scottk/OpenCellular
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/OpenCellular.git synced 2025-12-08 00:45:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

image_signing: sign_official_build.sh: switch verification to loopbacks

Browse Source 
Rather than copy out the rootfs to a temp file and perform checks on that,
run the checks directly on the image.  This saves us from having to copy
many GB worth of data which can be expensive on the VMs (slow disk I/O).

BRANCH=None
BUG=chromium:714598
TEST=signing images still works

Change-Id: Ie7d1c432aacb69e57b6c5fd9ab810b8d0b054860
Reviewed-on: https://chromium-review.googlesource.com/505476
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
This commit is contained in:
Mike Frysinger
2017-05-09 01:48:58 -04:00
committed by chrome-bot
parent b688d42ad1
commit 2d160adf72
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
scripts/image_signing/sign_official_build.sh
View File

@@ -375,15 +375,15 @@ update_stateful_partition_vblock() {
# Do a sanity check on the image's rootfs
# ARGS: Image
verify_image_rootfs() {
local image=$1
local rootfs_image=$(make_temp_file)
extract_image_partition ${image} 3 ${rootfs_image}
local rootfs=$1
# This flips the read-only compatibility flag, so that e2fsck does not
# complain about unknown file system capabilities.
enable_rw_mount ${rootfs_image}
enable_rw_mount "${rootfs}"
info "Running e2fsck to check root file system for errors"
sudo e2fsck -fn "${rootfs_image}" ||
sudo e2fsck -fn "${rootfs}" ||
die "Root file system has errors!"
# Flip the bit back so we don't break hashes.
disable_rw_mount "${rootfs}"
}
# Extracts a firmware updater bundle (for firmware image binaries) file
@@ -626,8 +626,8 @@ sign_oci_container() {
# Verify an image including rootfs hash using the specified keys.
verify_image() {
local rootfs_image=$(make_temp_file)
extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image}
local loopdev=$(loopback_partscan "${INPUT_IMAGE}")
local loop_rootfs="${loopdev}p3"
info "Verifying RootFS hash..."
# What we get from image.
@@ -639,9 +639,9 @@ verify_image() {
local partnum
for partnum in 2 4; do
info "Considering Kernel partition ${partnum}"
kernel_config=$(grab_kernel_config ${INPUT_IMAGE} $partnum)
kernel_config=$(sudo dump_kernel_config "${loopdev}p${partnum}")
local hash_image=$(make_temp_file)
if ! calculate_rootfs_hash "${rootfs_image}" "${kernel_config}" \
if ! calculate_rootfs_hash "${loop_rootfs}" "${kernel_config}" \
"${hash_image}"; then
info "Trying next kernel partition."
continue
@@ -692,7 +692,7 @@ EOF
echo "YES"; } || echo "NO"
set -e
verify_image_rootfs "${INPUT_IMAGE}"
verify_image_rootfs "${loop_rootfs}"
# TODO(gauravsh): Check embedded firmware AU signatures.
}