mod_image_for_recovery: add flag to decrypt stateful

When building the recovery image, add a flag file for triggering the decryption of the stateful partition. BUG=chromium-os:34199 TEST=parrot recovery Change-Id: I43c6a8469d7fad1b9d5b85aae9aaf525b1588ed5 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/32597 Reviewed-by: Will Drewry <wad@chromium.org> Commit-Ready: Will Drewry <wad@chromium.org>
2025-08-10 06:26:57 +02:00 · 2012-09-07 13:15:55 -07:00 · 2012-09-07 13:15:55 -07:00 · 0f2cfe6b9d
commit 0f2cfe6b9d
parent 5b2c7e934c
1 changed files with 18 additions and 0 deletions
--- a/mod_image_for_recovery.sh
+++ b/mod_image_for_recovery.sh
@ -45,6 +45,8 @@ DEFINE_string keys_dir "/usr/share/vboot/devkeys" \
  "directory containing the signing keys"
 DEFINE_boolean verbose $FLAGS_FALSE \
  "log all commands to stdout" v
+DEFINE_boolean decrypt_stateful $FLAGS_FALSE \
+  "request a decryption of the stateful partition (implies --nominimize_image)"

 # Parse command line
 FLAGS "$@" || exit 1
@ -59,6 +61,12 @@ if [ $FLAGS_verbose -eq $FLAGS_TRUE ]; then
  set -x
 fi

+# We need space for copying decrypted files to the recovery image, so force
+# --nominimize_image when using --decrypt_stateful.
+if [ $FLAGS_decrypt_stateful -eq $FLAGS_TRUE ]; then
+  FLAGS_minimize_image=$FLAGS_FALSE
+fi
+
 # Load board options.
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 EMERGE_BOARD_CMD="emerge-$BOARD"
@ -422,6 +430,16 @@ trap cleanup EXIT

 maybe_resize_stateful  # Also copies the image if needed.

+if [ $FLAGS_decrypt_stateful -eq $FLAGS_TRUE ]; then
+  stateful_mnt=$(mktemp -d)
+  offset=$(partoffset "${RECOVERY_IMAGE}" 1)
+  sudo mount -o loop,offset=$(( offset * 512 )) \
+    "${RECOVERY_IMAGE}" "${stateful_mnt}"
+  echo -n "1" | sudo tee "${stateful_mnt}"/decrypt_stateful >/dev/null
+  sudo umount "$stateful_mnt"
+  rmdir "$stateful_mnt"
+fi
+
 install_recovery_kernel

 okboat