scottk/OpenCellular
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/OpenCellular.git synced 2025-11-24 18:25:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add a utility to tag/stamp image

Browse Source 
There are several procedures in Chrome OS post-processing before being released:
stamping, tagging, mod image for URLs, ... and signing.
We need an integrated script to handle all the stamping / tagging.

This CL can handle empty tag files like /root/.force_update_firmware
or /root/.dev_mode.

This CL deprecates http://codereview.chromium.org/3421040 and moved script
from crosutils to vboot_reference. In the future we may isolate the non-signing
post-processing scripts (set_lsb, tag_image, remove_label, ...) into crosutils.

BUG=none
TEST=manually:
(1) Build a general dev image without firmware updates (default behavior of build_image for x86-generic ToT)
(2) Enter chroot and then execute:
    cd ~/trunk/src/platform/vboot_reference/scripts;
    ./tag_image.sh \
      --from ~/trunk/src/build/images/x86-generic/latest/chromiumos_image.bin
    Expected: output message:
      Update Firmware: disabled
      Developer Mode: Enabled
(3) ./tag_image.sh --update_firmware=1 --dev_mode=0 \
      --from ~/trunk/src//build/images/x86-generic/latest/chromiumos_image.bin
    Expected: output message:
      Update Firmware: disabled => Enabled
      Developer Mode: Enabled => disabled

    Manually verify:
      pushd ../../build/images/x86-generic/latest
      unpack_partitions.sh chromiumos_image.bin
      sudo mount -o loop,ro part_3 rootfs
      ls -l rootfs/root/.force_update_firmware # this file should exist
      ls -l rootfs/root/.dev_mode # this file should NOT exist (i.e., error)
      sudo umount rootfs

(4) ./tag_image.sh --update_firmware=0 --dev_mod=1 \
      --from ~/trunk/src/build/images/x86-generic/latest/chromiumos_image.bin
    Expected: output message:
      Update Firmware: Enabled => disabled
      Developer Mode: disabled => Enabled

    Manually verify:
      pushd ../../build/images/x86-generic/latest
      unpack_partitions.sh chromiumos_image.bin
      sudo mount -o loop,ro part_3 rootfs
      ls -l rootfs/root/.force_update_firmware # this file should NOT exist (i.e., error)
      ls -l rootfs/root/.dev_mode # this file should exist
      sudo umount rootfs

Change-Id: I96af3c7201372bb904426d10cff142467a1fa2e7

Review URL: http://codereview.chromium.org/3604001
This commit is contained in:
Hung-Te Lin
2010-09-30 16:18:09 +08:00
parent a222fbc00e
commit 04c00e19c6
5 changed files with 1228 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
scripts/image_signing/common.sh
View File

@@ -9,6 +9,16 @@ SCRIPT_DIR=$(dirname $0)
PROG=$(basename $0) PROG=$(basename $0)
GPT=cgpt GPT=cgpt
# The tag when the rootfs is changed.
TAG_NEEDS_TO_BE_SIGNED="/root/.need_to_be_signed"
# Load shflags
if [[ -f /usr/lib/shflags ]]; then
. /usr/lib/shflags
else
. "${SCRIPT_DIR}/lib/shflags/shflags"
fi
# List of Temporary files and mount points. # List of Temporary files and mount points.
TEMP_FILE_LIST=$(mktemp) TEMP_FILE_LIST=$(mktemp)
TEMP_DIR_LIST=$(mktemp) TEMP_DIR_LIST=$(mktemp)
@@ -27,6 +37,38 @@ partsize() {
sudo $GPT show -s -i $2 $1 sudo $GPT show -s -i $2 $1
} }
# Tags a file system as "needs to be resigned".
# Args: MOUNTDIRECTORY
tag_as_needs_to_be_resigned() {
local mount_dir="$1"
sudo touch "$mount_dir/$TAG_NEEDS_TO_BE_SIGNED"
}
# Determines if the target file system has the tag for resign
# Args: MOUNTDIRECTORY
# Returns: $FLAGS_TRUE if the tag is there, otherwise $FLAGS_FALSE
has_needs_to_be_resigned_tag() {
local mount_dir="$1"
if [ -f "$mount_dir/$TAG_NEEDS_TO_BE_SIGNED" ]; then
return ${FLAGS_TRUE}
else
return ${FLAGS_FALSE}
fi
}
# Determines if the target file system is a Chrome OS root fs
# Args: MOUNTDIRECTORY
# Returns: $FLAGS_TRUE if MOUNTDIRECTORY looks like root fs,
# otherwise $FLAGS_FALSE
is_rootfs_partition() {
local mount_dir="$1"
if [ -f "$mount_dir/$(dirname "$TAG_NEEDS_TO_BE_SIGNED")" ]; then
return ${FLAGS_TRUE}
else
return ${FLAGS_FALSE}
fi
}
# Mount a partition read-only from an image into a local directory # Mount a partition read-only from an image into a local directory
# Args: IMAGE PARTNUM MOUNTDIRECTORY # Args: IMAGE PARTNUM MOUNTDIRECTORY
mount_image_partition_ro() { mount_image_partition_ro() {
@@ -45,6 +87,9 @@ mount_image_partition() {
local mount_dir=$3 local mount_dir=$3
local offset=$(partoffset "$image" "$partnum") local offset=$(partoffset "$image" "$partnum")
sudo mount -o loop,offset=$((offset * 512)) "$image" "$mount_dir" sudo mount -o loop,offset=$((offset * 512)) "$image" "$mount_dir"
if is_rootfs_partition "$mount_dir"; then
tag_as_needs_to_be_resigned "$mount_dir"
fi
} }
# Extract a partition to a file # Extract a partition to a file
@@ -93,6 +138,9 @@ cleanup_temps_and_mounts() {
set +e # umount may fail for unmounted directories set +e # umount may fail for unmounted directories
for i in "$(cat $TEMP_DIR_LIST)"; do for i in "$(cat $TEMP_DIR_LIST)"; do
if [ -n "$i" ]; then if [ -n "$i" ]; then
if has_needs_to_be_resigned_tag "$i"; then
echo "Warning: image may be modified. Please resign image."
fi
sudo umount -d $i 2>/dev/null sudo umount -d $i 2>/dev/null
rm -rf $i rm -rf $i
fi fi

1
scripts/image_signing/lib/shflags/README.chromium Normal file
View File

@@ -0,0 +1 @@
This is r137 of shflags

1009
scripts/image_signing/lib/shflags/shflags Normal file
View File

File diff suppressed because it is too large Load Diff

13
scripts/image_signing/sign_official_build.sh
View File

@@ -122,6 +122,17 @@ update_rootfs_hash() {
local keyblock=$2 # Keyblock for re-generating signed kernel partition local keyblock=$2 # Keyblock for re-generating signed kernel partition
local signprivate=$3 # Private key to use for signing. local signprivate=$3 # Private key to use for signing.
# check and clear need_to_resign tag
local rootfs_dir=$(make_temp_dir)
mount_image_partition_ro "${image}" 3 "${rootfs_dir}"
if has_needs_to_be_resigned_tag "${rootfs_dir}"; then
# remount as RW
sudo umount -d "${rootfs_dir}"
mount_image_partition "${image}" 3 "${rootfs_dir}"
sudo rm -f "${rootfs_dir}/${TAG_NEEDS_TO_BE_SIGNED}"
fi
sudo umount -d "${rootfs_dir}"
local rootfs_image=$(make_temp_file) local rootfs_image=$(make_temp_file)
extract_image_partition ${image} 3 ${rootfs_image} extract_image_partition ${image} 3 ${rootfs_image}
local kernel_config=$(grab_kernel_config "${image}") local kernel_config=$(grab_kernel_config "${image}")
@@ -180,7 +191,7 @@ resign_firmware_payload() {
mount_image_partition ${image} 3 ${rootfs_dir} mount_image_partition ${image} 3 ${rootfs_dir}
# Force unmount of the rootfs on function exit as it is needed later. # Force unmount of the rootfs on function exit as it is needed later.
trap "sudo umount -d ${rootfs_dir}" RETURN trap "sudo umount -d ${rootfs_dir}" RETURN
local shellball_dir=$(make_temp_dir) local shellball_dir=$(make_temp_dir)
# get_firmwarebin_from_shellball can fail if the image has no # get_firmwarebin_from_shellball can fail if the image has no
# firmware update. # firmware update.

158
scripts/image_signing/tag_image.sh Executable file
View File

@@ -0,0 +1,158 @@
#!/bin/bash
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Script to manipulate the tag files in the output of build_image
# Load common constants. This should be the first executable line.
# The path to common.sh should be relative to your script's location.
. "$(dirname "$0")/common.sh"
DEFINE_string from "chromiumos_image.bin" \
"Input file name of Chrome OS image to tag/stamp."
DEFINE_string update_firmware "" \
"Tag to force updating firmware (1 to enable, 0 to disable)"
DEFINE_string dev_mode "" \
"Tag for developer mode (1 to enable, 0 to disable)"
# Parse command line
FLAGS "$@" || exit 1
eval set -- "${FLAGS_ARGV}"
# Abort on error
set -e
if [ -z ${FLAGS_from} ] || [ ! -f ${FLAGS_from} ] ; then
echo "Error: invalid flag --from"
exit 1
fi
# Global variable to track if image is modified.
g_modified=${FLAGS_FALSE}
# Processes (enable, disable, or simply report) a tag file.
# Args: DO_MODIFICATION NAME ROOT TAG_FILE ACTION
#
# When DO_MODIFICATION=${FLAGS_TRUE},
# Creates (ACTION=1) the TAG_FILE in ROOT, or
# removes (ACTION=0) the TAG_FILE in ROOT, then
# reports the status (and change) to the tag file.
# When DO_MODIFICATION=${FLAGS_FALSE},
# make a dry-run and only change ${g_modified}
function process_tag() {
local tag_status_text=""
local do_modification="$1"
local name="$2"
local root="$3"
local tag_file_path="$3/$4"
local action="$5"
local do_enable=${FLAGS_FALSE}
local do_disable=${FLAGS_FALSE}
# only 1, 0, and "" are valid params to action.
case "${action}" in
"1" )
do_enable=${FLAGS_TRUE}
;;
"0" )
do_disable=${FLAGS_TRUE}
;;
"" )
;;
* )
echo "Error: invalid param to ${name}: ${action} (must be 1 or 0)."
exit 1
;;
esac
if [ -f "${tag_file_path}" ]; then
tag_status_text="ENABLED"
if [ "${do_disable}" = ${FLAGS_TRUE} ]; then
# disable the tag
if [ "${do_modification}" = ${FLAGS_TRUE} ]; then
sudo rm "${tag_file_path}"
fi
g_modified=${FLAGS_TRUE}
tag_status_text="${tag_status_text} => disabled"
elif [ "${do_disable}" != ${FLAGS_FALSE} ]; then
# internal error
echo "Internal error for tag ${name}: need disable param." 1>&2
exit 1
fi
else
tag_status_text="disabled"
if [ "${do_enable}" = ${FLAGS_TRUE} ]; then
# enable the tag
if [ "${do_modification}" = ${FLAGS_TRUE} ]; then
sudo touch "${tag_file_path}"
fi
g_modified=${FLAGS_TRUE}
tag_status_text="${tag_status_text} => ENABLED"
elif [ "${do_enable}" != ${FLAGS_FALSE} ]; then
# internal error
echo "Internal error for tag ${name}: need enable param." 1>&2
exit 1
fi
fi
# report tag status
if [ "${do_modification}" != ${FLAGS_TRUE} ]; then
echo "${name}: ${tag_status_text}"
fi
}
# Iterates all tags to a given partition root.
# Args: ROOTFS DO_MODIFICATION
#
# Check process_tag for the meaning of parameters.
process_all_tags() {
local rootfs="$1"
local do_modification="$2"
process_tag "${do_modification}" \
"Update Firmware" \
"${rootfs}" \
/root/.force_update_firmware \
"${FLAGS_update_firmware}"
process_tag "${do_modification}" \
"Developer Mode" \
"${rootfs}" \
/root/.dev_mode \
"${FLAGS_dev_mode}"
}
IMAGE=$(readlink -f "${FLAGS_from}")
if [[ -z "${IMAGE}" || ! -f "${IMAGE}" ]]; then
echo "Missing required argument: --from (image to update)"
usage
exit 1
fi
# First round, mount as read-only and check if we read any modification.
rootfs=$(make_temp_dir)
mount_image_partition_ro "${IMAGE}" 3 "${rootfs}"
# we don't have tags in stateful partition yet...
# stateful_dir=$(make_temp_dir)
# mount_image_partition ${IMAGE} 1 ${stateful_dir}
process_all_tags "${rootfs}" ${FLAGS_FALSE}
if [ ${g_modified} = ${FLAGS_TRUE} ]; then
# remount as RW (we can't use mount -o rw,remount because of loop device)
sudo umount -d "${rootfs}"
mount_image_partition "${IMAGE}" 3 "${rootfs}"
# Second round, apply the modification to image.
process_all_tags "${rootfs}" ${FLAGS_TRUE}
# this is supposed to be automatically done in mount_image_partition,
# but it's no harm to explicitly make it again here.
tag_as_needs_to_be_resigned "${rootfs}"
echo "IMAGE IS MODIFIED. PLEASE REMEMBER TO RESIGN YOUR IMAGE."
else
echo "Image is not modified."
fi