kernel build: use %U+1 for dm-verity booting

build_kernel_image.sh

 #!/bin/bash
 
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Helper script that generates the signed kernel image
 
 # --- BEGIN COMMON.SH BOILERPLATE ---
 # Load common CrOS utilities.  Inside the chroot this file is installed in
@@ skipping 29 matching lines @@
   "The path to the kernel (Default: vmlinuz)"
 DEFINE_string working_dir "/tmp/vmlinuz.working" \
   "Working directory for in-progress files. (Default: /tmp/vmlinuz.working)"
 DEFINE_boolean keep_work ${FLAGS_FALSE} \
   "Keep temporary files (*.keyblock, *.vbpubk). (Default: false)"
 DEFINE_string keys_dir "${SRC_ROOT}/platform/vboot_reference/tests/testkeys" \
   "Directory with the RSA signing keys. (Defaults to test keys)"
 DEFINE_boolean use_dev_keys ${FLAGS_FALSE} \
   "Use developer keys for signing. (Default: false)"
 # Note, to enable verified boot, the caller would manually pass:
-# --boot_args='dm="... /dev/sd%D%P /dev/sd%D%P ..." \
+# --boot_args='dm="... %U+1 %U+1 ..." \
 # --root=/dev/dm-0
 DEFINE_string boot_args "noinitrd" \
   "Additional boot arguments to pass to the commandline (Default: noinitrd)"
+# By default, we use a firmware enumerated value, but it isn't reliable for
+# production use.  If +%d can be added upstream, then we can use:
+#   root=PARTUID=uuid+1
 DEFINE_string root "/dev/sd%D%P" \
-  "Expected device root (Default: root=/dev/sd%D%P)"
-
+  "Expected device root partition"
 # If provided, will automatically add verified boot arguments.
 DEFINE_string rootfs_image "" \
   "Optional path to the rootfs device or image.(Default: \"\")"
 DEFINE_string rootfs_hash "" \
   "Optional path to output the rootfs hash to. (Default: \"\")"
 DEFINE_integer verity_error_behavior 2 \
   "Verified boot error behavior [0: I/O errors, 1: reboot, 2: nothing] \
 (Default: 2)"
 DEFINE_integer verity_tree_depth 1 \
   "Optional Verified boot hash tree depth. (Default: 1)"
-DEFINE_integer verity_max_ios 1024 \
-  "Optional number of outstanding I/O operations. (Default: 1024)"
+DEFINE_integer verity_max_ios -1 \
+  "Optional number of outstanding I/O operations. (Default: -1)"
 DEFINE_string verity_hash_alg "sha1" \
   "Cryptographic hash algorithm used for dm-verity. (Default: sha1)"
 
 # Parse flags
 FLAGS "$@" || exit 1
 eval set -- "${FLAGS_ARGV}"
 
 # Die on error
 set -e
 
@@ skipping 22 matching lines @@
                         ${root_fs_blocks} \
                         ${FLAGS_rootfs_hash})
   if [[ -f "${FLAGS_rootfs_hash}" ]]; then
     sudo chmod a+r "${FLAGS_rootfs_hash}"
   fi
   # Don't claim the root device unless the root= flag is pointed to
   # the verified boot device.  Doing so will claim /dev/sdDP out from
   # under the system.
   if [[ ${FLAGS_root} = "/dev/dm-0" ]]; then
     if [[ "${FLAGS_arch}" = "x86" ]]; then
-      base_root='/dev/sd%D%P'
+      base_root='%U+1'  # kern_guid + 1
     elif [[ "${FLAGS_arch}" = "arm" ]]; then
       base_root='/dev/${devname}${rootpart}'
     fi
     table=${table//HASH_DEV/${base_root}}
     table=${table//ROOT_DEV/${base_root}}
   fi
   verity_args="dm=\"vroot none ro,${table}\""
   info "dm-verity configuration: ${verity_args}"
 fi
 
@@ skipping 148 matching lines @@
   info "Cleaning up temporary files: ${WORK}"
   rm ${WORK}
   rmdir ${FLAGS_working_dir}
 fi
 
 info "Kernel partition image emitted: ${FLAGS_to}"
 
 if [[ -f ${FLAGS_rootfs_hash} ]]; then
   info "Root filesystem hash emitted: ${FLAGS_rootfs_hash}"
 fi