From 2d160adf72cf5425c9142b602206f0ac2a675055 Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Tue, 9 May 2017 01:48:58 -0400
Subject: [PATCH] image_signing: sign_official_build.sh: switch verification to loopbacks
Rather than copy out the rootfs to a temp file and perform checks on that, run the checks directly on the image. This saves us from having to copy many GB worth of data which can be expensive on the VMs (slow disk I/O).
BRANCH=None
BUG=chromium:714598
TEST=signing images still works
Change-Id: Ie7d1c432aacb69e57b6c5fd9ab810b8d0b054860
Reviewed-on: https://chromium-review.googlesource.com/505476
Commit-Ready: Mike Frysinger
Tested-by: Mike Frysinger
Reviewed-by: David Riley
---
 scripts/image_signing/sign_official_build.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index b572501b2e..8333b0157b 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -375,15 +375,15 @@ update_stateful_partition_vblock() {
 # Do a sanity check on the image's rootfs
 # ARGS: Image
 verify_image_rootfs() {
- local image=$1
- local rootfs_image=$(make_temp_file)
- extract_image_partition ${image} 3 ${rootfs_image}
+ local rootfs=$1
 # This flips the read-only compatibility flag, so that e2fsck does not
 # complain about unknown file system capabilities.
- enable_rw_mount ${rootfs_image}
+ enable_rw_mount "${rootfs}"
 info "Running e2fsck to check root file system for errors"
- sudo e2fsck -fn "${rootfs_image}" ||
+ sudo e2fsck -fn "${rootfs}" ||
 die "Root file system has errors!"
+ # Flip the bit back so we don't break hashes.
+ disable_rw_mount "${rootfs}"
 }
 # Extracts a firmware updater bundle (for firmware image binaries) file
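Review bot: If e2fsck reports errors, `die` exits before the added `disable_rw_mount "${rootfs}"` runs, so the device passed in is left with the compatibility flag flipped. That mattered less while the check ran on a temp copy, but the caller in the last hunk now passes a partition of the input image itself, and the commit's own comment notes that the flipped bit breaks hashes. Restoring the flag before failing keeps the verify path from leaving the image altered: `local rc=0; sudo e2fsck -fn "${rootfs}" || rc=$?`, then `disable_rw_mount "${rootfs}"`, then `[[ ${rc} -eq 0 ]] || die "Root file system has errors!"`. The header comment `# ARGS: Image` is also stale and should read something like `# ARGS: rootfs partition (block device or file)`.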
@@ -626,8 +626,8 @@ sign_oci_container() {
 # Verify an image including rootfs hash using the specified keys.
 verify_image() {
- local rootfs_image=$(make_temp_file)
- extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image}
+ local loopdev=$(loopback_partscan "${INPUT_IMAGE}")
+ local loop_rootfs="${loopdev}p3"
 info "Verifying RootFS hash..."
 # What we get from image.
@@ -639,9 +639,9 @@ verify_image() {
 local partnum
 for partnum in 2 4; do
 info "Considering Kernel partition ${partnum}"
- kernel_config=$(grab_kernel_config ${INPUT_IMAGE} $partnum)
+ kernel_config=$(sudo dump_kernel_config "${loopdev}p${partnum}")
 local hash_image=$(make_temp_file)
- if ! calculate_rootfs_hash "${rootfs_image}" "${kernel_config}" \
+ if ! calculate_rootfs_hash "${loop_rootfs}" "${kernel_config}" \
 "${hash_image}"; then
 info "Trying next kernel partition."
 continue
@@ -692,7 +692,7 @@ EOF
 echo "YES"; } || echo "NO"
 set -e
- verify_image_rootfs "${INPUT_IMAGE}"
+ verify_image_rootfs "${loop_rootfs}"
 # TODO(gauravsh): Check embedded firmware AU signatures.
 }
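Review bot: At the top of verify_image, `local loopdev=$(loopback_partscan "${INPUT_IMAGE}")` discards the exit status of loopback_partscan, because `local` itself returns 0. If the attach fails, `loop_rootfs` becomes the bare string `p3`, and the later `sudo dump_kernel_config`, hash calculation and e2fsck steps run against a path that is not the image. Declaring first and checking makes verification stop instead: `local loopdev` followed by `loopdev=$(loopback_partscan "${INPUT_IMAGE}") || die "Failed to attach ${INPUT_IMAGE}"`. No detach of the loop device is visible before the closing brace of verify_image in the last hunk; if loopback_partscan (defined outside this diff) does not register its own cleanup, one is needed there. verify_image's body continues outside these hunks.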