Introduce ability to change the kernel command line.

Introduce ability to change the kernel command line.

After this change vbutil_kernel allows to repack an existing
signed ChromeOS kernel such that the kernel command line is
changed on operator's request. 

The new command line parameter is --verbose which causes
--verify to print out current contents of the kernel
command line.

Some refactoring and cleaning were also done:
 - provide a macro to access command line buffer inside
   a kernel blob
 - ReadConfigFile() a new wrapper to preprocess the
   config file.
 - keep the key_block and preamble in the blob when
   unpacking an existing signed kernel for --repack and
   --verify.
 - make --pack expect at least one of the two:
   --config or --keyblock, thus allowing to change the
   command line without replacing anything else in the
   signed kernel image.
 - refactor Verify() to use OldBlob() to preprocess the
   image.

The top level Makefile was changed to allow compiling for debugging.

Build with DEBUG=1
in the make command line to enable gdb debugging and debug printouts. Build with DISABLE_NDEBUG=1
in the make command line to enable cryptolib debug outputs.
 
BUG=http://code.google.com/p/chromium-os/issues/detail?id=4814

TEST=see below

1. Observe that all unit tests still pass by running

(vboot_reference $) RUNTESTS=1 make

2. On a working DVT system copy the running kernel into a
file using

dd if=/dev/sda2 of=/tmp/dev.kernel

and transfer the file to the host into /tmp/try/dev.kernel

Then create the new config file in /tmp/try/new.conf.txt and run the following commands:
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
(vboot_reference $) ./build/utility/vbutil_kernel  --verify /tmp/try/dev.kernel  --signpubkey tests/devkeys/kernel_subkey.vbpubk --verbose
Key block:
  Size:                0x4b8
  Data key algorithm:  4 RSA2048 SHA256
  Data key version:    1
  Flags:               7
Preamble:
  Size:                0xfb48
  Header version:      2.0
  Kernel version:      1
  Body load address:   0x100000
  Body size:           0x302000
  Bootloader address:  0x3fe000
  Bootloader size:     0x4000
Body verification succeeded.
Config:
earlyprintk=serial,ttyS0,115200 console=ttyS0,115200 init=/sbin/init add_efi_memmap boot=local rootwait ro noresume noswap i915.modeset=1 loglevel=7 cros_secure root=/dev/sd%D%P dm_verity.error_behavior=2 dm_verity.max_bios=1024 dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 sha1 a7fbd641ba25488509987959d5756d802790ef8f" noinitrd 

(vboot_reference $)   ./build/utility/vbutil_kernel  --repack /tmp/try/dev.kernel.repacked  --signprivate tests/devkeys/kernel_data_key.vbprivk  --oldblob /tmp/try/dev.kernel --config /tmp/try/new.conf.txt 
(vboot_reference $)  ./build/utility/vbutil_kernel  --verify /tmp/try/dev.kernel.repacked  --signpubkey tests/devkeys/kernel_subkey.vbpubk --verbose
Key block:
  Size:                0x4b8
  Data key algorithm:  4 RSA2048 SHA256
  Data key version:    1
  Flags:               7
Preamble:
  Size:                0xfb48
  Header version:      2.0
  Kernel version:      1
  Body load address:   0x100000
  Body size:           0x302000
  Bootloader address:  0x3fe000
  Bootloader size:     0x4000
Body verification succeeded.
Config:
console=tty2 init=/sbin/init add_efi_memmap boot=local rootwait ro noresume noswap i915.modeset=1 loglevel=7 cros_secure root=/dev/sd%D%P dm_verity.error_behavior=2 dm_verity.max_bios=1024 dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 sha1 ff06384015a7726baff719ee68eab312b1d45570" noinitrd 
(vboot_reference $)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Observe the chanegd command line printed by --verify --verbose. Then transfer the new kernel image back to the DVT system, dd it into /dev/sda2 and restart the DVT system.

Observe kernel startup messages dumped on the screen (due to the changed kernel command line). 

Then examine /proc/cmdline to verify that the command line indeed matches the contents of /tmp/try/new.conf.txt on the host.

3. Build the code with 

(vboot_reference$) DEBUG=1
make

 observe that debug information is visible by gdb.

  Build the code with

(vboot_reference$) DISABLE_DEBUG=1
make

and observe that  -DNDEBUG is dropped from the compiler invocation line.

[Randall Spangler, 2010-07-15 01:04:14]

http://codereview.chromium.org/3004001/diff/10001/11001
File Makefile (right):

http://codereview.chromium.org/3004001/diff/10001/11001#newcode7
Makefile:7: export CFLAGS = -Wall -DNDEBUG -Werror -DCHROMEOS_ENVIRONMENT
Should -DNDEBUG be gated by $(DEBUG) as well?

http://codereview.chromium.org/3004001/diff/10001/11002
File utility/vbutil_kernel.c (right):

http://codereview.chromium.org/3004001/diff/10001/11002#newcode180
utility/vbutil_kernel.c:180: #define BP_CMD_LINE_LOCATION(bp) ((char*)          
                        \
Coding style: prefer functions to macros.

[vb, 2010-07-15 01:45:47]

http://codereview.chromium.org/3004001/diff/10001/11001
File Makefile (right):

http://codereview.chromium.org/3004001/diff/10001/11001#newcode7
Makefile:7: export CFLAGS = -Wall -DNDEBUG -Werror -DCHROMEOS_ENVIRONMENT
On 2010/07/15 01:04:14, Randall Spangler wrote:
> Should -DNDEBUG be gated by $(DEBUG) as well?

sure, makes sense.

http://codereview.chromium.org/3004001/diff/10001/11002
File utility/vbutil_kernel.c (right):

http://codereview.chromium.org/3004001/diff/10001/11002#newcode180
utility/vbutil_kernel.c:180: #define BP_CMD_LINE_LOCATION(bp) ((char*)          
                        \
On 2010/07/15 01:04:14, Randall Spangler wrote:
> Coding style: prefer functions to macros.

Done.

[gauravsh, 2010-07-15 01:47:56]

http://codereview.chromium.org/3004001/diff/10001/11001
File Makefile (right):

http://codereview.chromium.org/3004001/diff/10001/11001#newcode7
Makefile:7: export CFLAGS = -Wall -DNDEBUG -Werror -DCHROMEOS_ENVIRONMENT
On 2010/07/15 01:04:14, Randall Spangler wrote:
> Should -DNDEBUG be gated by $(DEBUG) as well?

NDEBUG can be gated but you would most likely want it to stay in the current
state. It's used by a bunch of crypto lib functions and the error logs are just
too verbose. :)

[vb, 2010-07-15 02:11:23]

Sure, I can move it back. I'll wait for the rest of your comments guys, if any.

cheers,
/v


On Wed, Jul 14, 2010 at 6:47 PM,  <gauravsh@chromium.org> wrote:
>
> http://codereview.chromium.org/3004001/diff/10001/11001
> File Makefile (right):
>
> http://codereview.chromium.org/3004001/diff/10001/11001#newcode7
> Makefile:7: export CFLAGS = -Wall -DNDEBUG -Werror
> -DCHROMEOS_ENVIRONMENT
> On 2010/07/15 01:04:14, Randall Spangler wrote:
>>
>> Should -DNDEBUG be gated by $(DEBUG) as well?
>
> NDEBUG can be gated but you would most likely want it to stay in the
> current state. It's used by a bunch of crypto lib functions and the
> error logs are just too verbose. :)
>
> http://codereview.chromium.org/3004001/show
>

[gauravsh, 2010-07-15 02:12:25]

lgtm

On Wed, Jul 14, 2010 at 7:10 PM, Vadim Bendebury <vbendeb@chromium.org> wrote:
> Sure, I can move it back. I'll wait for the rest of your comments guys, if
any.
>
> cheers,
> /v
>
>
> On Wed, Jul 14, 2010 at 6:47 PM,  <gauravsh@chromium.org> wrote:
>>
>> http://codereview.chromium.org/3004001/diff/10001/11001
>> File Makefile (right):
>>
>> http://codereview.chromium.org/3004001/diff/10001/11001#newcode7
>> Makefile:7: export CFLAGS = -Wall -DNDEBUG -Werror
>> -DCHROMEOS_ENVIRONMENT
>> On 2010/07/15 01:04:14, Randall Spangler wrote:
>>>
>>> Should -DNDEBUG be gated by $(DEBUG) as well?
>>
>> NDEBUG can be gated but you would most likely want it to stay in the
>> current state. It's used by a bunch of crypto lib functions and the
>> error logs are just too verbose. :)
>>
>> http://codereview.chromium.org/3004001/show
>>
>



-- 
-g

[Randall Spangler, 2010-07-15 16:55:19]

agree with Gaurav that NDEBUG should be there all the time if cryptolib spams
the debug output.

LGTM with that change

[vb, 2010-07-15 17:17:56]

Ok, I separated handling -DNDEBUG into its own makefile logic and retested.

Am about to submit the change.