sign_official_build: switch kernel/firmware signing to loopdevs
Newer versions of util-linux/mount don't like when you create overlapping loopback files. Since we always create a loopback of the entire image, this means every mount fails. We can change the few users in here over to using the existing loopback partitions rather than continuing to create their own from scratch. This makes the code a bit simpler. However, we currently duplicate some of the mount image helpers so that one version works off of a disk image while the other uses loopbacks. Cleaning this up requires a number of changes in other files which we'll want to do eventually, just not right now (to minimize risk). BUG=chromium:714598 TEST=image signing works on newer gLinux installs BRANCH=None Change-Id: I31b35636b3b271e97070d283f8cb74d3183d8ec8 Reviewed-on: https://chromium-review.googlesource.com/1034435 Commit-Ready: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org> Reviewed-by: Jason Clinton <jclinton@chromium.org>
committed by
chrome-bot
parent
41d0e32791
commit
8543190e64
@@ -236,12 +236,37 @@ _mount_image_partition() {
|
||||
_mount_image_partition_retry "$@"
|
||||
}
|
||||
|
||||
# If called without 'ro', make sure the partition is allowed to be mounted as
|
||||
# 'rw' before actually mounting it.
|
||||
# Args: LOOPDEV PARTNUM MOUNTDIRECTORY [ro]
|
||||
_mount_loop_image_partition() {
|
||||
local loopdev=$1
|
||||
local partnum=$2
|
||||
local mount_dir=$3
|
||||
local ro=$4
|
||||
local loop_rootfs="${loopdev}p${partnum}"
|
||||
|
||||
if [ "$ro" != "ro" ]; then
|
||||
# Forcibly call enable_rw_mount. It should fail on unsupported
|
||||
# filesystems and be idempotent on ext*.
|
||||
enable_rw_mount "${loop_rootfs}" 2>/dev/null
|
||||
fi
|
||||
|
||||
sudo mount -o "${ro}" "${loop_rootfs}" "${mount_dir}"
|
||||
}
|
||||
|
||||
# Mount a partition read-only from an image into a local directory
|
||||
# Args: IMAGE PARTNUM MOUNTDIRECTORY
|
||||
mount_image_partition_ro() {
|
||||
_mount_image_partition "$@" "ro"
|
||||
}
|
||||
|
||||
# Mount a partition read-only from an image into a local directory
|
||||
# Args: LOOPDEV PARTNUM MOUNTDIRECTORY
|
||||
mount_loop_image_partition_ro() {
|
||||
_mount_loop_image_partition "$@" "ro"
|
||||
}
|
||||
|
||||
# Mount a partition from an image into a local directory
|
||||
# Args: IMAGE PARTNUM MOUNTDIRECTORY
|
||||
mount_image_partition() {
|
||||
@@ -252,27 +277,35 @@ mount_image_partition() {
|
||||
fi
|
||||
}
|
||||
|
||||
# Mount a partition from an image into a local directory
|
||||
# Args: LOOPDEV PARTNUM MOUNTDIRECTORY
|
||||
mount_loop_image_partition() {
|
||||
local mount_dir=$3
|
||||
_mount_loop_image_partition "$@"
|
||||
if is_rootfs_partition "${mount_dir}"; then
|
||||
tag_as_needs_to_be_resigned "${mount_dir}"
|
||||
fi
|
||||
}
|
||||
|
||||
# Mount the image's ESP (EFI System Partition) on a newly created temporary
|
||||
# directory.
|
||||
# Prints out the newly created temporary directory path if succeeded.
|
||||
# If the image doens't have an ESP partition, returns 0 without print anything.
|
||||
# Args: IMAGE
|
||||
# Args: LOOPDEV
|
||||
# Returns: 0 if succeeded, 1 otherwise.
|
||||
mount_image_esp() {
|
||||
local image="$1"
|
||||
local loopdev="$1"
|
||||
local ESP_PARTNUM=12
|
||||
local loop_esp="${loopdev}p${ESP_PARTNUM}"
|
||||
|
||||
local esp_offset=$(( $(partoffset "${image}" "${ESP_PARTNUM}") ))
|
||||
local esp_offset=$(( $(partoffset "${loopdev}" "${ESP_PARTNUM}") ))
|
||||
# Check if the image has an ESP partition.
|
||||
if [[ "${esp_offset}" == "0" ]]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
local esp_dir="$(make_temp_dir)"
|
||||
# We use the 'unsafe' variant because the EFI system partition is vfat type
|
||||
# and can be mounted in RW mode.
|
||||
if ! _mount_image_partition_retry "${image}" "${ESP_PARTNUM}" \
|
||||
"${esp_dir}" >/dev/null; then
|
||||
if ! sudo mount -o "${ro}" "${loop_esp}" "${esp_dir}"; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
|
||||
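Review bot: In mount_image_esp, what appears to be the new mount line, `sudo mount -o "${ro}" "${loop_esp}" "${esp_dir}"`, expands `ro`, which this function never declares; its visible locals are `loopdev`, `ESP_PARTNUM`, `loop_esp`, `esp_offset` and `esp_dir`. Bash resolves the name dynamically, so the option string of a privileged mount comes from whatever `ro` a caller or the environment holds, and is empty otherwise (an error if `set -u` is in effect). The comment directly above says the ESP is meant to be mountable read-write, so state the mode explicitly: `if ! sudo mount -o rw "${loop_esp}" "${esp_dir}"; then`. `_mount_loop_image_partition` in the first hunk likewise passes an empty `-o ""` when called without `ro`; `sudo mount -o "${ro:-rw}" "${loop_rootfs}" "${mount_dir}"` would avoid that. The body of mount_image_esp continues past the end of the hunk.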
@@ -522,9 +522,9 @@ sign_update_payload() {
|
||||
}
|
||||
|
||||
# Re-sign the firmware AU payload inside the image rootfs with a new keys.
|
||||
# Args: IMAGE
|
||||
# Args: LOOPDEV
|
||||
resign_firmware_payload() {
|
||||
local image=$1
|
||||
local loopdev="$1"
|
||||
|
||||
if [ -n "${NO_FWUPDATE}" ]; then
|
||||
info "Skipping firmware update."
|
||||
@@ -533,7 +533,7 @@ resign_firmware_payload() {
|
||||
|
||||
# Grab firmware image from the autoupdate bundle (shellball).
|
||||
local rootfs_dir=$(make_temp_dir)
|
||||
mount_image_partition ${image} 3 ${rootfs_dir}
|
||||
mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
|
||||
local firmware_bundle="${rootfs_dir}/usr/sbin/chromeos-firmwareupdate"
|
||||
local shellball_dir=$(make_temp_dir)
|
||||
|
||||
@@ -742,15 +742,15 @@ resign_firmware_payload() {
|
||||
sudo chmod a+rx "${firmware_bundle}"
|
||||
# Unmount now to flush changes.
|
||||
sudo umount "${rootfs_dir}"
|
||||
info "Re-signed firmware AU payload in ${image}"
|
||||
info "Re-signed firmware AU payload in ${loopdev}"
|
||||
}
|
||||
|
||||
# Re-sign Android image if exists.
|
||||
resign_android_image_if_exists() {
|
||||
local image=$1
|
||||
local loopdev="$1"
|
||||
|
||||
local rootfs_dir=$(make_temp_dir)
|
||||
mount_image_partition "${image}" 3 "${rootfs_dir}"
|
||||
mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
|
||||
|
||||
local system_img="${rootfs_dir}/opt/google/containers/android/system.raw.img"
|
||||
local arc_version=$(grep CHROMEOS_ARC_VERSION= \
|
||||
@@ -769,16 +769,16 @@ resign_android_image_if_exists() {
|
||||
}
|
||||
|
||||
# Sign UEFI binaries, if possible.
|
||||
# Args: IMAGE
|
||||
# Args: LOOPDEV
|
||||
sign_uefi_binaries() {
|
||||
local image="$1"
|
||||
local loopdev="$1"
|
||||
|
||||
if [[ ! -d "${KEY_DIR}/uefi" ]]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
local esp_dir
|
||||
if ! esp_dir="$(mount_image_esp "${image}")"; then
|
||||
if ! esp_dir="$(mount_image_esp "${loopdev}")"; then
|
||||
error "Could not mount EFI partition for signing UEFI binaries"
|
||||
return 1
|
||||
elif [[ -z "${esp_dir}" ]]; then
|
||||
@@ -789,7 +789,7 @@ sign_uefi_binaries() {
|
||||
sudo umount "${esp_dir}"
|
||||
|
||||
local rootfs_dir="$(make_temp_dir)"
|
||||
mount_image_partition "${image}" 3 "${rootfs_dir}"
|
||||
mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
|
||||
"${SCRIPT_DIR}/sign_uefi.sh" "${rootfs_dir}/boot" "${KEY_DIR}/uefi"
|
||||
sudo umount "${rootfs_dir}"
|
||||
|
||||
@@ -798,9 +798,9 @@ sign_uefi_binaries() {
|
||||
}
|
||||
|
||||
# Verify the signatures of UEFI binaries.
|
||||
# Args: IMAGE
|
||||
# Args: LOOPDEV
|
||||
verify_uefi_signatures() {
|
||||
local image="$1"
|
||||
local loopdev="$1"
|
||||
local succeeded=1
|
||||
|
||||
if [[ ! -d "${KEY_DIR}/uefi" ]]; then
|
||||
@@ -808,7 +808,7 @@ verify_uefi_signatures() {
|
||||
fi
|
||||
|
||||
local esp_dir
|
||||
if ! esp_dir="$(mount_image_esp "${image}")"; then
|
||||
if ! esp_dir="$(mount_image_esp "${loopdev}")"; then
|
||||
error "Could not mount EFI partition for verifying UEFI signatures"
|
||||
return 1
|
||||
elif [[ -z "${esp_dir}" ]]; then
|
||||
@@ -818,7 +818,7 @@ verify_uefi_signatures() {
|
||||
"${KEY_DIR}/uefi" || succeeded=0
|
||||
|
||||
local rootfs_dir="$(make_temp_dir)"
|
||||
mount_image_partition_ro "${image}" 3 "${rootfs_dir}"
|
||||
mount_loop_image_partition_ro "${loopdev}" 3 "${rootfs_dir}"
|
||||
"${SCRIPT_DIR}/verify_uefi.sh" "${rootfs_dir}/boot" "${esp_dir}" \
|
||||
"${KEY_DIR}/uefi" || succeeded=0
|
||||
sudo umount "${rootfs_dir}"
|
||||
@@ -944,17 +944,17 @@ update_recovery_kernel_hash() {
|
||||
}
|
||||
|
||||
# Update the legacy bootloader templates in EFI partition if available.
|
||||
# Args: IMAGE_BIN KERNEL
|
||||
# Args: LOOPDEV KERNEL
|
||||
update_legacy_bootloader() {
|
||||
local image="$1"
|
||||
local loopdev="$1"
|
||||
local loop_kern="$2"
|
||||
|
||||
local esp_dir
|
||||
if ! esp_dir="$(mount_image_esp "${image}")"; then
|
||||
if ! esp_dir="$(mount_image_esp "${loopdev}")"; then
|
||||
error "Could not mount EFI partition for updating legacy bootloader cfg."
|
||||
return 1
|
||||
elif [[ -z "${esp_dir}" ]]; then
|
||||
info "Not updating legacy bootloader configs: ${image}"
|
||||
info "Not updating legacy bootloader configs: ${loopdev}"
|
||||
return 0
|
||||
fi
|
||||
|
||||
@@ -1014,9 +1014,9 @@ sign_image_file() {
|
||||
local loopdev=$(loopback_partscan "${output}")
|
||||
local loop_kern="${loopdev}p${dm_partno}"
|
||||
|
||||
resign_firmware_payload "${output}"
|
||||
resign_android_image_if_exists "${output}"
|
||||
sign_uefi_binaries "${output}"
|
||||
resign_firmware_payload "${loopdev}"
|
||||
resign_android_image_if_exists "${loopdev}"
|
||||
sign_uefi_binaries "${loopdev}"
|
||||
# We do NOT strip /boot for factory installer, since some devices need it to
|
||||
# boot EFI. crbug.com/260512 would obsolete this requirement.
|
||||
#
|
||||
@@ -1038,7 +1038,7 @@ sign_image_file() {
|
||||
if [[ "${image_type}" == "recovery" ]]; then
|
||||
update_recovery_kernel_hash "${loopdev}"
|
||||
fi
|
||||
if ! update_legacy_bootloader "${output}" "${loop_kern}"; then
|
||||
if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then
|
||||
# Error is already logged.
|
||||
return 1
|
||||
fi
|
||||
|
||||