Add transitional flag for enabling arm kernel signing

build_kernel_image.sh

 #!/bin/bash
 
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Helper script that generates the signed kernel image
 
 # --- BEGIN COMMON.SH BOILERPLATE ---
 # Load common CrOS utilities.  Inside the chroot this file is installed in
@@ skipping 51 matching lines @@
 DEFINE_integer verity_error_behavior 2 \
   "Verified boot error behavior [0: I/O errors, 1: reboot, 2: nothing] \
 (Default: 2)"
 DEFINE_integer verity_tree_depth 1 \
   "Optional Verified boot hash tree depth. (Default: 1)"
 DEFINE_integer verity_max_ios 1024 \
   "Optional number of outstanding I/O operations. (Default: 1024)"
 DEFINE_string verity_hash_alg "sha1" \
   "Cryptographic hash algorithm used for dm-verity. (Default: sha1)"
 
+# TODO(clchiou): Change default to FLAGS_TRUE once ARM verify boot is stable?
+DEFINE_boolean enable_kernel_signing ${FLAGS_FALSE} \

[Will Drewry, 2011/02/17 16:54:09]

This flag, at best, should be called something like

--crosbug111222333_temporary_hack_for_arm :)

[Che-Liang Chiou, 2011/02/21 11:08:39]

Done.

+  "Sign kernel partition for ARM images."
+
 # Parse flags
 FLAGS "$@" || exit 1
 eval set -- "${FLAGS_ARGV}"
 
 # Die on error
 set -e
 
 verity_args=
 # Even with a rootfs_image, root= is not changed unless specified.
 if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
@@ skipping 54 matching lines @@
 dm_verity.error_behavior=${FLAGS_verity_error_behavior}
 dm_verity.max_bios=${FLAGS_verity_max_ios}
 dm_verity.dev_wait=${dev_wait}
 ${verity_args}
 ${FLAGS_boot_args}
 EOF
 
 WORK="${WORK} ${FLAGS_working_dir}/boot.config"
 info "Emitted cross-platform boot params to ${FLAGS_working_dir}/boot.config"
 
-# FIXME: At the moment, we're working on signed images for x86 only. ARM will
-# support this before shipping, but at the moment they don't.
-if [[ "${FLAGS_arch}" = "x86" ]]; then
+# FIXME: At the moment, we're working on signed images for x86 only, and
+# signed images for ARM if enabled.
+if [[ "${FLAGS_arch}" = "x86" ||
+      ${FLAGS_enable_kernel_signing} -eq ${FLAGS_TRUE} ]]; then

[Will Drewry, 2011/02/17 16:54:09]

This is making things pretty complex.

Why can't we just enable this all normally, then let the behavior be controlled
with --enable_rootfs_verification like it is for x86.  That was never meant to
be an x86 specific flag.

If not, can we at least not nest the different behaviors for each platform? 
E.g., if you want to disable kernel signing, that should standalone, shred code
should follow, then it should check for x86/arm specific tweaks.  Instead we end
up with extra x86 conditionals and two separate areas for the arm boot path. 

[Che-Liang Chiou, 2011/02/21 11:08:39]

I rewrote this part of logic. I hope I did not misunderstand your suggestion.

 
   # Legacy BIOS will use the kernel in the rootfs (via syslinux), as will
   # standard EFI BIOS (via grub, from the EFI System Partition). Chrome OS
   # BIOS will use a separate signed kernel partition, which we'll create now.
   # FIXME: remove serial output, debugging messages.
   mkdir -p ${FLAGS_working_dir}
-  cat <<EOF | cat - "${FLAGS_working_dir}/boot.config" \
-    > "${FLAGS_working_dir}/config.txt"
+  if [[ "${FLAGS_arch}" = "x86" ]]; then
+    cat <<EOF | cat - "${FLAGS_working_dir}/boot.config" \
+      > "${FLAGS_working_dir}/config.txt"
 console=tty2
 init=/sbin/init
 add_efi_memmap
 boot=local
 noresume
 noswap
 i915.modeset=1
 cros_secure
 kern_guid=%U
 tpm_tis.force=1
 tpm_tis.interrupts=0
 EOF
+
+    bootloader_path="/lib64/bootstub/bootstub.efi"
+    notx86=""
+    kernel_image="${FLAGS_vmlinuz}"
+  elif [[ "${FLAGS_arch}" = "arm" ]]; then
+    cp "${FLAGS_working_dir}/boot.config" "${FLAGS_working_dir}/config.txt"
+
+    # FIXME: Build boot script image as bootloader. Remove this.
+    kernel_script="${FLAGS_working_dir}/kernel.scr"
+    kernel_script_img="${FLAGS_working_dir}/kernel.scr.uimg"
+    WORK="${WORK} ${kernel_script} ${kernel_script_img}"
+    echo -n 'setenv bootargs ${bootargs} ' > "${kernel_script}"
+    tr '\n' ' ' <"${FLAGS_working_dir}/boot.config" >> "${kernel_script}"
+    mkimage -A arm -O linux -T script -C none -a 0 -e 0 \
+      -n kernel_script -d "${kernel_script}" "${kernel_script_img}"
+
+    bootloader_path="${kernel_script_img}"
+    notx86="--notx86"

[Will Drewry, 2011/02/17 16:54:09]

? Why isn't this an --arch arm flag?

[Che-Liang Chiou, 2011/02/21 11:08:39]

Because it was meant to turn-off x86-only operation. I will rename it to --arch.

+    # FIXME: Change from uImage to zImage
+    kernel_image="${FLAGS_vmlinuz/vmlinuz/vmlinux.uimg}"
+  else
+    error "Unknown arch: ${FLAGS_arch}"
+  fi
   WORK="${WORK} ${FLAGS_working_dir}/config.txt"
 
   # We sign the image with the recovery_key, because this is what goes onto the
   # USB key. We can only boot from the USB drive in recovery mode.
   # For dev install shim, we need to use the installer keyblock instead of
   # the recovery keyblock because of the difference in flags.
   if [ ${FLAGS_use_dev_keys} -eq ${FLAGS_TRUE} ]; then
     USB_KEYBLOCK=installer_kernel.keyblock
     info "DEBUG: use dev install signing key"
   else
     USB_KEYBLOCK=recovery_kernel.keyblock
     info "DEBUG: use recovery signing key"
   fi
 
   # Create and sign the kernel blob
   vbutil_kernel \
     --pack "${FLAGS_to}" \
     --keyblock "${FLAGS_keys_dir}/${USB_KEYBLOCK}" \
     --signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \
     --version 1 \
     --config "${FLAGS_working_dir}/config.txt" \
-    --bootloader /lib64/bootstub/bootstub.efi \
-    --vmlinuz "${FLAGS_vmlinuz}"
+    --bootloader "${bootloader_path}" \
+    --vmlinuz "${kernel_image}" \
+    ${notx86}

[Will Drewry, 2011/02/17 16:54:09]

If this just used the arch, then you wouldn't need extra autodetection.

[Che-Liang Chiou, 2011/02/21 11:08:39]

Done.

 
   # And verify it.
   vbutil_kernel \
     --verify "${FLAGS_to}" \
     --signpubkey "${FLAGS_keys_dir}/recovery_key.vbpubk"
 
 
   # Now we re-sign the same image using the normal keys. This is the kernel
   # image that is put on the hard disk by the installer. Note: To save space on
   # the USB image, we're only emitting the new verfication block, and the
@@ skipping 12 matching lines @@
   cat "${FLAGS_hd_vblock}" > $tempfile
   dd if="${FLAGS_to}" bs=65536 skip=1 >> $tempfile
 
   vbutil_kernel \
     --verify $tempfile \
     --signpubkey "${FLAGS_keys_dir}/kernel_subkey.vbpubk"
 
   rm -f $tempfile
   trap - EXIT
 
-elif [[ "${FLAGS_arch}" = "arm" ]]; then
-  # FIXME: This stuff is unsigned, and will likely change with vboot_reference
-  # but it doesn't technically have to.
+elif [[ "${FLAGS_arch}" = "arm" && \
+        ${FLAGS_enable_kernel_signing} -eq ${FLAGS_FALSE} ]]; then
+  # FIXME: This stuff is unsigned. This part should be removed or made
+  # non-default after ARM verified boot is stable.
 
   kernel_script="${FLAGS_working_dir}/kernel.scr"
   kernel_script_img="${FLAGS_working_dir}/kernel.scr.uimg"
   # HACK: !! Kernel image construction requires some stuff from portage, not
   # sure how to get that information here cleanly !!
   kernel_image="${FLAGS_vmlinuz/vmlinuz/vmlinux.uimg}"
   WORK="${WORK} ${kernel_script} ${kernel_script_img}"
 
   kernel_size=$((($(stat -c %s "${kernel_image}") + 511) / 512))
   script_size=16
@@ skipping 33 matching lines @@
   info "Cleaning up temporary files: ${WORK}"
   rm ${WORK}
   rmdir ${FLAGS_working_dir}
 fi
 
 info "Kernel partition image emitted: ${FLAGS_to}"
 
 if [[ -f ${FLAGS_rootfs_hash} ]]; then
   info "Root filesystem hash emitted: ${FLAGS_rootfs_hash}"
 fi