diff --git a/bin/cros_make_image_bootable b/bin/cros_make_image_bootable
deleted file mode 100755
index b5dd669f57..0000000000
--- a/bin/cros_make_image_bootable
+++ /dev/null
@@ -1,186 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2010 The Chromium OS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. -# -# Script which ensures that a given image has an up-to-date -# kernel partition, rootfs integrity hashes, and legacy bootloader configs. - -# --- BEGIN COMMON.SH BOILERPLATE --- -# Load common CrOS utilities. Inside the chroot this file is installed in -# /usr/lib/crosutils. Outside the chroot we find it relative to the script's -# location. -find_common_sh() { - local common_paths=("$(dirname "$(readlink -f "$0")")/.." /usr/lib/crosutils) - local path - - SCRIPT_ROOT="${common_paths[0]}" - for path in "${common_paths[@]}"; do - if [ -r "${path}/common.sh" ]; then - SCRIPT_ROOT="${path}" - break - fi - done -} - -find_common_sh -. "${SCRIPT_ROOT}/common.sh" || exit 1 -# --- END COMMON.SH BOILERPLATE --- - -# Need to be inside the chroot to load chromeos-common.sh -assert_inside_chroot - -# Load functions and constants for chromeos-install -. /usr/lib/installer/chromeos-common.sh || exit 1 -. "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1 -. "${BUILD_LIBRARY_DIR}/build_image_util.sh" || exit 1 - -switch_to_strict_mode - -if [ $# -lt 2 ]; then - echo "Usage: ${0} /PATH/TO/IMAGE IMAGE.BIN [shflags overrides]" - exit 1 -fi - -IMAGE_DIR="$(readlink -f "${1}")" -BOOT_DESC_FILE="${IMAGE_DIR}/boot.desc" -IMAGE="${IMAGE_DIR}/${2}" -shift -shift -FLAG_OVERRIDES="${@}" - -if [ ! -r "${BOOT_DESC_FILE}" ]; then - warn "${BOOT_DESC_FILE} cannot be read!" - warn "Falling back to command line parsing" - BOOT_DESC="${@}" -else - BOOT_DESC="$(cat ${BOOT_DESC_FILE} | tr -s '\n' ' ')" - info "Boot-time configuration for $(dirname "${IMAGE}"): " - cat ${BOOT_DESC_FILE} | while read line; do - info " ${line}" - done -fi - -if [ ! -r "${IMAGE}" ]; then - die "${IMAGE} cannot be read!" 
-fi - - -locate_gpt -set +e - -# Now parse the build settings from ${OUTPUT_DIR}/boot.desc -DEFINE_string board "${DEFAULT_BOARD}" \ - "Board we're building for." -DEFINE_string image "coreos_base.img" \ - "Full path to the coreos image to make bootable." -DEFINE_string arch "x86" \ - "Architecture to make bootable for: arm, x86, or amd64" -DEFINE_string disk_layout "base" \ - "The disk layout type to use for this image." -DEFINE_boolean enable_rootfs_verification ${FLAGS_FALSE} \ - "Default all bootloaders to NOT use kernel-based root fs integrity checking." -DEFINE_string au_key "" \ - "Filename of the au_key to install" -DEFINE_string production_track "" \ - "Use production values and a given track for update service." -DEFINE_boolean fsck_rootfs ${FLAGS_FALSE} \ - "Check integrity of the rootfs on the modified image." - - -# Parse the boot.desc and any overrides -eval set -- "${BOOT_DESC} ${FLAG_OVERRIDES}" -FLAGS "${@}" || exit 1 - -. "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1 - -# Only now can we die on error. shflags functions leak non-zero error codes, -# so will die prematurely if 'switch_to_strict_mode' is specified before now. -switch_to_strict_mode -u - -mount_gpt_cleanup() { - "${BUILD_LIBRARY_DIR}/disk_util" umount "${rootfs_mountpoint}" || true -} - -make_image_bootable() { - local image="$1" - - # Default to non-verified - local enable_rootfs_verification_flag=--noenable_rootfs_verification - if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then - enable_rootfs_verification_flag=--enable_rootfs_verification - fi - - "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${FLAGS_disk_layout}" \ - mount "${image}" "${rootfs_mountpoint}" - trap "mount_gpt_cleanup" EXIT - - if [ -n "${FLAGS_production_track}" ]; then - # Replace /etc/lsb-release on the image. 
- "${BUILD_LIBRARY_DIR}/set_lsb_release" \ - --production_track="${FLAGS_production_track}" \ - --root="${rootfs_mountpoint}" \ - --board="${BOARD}" - fi - - # Install an auto update key on the root before sealing it off - if [ ! -z "${FLAGS_au_key}" ]; then - local key_location=${rootfs_mountpoint}"/usr/share/update_engine/" - sudo mkdir -p "${key_location}" - sudo cp "${FLAGS_au_key}" "$key_location/update-payload-key.pub.pem" - sudo chown root:root "$key_location/update-payload-key.pub.pem" - sudo chmod 644 "$key_location/update-payload-key.pub.pem" - echo "AU verification key was installed. Do not forget to resign the image!" - fi - - # The rootfs should never be mounted rw again after this point without - # re-calling make_image_bootable. - sudo mount -o remount,ro "${rootfs_mountpoint}" - # Newer `mount` will decode the filename backing the loop device, - # so we need to dig deeper and find the answer ourselves. - root_dev=$(awk -v mnt="${rootfs_mountpoint}" \ - '$2 == mnt { print $1 }' /proc/mounts) - - # Make the filesystem un-mountable as read-write. - # TODO(wad) make sure there is parity in the signing scripts. - if [ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]; then - # TODO(wad) this would be a good place to reset any other ext2 metadata. - warn "Disabling r/w mount of the root filesystem" - disable_rw_mount "$root_dev" - fi - - trap - EXIT - "${BUILD_LIBRARY_DIR}/disk_util" umount "${rootfs_mountpoint}" -} - -verify_image_rootfs() { - local image=$1 - local rootfs_offset="$(partoffset ${image} 3)" - - local rootfs_tmp_file=$(mktemp) - trap "rm ${rootfs_tmp_file}" EXIT - sudo dd if="${image}" of="${rootfs_tmp_file}" bs=512 skip="${rootfs_offset}" \ - status=none - - # This flips the read-only compatibility flag, so that - # e2fsck does not complain about unknown file system capabilities. 
- enable_rw_mount "${rootfs_tmp_file}" - info "Running e2fsck to check root file system for errors" - sudo e2fsck -fn "${rootfs_tmp_file}" || - die "Root file system has errors, please ensure boot.desc and/or \ -command line parameters are correct" -} - -# Store output and temporary files next to image. -rootfs_mountpoint="${IMAGE_DIR}/rootfs_dir" - -# Create the directories if they don't exist. -mkdir -p ${rootfs_mountpoint} - -make_image_bootable "${IMAGE}" -if [ ${FLAGS_fsck_rootfs} -eq ${FLAGS_TRUE} ]; then - verify_image_rootfs "${IMAGE}" -fi - -rmdir ${rootfs_mountpoint} diff --git a/build_image b/build_image index a69e5315d0..5b3554056f 100755 --- a/build_image +++ b/build_image @@ -76,6 +76,7 @@ check_gsutil_opts . "${BUILD_LIBRARY_DIR}/disk_layout_util.sh" || exit 1 . "${BUILD_LIBRARY_DIR}/build_image_util.sh" || exit 1 . "${BUILD_LIBRARY_DIR}/base_image_util.sh" || exit 1 +. "${BUILD_LIBRARY_DIR}/prod_image_util.sh" || exit 1 . "${BUILD_LIBRARY_DIR}/dev_image_util.sh" || exit 1 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1 @@ -145,12 +146,8 @@ fi if should_build_image ${COREOS_PRODUCTION_IMAGE_NAME}; then copy_image ${CHROMEOS_BASE_IMAGE_NAME} ${COREOS_PRODUCTION_IMAGE_NAME} - ${SCRIPTS_DIR}/bin/cros_make_image_bootable \ - "${BUILD_DIR}" \ - ${COREOS_PRODUCTION_IMAGE_NAME} \ - --production_track="dev-channel" \ - --disk_layout="${FLAGS_disk_layout}" \ - --au_key=${SRC_ROOT}/third_party/coreos-overlay/coreos-base/coreos-au-key/files/update-payload-key.pub.pem + setup_prod_image ${COREOS_PRODUCTION_IMAGE_NAME} "dev-channel" \ + ${SRC_ROOT}/third_party/coreos-overlay/coreos-base/coreos-au-key/files/update-payload-key.pub.pem upload_image "${BUILD_DIR}/${COREOS_PRODUCTION_IMAGE_NAME}" fi diff --git a/build_library/base_image_util.sh b/build_library/base_image_util.sh index 7b9206410b..2d3c27191a 100755 --- a/build_library/base_image_util.sh +++ b/build_library/base_image_util.sh 
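Review bot: In the second build_image hunk, the arguments to the new `setup_prod_image` call are passed unquoted, so an image name or `SRC_ROOT` containing whitespace or glob characters would be split before the function reads `$1`–`$3`, and the path that reaches `sudo cp` for the update key would be wrong. Quote the first argument as `"${COREOS_PRODUCTION_IMAGE_NAME}"` and wrap the whole `${SRC_ROOT}/third_party/coreos-overlay/coreos-base/coreos-au-key/files/update-payload-key.pub.pem` argument in double quotes. The call also no longer passes `--disk_layout`; the function instead reads `FLAGS_disk_layout` from the caller's scope, which deserves a short comment at the call site such as `# setup_prod_image reads FLAGS_disk_layout from this scope`.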
@@ -51,11 +51,6 @@ create_base_image() { --root="${root_fs_dir}" \ --board="${BOARD}" - # Create the boot.desc file which stores the build-time configuration - # information needed for making the image bootable after creation with - # cros_make_image_bootable. - create_boot_desc - ${BUILD_LIBRARY_DIR}/create_legacy_bootloader_templates.sh \ --arch=${ARCH} \ --boot_dir="${root_fs_dir}"/boot \ @@ -75,9 +70,5 @@ create_base_image() { # Emit helpful scripts for testers, etc. emit_gpt_scripts "${BUILD_DIR}/${image_name}" "${BUILD_DIR}" - ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${BUILD_DIR}" \ - "${image_name}" --disk_layout="${disk_layout}" \ - --noenable_rootfs_verification - trap - EXIT } diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index a3e8746277..517b3b4f0b 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -80,19 +80,6 @@ make_salt() { xxd -l 32 -p -c 32 /dev/urandom } -create_boot_desc() { - local enable_rootfs_verification_flag="" - if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then - enable_rootfs_verification_flag="--enable_rootfs_verification" - fi - - cat < ${BUILD_DIR}/boot.desc - --board=${BOARD} - --arch="${ARCH}" - ${enable_rootfs_verification_flag} -EOF -} - cleanup_mounts() { echo "Cleaning up mounts" "${BUILD_LIBRARY_DIR}/disk_util" umount "$1" || true diff --git a/build_library/dev_image_util.sh b/build_library/dev_image_util.sh index 574d96047a..ea624f2f59 100755 --- a/build_library/dev_image_util.sh +++ b/build_library/dev_image_util.sh @@ -45,13 +45,5 @@ install_dev_packages() { info "Developer image built and stored at ${image_name}" cleanup_mounts "${root_fs_dir}" - trap "delete_prompt" EXIT - - if should_build_image ${image_name}; then - ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${BUILD_DIR}" \ - "${image_name}" --disk_layout="${disk_layout}" \ - --noenable_rootfs_verification - fi - trap - EXIT } 
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
new file mode 100755
index 0000000000..8129c4309b
--- /dev/null
+++ b/build_library/prod_image_util.sh
@@ -0,0 +1,47 @@
+# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+# Copyright (c) 2013 The CoreOS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+setup_prod_image() {
+ local image_name="$1"
+ local update_track="$2"
+ local au_key="$3"
+
+ info "Configuring production image ${image_name}"
+ local disk_layout="${FLAGS_disk_layout:-base}"
+ local root_fs_dir="${BUILD_DIR}/rootfs"
+ local enable_rootfs_verification_flag=--noenable_rootfs_verification
+ if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
+ enable_rootfs_verification_flag=--enable_rootfs_verification
+ fi
+
+ "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
+ mount "${BUILD_DIR}/${image_name}" "${root_fs_dir}"
+ trap "cleanup_mounts '${root_fs_dir}' && delete_prompt" EXIT
+
+ # Replace /etc/lsb-release on the image.
+ "${BUILD_LIBRARY_DIR}/set_lsb_release" \
+ --production_track="${update_track}" \
+ --root="${root_fs_dir}" \
+ --board="${BOARD}"
+
+ # Install an auto update key on the root before sealing it off
+ local key_location=${root_fs_dir}"/usr/share/update_engine/"
+ sudo mkdir -p "${key_location}"
+ sudo cp "${au_key}" "$key_location/update-payload-key.pub.pem"
+ sudo chown root:root "$key_location/update-payload-key.pub.pem"
+ sudo chmod 644 "$key_location/update-payload-key.pub.pem"
+
+ # Make the filesystem un-mountable as read-write.
+ if [ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]; then
+ warn "Disabling r/w mount of the root filesystem"
+ sudo mount -o remount,ro "${root_fs_dir}"
+ root_dev=$(awk -v mnt="${root_fs_dir}" \
+ '$2 == mnt { print $1 }' /proc/mounts)
+ disable_rw_mount "$root_dev"
+ fi
+
+ cleanup_mounts "${root_fs_dir}"
+ trap - EXIT
+}
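Review bot: In `setup_prod_image`, the `root_dev` lookup inside the rootfs-verification branch is never checked, so if the awk match against /proc/mounts finds nothing (for example if `${BUILD_DIR}` contains a symlink and the kernel lists the resolved path, which cannot be confirmed from this hunk), `disable_rw_mount` is called with an empty argument and the image may leave the build without being sealed. `root_dev` is also assigned without `local`, so it leaks into the script that sources this file. Suggest `local root_dev` before the assignment and `[[ -n "${root_dev}" ]] || die "no /proc/mounts entry for ${root_fs_dir}"` before the `disable_rw_mount` call. Separately, `enable_rootfs_verification_flag` is computed at the top of the function but not used anywhere in it, so it can be dropped.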