Add transitional flag for enabling arm kernel signing

build_kernel_image.sh

 #!/bin/bash
 
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Helper script that generates the signed kernel image
 
 # --- BEGIN COMMON.SH BOILERPLATE ---
 # Load common CrOS utilities.  Inside the chroot this file is installed in
@@ skipping 51 matching lines @@
 DEFINE_integer verity_error_behavior 2 \
   "Verified boot error behavior [0: I/O errors, 1: reboot, 2: nothing] \
 (Default: 2)"
 DEFINE_integer verity_tree_depth 1 \
   "Optional Verified boot hash tree depth. (Default: 1)"
 DEFINE_integer verity_max_ios 1024 \
   "Optional number of outstanding I/O operations. (Default: 1024)"
 DEFINE_string verity_hash_alg "sha1" \
   "Cryptographic hash algorithm used for dm-verity. (Default: sha1)"
 
+# TODO(clchiou): Remove this flag after arm verified boot is stable
+DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_FALSE} \
+  "Sign kernel partition for ARM images (temporary hack)."
+
 # Parse flags
 FLAGS "$@" || exit 1
 eval set -- "${FLAGS_ARGV}"
 
 # Die on error
 set -e
 
 verity_args=
 # Even with a rootfs_image, root= is not changed unless specified.
 if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
@@ skipping 54 matching lines @@
 dm_verity.error_behavior=${FLAGS_verity_error_behavior}
 dm_verity.max_bios=${FLAGS_verity_max_ios}
 dm_verity.dev_wait=${dev_wait}
 ${verity_args}
 ${FLAGS_boot_args}
 EOF
 
 WORK="${WORK} ${FLAGS_working_dir}/boot.config"
 info "Emitted cross-platform boot params to ${FLAGS_working_dir}/boot.config"
 
-# FIXME: At the moment, we're working on signed images for x86 only. ARM will
-# support this before shipping, but at the moment they don't.
 if [[ "${FLAGS_arch}" = "x86" ]]; then
-
   # Legacy BIOS will use the kernel in the rootfs (via syslinux), as will
   # standard EFI BIOS (via grub, from the EFI System Partition). Chrome OS
   # BIOS will use a separate signed kernel partition, which we'll create now.
   # FIXME: remove serial output, debugging messages.
-  mkdir -p ${FLAGS_working_dir}
   cat <<EOF | cat - "${FLAGS_working_dir}/boot.config" \
     > "${FLAGS_working_dir}/config.txt"
 console=tty2
 init=/sbin/init
 add_efi_memmap
 boot=local
 noresume
 noswap
 i915.modeset=1
 cros_secure
 kern_guid=%U
 tpm_tis.force=1
 tpm_tis.interrupts=0
 EOF
   WORK="${WORK} ${FLAGS_working_dir}/config.txt"
 
+  bootloader_path="/lib64/bootstub/bootstub.efi"
+  kernel_image="${FLAGS_vmlinuz}"
+
+  sign_the_kernel=${FLAGS_TRUE}
+elif [[ "${FLAGS_arch}" = "arm" ]]; then
+  cp "${FLAGS_working_dir}/boot.config" "${FLAGS_working_dir}/config.txt"
+  WORK="${WORK} ${FLAGS_working_dir}/config.txt"
+
+  kernel_script="${FLAGS_working_dir}/kernel.scr"
+  kernel_script_img="${FLAGS_working_dir}/kernel.scr.uimg"
+
+  echo -n 'setenv bootargs ${bootargs} ' > "${kernel_script}"
+  tr '\n' ' ' < "${FLAGS_working_dir}/boot.config" >> "${kernel_script}"
+  echo >> "${kernel_script}"
+
+  mkimage -A arm -O linux -T script -C none -a 0 -e 0 \
+    -n kernel_script -d "${kernel_script}" "${kernel_script_img}"
+
+  WORK="${WORK} ${kernel_script} ${kernel_script_img}"
+
+  bootloader_path="${kernel_script_img}"
+  kernel_image="${FLAGS_vmlinuz/vmlinuz/vmlinux.uimg}"
+
+  sign_the_kernel=${FLAGS_crosbug12352_arm_kernel_signing}
+else
+  error "Unknown arch: ${FLAGS_arch}"
+fi
+
+if [[ "${sign_the_kernel}" -eq "${FLAGS_TRUE}" ]]; then
   # We sign the image with the recovery_key, because this is what goes onto the
   # USB key. We can only boot from the USB drive in recovery mode.
   # For dev install shim, we need to use the installer keyblock instead of
   # the recovery keyblock because of the difference in flags.
   if [ ${FLAGS_use_dev_keys} -eq ${FLAGS_TRUE} ]; then
     USB_KEYBLOCK=installer_kernel.keyblock
     info "DEBUG: use dev install signing key"
   else
     USB_KEYBLOCK=recovery_kernel.keyblock
     info "DEBUG: use recovery signing key"
   fi
 
   # Create and sign the kernel blob
   vbutil_kernel \
     --pack "${FLAGS_to}" \
     --keyblock "${FLAGS_keys_dir}/${USB_KEYBLOCK}" \
     --signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \
     --version 1 \
     --config "${FLAGS_working_dir}/config.txt" \
-    --bootloader /lib64/bootstub/bootstub.efi \
-    --vmlinuz "${FLAGS_vmlinuz}"
+    --bootloader "${bootloader_path}" \
+    --vmlinuz "${kernel_image}" \
+    --arch "${FLAGS_arch}"
 
   # And verify it.
   vbutil_kernel \
     --verify "${FLAGS_to}" \
     --signpubkey "${FLAGS_keys_dir}/recovery_key.vbpubk"
 
 
   # Now we re-sign the same image using the normal keys. This is the kernel
   # image that is put on the hard disk by the installer. Note: To save space on
   # the USB image, we're only emitting the new verfication block, and the
@@ skipping 12 matching lines @@
   cat "${FLAGS_hd_vblock}" > $tempfile
   dd if="${FLAGS_to}" bs=65536 skip=1 >> $tempfile
 
   vbutil_kernel \
     --verify $tempfile \
     --signpubkey "${FLAGS_keys_dir}/kernel_subkey.vbpubk"
 
   rm -f $tempfile
   trap - EXIT
 
-elif [[ "${FLAGS_arch}" = "arm" ]]; then
-  # FIXME: This stuff is unsigned, and will likely change with vboot_reference
-  # but it doesn't technically have to.
-
-  kernel_script="${FLAGS_working_dir}/kernel.scr"
-  kernel_script_img="${FLAGS_working_dir}/kernel.scr.uimg"
-  # HACK: !! Kernel image construction requires some stuff from portage, not
-  # sure how to get that information here cleanly !!
-  kernel_image="${FLAGS_vmlinuz/vmlinuz/vmlinux.uimg}"
-  WORK="${WORK} ${kernel_script} ${kernel_script_img}"
+else
+  # FIXME: This stuff is unsigned. This part should be removed or made
+  # non-default after ARM verified boot is stable.
 
   kernel_size=$((($(stat -c %s "${kernel_image}") + 511) / 512))
   script_size=16
 
-  # Build boot script image
-  echo -n 'setenv bootargs ${bootargs} ' > "${kernel_script}"
-  tr '\n' ' ' <"${FLAGS_working_dir}/boot.config" >> "${kernel_script}"
-  echo >> "${kernel_script}"
+  # Add more scripts to boot script image for loading kernel image
   printf 'read ${devtype} ${devnum}:${kernelpart} ${loadaddr} %x %x\n' \
     ${script_size} ${kernel_size} >> "${kernel_script}"
   echo 'bootm ${loadaddr}' >> ${kernel_script}
   mkimage -A arm -O linux -T script -C none -a 0 -e 0 \
     -n kernel_script -d "${kernel_script}" "${kernel_script_img}"
 
   if [ $(stat -c %s "${kernel_script_img}") -gt $((512 * ${script_size})) ]
   then
     echo 'Kernel script too large for reserved space.'
     exit 1
   fi
 
   # Assemble image
   rm -f "${FLAGS_to}"
   dd if="${kernel_script_img}" of="${FLAGS_to}" bs=512 count="${script_size}"
   dd if="${kernel_image}" of="${FLAGS_to}" bs=512 seek="${script_size}"
 
   # TODO: HACK: Until the kernel partition contains a signed image, create a
   # phony hd.vblock to keep chromeos-install and cros_generate_update_payload
   # working.
   dd if="${FLAGS_to}" of="${FLAGS_hd_vblock}" bs=64K count=1
-else
-  error "Unknown arch: ${FLAGS_arch}"
 fi
 
 set +e  # cleanup failure is a-ok
 
 if [[ ${FLAGS_keep_work} -eq ${FLAGS_FALSE} ]]; then
   info "Cleaning up temporary files: ${WORK}"
   rm ${WORK}
   rmdir ${FLAGS_working_dir}
 fi
 
 info "Kernel partition image emitted: ${FLAGS_to}"
 
 if [[ -f ${FLAGS_rootfs_hash} ]]; then
   info "Root filesystem hash emitted: ${FLAGS_rootfs_hash}"
 fi