
Unified Diff: build_kernel_image.sh

Issue 6538014: Add transitional flag for enabling arm kernel signing (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/crosutils.git@master
Patch Set: Created 9 years, 10 months ago
Index: build_kernel_image.sh
diff --git a/build_kernel_image.sh b/build_kernel_image.sh
index f54bc3b8ec8a9b44358e5f3ed153628a8c0f08ea..53d09dd710f6b1968aebebeb627cc5b0a7ecb6c5 100755
--- a/build_kernel_image.sh
+++ b/build_kernel_image.sh
@@ -69,6 +69,10 @@ DEFINE_integer verity_max_ios 1024 \
DEFINE_string verity_hash_alg "sha1" \
"Cryptographic hash algorithm used for dm-verity. (Default: sha1)"
+# TODO(clchiou): Change default to FLAGS_TRUE once ARM verify boot is stable?
+DEFINE_boolean enable_kernel_signing ${FLAGS_FALSE} \
Will Drewry 2011/02/17 16:54:09 This flag, at best, should be called something lik
Che-Liang Chiou 2011/02/21 11:08:39 Done.
+ "Sign kernel partition for ARM images."
+
# Parse flags
FLAGS "$@" || exit 1
eval set -- "${FLAGS_ARGV}"
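Review bot: The help string on `enable_kernel_signing` says only "Sign kernel partition for ARM images." It does not say that x86 images are signed regardless of this flag, or that the default leaves the ARM kernel partition unsigned. I would spell that out, for example `"Sign the kernel partition on ARM (x86 is always signed; when false, ARM gets an unsigned boot script image)."`. The TODO above it ends in a question mark; it would be more useful if it stated the condition for flipping the default.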
@@ -143,17 +147,19 @@ EOF
WORK="${WORK} ${FLAGS_working_dir}/boot.config"
info "Emitted cross-platform boot params to ${FLAGS_working_dir}/boot.config"
-# FIXME: At the moment, we're working on signed images for x86 only. ARM will
-# support this before shipping, but at the moment they don't.
-if [[ "${FLAGS_arch}" = "x86" ]]; then
+# FIXME: At the moment, we're working on signed images for x86 only, and
+# signed images for ARM if enabled.
+if [[ "${FLAGS_arch}" = "x86" ||
+ ${FLAGS_enable_kernel_signing} -eq ${FLAGS_TRUE} ]]; then
Will Drewry 2011/02/17 16:54:09 This is making things pretty complex. Why can't w
Che-Liang Chiou 2011/02/21 11:08:39 I rewrote this part of logic. I hope I did not mis
# Legacy BIOS will use the kernel in the rootfs (via syslinux), as will
# standard EFI BIOS (via grub, from the EFI System Partition). Chrome OS
# BIOS will use a separate signed kernel partition, which we'll create now.
# FIXME: remove serial output, debugging messages.
mkdir -p ${FLAGS_working_dir}
- cat <<EOF | cat - "${FLAGS_working_dir}/boot.config" \
- > "${FLAGS_working_dir}/config.txt"
+ if [[ "${FLAGS_arch}" = "x86" ]]; then
+ cat <<EOF | cat - "${FLAGS_working_dir}/boot.config" \
+ > "${FLAGS_working_dir}/config.txt"
console=tty2
init=/sbin/init
add_efi_memmap
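Review bot: The rewritten FIXME above the outer `if` no longer says what needs fixing, and "x86 only, and signed images for ARM if enabled" reads as a contradiction. A plain description would be clearer, for example `# Build a signed kernel partition: always on x86, on ARM only with --enable_kernel_signing.`, with a separate FIXME naming the remaining work. The body of this `if` continues past the end of the hunk.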
@@ -166,6 +172,29 @@ kern_guid=%U
tpm_tis.force=1
tpm_tis.interrupts=0
EOF
+
+ bootloader_path="/lib64/bootstub/bootstub.efi"
+ notx86=""
+ kernel_image="${FLAGS_vmlinuz}"
+ elif [[ "${FLAGS_arch}" = "arm" ]]; then
+ cp "${FLAGS_working_dir}/boot.config" "${FLAGS_working_dir}/config.txt"
+
+ # FIXME: Build boot script image as bootloader. Remove this.
+ kernel_script="${FLAGS_working_dir}/kernel.scr"
+ kernel_script_img="${FLAGS_working_dir}/kernel.scr.uimg"
+ WORK="${WORK} ${kernel_script} ${kernel_script_img}"
+ echo -n 'setenv bootargs ${bootargs} ' > "${kernel_script}"
+ tr '\n' ' ' <"${FLAGS_working_dir}/boot.config" >> "${kernel_script}"
+ mkimage -A arm -O linux -T script -C none -a 0 -e 0 \
+ -n kernel_script -d "${kernel_script}" "${kernel_script_img}"
+
+ bootloader_path="${kernel_script_img}"
+ notx86="--notx86"
Will Drewry 2011/02/17 16:54:09 ? Why isn't this an --arch arm flag?
Che-Liang Chiou 2011/02/21 11:08:39 Because it was meant to turn-off x86-only operatio
+ # FIXME: Change from uImage to zImage
+ kernel_image="${FLAGS_vmlinuz/vmlinuz/vmlinux.uimg}"
+ else
+ error "Unknown arch: ${FLAGS_arch}"
+ fi
WORK="${WORK} ${FLAGS_working_dir}/config.txt"
# We sign the image with the recovery_key, because this is what goes onto the
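Review bot: The `else` arm that reports `Unknown arch` does not visibly stop the script. If `error` only logs (its definition is not in this diff), execution continues to the signing command with `bootloader_path` and `kernel_image` unset. That arm is reachable because the outer condition accepts any `FLAGS_arch` once `enable_kernel_signing` is true. I would fail closed here with `error "Unknown arch: ${FLAGS_arch}"; exit 1`, and likewise stop on a failed `mkimage` rather than let the signing step find the missing file. The enclosing `if` starts before this hunk.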
@@ -187,8 +216,9 @@ EOF
--signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \
--version 1 \
--config "${FLAGS_working_dir}/config.txt" \
- --bootloader /lib64/bootstub/bootstub.efi \
- --vmlinuz "${FLAGS_vmlinuz}"
+ --bootloader "${bootloader_path}" \
+ --vmlinuz "${kernel_image}" \
+ ${notx86}
Will Drewry 2011/02/17 16:54:09 If this just used the arch, then you wouldn't need
Che-Liang Chiou 2011/02/21 11:08:39 Done.
# And verify it.
vbutil_kernel \
@@ -221,9 +251,10 @@ EOF
rm -f $tempfile
trap - EXIT
-elif [[ "${FLAGS_arch}" = "arm" ]]; then
- # FIXME: This stuff is unsigned, and will likely change with vboot_reference
- # but it doesn't technically have to.
+elif [[ "${FLAGS_arch}" = "arm" && \
+ ${FLAGS_enable_kernel_signing} -eq ${FLAGS_FALSE} ]]; then
+ # FIXME: This stuff is unsigned. This part should be removed or made
+ # non-default after ARM verified boot is stable.
kernel_script="${FLAGS_working_dir}/kernel.scr"
kernel_script_img="${FLAGS_working_dir}/kernel.scr.uimg"
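Review bot: The unsigned ARM path remains the default, and nothing in the visible lines records that the resulting kernel partition is unsigned. Someone reading the build log may therefore be unable to tell a signed ARM image from an unsigned one. I would log it at the top of this branch, e.g. `info "ARM kernel signing disabled; kernel partition will be unsigned"`. The two `kernel_script` assignments here also repeat the ones added in the signed ARM branch earlier in the file and could be set once before the outer `if`. The branch body continues past the end of this hunk.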