mirror of
https://github.com/flatcar/scripts.git
synced 2025-11-28 14:01:43 +01:00
Use the new developer keys to sign things. (submit for Bill)
The original CL is http://codereview.chromium.org/2868044/show Review URL: http://codereview.chromium.org/2818045
This commit is contained in:
Louis Yung-Chieh Lo
parent
25861ee160
commit
3602040b74
18
build_image
18
build_image
@ -292,11 +292,14 @@ make_image_bootable() {
|
||||
sudo mount -o remount,ro "${ROOT_FS_DIR}"
|
||||
root_dev=$(mount | grep -- "${ROOT_FS_DIR}" | cut -f1 -d' ' | tail -1)
|
||||
|
||||
DEVKEYSDIR="${SRC_ROOT}/platform/vboot_reference/tests/devkeys"
|
||||
|
||||
# Builds the kernel partition image. The temporary files are kept around
|
||||
# so that we can perform a load_kernel_test later on the final image.
|
||||
${SCRIPTS_DIR}/build_kernel_image.sh \
|
||||
--arch="${ARCH}" \
|
||||
--to="${OUTPUT_DIR}/vmlinuz.image" \
|
||||
--hd_vblock="${OUTPUT_DIR}/vmlinuz_hd.vblock" \
|
||||
--vmlinuz="${OUTPUT_DIR}/boot/vmlinuz" \
|
||||
--working_dir="${OUTPUT_DIR}" \
|
||||
--keep_work \
|
||||
@ -307,7 +310,7 @@ make_image_bootable() {
|
||||
--vboot_max_ios=${FLAGS_vboot_max_ios} \
|
||||
--vboot_error_behavior=${FLAGS_vboot_behavior} \
|
||||
--root=${cros_root} \
|
||||
--keys_dir="${SRC_ROOT}/platform/vboot_reference/tests/testkeys"
|
||||
--keys_dir="${DEVKEYSDIR}"
|
||||
|
||||
# START_KERN_A is set by the first call to install the gpt.
|
||||
local koffset="$(partoffset ${OUTPUT_DIR}/${image_name} 2)"
|
||||
@ -599,6 +602,10 @@ create_base_image() {
|
||||
# Create an empty esp image to be updated in by update_bootloaders.sh.
|
||||
${SCRIPTS_DIR}/create_esp.sh --to="${ESP_FS_IMG}"
|
||||
|
||||
# Move the verification block needed for the hard disk install to the
|
||||
# stateful partition.
|
||||
sudo cp "${OUTPUT_DIR}/vmlinuz_hd.vblock" "${STATEFUL_FS_DIR}"
|
||||
|
||||
cleanup
|
||||
|
||||
trap delete_prompt EXIT
|
||||
@ -649,7 +656,7 @@ make_image_bootable ${PRISTINE_IMAGE_NAME}
|
||||
if [[ "${ARCH}" = "x86" ]]; then
|
||||
# Verify the final image.
|
||||
load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \
|
||||
"${OUTPUT_DIR}/kernel_subkey.vbpubk"
|
||||
"${DEVKEYSDIR}/recovery_key.vbpubk"
|
||||
fi
|
||||
|
||||
# Create a developer image based on the chromium os base image.
|
||||
@ -665,12 +672,7 @@ fi
|
||||
|
||||
# Clean up temporary files.
|
||||
rm -f "${ROOT_FS_IMG}" "${STATEFUL_FS_IMG}" "${OUTPUT_DIR}/vmlinuz.image" \
|
||||
"${ESP_FS_IMG}" "${OUTPUT_DIR}/kernel.keyblock" \
|
||||
"${OUTPUT_DIR}/kernel_subkey.vbpubk" \
|
||||
"${OUTPUT_DIR}/kernel_subkey.vbprivk" \
|
||||
"${OUTPUT_DIR}/kernel_data_key.vbpubk" \
|
||||
"${OUTPUT_DIR}/kernel_data_key.vbprivk" \
|
||||
"${OEM_FS_IMG}"
|
||||
"${ESP_FS_IMG}" "${OEM_FS_IMG}" "${OUTPUT_DIR}/vmlinuz_hd.vblock"
|
||||
rmdir "${ROOT_FS_DIR}" "${STATEFUL_FS_DIR}" "${OEM_FS_DIR}" "${ESP_FS_DIR}"
|
||||
|
||||
echo "Done. Image created in ${OUTPUT_DIR}"
|
||||
|
||||
@ -15,6 +15,8 @@ DEFINE_string arch "x86" \
|
||||
"The boot architecture: arm or x86. (Default: x86)"
|
||||
DEFINE_string to "/tmp/vmlinuz.image" \
|
||||
"The path to the kernel image to be created. (Default: /tmp/vmlinuz.image)"
|
||||
DEFINE_string hd_vblock "/tmp/vmlinuz_hd.vblock" \
|
||||
"The path to the installed kernel's vblock (Default: /tmp/vmlinuz_hd.vblock)"
|
||||
DEFINE_string vmlinuz "vmlinuz" \
|
||||
"The path to the kernel (Default: vmlinuz)"
|
||||
DEFINE_string working_dir "/tmp/vmlinuz.working" \
|
||||
@ -130,64 +132,14 @@ cros_secure
|
||||
EOF
|
||||
WORK="${WORK} ${FLAGS_working_dir}/config.txt"
|
||||
|
||||
|
||||
# FIX: The .vbprivk files are not encrypted, so we shouldn't just leave them
|
||||
# lying around as a general thing.
|
||||
|
||||
# Wrap the kernel data keypair, used for the kernel body
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa2048.keyb" \
|
||||
--version 1 \
|
||||
--algorithm 4
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbpubk"
|
||||
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa2048.pem" \
|
||||
--algorithm 4
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbprivk"
|
||||
|
||||
|
||||
# Wrap the kernel subkey pair, used for the kernel's keyblock
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_subkey.vbpubk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa4096.keyb" \
|
||||
--version 1 \
|
||||
--algorithm 8
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa4096.pem" \
|
||||
--algorithm 8
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbprivk"
|
||||
|
||||
|
||||
# Create the kernel keyblock, containing the kernel data key
|
||||
vbutil_keyblock \
|
||||
--pack "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--datapubkey "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
|
||||
--signprivate "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
|
||||
--flags 15
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel.keyblock"
|
||||
|
||||
# Verify the keyblock.
|
||||
vbutil_keyblock \
|
||||
--unpack "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
|
||||
# TODO: We should sign the kernel blob using the recovery root key and
|
||||
# recovery kernel data key instead (to create the recovery image), and then
|
||||
# re-sign it this way for the install image. But we'll want to keep the
|
||||
# install vblock separate, so we can just copy that part over separately when
|
||||
# we install it instead of the whole kernel blob.
|
||||
# We sign the image with the recovery_key, because this is what goes onto the
|
||||
# USB key. We can only boot from the USB drive in recovery mode.
|
||||
|
||||
# Create and sign the kernel blob
|
||||
vbutil_kernel \
|
||||
--pack "${FLAGS_to}" \
|
||||
--keyblock "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--signprivate "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
|
||||
--keyblock "${FLAGS_keys_dir}/recovery_kernel.keyblock" \
|
||||
--signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \
|
||||
--version 1 \
|
||||
--config "${FLAGS_working_dir}/config.txt" \
|
||||
--bootloader /lib64/bootstub/bootstub.efi \
|
||||
@ -196,7 +148,33 @@ EOF
|
||||
# And verify it.
|
||||
vbutil_kernel \
|
||||
--verify "${FLAGS_to}" \
|
||||
--signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
--signpubkey "${FLAGS_keys_dir}/recovery_key.vbpubk"
|
||||
|
||||
|
||||
# Now we re-sign the same image using the normal keys. This is the kernel
|
||||
# image that is put on the hard disk by the installer. Note: To save space on
|
||||
# the USB image, we're only emitting the new verfication block, and the
|
||||
# installer just replaces that part of the hard disk's kernel partition.
|
||||
vbutil_kernel \
|
||||
--repack "${FLAGS_hd_vblock}" \
|
||||
--vblockonly \
|
||||
--keyblock "${FLAGS_keys_dir}/kernel.keyblock" \
|
||||
--signprivate "${FLAGS_keys_dir}/kernel_data_key.vbprivk" \
|
||||
--oldblob "${FLAGS_to}"
|
||||
|
||||
|
||||
# To verify it, we have to replace the vblock from the original image.
|
||||
tempfile=$(mktemp)
|
||||
trap "rm -f $tempfile" EXIT
|
||||
cat "${FLAGS_hd_vblock}" > $tempfile
|
||||
dd if="${FLAGS_to}" bs=65536 skip=1 >> $tempfile
|
||||
|
||||
vbutil_kernel \
|
||||
--verify $tempfile \
|
||||
--signpubkey "${FLAGS_keys_dir}/kernel_subkey.vbpubk"
|
||||
|
||||
rm -f $tempfile
|
||||
trap - EXIT
|
||||
|
||||
elif [[ "${FLAGS_arch}" = "arm" ]]; then
|
||||
# FIXME: For now, ARM just uses the unsigned kernel by itself.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user