From 04c00e19c6fd1d9ad09d2bf5e06518c249d62b31 Mon Sep 17 00:00:00 2001 From: Hung-Te Lin Date: Thu, 30 Sep 2010 16:18:09 +0800 Subject: [PATCH] Add a utility to tag/stamp image There are several procedures in Chrome OS post-processing before being released: stamping, tagging, mod image for URLs, ... and signing. We need an integrated script to handle all the stamping / tagging. This CL can handle empty tag files like /root/.force_update_firmware or /root/.dev_mode. This CL deprecates http://codereview.chromium.org/3421040 and moved script from crosutils to vboot_reference. In the future we may isolate the non-signing post-processing scripts (set_lsb, tag_image, remove_label, ...) into crosutils. BUG=none TEST=manually: (1) Build a general dev image without firmware updates (default behavior of build_image for x86-generic ToT) (2) Enter chroot and then execute: cd ~/trunk/src/platform/vboot_reference/scripts; ./tag_image.sh \ --from ~/trunk/src/build/images/x86-generic/latest/chromiumos_image.bin Expected: output message: Update Firmware: disabled Developer Mode: Enabled (3) ./tag_image.sh --update_firmware=1 --dev_mode=0 \ --from ~/trunk/src//build/images/x86-generic/latest/chromiumos_image.bin Expected: output message: Update Firmware: disabled => Enabled Developer Mode: Enabled => disabled Manually verify: pushd ../../build/images/x86-generic/latest unpack_partitions.sh chromiumos_image.bin sudo mount -o loop,ro part_3 rootfs ls -l rootfs/root/.force_update_firmware # this file should exist ls -l rootfs/root/.dev_mode # this file should NOT exist (i.e., error) sudo umount rootfs (4) ./tag_image.sh --update_firmware=0 --dev_mod=1 \ --from ~/trunk/src/build/images/x86-generic/latest/chromiumos_image.bin Expected: output message: Update Firmware: Enabled => disabled Developer Mode: disabled => Enabled Manually verify: pushd ../../build/images/x86-generic/latest unpack_partitions.sh chromiumos_image.bin sudo mount -o loop,ro part_3 rootfs ls -l rootfs/root/.force_update_firmware # this file should NOT exist (i.e., error) ls -l rootfs/root/.dev_mode # this file should exist sudo umount rootfs Change-Id: I96af3c7201372bb904426d10cff142467a1fa2e7 Review URL: http://codereview.chromium.org/3604001 --- scripts/image_signing/common.sh | 48 + .../image_signing/lib/shflags/README.chromium | 1 + scripts/image_signing/lib/shflags/shflags | 1009 +++++++++++++++++ scripts/image_signing/sign_official_build.sh | 13 +- scripts/image_signing/tag_image.sh | 158 +++ 5 files changed, 1228 insertions(+), 1 deletion(-) create mode 100644 scripts/image_signing/lib/shflags/README.chromium create mode 100644 scripts/image_signing/lib/shflags/shflags create mode 100755 scripts/image_signing/tag_image.sh diff --git a/scripts/image_signing/common.sh b/scripts/image_signing/common.sh index c4824c61cc..f7ed54137b 100755 --- a/scripts/image_signing/common.sh +++ b/scripts/image_signing/common.sh @@ -9,6 +9,16 @@ SCRIPT_DIR=$(dirname $0) PROG=$(basename $0) GPT=cgpt +# The tag when the rootfs is changed. +TAG_NEEDS_TO_BE_SIGNED="/root/.need_to_be_signed" + +# Load shflags +if [[ -f /usr/lib/shflags ]]; then + . /usr/lib/shflags +else + . "${SCRIPT_DIR}/lib/shflags/shflags" +fi + # List of Temporary files and mount points. TEMP_FILE_LIST=$(mktemp) TEMP_DIR_LIST=$(mktemp) @@ -27,6 +37,38 @@ partsize() { sudo $GPT show -s -i $2 $1 } +# Tags a file system as "needs to be resigned". +# Args: MOUNTDIRECTORY +tag_as_needs_to_be_resigned() { + local mount_dir="$1" + sudo touch "$mount_dir/$TAG_NEEDS_TO_BE_SIGNED" +} + +# Determines if the target file system has the tag for resign +# Args: MOUNTDIRECTORY +# Returns: $FLAGS_TRUE if the tag is there, otherwise $FLAGS_FALSE +has_needs_to_be_resigned_tag() { + local mount_dir="$1" + if [ -f "$mount_dir/$TAG_NEEDS_TO_BE_SIGNED" ]; then + return ${FLAGS_TRUE} + else + return ${FLAGS_FALSE} + fi +} + +# Determines if the target file system is a Chrome OS root fs +# Args: MOUNTDIRECTORY +# Returns: $FLAGS_TRUE if MOUNTDIRECTORY looks like root fs, +# otherwise $FLAGS_FALSE +is_rootfs_partition() { + local mount_dir="$1" + if [ -f "$mount_dir/$(dirname "$TAG_NEEDS_TO_BE_SIGNED")" ]; then + return ${FLAGS_TRUE} + else + return ${FLAGS_FALSE} + fi +} + # Mount a partition read-only from an image into a local directory # Args: IMAGE PARTNUM MOUNTDIRECTORY mount_image_partition_ro() { @@ -45,6 +87,9 @@ mount_image_partition() { local mount_dir=$3 local offset=$(partoffset "$image" "$partnum") sudo mount -o loop,offset=$((offset * 512)) "$image" "$mount_dir" + if is_rootfs_partition "$mount_dir"; then + tag_as_needs_to_be_resigned "$mount_dir" + fi } # Extract a partition to a file @@ -93,6 +138,9 @@ cleanup_temps_and_mounts() { set +e # umount may fail for unmounted directories for i in "$(cat $TEMP_DIR_LIST)"; do if [ -n "$i" ]; then + if has_needs_to_be_resigned_tag "$i"; then + echo "Warning: image may be modified. Please resign image." + fi sudo umount -d $i 2>/dev/null rm -rf $i fi diff --git a/scripts/image_signing/lib/shflags/README.chromium b/scripts/image_signing/lib/shflags/README.chromium new file mode 100644 index 0000000000..3886892364 --- /dev/null +++ b/scripts/image_signing/lib/shflags/README.chromium @@ -0,0 +1 @@ +This is r137 of shflags diff --git a/scripts/image_signing/lib/shflags/shflags b/scripts/image_signing/lib/shflags/shflags new file mode 100644 index 0000000000..773e0f3d83 --- /dev/null +++ b/scripts/image_signing/lib/shflags/shflags @@ -0,0 +1,1009 @@ +# $Id: shflags 133 2009-05-10 18:04:51Z kate.ward@forestent.com $ +# vim:et:ft=sh:sts=2:sw=2 +# +# Copyright 2008 Kate Ward. All Rights Reserved. +# Released under the LGPL (GNU Lesser General Public License) +# +# shFlags -- Advanced command-line flag library for Unix shell scripts. +# http://code.google.com/p/shflags/ +# +# Author: kate.ward@forestent.com (Kate Ward) +# +# This module implements something like the google-gflags library available +# from http://code.google.com/p/google-gflags/. +# +# FLAG TYPES: This is a list of the DEFINE_*'s that you can do. All flags take +# a name, default value, help-string, and optional 'short' name (one-letter +# name). Some flags have other arguments, which are described with the flag. +# +# DEFINE_string: takes any input, and intreprets it as a string. +# +# DEFINE_boolean: typically does not take any argument: say --myflag to set +# FLAGS_myflag to true, or --nomyflag to set FLAGS_myflag to false. +# Alternately, you can say +# --myflag=true or --myflag=t or --myflag=0 or +# --myflag=false or --myflag=f or --myflag=1 +# Passing an option has the same affect as passing the option once. +# +# DEFINE_float: takes an input and intreprets it as a floating point number. As +# shell does not support floats per-se, the input is merely validated as +# being a valid floating point value. +# +# DEFINE_integer: takes an input and intreprets it as an integer. +# +# SPECIAL FLAGS: There are a few flags that have special meaning: +# --help (or -?) prints a list of all the flags in a human-readable fashion +# --flagfile=foo read flags from foo. (not implemented yet) +# -- as in getopt(), terminates flag-processing +# +# EXAMPLE USAGE: +# +# -- begin hello.sh -- +# #! /bin/sh +# . ./shflags +# DEFINE_string name 'world' "somebody's name" n +# FLAGS "$@" || exit $? +# eval set -- "${FLAGS_ARGV}" +# echo "Hello, ${FLAGS_name}." +# -- end hello.sh -- +# +# $ ./hello.sh -n Kate +# Hello, Kate. +# +# NOTE: Not all systems include a getopt version that supports long flags. On +# these systems, only short flags are recognized. + +#============================================================================== +# shFlags +# +# Shared attributes: +# flags_error: last error message +# flags_return: last return value +# +# __flags_longNames: list of long names for all flags +# __flags_shortNames: list of short names for all flags +# __flags_boolNames: list of boolean flag names +# +# __flags_opts: options parsed by getopt +# +# Per-flag attributes: +# FLAGS_: contains value of flag named 'flag_name' +# __flags__default: the default flag value +# __flags__help: the flag help string +# __flags__short: the flag short name +# __flags__type: the flag type +# +# Notes: +# - lists of strings are space separated, and a null value is the '~' char. + +# return if FLAGS already loaded +[ -n "${FLAGS_VERSION:-}" ] && return 0 +FLAGS_VERSION='1.0.3' + +# return values +FLAGS_TRUE=0 +FLAGS_FALSE=1 +FLAGS_ERROR=2 + +# reserved flag names +FLAGS_RESERVED='ARGC ARGV ERROR FALSE HELP PARENT RESERVED TRUE VERSION' + +_flags_debug() { echo "flags:DEBUG $@" >&2; } +_flags_warn() { echo "flags:WARN $@" >&2; } +_flags_error() { echo "flags:ERROR $@" >&2; } +_flags_fatal() { echo "flags:FATAL $@" >&2; } + +# specific shell checks +if [ -n "${ZSH_VERSION:-}" ]; then + setopt |grep "^shwordsplit$" >/dev/null + if [ $? -ne ${FLAGS_TRUE} ]; then + _flags_fatal 'zsh shwordsplit option is required for proper zsh operation' + exit ${FLAGS_ERROR} + fi + if [ -z "${FLAGS_PARENT:-}" ]; then + _flags_fatal "zsh does not pass \$0 through properly. please declare' \ +\"FLAGS_PARENT=\$0\" before calling shFlags" + exit ${FLAGS_ERROR} + fi +fi + +# +# constants +# + +# getopt version +__FLAGS_GETOPT_VERS_STD=0 +__FLAGS_GETOPT_VERS_ENH=1 +__FLAGS_GETOPT_VERS_BSD=2 + +getopt >/dev/null 2>&1 +case $? in + 0) __FLAGS_GETOPT_VERS=${__FLAGS_GETOPT_VERS_STD} ;; # bsd getopt + 2) + # TODO(kward): look into '-T' option to test the internal getopt() version + if [ "`getopt --version`" = '-- ' ]; then + __FLAGS_GETOPT_VERS=${__FLAGS_GETOPT_VERS_STD} + else + __FLAGS_GETOPT_VERS=${__FLAGS_GETOPT_VERS_ENH} + fi + ;; + *) + _flags_fatal 'unable to determine getopt version' + exit ${FLAGS_ERROR} + ;; +esac + +# getopt optstring lengths +__FLAGS_OPTSTR_SHORT=0 +__FLAGS_OPTSTR_LONG=1 + +__FLAGS_NULL='~' + +# flag info strings +__FLAGS_INFO_DEFAULT='default' +__FLAGS_INFO_HELP='help' +__FLAGS_INFO_SHORT='short' +__FLAGS_INFO_TYPE='type' + +# flag lengths +__FLAGS_LEN_SHORT=0 +__FLAGS_LEN_LONG=1 + +# flag types +__FLAGS_TYPE_NONE=0 +__FLAGS_TYPE_BOOLEAN=1 +__FLAGS_TYPE_FLOAT=2 +__FLAGS_TYPE_INTEGER=3 +__FLAGS_TYPE_STRING=4 + +# set the constants readonly +__flags_constants=`set |awk -F= '/^FLAGS_/ || /^__FLAGS_/ {print $1}'` +for __flags_const in ${__flags_constants}; do + # skip certain flags + case ${__flags_const} in + FLAGS_HELP) continue ;; + FLAGS_PARENT) continue ;; + esac + # set flag readonly + if [ -z "${ZSH_VERSION:-}" ]; then + readonly ${__flags_const} + else # handle zsh + case ${ZSH_VERSION} in + [123].*) readonly ${__flags_const} ;; + *) readonly -g ${__flags_const} ;; # declare readonly constants globally + esac + fi +done +unset __flags_const __flags_constants + +# +# internal variables +# + +__flags_boolNames=' ' # space separated list of boolean flag names +__flags_longNames=' ' # space separated list of long flag names +__flags_shortNames=' ' # space separated list of short flag names + +__flags_columns='' # screen width in columns +__flags_opts='' # temporary storage for parsed getopt flags + +#------------------------------------------------------------------------------ +# private functions +# + +# Define a flag. +# +# Calling this function will define the following info variables for the +# specified flag: +# FLAGS_flagname - the name for this flag (based upon the long flag name) +# __flags__default - the default value +# __flags_flagname_help - the help string +# __flags_flagname_short - the single letter alias +# __flags_flagname_type - the type of flag (one of __FLAGS_TYPE_*) +# +# Args: +# _flags__type: integer: internal type of flag (__FLAGS_TYPE_*) +# _flags__name: string: long flag name +# _flags__default: default flag value +# _flags__help: string: help string +# _flags__short: string: (optional) short flag name +# Returns: +# integer: success of operation, or error +_flags_define() +{ + if [ $# -lt 4 ]; then + flags_error='DEFINE error: too few arguments' + flags_return=${FLAGS_ERROR} + _flags_error "${flags_error}" + return ${flags_return} + fi + + _flags_type_=$1 + _flags_name_=$2 + _flags_default_=$3 + _flags_help_=$4 + _flags_short_=${5:-${__FLAGS_NULL}} + + _flags_return_=${FLAGS_TRUE} + + # TODO(kward): check for validity of the flag name (e.g. dashes) + + # check whether the flag name is reserved + echo " ${FLAGS_RESERVED} " |grep " ${_flags_name_} " >/dev/null + if [ $? -eq 0 ]; then + flags_error="flag name (${_flags_name_}) is reserved" + _flags_return_=${FLAGS_ERROR} + fi + + # require short option for getopt that don't support long options + if [ ${_flags_return_} -eq ${FLAGS_TRUE} \ + -a ${__FLAGS_GETOPT_VERS} -ne ${__FLAGS_GETOPT_VERS_ENH} \ + -a "${_flags_short_}" = "${__FLAGS_NULL}" ] + then + flags_error="short flag required for (${_flags_name_}) on this platform" + _flags_return_=${FLAGS_ERROR} + fi + + # check for existing long name definition + if [ ${_flags_return_} -eq ${FLAGS_TRUE} ]; then + if _flags_itemInList "${_flags_name_}" \ + ${__flags_longNames} ${__flags_boolNames} + then + flags_error="flag name ([no]${_flags_name_}) already defined" + _flags_warn "${flags_error}" + _flags_return_=${FLAGS_FALSE} + fi + fi + + # check for existing short name definition + if [ ${_flags_return_} -eq ${FLAGS_TRUE} \ + -a "${_flags_short_}" != "${__FLAGS_NULL}" ] + then + if _flags_itemInList "${_flags_short_}" ${__flags_shortNames}; then + flags_error="flag short name (${_flags_short_}) already defined" + _flags_warn "${flags_error}" + _flags_return_=${FLAGS_FALSE} + fi + fi + + # handle default value. note, on several occasions the 'if' portion of an + # if/then/else contains just a ':' which does nothing. a binary reversal via + # '!' is not done because it does not work on all shells. + if [ ${_flags_return_} -eq ${FLAGS_TRUE} ]; then + case ${_flags_type_} in + ${__FLAGS_TYPE_BOOLEAN}) + if _flags_validateBoolean "${_flags_default_}"; then + case ${_flags_default_} in + true|t|0) _flags_default_=${FLAGS_TRUE} ;; + false|f|1) _flags_default_=${FLAGS_FALSE} ;; + esac + else + flags_error="invalid default flag value '${_flags_default_}'" + _flags_return_=${FLAGS_ERROR} + fi + ;; + + ${__FLAGS_TYPE_FLOAT}) + if _flags_validateFloat "${_flags_default_}"; then + : + else + flags_error="invalid default flag value '${_flags_default_}'" + _flags_return_=${FLAGS_ERROR} + fi + ;; + + ${__FLAGS_TYPE_INTEGER}) + if _flags_validateInteger "${_flags_default_}"; then + : + else + flags_error="invalid default flag value '${_flags_default_}'" + _flags_return_=${FLAGS_ERROR} + fi + ;; + + ${__FLAGS_TYPE_STRING}) ;; # everything in shell is a valid string + + *) + flags_error="unrecognized flag type '${_flags_type_}'" + _flags_return_=${FLAGS_ERROR} + ;; + esac + fi + + if [ ${_flags_return_} -eq ${FLAGS_TRUE} ]; then + # store flag information + eval "FLAGS_${_flags_name_}='${_flags_default_}'" + eval "__flags_${_flags_name_}_${__FLAGS_INFO_TYPE}=${_flags_type_}" + eval "__flags_${_flags_name_}_${__FLAGS_INFO_DEFAULT}=\ +\"${_flags_default_}\"" + eval "__flags_${_flags_name_}_${__FLAGS_INFO_HELP}=\"${_flags_help_}\"" + eval "__flags_${_flags_name_}_${__FLAGS_INFO_SHORT}='${_flags_short_}'" + + # append flag name(s) to list of names + __flags_longNames="${__flags_longNames}${_flags_name_} " + __flags_shortNames="${__flags_shortNames}${_flags_short_} " + [ ${_flags_type_} -eq ${__FLAGS_TYPE_BOOLEAN} ] && \ + __flags_boolNames="${__flags_boolNames}no${_flags_name_} " + fi + + flags_return=${_flags_return_} + unset _flags_default_ _flags_help_ _flags_name_ _flags_return_ _flags_short_ \ + _flags_type_ + [ ${flags_return} -eq ${FLAGS_ERROR} ] && _flags_error "${flags_error}" + return ${flags_return} +} + +# Return valid getopt options using currently defined list of long options. +# +# This function builds a proper getopt option string for short (and long) +# options, using the current list of long options for reference. +# +# Args: +# _flags_optStr: integer: option string type (__FLAGS_OPTSTR_*) +# Output: +# string: generated option string for getopt +# Returns: +# boolean: success of operation (always returns True) +_flags_genOptStr() +{ + _flags_optStrType_=$1 + + _flags_opts_='' + + for _flags_flag_ in ${__flags_longNames}; do + _flags_type_=`_flags_getFlagInfo ${_flags_flag_} ${__FLAGS_INFO_TYPE}` + case ${_flags_optStrType_} in + ${__FLAGS_OPTSTR_SHORT}) + _flags_shortName_=`_flags_getFlagInfo \ + ${_flags_flag_} ${__FLAGS_INFO_SHORT}` + if [ "${_flags_shortName_}" != "${__FLAGS_NULL}" ]; then + _flags_opts_="${_flags_opts_}${_flags_shortName_}" + # getopt needs a trailing ':' to indicate a required argument + [ ${_flags_type_} -ne ${__FLAGS_TYPE_BOOLEAN} ] && \ + _flags_opts_="${_flags_opts_}:" + fi + ;; + + ${__FLAGS_OPTSTR_LONG}) + _flags_opts_="${_flags_opts_:+${_flags_opts_},}${_flags_flag_}" + # getopt needs a trailing ':' to indicate a required argument + [ ${_flags_type_} -ne ${__FLAGS_TYPE_BOOLEAN} ] && \ + _flags_opts_="${_flags_opts_}:" + ;; + esac + done + + echo "${_flags_opts_}" + unset _flags_flag_ _flags_opts_ _flags_optStrType_ _flags_shortName_ \ + _flags_type_ + return ${FLAGS_TRUE} +} + +# Returns flag details based on a flag name and flag info. +# +# Args: +# string: long flag name +# string: flag info (see the _flags_define function for valid info types) +# Output: +# string: value of dereferenced flag variable +# Returns: +# integer: one of FLAGS_{TRUE|FALSE|ERROR} +_flags_getFlagInfo() +{ + _flags_name_=$1 + _flags_info_=$2 + + _flags_nameVar_="__flags_${_flags_name_}_${_flags_info_}" + _flags_strToEval_="_flags_value_=\"\${${_flags_nameVar_}:-}\"" + eval "${_flags_strToEval_}" + if [ -n "${_flags_value_}" ]; then + flags_return=${FLAGS_TRUE} + else + # see if the _flags_name_ variable is a string as strings can be empty... + # note: the DRY principle would say to have this function call itself for + # the next three lines, but doing so results in an infinite loop as an + # invalid _flags_name_ will also not have the associated _type variable. + # Because it doesn't (it will evaluate to an empty string) the logic will + # try to find the _type variable of the _type variable, and so on. Not so + # good ;-) + _flags_typeVar_="__flags_${_flags_name_}_${__FLAGS_INFO_TYPE}" + _flags_strToEval_="_flags_type_=\"\${${_flags_typeVar_}:-}\"" + eval "${_flags_strToEval_}" + if [ "${_flags_type_}" = "${__FLAGS_TYPE_STRING}" ]; then + flags_return=${FLAGS_TRUE} + else + flags_return=${FLAGS_ERROR} + flags_error="invalid flag name (${_flags_nameVar_})" + fi + fi + + echo "${_flags_value_}" + unset _flags_info_ _flags_name_ _flags_strToEval_ _flags_type_ _flags_value_ \ + _flags_nameVar_ _flags_typeVar_ + [ ${flags_return} -eq ${FLAGS_ERROR} ] && _flags_error "${flags_error}" + return ${flags_return} +} + +# check for presense of item in a list. passed a string (e.g. 'abc'), this +# function will determine if the string is present in the list of strings (e.g. +# ' foo bar abc '). +# +# Args: +# _flags__str: string: string to search for in a list of strings +# unnamed: list: list of strings +# Returns: +# boolean: true if item is in the list +_flags_itemInList() +{ + _flags_str_=$1 + shift + + echo " ${*:-} " |grep " ${_flags_str_} " >/dev/null + if [ $? -eq 0 ]; then + flags_return=${FLAGS_TRUE} + else + flags_return=${FLAGS_FALSE} + fi + + unset _flags_str_ + return ${flags_return} +} + +# Returns the width of the current screen. +# +# Output: +# integer: width in columns of the current screen. +_flags_columns() +{ + if [ -z "${__flags_columns}" ]; then + # determine the value and store it + if eval stty size >/dev/null 2>&1; then + # stty size worked :-) + set -- `stty size` + __flags_columns=$2 + elif eval tput cols >/dev/null 2>&1; then + set -- `tput cols` + __flags_columns=$1 + else + __flags_columns=80 # default terminal width + fi + fi + echo ${__flags_columns} +} + +# Validate a boolean. +# +# Args: +# _flags__bool: boolean: value to validate +# Returns: +# bool: true if the value is a valid boolean +_flags_validateBoolean() +{ + _flags_bool_=$1 + + flags_return=${FLAGS_TRUE} + case "${_flags_bool_}" in + true|t|0) ;; + false|f|1) ;; + *) flags_return=${FLAGS_FALSE} ;; + esac + + unset _flags_bool_ + return ${flags_return} +} + +# Validate a float. +# +# Args: +# _flags__float: float: value to validate +# Returns: +# bool: true if the value is a valid float +_flags_validateFloat() +{ + _flags_float_=$1 + + if _flags_validateInteger ${_flags_float_}; then + flags_return=${FLAGS_TRUE} + else + flags_return=${FLAGS_TRUE} + case ${_flags_float_} in + -*) # negative floats + _flags_test_=`expr "${_flags_float_}" : '\(-[0-9][0-9]*\.[0-9][0-9]*\)'` + ;; + *) # positive floats + _flags_test_=`expr "${_flags_float_}" : '\([0-9][0-9]*\.[0-9][0-9]*\)'` + ;; + esac + [ "${_flags_test_}" != "${_flags_float_}" ] && flags_return=${FLAGS_FALSE} + fi + + unset _flags_float_ _flags_test_ + return ${flags_return} +} + +# Validate an integer. +# +# Args: +# _flags__integer: interger: value to validate +# Returns: +# bool: true if the value is a valid integer +_flags_validateInteger() +{ + _flags_int_=$1 + + flags_return=${FLAGS_TRUE} + case ${_flags_int_} in + -*) # negative ints + _flags_test_=`expr "${_flags_int_}" : '\(-[0-9][0-9]*\)'` + ;; + *) # positive ints + _flags_test_=`expr "${_flags_int_}" : '\([0-9][0-9]*\)'` + ;; + esac + [ "${_flags_test_}" != "${_flags_int_}" ] && flags_return=${FLAGS_FALSE} + + unset _flags_int_ _flags_test_ + return ${flags_return} +} + +# Parse command-line options using the standard getopt. +# +# Note: the flag options are passed around in the global __flags_opts so that +# the formatting is not lost due to shell parsing and such. +# +# Args: +# @: varies: command-line options to parse +# Returns: +# integer: a FLAGS success condition +_flags_getoptStandard() +{ + flags_return=${FLAGS_TRUE} + _flags_shortOpts_=`_flags_genOptStr ${__FLAGS_OPTSTR_SHORT}` + + # check for spaces in passed options + for _flags_opt_ in "$@"; do + # note: the silliness with the x's is purely for ksh93 on Ubuntu 6.06 + _flags_match_=`echo "x${_flags_opt_}x" |sed 's/ //g'` + if [ "${_flags_match_}" != "x${_flags_opt_}x" ]; then + flags_error='the available getopt does not support spaces in options' + flags_return=${FLAGS_ERROR} + break + fi + done + + if [ ${flags_return} -eq ${FLAGS_TRUE} ]; then + __flags_opts=`getopt ${_flags_shortOpts_} $@ 2>&1` + _flags_rtrn_=$? + if [ ${_flags_rtrn_} -ne ${FLAGS_TRUE} ]; then + _flags_warn "${__flags_opts}" + flags_error='unable to parse provided options with getopt.' + flags_return=${FLAGS_ERROR} + fi + fi + + unset _flags_match_ _flags_opt_ _flags_rtrn_ _flags_shortOpts_ + return ${flags_return} +} + +# Parse command-line options using the enhanced getopt. +# +# Note: the flag options are passed around in the global __flags_opts so that +# the formatting is not lost due to shell parsing and such. +# +# Args: +# @: varies: command-line options to parse +# Returns: +# integer: a FLAGS success condition +_flags_getoptEnhanced() +{ + flags_return=${FLAGS_TRUE} + _flags_shortOpts_=`_flags_genOptStr ${__FLAGS_OPTSTR_SHORT}` + _flags_boolOpts_=`echo "${__flags_boolNames}" \ + |sed 's/^ *//;s/ *$//;s/ /,/g'` + _flags_longOpts_=`_flags_genOptStr ${__FLAGS_OPTSTR_LONG}` + + __flags_opts=`getopt \ + -o ${_flags_shortOpts_} \ + -l "${_flags_longOpts_},${_flags_boolOpts_}" \ + -- "$@" 2>&1` + _flags_rtrn_=$? + if [ ${_flags_rtrn_} -ne ${FLAGS_TRUE} ]; then + _flags_warn "${__flags_opts}" + flags_error='unable to parse provided options with getopt.' + flags_return=${FLAGS_ERROR} + fi + + unset _flags_boolOpts_ _flags_longOpts_ _flags_rtrn_ _flags_shortOpts_ + return ${flags_return} +} + +# Dynamically parse a getopt result and set appropriate variables. +# +# This function does the actual conversion of getopt output and runs it through +# the standard case structure for parsing. The case structure is actually quite +# dynamic to support any number of flags. +# +# Args: +# argc: int: original command-line argument count +# @: varies: output from getopt parsing +# Returns: +# integer: a FLAGS success condition +_flags_parseGetopt() +{ + _flags_argc_=$1 + shift + + flags_return=${FLAGS_TRUE} + + if [ ${__FLAGS_GETOPT_VERS} -ne ${__FLAGS_GETOPT_VERS_ENH} ]; then + set -- $@ + else + # note the quotes around the `$@' -- they are essential! + eval set -- "$@" + fi + + # provide user with number of arguments to shift by later + # NOTE: the FLAGS_ARGC variable is obsolete as of 1.0.3 because it does not + # properly give user access to non-flag arguments mixed in between flag + # arguments. Its usage was replaced by FLAGS_ARGV, and it is being kept only + # for backwards compatibility reasons. + FLAGS_ARGC=`expr $# - 1 - ${_flags_argc_}` + + # handle options. note options with values must do an additional shift + while true; do + _flags_opt_=$1 + _flags_arg_=${2:-} + _flags_type_=${__FLAGS_TYPE_NONE} + _flags_name_='' + + # determine long flag name + case "${_flags_opt_}" in + --) shift; break ;; # discontinue option parsing + + --*) # long option + _flags_opt_=`expr "${_flags_opt_}" : '--\(.*\)'` + _flags_len_=${__FLAGS_LEN_LONG} + if _flags_itemInList "${_flags_opt_}" ${__flags_longNames}; then + _flags_name_=${_flags_opt_} + else + # check for negated long boolean version + if _flags_itemInList "${_flags_opt_}" ${__flags_boolNames}; then + _flags_name_=`expr "${_flags_opt_}" : 'no\(.*\)'` + _flags_type_=${__FLAGS_TYPE_BOOLEAN} + _flags_arg_=${__FLAGS_NULL} + fi + fi + ;; + + -*) # short option + _flags_opt_=`expr "${_flags_opt_}" : '-\(.*\)'` + _flags_len_=${__FLAGS_LEN_SHORT} + if _flags_itemInList "${_flags_opt_}" ${__flags_shortNames}; then + # yes. match short name to long name. note purposeful off-by-one + # (too high) with awk calculations. + _flags_pos_=`echo "${__flags_shortNames}" \ + |awk 'BEGIN{RS=" ";rn=0}$0==e{rn=NR}END{print rn}' \ + e=${_flags_opt_}` + _flags_name_=`echo "${__flags_longNames}" \ + |awk 'BEGIN{RS=" "}rn==NR{print $0}' rn="${_flags_pos_}"` + fi + ;; + esac + + # die if the flag was unrecognized + if [ -z "${_flags_name_}" ]; then + flags_error="unrecognized option (${_flags_opt_})" + flags_return=${FLAGS_ERROR} + break + fi + + # set new flag value + [ ${_flags_type_} -eq ${__FLAGS_TYPE_NONE} ] && \ + _flags_type_=`_flags_getFlagInfo \ + "${_flags_name_}" ${__FLAGS_INFO_TYPE}` + case ${_flags_type_} in + ${__FLAGS_TYPE_BOOLEAN}) + if [ ${_flags_len_} -eq ${__FLAGS_LEN_LONG} ]; then + if [ "${_flags_arg_}" != "${__FLAGS_NULL}" ]; then + eval "FLAGS_${_flags_name_}=${FLAGS_TRUE}" + else + eval "FLAGS_${_flags_name_}=${FLAGS_FALSE}" + fi + else + _flags_strToEval_="_flags_val_=\ +\${__flags_${_flags_name_}_${__FLAGS_INFO_DEFAULT}}" + eval "${_flags_strToEval_}" + if [ ${_flags_val_} -eq ${FLAGS_FALSE} ]; then + eval "FLAGS_${_flags_name_}=${FLAGS_TRUE}" + else + eval "FLAGS_${_flags_name_}=${FLAGS_FALSE}" + fi + fi + ;; + + ${__FLAGS_TYPE_FLOAT}) + if _flags_validateFloat "${_flags_arg_}"; then + eval "FLAGS_${_flags_name_}='${_flags_arg_}'" + else + flags_error="invalid float value (${_flags_arg_})" + flags_return=${FLAGS_ERROR} + break + fi + ;; + + ${__FLAGS_TYPE_INTEGER}) + if _flags_validateInteger "${_flags_arg_}"; then + eval "FLAGS_${_flags_name_}='${_flags_arg_}'" + else + flags_error="invalid integer value (${_flags_arg_})" + flags_return=${FLAGS_ERROR} + break + fi + ;; + + ${__FLAGS_TYPE_STRING}) + eval "FLAGS_${_flags_name_}='${_flags_arg_}'" + ;; + esac + + # handle special case help flag + if [ "${_flags_name_}" = 'help' ]; then + if [ ${FLAGS_help} -eq ${FLAGS_TRUE} ]; then + flags_help + flags_error='help requested' + flags_return=${FLAGS_FALSE} + break + fi + fi + + # shift the option and non-boolean arguements out. + shift + [ ${_flags_type_} != ${__FLAGS_TYPE_BOOLEAN} ] && shift + done + + # give user back non-flag arguments + FLAGS_ARGV='' + while [ $# -gt 0 ]; do + FLAGS_ARGV="${FLAGS_ARGV:+${FLAGS_ARGV} }'$1'" + shift + done + + unset _flags_arg_ _flags_len_ _flags_name_ _flags_opt_ _flags_pos_ \ + _flags_strToEval_ _flags_type_ _flags_val_ + return ${flags_return} +} + +#------------------------------------------------------------------------------ +# public functions +# + +# A basic boolean flag. Boolean flags do not take any arguments, and their +# value is either 1 (false) or 0 (true). For long flags, the false value is +# specified on the command line by prepending the word 'no'. With short flags, +# the presense of the flag toggles the current value between true and false. +# Specifying a short boolean flag twice on the command results in returning the +# value back to the default value. +# +# A default value is required for boolean flags. +# +# For example, lets say a Boolean flag was created whose long name was 'update' +# and whose short name was 'x', and the default value was 'false'. This flag +# could be explicitly set to 'true' with '--update' or by '-x', and it could be +# explicitly set to 'false' with '--noupdate'. +DEFINE_boolean() { _flags_define ${__FLAGS_TYPE_BOOLEAN} "$@"; } + +# Other basic flags. +DEFINE_float() { _flags_define ${__FLAGS_TYPE_FLOAT} "$@"; } +DEFINE_integer() { _flags_define ${__FLAGS_TYPE_INTEGER} "$@"; } +DEFINE_string() { _flags_define ${__FLAGS_TYPE_STRING} "$@"; } + +# Parse the flags. +# +# Args: +# unnamed: list: command-line flags to parse +# Returns: +# integer: success of operation, or error +FLAGS() +{ + # define a standard 'help' flag if one isn't already defined + [ -z "${__flags_help_type:-}" ] && \ + DEFINE_boolean 'help' false 'show this help' 'h' + + # parse options + if [ $# -gt 0 ]; then + if [ ${__FLAGS_GETOPT_VERS} -ne ${__FLAGS_GETOPT_VERS_ENH} ]; then + _flags_getoptStandard "$@" + else + _flags_getoptEnhanced "$@" + fi + flags_return=$? + else + # nothing passed; won't bother running getopt + __flags_opts='--' + flags_return=${FLAGS_TRUE} + fi + + if [ ${flags_return} -eq ${FLAGS_TRUE} ]; then + _flags_parseGetopt $# "${__flags_opts}" + flags_return=$? + fi + + [ ${flags_return} -eq ${FLAGS_ERROR} ] && _flags_fatal "${flags_error}" + return ${flags_return} +} + +# This is a helper function for determining the `getopt` version for platforms +# where the detection isn't working. It simply outputs debug information that +# can be included in a bug report. +# +# Args: +# none +# Output: +# debug info that can be included in a bug report +# Returns: +# nothing +flags_getoptInfo() +{ + # platform info + _flags_debug "uname -a: `uname -a`" + _flags_debug "PATH: ${PATH}" + + # shell info + if [ -n "${BASH_VERSION:-}" ]; then + _flags_debug 'shell: bash' + _flags_debug "BASH_VERSION: ${BASH_VERSION}" + elif [ -n "${ZSH_VERSION:-}" ]; then + _flags_debug 'shell: zsh' + _flags_debug "ZSH_VERSION: ${ZSH_VERSION}" + fi + + # getopt info + getopt >/dev/null + _flags_getoptReturn=$? + _flags_debug "getopt return: ${_flags_getoptReturn}" + _flags_debug "getopt --version: `getopt --version 2>&1`" + + unset _flags_getoptReturn +} + +# Returns whether the detected getopt version is the enhanced version. +# +# Args: +# none +# Output: +# none +# Returns: +# bool: true if getopt is the enhanced version +flags_getoptIsEnh() +{ + test ${__FLAGS_GETOPT_VERS} -eq ${__FLAGS_GETOPT_VERS_ENH} +} + +# Returns whether the detected getopt version is the standard version. +# +# Args: +# none +# Returns: +# bool: true if getopt is the standard version +flags_getoptIsStd() +{ + test ${__FLAGS_GETOPT_VERS} -eq ${__FLAGS_GETOPT_VERS_STD} +} + +# This is effectively a 'usage()' function. It prints usage information and +# exits the program with ${FLAGS_FALSE} if it is ever found in the command line +# arguments. Note this function can be overridden so other apps can define +# their own --help flag, replacing this one, if they want. +# +# Args: +# none +# Returns: +# integer: success of operation (always returns true) +flags_help() +{ + if [ -n "${FLAGS_HELP:-}" ]; then + echo "${FLAGS_HELP}" >&2 + else + echo "USAGE: ${FLAGS_PARENT:-$0} [flags] args" >&2 + fi + if [ -n "${__flags_longNames}" ]; then + echo 'flags:' >&2 + for flags_name_ in ${__flags_longNames}; do + flags_flagStr_='' + flags_boolStr_='' + + flags_default_=`_flags_getFlagInfo \ + "${flags_name_}" ${__FLAGS_INFO_DEFAULT}` + flags_help_=`_flags_getFlagInfo \ + "${flags_name_}" ${__FLAGS_INFO_HELP}` + flags_short_=`_flags_getFlagInfo \ + "${flags_name_}" ${__FLAGS_INFO_SHORT}` + flags_type_=`_flags_getFlagInfo \ + "${flags_name_}" ${__FLAGS_INFO_TYPE}` + + [ "${flags_short_}" != "${__FLAGS_NULL}" ] \ + && flags_flagStr_="-${flags_short_}" + + if [ ${__FLAGS_GETOPT_VERS} -eq ${__FLAGS_GETOPT_VERS_ENH} ]; then + [ "${flags_short_}" != "${__FLAGS_NULL}" ] \ + && flags_flagStr_="${flags_flagStr_}," + [ ${flags_type_} -eq ${__FLAGS_TYPE_BOOLEAN} ] \ + && flags_boolStr_='[no]' + flags_flagStr_="${flags_flagStr_}--${flags_boolStr_}${flags_name_}:" + fi + + case ${flags_type_} in + ${__FLAGS_TYPE_BOOLEAN}) + if [ ${flags_default_} -eq ${FLAGS_TRUE} ]; then + flags_defaultStr_='true' + else + flags_defaultStr_='false' + fi + ;; + ${__FLAGS_TYPE_FLOAT}|${__FLAGS_TYPE_INTEGER}) + flags_defaultStr_=${flags_default_} ;; + ${__FLAGS_TYPE_STRING}) flags_defaultStr_="'${flags_default_}'" ;; + esac + flags_defaultStr_="(default: ${flags_defaultStr_})" + + flags_helpStr_=" ${flags_flagStr_} ${flags_help_} ${flags_defaultStr_}" + flags_helpStrLen_=`expr "${flags_helpStr_}" : '.*'` + flags_columns_=`_flags_columns` + if [ ${flags_helpStrLen_} -lt ${flags_columns_} ]; then + echo "${flags_helpStr_}" >&2 + else + echo " ${flags_flagStr_} ${flags_help_}" >&2 + # note: the silliness with the x's is purely for ksh93 on Ubuntu 6.06 + # because it doesn't like empty strings when used in this manner. + flags_emptyStr_="`echo \"x${flags_flagStr_}x\" \ + |awk '{printf "%"length($0)-2"s", ""}'`" + flags_helpStr_=" ${flags_emptyStr_} ${flags_defaultStr_}" + flags_helpStrLen_=`expr "${flags_helpStr_}" : '.*'` + if [ ${__FLAGS_GETOPT_VERS} -eq ${__FLAGS_GETOPT_VERS_STD} \ + -o ${flags_helpStrLen_} -lt ${flags_columns_} ]; then + # indented to match help string + echo "${flags_helpStr_}" >&2 + else + # indented four from left to allow for longer defaults as long flag + # names might be used too, making things too long + echo " ${flags_defaultStr_}" >&2 + fi + fi + done + fi + + unset flags_boolStr_ flags_default_ flags_defaultStr_ flags_emptyStr_ \ + flags_flagStr_ flags_help_ flags_helpStr flags_helpStrLen flags_name_ \ + flags_columns_ flags_short_ flags_type_ + return ${FLAGS_TRUE} +} + +# Reset shflags back to an uninitialized state. +# +# Args: +# none +# Returns: +# nothing +flags_reset() +{ + for flags_name_ in ${__flags_longNames}; do + flags_strToEval_="unset FLAGS_${flags_name_}" + for flags_type_ in \ + ${__FLAGS_INFO_DEFAULT} \ + ${__FLAGS_INFO_HELP} \ + ${__FLAGS_INFO_SHORT} \ + ${__FLAGS_INFO_TYPE} + do + flags_strToEval_=\ +"${flags_strToEval_} __flags_${flags_name_}_${flags_type_}" + done + eval ${flags_strToEval_} + done + + # reset internal variables + __flags_boolNames=' ' + __flags_longNames=' ' + __flags_shortNames=' ' + + unset flags_name_ flags_type_ flags_strToEval_ +} diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index e4f6c3d031..8bafcede29 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -122,6 +122,17 @@ update_rootfs_hash() { local keyblock=$2 # Keyblock for re-generating signed kernel partition local signprivate=$3 # Private key to use for signing. + # check and clear need_to_resign tag + local rootfs_dir=$(make_temp_dir) + mount_image_partition_ro "${image}" 3 "${rootfs_dir}" + if has_needs_to_be_resigned_tag "${rootfs_dir}"; then + # remount as RW + sudo umount -d "${rootfs_dir}" + mount_image_partition "${image}" 3 "${rootfs_dir}" + sudo rm -f "${rootfs_dir}/${TAG_NEEDS_TO_BE_SIGNED}" + fi + sudo umount -d "${rootfs_dir}" + local rootfs_image=$(make_temp_file) extract_image_partition ${image} 3 ${rootfs_image} local kernel_config=$(grab_kernel_config "${image}") @@ -180,7 +191,7 @@ resign_firmware_payload() { mount_image_partition ${image} 3 ${rootfs_dir} # Force unmount of the rootfs on function exit as it is needed later. trap "sudo umount -d ${rootfs_dir}" RETURN - + local shellball_dir=$(make_temp_dir) # get_firmwarebin_from_shellball can fail if the image has no # firmware update. diff --git a/scripts/image_signing/tag_image.sh b/scripts/image_signing/tag_image.sh new file mode 100755 index 0000000000..143a221505 --- /dev/null +++ b/scripts/image_signing/tag_image.sh @@ -0,0 +1,158 @@ +#!/bin/bash + +# Copyright (c) 2010 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# Script to manipulate the tag files in the output of build_image + +# Load common constants. This should be the first executable line. +# The path to common.sh should be relative to your script's location. +. "$(dirname "$0")/common.sh" + +DEFINE_string from "chromiumos_image.bin" \ + "Input file name of Chrome OS image to tag/stamp." +DEFINE_string update_firmware "" \ + "Tag to force updating firmware (1 to enable, 0 to disable)" +DEFINE_string dev_mode "" \ + "Tag for developer mode (1 to enable, 0 to disable)" + +# Parse command line +FLAGS "$@" || exit 1 +eval set -- "${FLAGS_ARGV}" + +# Abort on error +set -e + +if [ -z ${FLAGS_from} ] || [ ! -f ${FLAGS_from} ] ; then + echo "Error: invalid flag --from" + exit 1 +fi + +# Global variable to track if image is modified. +g_modified=${FLAGS_FALSE} + +# Processes (enable, disable, or simply report) a tag file. +# Args: DO_MODIFICATION NAME ROOT TAG_FILE ACTION +# +# When DO_MODIFICATION=${FLAGS_TRUE}, +# Creates (ACTION=1) the TAG_FILE in ROOT, or +# removes (ACTION=0) the TAG_FILE in ROOT, then +# reports the status (and change) to the tag file. +# When DO_MODIFICATION=${FLAGS_FALSE}, +# make a dry-run and only change ${g_modified} +function process_tag() { + local tag_status_text="" + local do_modification="$1" + local name="$2" + local root="$3" + local tag_file_path="$3/$4" + local action="$5" + local do_enable=${FLAGS_FALSE} + local do_disable=${FLAGS_FALSE} + + # only 1, 0, and "" are valid params to action. + case "${action}" in + "1" ) + do_enable=${FLAGS_TRUE} + ;; + "0" ) + do_disable=${FLAGS_TRUE} + ;; + "" ) + ;; + * ) + echo "Error: invalid param to ${name}: ${action} (must be 1 or 0)." + exit 1 + ;; + esac + + if [ -f "${tag_file_path}" ]; then + tag_status_text="ENABLED" + if [ "${do_disable}" = ${FLAGS_TRUE} ]; then + # disable the tag + if [ "${do_modification}" = ${FLAGS_TRUE} ]; then + sudo rm "${tag_file_path}" + fi + g_modified=${FLAGS_TRUE} + tag_status_text="${tag_status_text} => disabled" + elif [ "${do_disable}" != ${FLAGS_FALSE} ]; then + # internal error + echo "Internal error for tag ${name}: need disable param." 1>&2 + exit 1 + fi + else + tag_status_text="disabled" + if [ "${do_enable}" = ${FLAGS_TRUE} ]; then + # enable the tag + if [ "${do_modification}" = ${FLAGS_TRUE} ]; then + sudo touch "${tag_file_path}" + fi + g_modified=${FLAGS_TRUE} + tag_status_text="${tag_status_text} => ENABLED" + elif [ "${do_enable}" != ${FLAGS_FALSE} ]; then + # internal error + echo "Internal error for tag ${name}: need enable param." 1>&2 + exit 1 + fi + fi + + # report tag status + if [ "${do_modification}" != ${FLAGS_TRUE} ]; then + echo "${name}: ${tag_status_text}" + fi +} + +# Iterates all tags to a given partition root. +# Args: ROOTFS DO_MODIFICATION +# +# Check process_tag for the meaning of parameters. +process_all_tags() { + local rootfs="$1" + local do_modification="$2" + + process_tag "${do_modification}" \ + "Update Firmware" \ + "${rootfs}" \ + /root/.force_update_firmware \ + "${FLAGS_update_firmware}" + + process_tag "${do_modification}" \ + "Developer Mode" \ + "${rootfs}" \ + /root/.dev_mode \ + "${FLAGS_dev_mode}" +} + +IMAGE=$(readlink -f "${FLAGS_from}") +if [[ -z "${IMAGE}" || ! -f "${IMAGE}" ]]; then + echo "Missing required argument: --from (image to update)" + usage + exit 1 +fi + +# First round, mount as read-only and check if we read any modification. +rootfs=$(make_temp_dir) +mount_image_partition_ro "${IMAGE}" 3 "${rootfs}" + +# we don't have tags in stateful partition yet... +# stateful_dir=$(make_temp_dir) +# mount_image_partition ${IMAGE} 1 ${stateful_dir} + +process_all_tags "${rootfs}" ${FLAGS_FALSE} + +if [ ${g_modified} = ${FLAGS_TRUE} ]; then + # remount as RW (we can't use mount -o rw,remount because of loop device) + sudo umount -d "${rootfs}" + mount_image_partition "${IMAGE}" 3 "${rootfs}" + + # Second round, apply the modification to image. + process_all_tags "${rootfs}" ${FLAGS_TRUE} + + # this is supposed to be automatically done in mount_image_partition, + # but it's no harm to explicitly make it again here. + tag_as_needs_to_be_resigned "${rootfs}" + echo "IMAGE IS MODIFIED. PLEASE REMEMBER TO RESIGN YOUR IMAGE." +else + echo "Image is not modified." +fi