diff --git a/build_image b/build_image index a1356b03f0..a9e6bcdaf8 100755 --- a/build_image +++ b/build_image @@ -41,10 +41,10 @@ DEFINE_string disk_layout "" \ "The disk layout type to use for this image." DEFINE_string group "${DEFAULT_GROUP}" \ "The update group." -DEFINE_boolean generate_update "${FLAGS_FALSE}" \ - "Generate update payload. (prod only)" DEFINE_boolean extract_update "${FLAGS_TRUE}" \ - "Extract the /usr partition for generating updates." + "Extract the /usr partition for generating updates. Only valid for the prod image." +DEFINE_boolean generate_update "${FLAGS_TRUE}" \ + "Generate update payload for testing. The update is signed with a dev key. The kernel is signed with a dev key (unofficial builds) or not at all (official builds). Only valid for the prod image. Implies --extract_update." DEFINE_string developer_data "" \ "Insert a custom cloudinit file into the image." DEFINE_string devcontainer_binhost "${DEFAULT_DEVCONTAINER_BINHOST}" \ @@ -139,6 +139,11 @@ fi # Create the output directory and temporary mount points. mkdir -p "${BUILD_DIR}" +# --generate_update implies --extract_update. +if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then + FLAGS_extract_update=${FLAGS_TRUE} +fi + DISK_LAYOUT="${FLAGS_disk_layout:-base}" CONTAINER_LAYOUT="${FLAGS_disk_layout:-container}" @@ -169,11 +174,12 @@ fi if [[ "${PROD_IMAGE}" -eq 1 ]]; then IMAGE_BUILD_TYPE="prod" create_prod_image ${FLATCAR_PRODUCTION_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group} ${FLAGS_base_pkg} ${FLAGS_base_sysexts} - if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then - generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" ${DISK_LAYOUT} - elif [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then + if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi + if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then + generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" + fi if [[ "${PROD_TAR}" -eq 1 ]]; then create_prod_tar ${FLATCAR_PRODUCTION_IMAGE_NAME} fi @@ -182,9 +188,7 @@ if [[ "${SYSEXT}" -eq 1 ]]; then create_prod_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}" fi -if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]] || \ - [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]] -then +if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then zip_update_tools fi diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 921e8ea8f3..0d94c49bcb 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -61,23 +61,32 @@ delete_prompt() { extract_update() { local image_name="$1" local disk_layout="$2" - local update_path="${BUILD_DIR}/${image_name%_image.bin}_update.bin" + local update="${BUILD_DIR}/${image_name%_image.bin}_update.bin" "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ - extract "${BUILD_DIR}/${image_name}" "USR-A" "${update_path}" + extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}" # Compress image - files_to_evaluate+=( "${update_path}" ) + files_to_evaluate+=( "${update}" ) compress_disk_images files_to_evaluate +} - # For production as well as dev builds we generate a dev-key-signed update - # payload for running tests (the signature won't be accepted by production systems). - local update_test="${BUILD_DIR}/flatcar_test_update.gz" +generate_update() { + local image_name="$1" + local disk_layout="$2" + local image_kernel="${BUILD_DIR}/${image_name%.bin}.vmlinuz" + local update="${BUILD_DIR}/${image_name%_image.bin}_update.bin" + local devkey="/usr/share/update_engine/update-payload-key.key.pem" + + # Extract the partition if it isn't extracted already. + [[ -s ${update} ]] || extract_update "${image_name}" "${disk_layout}" + + echo "Generating update payload, signed with a dev key" delta_generator \ - -private_key "/usr/share/update_engine/update-payload-key.key.pem" \ - -new_image "${update_path}" \ - -new_kernel "${BUILD_DIR}/${image_name%.bin}.vmlinuz" \ - -out_file "${update_test}" + -private_key "${devkey}" \ + -new_image "${update}" \ + -new_kernel "${image_kernel}" \ + -out_file "${BUILD_DIR}/flatcar_test_update.gz" } zip_update_tools() { @@ -86,34 +95,11 @@ zip_update_tools() { info "Generating update tools zip" # Make sure some vars this script needs are exported - export REPO_MANIFESTS_DIR SCRIPTS_DIR + local -x REPO_MANIFESTS_DIR SCRIPTS_DIR "${BUILD_LIBRARY_DIR}/generate_au_zip.py" \ --arch "$(get_sdk_arch)" --output-dir "${BUILD_DIR}" --zip-name "${update_zip}" } -generate_update() { - local image_name="$1" - local disk_layout="$2" - local image_kernel="${BUILD_DIR}/${image_name%.bin}.vmlinuz" - local update_prefix="${image_name%_image.bin}_update" - local update="${BUILD_DIR}/${update_prefix}" - local devkey="/usr/share/update_engine/update-payload-key.key.pem" - - echo "Generating update payload, signed with a dev key" - "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ - extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}.bin" - delta_generator \ - -private_key "${devkey}" \ - -new_image "${update}.bin" \ - -new_kernel "${image_kernel}" \ - -out_file "${update}.gz" - - # Compress image - declare -a files_to_evaluate - files_to_evaluate+=( "${update}.bin" ) - compress_disk_images files_to_evaluate -} - # ldconfig cannot generate caches for non-native arches. # Use qemu & the native ldconfig to work around that. # http://code.google.com/p/chromium/issues/detail?id=378377 @@ -805,10 +791,12 @@ EOF seek=${verity_offset} count=64 bs=1 status=none fi - # Sign the kernel after /usr is in a consistent state and verity is calculated - [[ ${COREOS_OFFICIAL:-0} -ne 1 ]] && \ - do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,} - cleanup_sbsign_certs + # Sign the kernel after /usr is in a consistent state and verity is + # calculated. Only for unofficial builds as official builds get signed later. + if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then + do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,} + cleanup_sbsign_certs + fi if [[ -n "${image_kernel}" ]]; then # copying kernel from vfat so ignore the permissions @@ -894,3 +882,67 @@ EOF cleanup_mounts "${root_fs_dir}" trap - EXIT } + +sbsign_image() { + local image_name="$1" + local disk_layout="$2" + local root_fs_dir="$3" + local image_kernel="$4" + local pcr_policy="$5" + local image_grub="$6" + + local disk_img="${BUILD_DIR}/${image_name}" + local EFI_ARCH + + case "${BOARD}" in + amd64-usr) EFI_ARCH="x64" ;; + arm64-usr) EFI_ARCH="aa64" ;; + *) die "Unknown board ${BOARD@Q}" ;; + esac + + "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ + mount "${disk_img}" "${root_fs_dir}" + trap "cleanup_mounts '${root_fs_dir}'; cleanup_sbsign_certs" EXIT + + # Sign the kernel with the shim-embedded key. + do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,} + + if [[ -n "${image_kernel}" ]]; then + # copying kernel from vfat so ignore the permissions + cp --no-preserve=mode \ + "${root_fs_dir}/boot/flatcar/vmlinuz-a" \ + "${BUILD_DIR}/${image_kernel}" + fi + + # Sign GRUB and mokmanager(mm) with the shim-embedded key. + do_sbsign --output "${root_fs_dir}/boot/EFI/boot/grub${EFI_ARCH}.efi"{,} + do_sbsign --output "${root_fs_dir}/boot/EFI/boot/mm${EFI_ARCH}.efi"{,} + + # copying from vfat so ignore permissions + if [[ -n "${image_grub}" ]]; then + cp --no-preserve=mode "${root_fs_dir}/boot/EFI/boot/grub${EFI_ARCH}.efi" \ + "${BUILD_DIR}/${image_grub}" + fi + + if [[ -n "${pcr_policy}" ]]; then + mkdir -p "${BUILD_DIR}/pcrs" + "${BUILD_LIBRARY_DIR}"/generate_kernel_hash.py \ + "${root_fs_dir}/boot/flatcar/vmlinuz-a" "${FLATCAR_VERSION}" \ + >"${BUILD_DIR}/pcrs/kernel.config" + fi + + cleanup_mounts "${root_fs_dir}" + cleanup_sbsign_certs + trap - EXIT + + if [[ -n "${pcr_policy}" ]]; then + "${BUILD_LIBRARY_DIR}"/generate_grub_hashes.py \ + "${disk_img}" /usr/lib/grub/ "${BUILD_DIR}/pcrs" "${FLATCAR_VERSION}" + + info "Generating $pcr_policy" + pushd "${BUILD_DIR}" >/dev/null + zip --quiet -r -9 "${BUILD_DIR}/${pcr_policy}" pcrs + popd >/dev/null + rm -rf "${BUILD_DIR}/pcrs" + fi +} diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index 840dbdd029..43dfd606e7 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh @@ -205,7 +205,7 @@ case "${FLAGS_target}" in --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \ "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi" else - # Official build: Copy the unsigned files. + # Official build: Copy signed shim and mm for signing later. sudo cp "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi" \ "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi" sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi" \ diff --git a/build_library/modify_image_util.sh b/build_library/modify_image_util.sh deleted file mode 100755 index 9099b02e10..0000000000 --- a/build_library/modify_image_util.sh +++ /dev/null @@ -1,100 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2014 The CoreOS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -# Shell library for modifying an image built with build_image. - -start_modify_image() { - # Default to the most recent image - if [[ -z "${FLAGS_from}" ]] ; then - FLAGS_from="$(${SCRIPT_ROOT}/get_latest_image.sh --board=${FLAGS_board})" - else - FLAGS_from="$(readlink -f "${FLAGS_from}")" - fi - - local src_image="${FLAGS_from}/${FLATCAR_PRODUCTION_IMAGE_NAME}" - if [[ ! -f "${src_image}" ]]; then - die_notrace "Source image does not exist: ${src_image}" - fi - - # Source should include version.txt, switch to its version information - if [[ ! -f "${FLAGS_from}/version.txt" ]]; then - die_notrace "Source version info does not exist: ${FLAGS_from}/version.txt" - fi - source "${FLAGS_from}/version.txt" - FLATCAR_VERSION_STRING="${FLATCAR_VERSION}" - - # Load after version.txt to set the correct output paths - . "${BUILD_LIBRARY_DIR}/toolchain_util.sh" - . "${BUILD_LIBRARY_DIR}/board_options.sh" - . "${BUILD_LIBRARY_DIR}/build_image_util.sh" - - # Handle existing directory. - if [[ -e "${BUILD_DIR}" ]]; then - if [[ ${FLAGS_replace} -eq ${FLAGS_TRUE} ]]; then - sudo rm -rf "${BUILD_DIR}" - else - error "Directory ${BUILD_DIR} already exists." - error "Use --build_attempt option to specify an unused attempt." - error "Or use --replace if you want to overwrite this directory." - die "Unwilling to overwrite ${BUILD_DIR}." - fi - fi - - # Create the output directory and temporary mount points. - DST_IMAGE="${BUILD_DIR}/${FLATCAR_PRODUCTION_IMAGE_NAME}" - ROOT_FS_DIR="${BUILD_DIR}/rootfs" - mkdir -p "${ROOT_FS_DIR}" - - info "Copying from ${FLAGS_from}" - cp "${src_image}" "${DST_IMAGE}" - - # Copy all extra useful things, these do not need to be modified. - local update_prefix="${FLATCAR_PRODUCTION_IMAGE_NAME%_image.bin}_update" - local production_prefix="${FLATCAR_PRODUCTION_IMAGE_NAME%.bin}" - local container_prefix="${FLATCAR_DEVELOPER_CONTAINER_NAME%.bin}" - local pcr_data="${FLATCAR_PRODUCTION_IMAGE_NAME%.bin}_pcr_policy.zip" - EXTRA_FILES=( - "version.txt" - "${update_prefix}.bin" - "${update_prefix}.zip" - "${pcr_data}" - "${production_prefix}_contents.txt" - "${production_prefix}_packages.txt" - "${production_prefix}_kernel_config.txt" - "${FLATCAR_DEVELOPER_CONTAINER_NAME}" - "${container_prefix}_contents.txt" - "${container_prefix}_packages.txt" - ) - for filename in "${EXTRA_FILES[@]}"; do - if [[ -e "${FLAGS_from}/${filename}" ]]; then - cp "${FLAGS_from}/${filename}" "${BUILD_DIR}/${filename}" - fi - done - - "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${FLAGS_disk_layout}" \ - mount "${DST_IMAGE}" "${ROOT_FS_DIR}" - trap "cleanup_mounts '${ROOT_FS_DIR}'" EXIT -} - -finish_modify_image() { - cleanup_mounts "${ROOT_FS_DIR}" - trap - EXIT - - - declare -a files_to_evaluate - files_to_evaluate+=( "${DST_IMAGE}" ) - compress_disk_images files_to_evaluate - - set_build_symlinks "${FLAGS_group}-latest" - - info "Done. Updated image is in ${BUILD_DIR}" - cat << EOF -To convert it to a virtual machine image, use: - ./image_to_vm.sh --from=${OUTSIDE_OUTPUT_DIR} --board=${BOARD} - -The default type is qemu, see ./image_to_vm.sh --help for other options. -EOF -} diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh index 561766aa21..291795ee8c 100755 --- a/build_library/prod_image_util.sh +++ b/build_library/prod_image_util.sh @@ -180,6 +180,15 @@ EOF "${image_initrd_contents_wtd}" \ "${image_disk_usage}" + # Official builds will sign and upload these files later, so remove them to + # prevent them from being uploaded now. + if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then + rm -v \ + "${BUILD_DIR}/${image_kernel}" \ + "${BUILD_DIR}/${image_pcr_policy}" \ + "${BUILD_DIR}/${image_grub}" + fi + local files_to_evaluate=( "${BUILD_DIR}/${image_name}" ) compress_disk_images files_to_evaluate } @@ -225,3 +234,26 @@ create_prod_sysexts() { -out_file "${BUILD_DIR}/flatcar_test_update-${name}.gz" done } + +sbsign_prod_image() { + local image_name="$1" + local disk_layout="$2" + + info "Signing production image ${image_name} for Secure Boot" + local root_fs_dir="${BUILD_DIR}/rootfs" + local image_prefix="${image_name%.bin}" + local image_kernel="${image_prefix}.vmlinuz" + local image_pcr_policy="${image_prefix}_pcr_policy.zip" + local image_grub="${image_prefix}.grub" + + sbsign_image \ + "${image_name}" \ + "${disk_layout}" \ + "${root_fs_dir}" \ + "${image_kernel}" \ + "${image_pcr_policy}" \ + "${image_grub}" + + local files_to_evaluate=( "${BUILD_DIR}/${image_name}" ) + compress_disk_images files_to_evaluate +} diff --git a/ci-automation/sbsign_image.sh b/ci-automation/sbsign_image.sh new file mode 100644 index 0000000000..fe3053e7fd --- /dev/null +++ b/ci-automation/sbsign_image.sh @@ -0,0 +1,97 @@ +#!/bin/bash +# +# Copyright (c) 2024 The Flatcar Maintainers. +# Use of this source code is governed by the Apache 2.0 license. + +# >>> This file is supposed to be SOURCED from the repository ROOT. <<< +# +# sbsign_image() should be called w/ the positional INPUT parameters below. + +# Secure Boot image signing build automation stub. +# This script will sign an existing OS image for Secure Boot. +# +# PREREQUISITES: +# +# 1. SDK version and OS image version are recorded in sdk_container/.repo/manifests/version.txt +# 2. Scripts repo version tag of OS image version to be built is available and checked out. +# 3. The generic Flatcar image must be present in build cache server. +# +# INPUT: +# +# 1. Architecture (ARCH) of the TARGET vm images ("arm64", "amd64"). +# +# OPTIONAL INPUT: +# +# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key. +# Defaults to nothing if not set - in such case, artifacts will not be signed. +# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored. +# +# 2. SIGNING_KEY. Environment variable. The artifact signing key. +# Defaults to nothing if not set - in such case, artifacts will not be signed. +# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored. +# +# 3. A file ../scripts.patch to apply with "git am -3" for the scripts repo. +# +# OUTPUT: +# +# 1. OS image and related artifacts signed for Secure Boot pushed to buildcache. +# 2. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache. +# 3. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache. + +function sbsign_image() { + # Run a subshell, so the traps, environment changes and global + # variables are not spilled into the caller. + ( + set -euo pipefail + + _sbsign_image_impl "${@}" + ) +} +# -- + +function _sbsign_image_impl() { + local arch="$1" + + source sdk_lib/sdk_container_common.sh + local channel="" + channel="$(get_git_channel)" + source ci-automation/ci_automation_common.sh + source ci-automation/gpg_setup.sh + source sdk_container/.repo/manifests/version.txt + + if is_official "${FLATCAR_VERSION}"; then + export COREOS_OFFICIAL=1 + else + export COREOS_OFFICIAL=0 + fi + + apply_local_patches + + local images_remote="images/${arch}/${FLATCAR_VERSION}" + local images_local="__build__/images/images/${arch}-usr/${channel}-${FLATCAR_VERSION}" + + copy_from_buildcache "${images_remote}/flatcar_production_image.bin.bz2" "${images_local}" + lbunzip2 --force "${images_local}/flatcar_production_image.bin.bz2" + + # Get SDK from either the registry or import from build cache + # This is a NOP if the image is present locally. + local sdk_name="flatcar-sdk-${arch}" + local docker_sdk_vernum="$(vernum_to_docker_image_version "${FLATCAR_SDK_VERSION}")" + + docker_image_from_registry_or_buildcache "${sdk_name}" "${docker_sdk_vernum}" + local sdk_image="$(docker_image_fullname "${sdk_name}" "${docker_sdk_vernum}")" + echo "docker image rm -f '${sdk_image}'" >> ./ci-cleanup.sh + + ./run_sdk_container -x ./ci-cleanup.sh -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \ + ./sbsign_image --board="${arch}-usr" \ + --group="${channel}" --version="${FLATCAR_VERSION}" \ + --output_root="${CONTAINER_IMAGE_ROOT}" \ + --only_store_compressed + + # Delete uncompressed generic image before signing and upload + rm "${images_local}/flatcar_production_image.bin" + create_digests "${SIGNER}" "${images_local}"/* + sign_artifacts "${SIGNER}" "${images_local}"/* + copy_to_buildcache "${images_remote}"/ "${images_local}"/* +} +# -- diff --git a/image_inject_bootchain b/image_inject_bootchain deleted file mode 100755 index 45f115aba3..0000000000 --- a/image_inject_bootchain +++ /dev/null @@ -1,99 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2014 The CoreOS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -SCRIPT_ROOT=$(dirname "$(readlink -f "$0")") -. "${SCRIPT_ROOT}/common.sh" || exit 1 - -# Script must run inside the chroot -assert_inside_chroot - -assert_not_root_user - -DEFAULT_GROUP=developer - -# Flags -DEFINE_string kernel_path "" \ - "Path to the kernel to inject." -DEFINE_string efi_grub_path "" \ - "Path to the EFI GRUB image to inject." -DEFINE_string shim_path "" \ - "Path to the shim image to inject." -DEFINE_string group "${DEFAULT_GROUP}" \ - "The update group." -DEFINE_string board "${DEFAULT_BOARD}" \ - "Board for which the image was built" -DEFINE_string disk_layout "base" \ - "The disk layout type to use for this image." -DEFINE_string from "" \ - "Directory containing ${FLATCAR_PRODUCTION_IMAGE_NAME}" -DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \ - "Directory in which to place image result directories (named by version)" -DEFINE_boolean replace ${FLAGS_FALSE} \ - "Overwrite existing output, if any." - -# include upload options -. "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1 - -show_help_if_requested "$@" - -# Usually unneeded, so just leave this option hidden. -DEFINE_integer build_attempt 1 \ - "The build attempt for this image build." - -# Parse command line -FLAGS "$@" || exit 1 -eval set -- "${FLAGS_ARGV}" - -# Die on any errors. -switch_to_strict_mode - -if [[ -z "${FLAGS_kernel_path}" && -z "${FLAGS_efi_grub_path}" && - -z "${FLAGS_shim_path}" ]]; then - die_notrace "Specify at least one of --kernel_path, --efi_grub_path, --shim_path" -fi - -. "${BUILD_LIBRARY_DIR}/modify_image_util.sh" - -do_copy() { - local src="$1" - local dst="$2" - - if [[ ! -f "${ROOT_FS_DIR}/${dst}" ]]; then - # We should only be overwriting existing files. - die "${dst} doesn't exist in image; refusing to create it" - fi - info "Replacing ${dst}" - sudo cp "${src}" "${ROOT_FS_DIR}/${dst}" -} - -start_modify_image - -if [[ -n "${FLAGS_kernel_path}" ]]; then - do_copy "${FLAGS_kernel_path}" "/boot/flatcar/vmlinuz-a" -fi - -# FIXME(bgilbert): no shim on arm64 -if [[ -n "${FLAGS_efi_grub_path}" ]]; then - case "${BOARD}" in - amd64-usr) image_name="grub.efi" ;; - arm64-usr) image_name="bootaa64.efi" ;; - *) die "GRUB filename not known for this board" ;; - esac - - do_copy "${FLAGS_efi_grub_path}" "/boot/EFI/boot/${image_name}" -fi - -if [[ -n "${FLAGS_shim_path}" ]]; then - case "${BOARD}" in - amd64-usr) image_name="bootx64.efi" ;; - *) die "Shim filename not known for this board" ;; - esac - - do_copy "${FLAGS_shim_path}" "/boot/EFI/boot/${image_name}" -fi - -finish_modify_image -command_completed diff --git a/image_set_group b/image_set_group deleted file mode 100755 index a034167b11..0000000000 --- a/image_set_group +++ /dev/null @@ -1,64 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2014 The CoreOS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -SCRIPT_ROOT=$(dirname "$(readlink -f "$0")") -. "${SCRIPT_ROOT}/common.sh" || exit 1 - -# Script must run inside the chroot -assert_inside_chroot - -assert_not_root_user - -# Flags -DEFINE_string group "" \ - "The update group, required." -DEFINE_string board "${DEFAULT_BOARD}" \ - "Board for which the image was built" -DEFINE_string disk_layout "base" \ - "The disk layout type to use for this image." -DEFINE_string from "" \ - "Directory containing ${FLATCAR_PRODUCTION_IMAGE_NAME}" -DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \ - "Directory in which to place image result directories (named by version)" -DEFINE_boolean replace ${FLAGS_FALSE} \ - "Overwrite existing output, if any." - -# include upload options -. "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1 - -show_help_if_requested "$@" - -# Usually unneded, so just leave this option hidden. -DEFINE_integer build_attempt 1 \ - "The build attempt for this image build." - -# Parse command line -FLAGS "$@" || exit 1 -eval set -- "${FLAGS_ARGV}" - -# Die on any errors. -switch_to_strict_mode - -if [[ -z "${FLAGS_board}" ]] ; then - die_notrace "--board is required." -fi - -if [[ -z "${FLAGS_group}" ]] ; then - die_notrace "--group is required." -fi - -. "${BUILD_LIBRARY_DIR}/modify_image_util.sh" - -start_modify_image - -info "Replacing /etc/flatcar/update.conf" -sudo mkdir -p "${ROOT_FS_DIR}/etc/flatcar" -sudo_clobber "${ROOT_FS_DIR}/etc/flatcar/update.conf" <