From f73cbac8db9b056690cb89cfe522dc8dd7f29635 Mon Sep 17 00:00:00 2001
From: Brandon Philips
Date: Sat, 20 Jul 2013 16:24:13 -0700
Subject: [PATCH 1/2] feat(build_image): install the au-key

Install the developer au key on production images. This will need to change when we have the production key.
---
 bin/cros_make_image_bootable | 13 +++++++++++++
 build_image | 8 ++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/bin/cros_make_image_bootable b/bin/cros_make_image_bootable
index 70d42c4c8f..bde3c549d4 100755
--- a/bin/cros_make_image_bootable
+++ b/bin/cros_make_image_bootable
@@ -107,6 +107,9 @@ DEFINE_string verity_salt "" \
 DEFINE_string keys_dir "/usr/share/vboot/devkeys" \
 "Directory containing the signing keys."
+DEFINE_string au_key "" \
+ "Filename of the au_key to install"
+
 DEFINE_string rootfs_mountpoint "/tmp/rootfs" \
 "Path where the rootfs can be safely mounted"
 DEFINE_string statefulfs_mountpoint "/tmp/statefulfs" \
@@ -182,6 +185,16 @@ make_image_bootable() {
 legacy_offset_size_export ${image}
+
+ # Install an auto update key on the root before sealing it off
+ if [ ! -z "${FLAGS_au_key}" ]; then
+ local key_location=${FLAGS_rootfs_mountpoint}"/usr/share/update_engine/"
+ sudo cp "${FLAGS_au_key}" "$key_location/update-payload-key.pub.pem"
+ sudo chown root:root "$key_location/update-payload-key.pub.pem"
+ sudo chmod 644 "$key_location/update-payload-key.pub.pem"
+ echo "AU verification key was installed. Do not forget to resign the image!"
+ fi
+
 # The rootfs should never be mounted rw again after this point without
 # re-calling make_image_bootable.
 sudo mount -o remount,ro "${FLAGS_rootfs_mountpoint}"
diff --git a/build_image b/build_image
index 88b03d0b2b..9e340410fe 100755
--- a/build_image
+++ b/build_image
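Review bot: In the key-install block added to make_image_bootable in bin/cros_make_image_bootable, the "AU verification key was installed" message is printed whether or not the three `sudo` commands succeeded. Nothing visible in the hunk checks that `${FLAGS_au_key}` is readable or that the `cp` worked, so unless the script runs under `set -e` (not shown here) the rootfs could be sealed without the update-payload verification key, or with a stale one, while the log claims otherwise. One checked step would close that gap and set owner and mode in the same operation: `sudo install -o root -g root -m 644 -- "${FLAGS_au_key}" "$key_location/update-payload-key.pub.pem" || return 1` (or the script's own failure helper in place of `return 1`). `[ -n "${FLAGS_au_key}" ]` is the more usual spelling of the `[ ! -z ... ]` test. The function body starts and ends outside the hunk.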
@@ -168,8 +168,12 @@ fi
 if should_build_image ${COREOS_PRODUCTION_IMAGE_NAME}; then
 copy_image ${CHROMEOS_BASE_IMAGE_NAME} ${COREOS_PRODUCTION_IMAGE_NAME}
- ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${BUILD_DIR}" \
- ${COREOS_PRODUCTION_IMAGE_NAME}
+
+ ${SCRIPTS_DIR}/bin/cros_make_image_bootable \
+ "${BUILD_DIR}" \
+ ${COREOS_PRODUCTION_IMAGE_NAME} \
+ --au_key=${SRC_ROOT}/third_party/coreos-overlay/coreos-base/coreos-au-key/files/update-payload-key.pub.pem
+
 upload_image "${BUILD_DIR}/${COREOS_PRODUCTION_IMAGE_NAME}"
 fi

From 33e9017478ebe3181ca5d882ad44ef779a6ef563 Mon Sep 17 00:00:00 2001
From: Brandon Philips
Date: Sat, 20 Jul 2013 16:25:01 -0700
Subject: [PATCH 2/2] fix(cros_make_image_bootable): no more bootkernel

the bootkernel is going away and we will just have a single kernel for all of the things. This is because of the kxec on xen problem.
---
 bin/cros_make_image_bootable | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bin/cros_make_image_bootable b/bin/cros_make_image_bootable
index bde3c549d4..386ef38604 100755
--- a/bin/cros_make_image_bootable
+++ b/bin/cros_make_image_bootable
@@ -240,12 +240,13 @@ make_image_bootable() {
 esp_size=$((esp_size * 512)) # sectors to bytes
 local bootloader_to_flags="--to_offset=${esp_offset} --to_size=${esp_size}"
- # Update partition 12
+ # Update ESP partition
+ # NOTE: Boot kernel is identical to regular kernel for now
 ${SCRIPTS_DIR}/update_bootloaders.sh \
 --arch=${FLAGS_arch} \
 --to="${bootloader_to}" \
 --from="${FLAGS_rootfs_mountpoint}"/boot \
- --vmlinuz_boot_kernel="${FLAGS_rootfs_mountpoint}"/boot/vmlinuz-boot_kernel \
+ --vmlinuz_boot_kernel="${FLAGS_rootfs_mountpoint}"/boot/vmlinuz \
 --vmlinuz="${FLAGS_rootfs_mountpoint}"/boot/vmlinuz \
 ${bootloader_to_flags}
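Review bot: In the build_image hunk, the production image gets the developer key under `coreos-au-key/files/` as its update trust anchor, and only the commit message records that this is temporary; the code itself carries no marker. Until the key is replaced, anyone holding the matching developer private key can presumably sign payloads these images will accept, so a comment above the call such as `# TODO: switch --au_key to the production key before shipping production images` would keep that visible to the next reader. The `--au_key=${SRC_ROOT}/...` argument is also unquoted and would word-split if SRC_ROOT ever contained whitespace; `"--au_key=${SRC_ROOT}/third_party/coreos-overlay/coreos-base/coreos-au-key/files/update-payload-key.pub.pem"` avoids that.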