| OLD | NEW |
|---|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved. | 3 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Script to build a bootable keyfob-based chromeos system image from within | 7 # Script to build a bootable keyfob-based chromeos system image from within |
| 8 # a chromiumos setup. This assumes that all needed packages have been built into | 8 # a chromiumos setup. This assumes that all needed packages have been built into |
| 9 # the given target's root with binary packages turned on. This script will | 9 # the given target's root with binary packages turned on. This script will |
| 10 # build the Chrome OS image using only pre-built binary packages. | 10 # build the Chrome OS image using only pre-built binary packages. |
| (...skipping 74 matching lines...) | |
| 85 "Attempt to preserve the previous build image if one can be found (unstable, \ | 85 "Attempt to preserve the previous build image if one can be found (unstable, \ |
| 86 kernel/firmware not updated)" | 86 kernel/firmware not updated)" |
| 87 DEFINE_boolean fast ${DEFAULT_FAST} \ | 87 DEFINE_boolean fast ${DEFAULT_FAST} \ |
| 88 "Call many emerges in parallel" | 88 "Call many emerges in parallel" |
| 89 DEFINE_string boot_args "noinitrd" \ | 89 DEFINE_string boot_args "noinitrd" \ |
| 90 "Additional boot arguments to pass to the commandline" | 90 "Additional boot arguments to pass to the commandline" |
| 91 | 91 |
| 92 DEFINE_string usb_disk /dev/sdb3 \ | 92 DEFINE_string usb_disk /dev/sdb3 \ |
| 93 "Path syslinux should use to do a usb boot. Default: /dev/sdb3" | 93 "Path syslinux should use to do a usb boot. Default: /dev/sdb3" |
| 94 | 94 |
| 95 # TODO(clchiou): Change default to FLAGS_TRUE once ARM verify boot is stable? | |
| 96 DEFINE_boolean enable_kernel_signing ${FLAGS_FALSE} \ | |
|
Will Drewry
2011/02/17 16:54:09
This flag is way too broad. It is meant as a tran
Che-Liang Chiou
2011/02/21 11:08:39
Done.
| |
| 97 "Sign kernel partition for ARM images." | |
| 98 | |
| 95 DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \ | 99 DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \ |
| 96 "Default all bootloaders to use kernel-based root fs integrity checking." | 100 "Default all bootloaders to use kernel-based root fs integrity checking." |
| 97 DEFINE_integer verity_error_behavior 3 \ | 101 DEFINE_integer verity_error_behavior 3 \ |
| 98 "Kernel verified boot error behavior (0: I/O errors, 1: panic, 2: nothing, \ | 102 "Kernel verified boot error behavior (0: I/O errors, 1: panic, 2: nothing, \ |
| 99 3: cros) Default: 3" | 103 3: cros) Default: 3" |
| 100 DEFINE_integer verity_depth 1 \ | 104 DEFINE_integer verity_depth 1 \ |
| 101 "Kernel verified boot hash tree depth. Default: 1" | 105 "Kernel verified boot hash tree depth. Default: 1" |
| 102 DEFINE_integer verity_max_ios -1 \ | 106 DEFINE_integer verity_max_ios -1 \ |
| 103 "Number of outstanding I/O operations dm-verity caps at. Default: -1" | 107 "Number of outstanding I/O operations dm-verity caps at. Default: -1" |
| 104 DEFINE_string verity_algorithm "sha1" \ | 108 DEFINE_string verity_algorithm "sha1" \ |
| (...skipping 170 matching lines...) | |
| 275 ARCH="arm" | 279 ARCH="arm" |
| 276 ;; | 280 ;; |
| 277 *86) | 281 *86) |
| 278 ARCH="x86" | 282 ARCH="x86" |
| 279 ;; | 283 ;; |
| 280 *) | 284 *) |
| 281 error "Unable to determine ARCH from toolchain: ${CHOST}" | 285 error "Unable to determine ARCH from toolchain: ${CHOST}" |
| 282 exit 1 | 286 exit 1 |
| 283 esac | 287 esac |
| 284 | 288 |
| 289 if [[ ${FLAGS_enable_kernel_signing} -eq ${FLAGS_TRUE} ]]; then | |
| 290 enable_kernel_signing_flag="--enable_kernel_signing" | |
| 291 else | |
| 292 enable_kernel_signing_flag="--noenable_kernel_signing" | |
| 293 fi | |
| 285 if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then | 294 if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then |
| 286 enable_rootfs_verification_flag="--enable_rootfs_verification" | 295 enable_rootfs_verification_flag="--enable_rootfs_verification" |
| 287 fi | 296 fi |
| 288 | 297 |
| 289 # Hack to fix bug where x86_64 CHOST line gets incorrectly added. | 298 # Hack to fix bug where x86_64 CHOST line gets incorrectly added. |
| 290 # ToDo(msb): remove this hack. | 299 # ToDo(msb): remove this hack. |
| 291 PACKAGES_FILE="${BOARD_ROOT}/packages/Packages" | 300 PACKAGES_FILE="${BOARD_ROOT}/packages/Packages" |
| 292 sudo sed -e "s/CHOST: x86_64-pc-linux-gnu//" -i "${PACKAGES_FILE}" | 301 sudo sed -e "s/CHOST: x86_64-pc-linux-gnu//" -i "${PACKAGES_FILE}" |
| 293 | 302 |
| 294 # Handle existing directory. | 303 # Handle existing directory. |
| (...skipping 103 matching lines...) | |
| 398 --rootfs_mountpoint="${ROOT_FS_DIR}" | 407 --rootfs_mountpoint="${ROOT_FS_DIR}" |
| 399 --statefulfs_mountpoint="${STATEFUL_FS_DIR}" | 408 --statefulfs_mountpoint="${STATEFUL_FS_DIR}" |
| 400 --espfs_mountpoint="${ESP_FS_DIR}" | 409 --espfs_mountpoint="${ESP_FS_DIR}" |
| 401 --verity_error_behavior="${FLAGS_verity_error_behavior}" | 410 --verity_error_behavior="${FLAGS_verity_error_behavior}" |
| 402 --verity_depth="${FLAGS_verity_depth}" | 411 --verity_depth="${FLAGS_verity_depth}" |
| 403 --verity_max_ios="${FLAGS_verity_max_ios}" | 412 --verity_max_ios="${FLAGS_verity_max_ios}" |
| 404 --verity_algorithm="${FLAGS_verity_algorithm}" | 413 --verity_algorithm="${FLAGS_verity_algorithm}" |
| 405 --keys_dir="${DEVKEYSDIR}" | 414 --keys_dir="${DEVKEYSDIR}" |
| 406 --usb_disk="${FLAGS_usb_disk}" | 415 --usb_disk="${FLAGS_usb_disk}" |
| 407 --nocleanup_dirs | 416 --nocleanup_dirs |
| 417 ${enable_kernel_signing_flag} | |
| 408 ${enable_rootfs_verification_flag} | 418 ${enable_rootfs_verification_flag} |
| 409 EOF | 419 EOF |
| 410 } | 420 } |
| 411 | 421 |
| 412 # Modifies an existing image to add development packages | 422 # Modifies an existing image to add development packages |
| 413 update_dev_packages() { | 423 update_dev_packages() { |
| 414 local image_name=$1 | 424 local image_name=$1 |
| 415 | 425 |
| 416 echo "Adding developer packages to ${image_name}" | 426 echo "Adding developer packages to ${image_name}" |
| 417 | 427 |
| (...skipping 369 matching lines...) | |
| 787 | 797 |
| 788 USE_DEV_KEYS= | 798 USE_DEV_KEYS= |
| 789 if [ "${FLAGS_dev_install}" -eq "${FLAGS_TRUE}" ] || \ | 799 if [ "${FLAGS_dev_install}" -eq "${FLAGS_TRUE}" ] || \ |
| 790 [ "${FLAGS_factory_install}" -eq "${FLAGS_TRUE}" ]; then | 800 [ "${FLAGS_factory_install}" -eq "${FLAGS_TRUE}" ]; then |
| 791 USE_DEV_KEYS="--use_dev_keys" | 801 USE_DEV_KEYS="--use_dev_keys" |
| 792 fi | 802 fi |
| 793 | 803 |
| 794 # Place flags before positional args | 804 # Place flags before positional args |
| 795 ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${OUTPUT_DIR}" \ | 805 ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${OUTPUT_DIR}" \ |
| 796 "${PRISTINE_IMAGE_NAME}" \ | 806 "${PRISTINE_IMAGE_NAME}" \ |
| 797 ${USE_DEV_KEYS} | 807 ${USE_DEV_KEYS} \ |
| 808 ${enable_kernel_signing_flag} | |
| 798 | 809 |
| 799 # FIXME: only signing things for x86 right now. | 810 # FIXME: only signing things for x86 right now. |
| 800 if [[ "${ARCH}" = "x86" ]]; then | 811 # FIXME: signing things for x86, and for ARM if enabled. |
| 812 if [[ "${FLAGS_enable_kernel_signing}" -eq "${FLAGS_TRUE}" || \ | |
| 813 "${ARCH}" = "x86" ]]; then | |
| 801 BOOT_FLAG= | 814 BOOT_FLAG= |
| 802 if [ "${FLAGS_dev_install}" -eq "${FLAGS_TRUE}" ] || | 815 if [ "${FLAGS_dev_install}" -eq "${FLAGS_TRUE}" ] || |
| 803 [ "${FLAGS_factory_install}" -eq "${FLAGS_TRUE}" ]; then | 816 [ "${FLAGS_factory_install}" -eq "${FLAGS_TRUE}" ]; then |
| 804 BOOT_FLAG="-b 1" # BOOT_FLAG_DEVELOPER value defined in load_kernel_fw.h | 817 BOOT_FLAG="-b 1" # BOOT_FLAG_DEVELOPER value defined in load_kernel_fw.h |
| 805 info "--dev_install set, pass BOOT_FLAG_DEVELOPER flag to load_kernel_test" | 818 info "--dev_install set, pass BOOT_FLAG_DEVELOPER flag to load_kernel_test" |
| 806 fi | 819 fi |
| 807 | 820 |
| 808 # Verify the final image. | 821 # Verify the final image. |
| 809 load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \ | 822 load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \ |
| 810 "${DEVKEYSDIR}/recovery_key.vbpubk" ${BOOT_FLAG} | 823 "${DEVKEYSDIR}/recovery_key.vbpubk" ${BOOT_FLAG} |
| 811 fi | 824 fi |
| 812 | 825 |
| 813 # Create a developer image based on the chromium os base image. | 826 # Create a developer image based on the chromium os base image. |
| 814 if [ "${FLAGS_withdev}" -eq "${FLAGS_TRUE}" ] ; then | 827 if [ "${FLAGS_withdev}" -eq "${FLAGS_TRUE}" ] ; then |
| 815 if [[ ! -f ${DEVELOPER_IMG} ]] ; then | 828 if [[ ! -f ${DEVELOPER_IMG} ]] ; then |
| 816 echo "Creating developer image from base image ${PRISTINE_IMAGE_NAME}" | 829 echo "Creating developer image from base image ${PRISTINE_IMAGE_NAME}" |
| 817 cp ${PRISTINE_IMG} ${DEVELOPER_IMG} | 830 cp ${PRISTINE_IMG} ${DEVELOPER_IMG} |
| 818 fi | 831 fi |
| 819 | 832 |
| 820 update_dev_packages ${DEVELOPER_IMAGE_NAME} | 833 update_dev_packages ${DEVELOPER_IMAGE_NAME} |
| 821 ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${OUTPUT_DIR}" \ | 834 ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${OUTPUT_DIR}" \ |
| 822 "${DEVELOPER_IMAGE_NAME}" | 835 "${DEVELOPER_IMAGE_NAME}" \ |
| 836 ${enable_kernel_signing_flag} | |
| 823 fi | 837 fi |
| 824 | 838 |
| 825 # Clean up temporary files. | 839 # Clean up temporary files. |
| 826 rm -f "${ROOT_FS_IMG}" "${STATEFUL_FS_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \ | 840 rm -f "${ROOT_FS_IMG}" "${STATEFUL_FS_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \ |
| 827 "${ESP_FS_IMG}" "${OEM_FS_IMG}" "${OUTPUT_DIR}/vmlinuz_hd.vblock" | 841 "${ESP_FS_IMG}" "${OEM_FS_IMG}" "${OUTPUT_DIR}/vmlinuz_hd.vblock" |
| 828 rmdir "${ROOT_FS_DIR}" "${STATEFUL_FS_DIR}" "${OEM_FS_DIR}" "${ESP_FS_DIR}" | 842 rmdir "${ROOT_FS_DIR}" "${STATEFUL_FS_DIR}" "${OEM_FS_DIR}" "${ESP_FS_DIR}" |
| 829 | 843 |
| 830 # Generating AU generator zip file to run outside chroot | 844 # Generating AU generator zip file to run outside chroot |
| 831 generate_au_zip || echo "Failed generating AU zip file - ignoring Error..." | 845 generate_au_zip || echo "Failed generating AU zip file - ignoring Error..." |
| 832 # Create a 'latest' link | 846 # Create a 'latest' link |
| 833 rm -f ${FLAGS_output_root}/${FLAGS_board}/latest | 847 rm -f ${FLAGS_output_root}/${FLAGS_board}/latest |
| 834 ln -s $(basename ${OUTPUT_DIR}) ${FLAGS_output_root}/${FLAGS_board}/latest | 848 ln -s $(basename ${OUTPUT_DIR}) ${FLAGS_output_root}/${FLAGS_board}/latest |
| 835 | 849 |
| 836 echo "Done. Image created in ${OUTPUT_DIR}" | 850 echo "Done. Image created in ${OUTPUT_DIR}" |
| 837 echo "Chromium OS image created as ${PRISTINE_IMAGE_NAME}" | 851 echo "Chromium OS image created as ${PRISTINE_IMAGE_NAME}" |
| 838 if [ "${FLAGS_withdev}" -eq "${FLAGS_TRUE}" ]; then | 852 if [ "${FLAGS_withdev}" -eq "${FLAGS_TRUE}" ]; then |
| 839 echo "Developer image created as ${DEVELOPER_IMAGE_NAME}" | 853 echo "Developer image created as ${DEVELOPER_IMAGE_NAME}" |
| 840 fi | 854 fi |
| 841 | 855 |
| 842 print_time_elapsed | 856 print_time_elapsed |
| 843 | 857 |
| 844 echo "To copy to USB keyfob, do something like:" | 858 echo "To copy to USB keyfob, do something like:" |
| 845 echo " ./image_to_usb.sh --from=${OUTSIDE_OUTPUT_DIR} --to=/dev/sdX" | 859 echo " ./image_to_usb.sh --from=${OUTSIDE_OUTPUT_DIR} --to=/dev/sdX" |
| 846 echo "To convert to VMWare image, INSIDE the chroot, do something like:" | 860 echo "To convert to VMWare image, INSIDE the chroot, do something like:" |
| 847 echo " ./image_to_vm.sh --from=${OUTSIDE_OUTPUT_DIR} --board=${BOARD}" | 861 echo " ./image_to_vm.sh --from=${OUTSIDE_OUTPUT_DIR} --board=${BOARD}" |
| 848 echo "from the scripts directory where you entered the chroot." | 862 echo "from the scripts directory where you entered the chroot." |
| OLD | NEW |
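Review bot: The developer image made bootable at new lines 834-836 now receives `${enable_kernel_signing_flag}`, but it is never passed to `load_kernel_test`; the verify step at new lines 812-824 only checks `${PRISTINE_IMAGE_NAME}`. A signing or key mismatch in the developer image would therefore go unnoticed at build time, on x86 as well as on ARM with the flag enabled. After the developer `cros_make_image_bootable` call, under the same condition as line 812, I would add `load_kernel_test "${OUTPUT_DIR}/${DEVELOPER_IMAGE_NAME}" "${DEVKEYSDIR}/recovery_key.vbpubk" ${BOOT_FLAG}`, assuming the developer image is signed with the same keys, which the visible lines do not show. Separately, the old comment kept at new line 810, `# FIXME: only signing things for x86 right now.`, contradicts the new one at line 811 and should be dropped.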