "Base filename to load kernel configs from" "" | |
| 27 | 31 |
| 28 # Parse command line | 32 # Parse command line |
| 29 FLAGS "$@" || exit 1 | 33 FLAGS "$@" || exit 1 |
| 30 eval set -- "$FLAGS_ARGV" | 34 eval set -- "$FLAGS_ARGV" |
| 31 | 35 |
| 32 # Globals | 36 # Globals |
| 33 # ---------------------------------------------------------------------------- | 37 # ---------------------------------------------------------------------------- |
| 34 set -e | 38 set -e |
| 35 | 39 |
| 36 # a log file to keep the output results of executed command | 40 # a log file to keep the output results of executed command |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 121 fi | 125 fi |
| 122 if [ ! $size -le $max_kernel_size ]; then | 126 if [ ! $size -le $max_kernel_size ]; then |
| 123 echo "INFO: $name seems too large ($size), ignored." | 127 echo "INFO: $name seems too large ($size), ignored." |
| 124 continue | 128 continue |
| 125 fi | 129 fi |
| 126 | 130 |
| 127 debug_msg "Reading $name from partition $kernel_index" | 131 debug_msg "Reading $name from partition $kernel_index" |
| 128 mydd if="$ssd_device" of="$old_blob" bs=$bs skip=$offset count=$size | 132 mydd if="$ssd_device" of="$old_blob" bs=$bs skip=$offset count=$size |
| 129 | 133 |
| 130 debug_msg "Checking if $name is valid" | 134 debug_msg "Checking if $name is valid" |
| 131 local old_kernel_config | 135 local kernel_config |
| 132 if ! old_kernel_config="$(dump_kernel_config "$old_blob" 2>"$EXEC_LOG")" | 136 if ! kernel_config="$(dump_kernel_config "$old_blob" 2>"$EXEC_LOG")" |
| 133 then | 137 then |
|
Bill Richardson
2010/12/03 16:16:40
Style nit: use "if blahblah; then" on one line.
| |
| 134 debug_msg "dump_kernel_config error message: $(cat "$EXEC_LOG")" | 138 debug_msg "dump_kernel_config error message: $(cat "$EXEC_LOG")" |
| 135 echo "INFO: $name: no kernel boot information, ignored." | 139 echo "INFO: $name: no kernel boot information, ignored." |
| 136 continue | 140 continue |
| 137 fi | 141 fi |
| 138 | 142 |
| 143 if [ -n "${FLAGS_save_config}" ]; then | |
| 144 # Save current kernel config | |
| 145 local old_config_file | |
| 146 old_config_file="${FLAGS_save_config}.$kernel_index" | |
| 147 echo "Saving $name config to $old_config_file" | |
| 148 echo "$kernel_config" > "$old_config_file" | |
| 149 # Just save; don't resign | |
| 150 continue | |
| 151 fi | |
| 152 | |
| 153 if [ -n "${FLAGS_set_config}" ]; then | |
| 154 # Set new kernel config from file | |
| 155 local new_config_file | |
| 156 new_config_file="${FLAGS_set_config}.$kernel_index" | |
| 157 kernel_config="$(cat "$new_config_file")" || | |
| 158 err_die "Failed to read new kernel config from $new_config_file" | |
| 159 debug_msg "New kernel config: $kernel_config)" | |
| 160 echo "$name: Replaced config from $new_config_file" | |
| 161 fi | |
| 162 | |
| 163 if [ ${FLAGS_remove_rootfs_verification} = $FLAGS_FALSE ]; then | |
| 164 debug_msg "Bypassing rootfs verification check" | |
| 165 elif ! is_rootfs_verification_enabled "$kernel_config"; then | |
| 166 echo "INFO: $name: rootfs verification was not enabled." | |
| 167 else | |
| 168 debug_msg "Changing boot parameter to remove rootfs verification" | |
| 169 kernel_config="$(remove_rootfs_verification "$kernel_config")" | |
| 170 debug_msg "New kernel config: $kernel_config" | |
| 171 echo "$name: Disabled rootfs verification." | |
| 172 fi | |
| 173 | |
| 174 local new_kernel_config_file="$(make_temp_file)" | |
| 175 echo "$kernel_config" >"$new_kernel_config_file" | |
| 176 | |
| 139 debug_msg "Re-signing $name from $old_blob to $new_blob" | 177 debug_msg "Re-signing $name from $old_blob to $new_blob" |
| 140 debug_msg "Using key: $KERNEL_DATAKEY" | 178 debug_msg "Using key: $KERNEL_DATAKEY" |
| 141 | |
| 142 vbutil_kernel \ | 179 vbutil_kernel \ |
| 143 --repack "$new_blob" \ | 180 --repack "$new_blob" \ |
| 144 --vblockonly --keyblock "$KERNEL_KEYBLOCK" \ | 181 --keyblock "$KERNEL_KEYBLOCK" \ |
| 182 --config "$new_kernel_config_file" \ | |
| 145 --signprivate "$KERNEL_DATAKEY" \ | 183 --signprivate "$KERNEL_DATAKEY" \ |
| 146 --oldblob "$old_blob" >"$EXEC_LOG" 2>&1 || | 184 --oldblob "$old_blob" >"$EXEC_LOG" 2>&1 || |
| 147 err_die "Failed to resign $name. Message: $(cat "$EXEC_LOG")" | 185 err_die "Failed to resign $name. Message: $(cat "$EXEC_LOG")" |
| 148 | 186 |
| 149 debug_msg "Creating new kernel image (vboot+code+config)" | 187 debug_msg "Creating new kernel image (vboot+code+config)" |
| 150 local new_kern="$(make_temp_file)" | 188 local new_kern="$(make_temp_file)" |
| 151 cp "$old_blob" "$new_kern" | 189 cp "$old_blob" "$new_kern" |
| 152 mydd if="$new_blob" of="$new_kern" conv=notrunc | 190 mydd if="$new_blob" of="$new_kern" conv=notrunc |
| 153 | 191 |
| 154 if [ ${FLAGS_remove_rootfs_verification} = $FLAGS_FALSE ]; then | |
| 155 debug_msg "Bypassing rootfs verification check" | |
| 156 elif ! is_rootfs_verification_enabled "$old_kernel_config"; then | |
| 157 echo "INFO: $name: rootfs verification was not enabled." | |
| 158 else | |
| 159 debug_msg "Changing boot parameter to remove rootfs verification" | |
| 160 local new_kernel_config_file="$(make_temp_file)" | |
| 161 remove_rootfs_verification "$old_kernel_config" >"$new_kernel_config_file" | |
| 162 debug_msg "New kernel config: $(cat $new_kernel_config_file)" | |
| 163 vbutil_kernel \ | |
| 164 --repack "$new_blob" \ | |
| 165 --config "$new_kernel_config_file" \ | |
| 166 --signprivate "$KERNEL_DATAKEY" \ | |
| 167 --oldblob "$new_kern" >"$EXEC_LOG" 2>&1 || | |
| 168 err_die "Failed to resign $name. Message: $(cat "$EXEC_LOG")" | |
| 169 echo "$name: Disabled rootfs verification." | |
| 170 mydd if="$new_blob" of="$new_kern" conv=notrunc | |
| 171 fi | |
| 172 | |
| 173 if is_debug_mode; then | 192 if is_debug_mode; then |
| 174 debug_msg "for debug purposes, check *.dbgbin" | 193 debug_msg "for debug purposes, check *.dbgbin" |
| 175 cp "$old_blob" old_blob.dbgbin | 194 cp "$old_blob" old_blob.dbgbin |
| 176 cp "$new_blob" new_blob.dbgbin | 195 cp "$new_blob" new_blob.dbgbin |
| 177 cp "$new_kern" new_kern.dbgbin | 196 cp "$new_kern" new_kern.dbgbin |
| 178 fi | 197 fi |
| 179 | 198 |
| 180 debug_msg "Verifying new kernel and keys" | 199 debug_msg "Verifying new kernel and keys" |
| 181 vbutil_kernel \ | 200 vbutil_kernel \ |
| 182 --verify "$new_kern" \ | 201 --verify "$new_kern" \ |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 226 fi | 245 fi |
| 227 fi | 246 fi |
| 228 | 247 |
| 229 # Sometimes doing "dump_kernel_config" or other I/O now (or after return to | 248 # Sometimes doing "dump_kernel_config" or other I/O now (or after return to |
| 230 # shell) will get the data before modification. Not a problem now, but for | 249 # shell) will get the data before modification. Not a problem now, but for |
| 231 # safety, let's try to sync more. | 250 # safety, let's try to sync more. |
| 232 sync; sync; sync | 251 sync; sync; sync |
| 233 | 252 |
| 234 echo "$name: Re-signed with developer keys successfully." | 253 echo "$name: Re-signed with developer keys successfully." |
| 235 done | 254 done |
| 255 | |
| 256 # If we saved the kernel config, exit now so we don't print an error | |
| 257 if [ -n "${FLAGS_save_config}" ]; then | |
| 258 echo "(Kernels have not been resigned.)" | |
| 259 exit 0 | |
| 260 fi | |
| 261 | |
| 236 return $resigned_kernels | 262 return $resigned_kernels |
| 237 } | 263 } |
| 238 | 264 |
| 239 # Main | 265 # Main |
| 240 # ---------------------------------------------------------------------------- | 266 # ---------------------------------------------------------------------------- |
| 241 main() { | 267 main() { |
| 242 local num_signed=0 | 268 local num_signed=0 |
| 243 # Check parameters | 269 # Check parameters |
| 244 KERNEL_KEYBLOCK="$FLAGS_keys/kernel.keyblock" | 270 KERNEL_KEYBLOCK="$FLAGS_keys/kernel.keyblock" |
| 245 KERNEL_DATAKEY="$FLAGS_keys/kernel_data_key.vbprivk" | 271 KERNEL_DATAKEY="$FLAGS_keys/kernel_data_key.vbprivk" |
| (...skipping 12 matching lines...) Expand all Loading... | |
| 258 debug_msg "Complete." | 284 debug_msg "Complete." |
| 259 if [ $num_signed -gt 0 -a $num_signed -le 2 ]; then | 285 if [ $num_signed -gt 0 -a $num_signed -le 2 ]; then |
| 260 # signed 1 or two kernels | 286 # signed 1 or two kernels |
| 261 echo "Successfully re-signed $num_signed kernel(s) on device $FLAGS_image". | 287 echo "Successfully re-signed $num_signed kernel(s) on device $FLAGS_image". |
| 262 else | 288 else |
| 263 err_die "Failed re-signing kernels." | 289 err_die "Failed re-signing kernels." |
| 264 fi | 290 fi |
| 265 } | 291 } |
| 266 | 292 |
| 267 main | 293 main |
| OLD | NEW |
