signer: update legacy bootloader templates after image signing

Specifically, this patch updates 'root_hexdigest' in legacy bootloader templates in EFI system partition to match the signed rootfs. BRANCH=None BUG=chromium:512940 TEST=Ran sign_official_build.sh locally and booted the image on kvm (using BIOS). TEST=Ran signing_unittests.py by locally changing vboot_stable_hash to include this patch. $ ./sign_official_build.sh base chromiumos_base_image.bin \ ../../tests/devkeys chromiumos_base_image_signed.bin Change-Id: Ied021c4464b113a64508f5081605069bdcecbc1f Reviewed-on: https://chromium-review.googlesource.com/301742 Commit-Ready: Amey Deshpande <ameyd@google.com> Tested-by: Amey Deshpande <ameyd@google.com> Reviewed-by: Mike Frysinger <vapier@chromium.org>
2025-12-25 17:27:18 +00:00 · 2015-09-16 18:16:42 -07:00
parent 82db93d5fc
commit dabb158ad2
2 changed files with 81 additions and 11 deletions
--- a/scripts/image_signing/common_minimal.sh
+++ b/scripts/image_signing/common_minimal.sh
@@ -162,20 +162,18 @@ is_rootfs_partition() {
 # If the kernel is buggy and is unable to loop+mount quickly,
 # retry the operation a few times.
 # Args: IMAGE PARTNUM MOUNTDIRECTORY [ro]
+#
+# This function does not check whether the partition is allowed to be mounted as
+# RW.  Callers must ensure the partition can be mounted as RW before calling
+# this function without |ro| argument.
 _mount_image_partition_retry() {
  local image=$1
  local partnum=$2
  local mount_dir=$3
  local ro=$4
-  local offset=$(( $(partoffset "$image" "$partnum") * 512 ))
+  local offset=$(( $(partoffset "${image}" "${partnum}") * 512 ))
  local out try

-  if [ "$ro" != "ro" ]; then
-    # Forcibly call enable_rw_mount.  It should fail on unsupported
-    # filesystems and be idempotent on ext*.
-    enable_rw_mount "$image" ${offset} 2> /dev/null
-  fi
-
  set -- sudo LC_ALL=C mount -o loop,offset=${offset},${ro} \
    "${image}" "${mount_dir}"
  try=1
@@ -204,19 +202,38 @@ _mount_image_partition_retry() {
  return 1
 }

+# If called without 'ro', make sure the partition is allowed to be mounted as
+# 'rw' before actually mounting it.
+# Args: IMAGE PARTNUM MOUNTDIRECTORY [ro]
+_mount_image_partition() {
+  local image=$1
+  local partnum=$2
+  local mount_dir=$3
+  local ro=$4
+  local offset=$(( $(partoffset "${image}" "${partnum}") * 512 ))
+
+  if [ "$ro" != "ro" ]; then
+    # Forcibly call enable_rw_mount.  It should fail on unsupported
+    # filesystems and be idempotent on ext*.
+    enable_rw_mount "${image}" ${offset} 2> /dev/null
+  fi
+
+  _mount_image_partition_retry "$@"
+}
+
 # Mount a partition read-only from an image into a local directory
 # Args: IMAGE PARTNUM MOUNTDIRECTORY
 mount_image_partition_ro() {
-  _mount_image_partition_retry "$@" "ro"
+  _mount_image_partition "$@" "ro"
 }

 # Mount a partition from an image into a local directory
 # Args: IMAGE PARTNUM MOUNTDIRECTORY
 mount_image_partition() {
  local mount_dir=$3
-  _mount_image_partition_retry "$@"
-  if is_rootfs_partition "$mount_dir"; then
-    tag_as_needs_to_be_resigned "$mount_dir"
+  _mount_image_partition "$@"
+  if is_rootfs_partition "${mount_dir}"; then
+    tag_as_needs_to_be_resigned "${mount_dir}"
  fi
 }