mod_image_for_recovery: add flag to decrypt stateful

When building the recovery image, add a flag file for triggering the
decryption of the stateful partition.

BUG=chromium-os:34199
TEST=parrot recovery

Change-Id: I43c6a8469d7fad1b9d5b85aae9aaf525b1588ed5
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/32597
Reviewed-by: Will Drewry <wad@chromium.org>
Commit-Ready: Will Drewry <wad@chromium.org>

mod_image_for_recovery.sh

@@ -45,6 +45,8 @@ DEFINE_string keys_dir "/usr/share/vboot/devkeys" \
   "directory containing the signing keys"
 DEFINE_boolean verbose $FLAGS_FALSE \
   "log all commands to stdout" v
+DEFINE_boolean decrypt_stateful $FLAGS_FALSE \
+  "request a decryption of the stateful partition (implies --nominimize_image)"
 
 # Parse command line
 FLAGS "$@" || exit 1
@@ -59,6 +61,12 @@ if [ $FLAGS_verbose -eq $FLAGS_TRUE ]; then
   set -x
 fi
 
+# We need space for copying decrypted files to the recovery image, so force
+# --nominimize_image when using --decrypt_stateful.
+if [ $FLAGS_decrypt_stateful -eq $FLAGS_TRUE ]; then
+  FLAGS_minimize_image=$FLAGS_FALSE
+fi
+
 # Load board options.
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 EMERGE_BOARD_CMD="emerge-$BOARD"
@@ -422,6 +430,16 @@ trap cleanup EXIT
 
 maybe_resize_stateful  # Also copies the image if needed.
 
+if [ $FLAGS_decrypt_stateful -eq $FLAGS_TRUE ]; then
+  stateful_mnt=$(mktemp -d)
+  offset=$(partoffset "${RECOVERY_IMAGE}" 1)
+  sudo mount -o loop,offset=$(( offset * 512 )) \
+    "${RECOVERY_IMAGE}" "${stateful_mnt}"
+  echo -n "1" | sudo tee "${stateful_mnt}"/decrypt_stateful >/dev/null
+  sudo umount "$stateful_mnt"
+  rmdir "$stateful_mnt"
+fi
+
 install_recovery_kernel
 
 okboat