diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index c11a2e9fde..1e19fcb792 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -504,7 +504,7 @@ EOF
 # Our modified GRUB extracts the hash and adds it to the cmdline.
 printf %s "$(cat ${BUILD_DIR}/${image_name%.bin}_verity.txt)" | \
 sudo dd of="${root_fs_dir}/boot/coreos/vmlinuz-a" conv=notrunc \
- seek=${verity_offset} count=64 bs=1
+ seek=${verity_offset} count=64 bs=1 status=none
 fi

 # Sign the kernel after /usr is in a consistent state and verity is calculated
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index e70de0f6e7..adf411596a 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -189,7 +189,7 @@ case "${FLAGS_target}" in
 --directory="${ESP_DIR}/${GRUB_DIR}" "${LOOP_DEV}"
 # boot.img gets manipulated by grub-bios-setup so it alone isn't
 # sufficient to restore the MBR boot code if it gets corrupted.
- sudo dd bs=448 count=1 if="${LOOP_DEV}" \
+ sudo dd bs=448 count=1 status=none if="${LOOP_DEV}" \
 of="${ESP_DIR}/${GRUB_DIR}/mbr.bin"
 ;;
 x86_64-efi)
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index f7f692d151..88b65c5d08 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -722,8 +722,10 @@ _write_qemu_uefi_conf() {
 emerge-${BOARD} --nodeps --select -qugKN sys-firmware/edk2-armvirt
 # this bit of magic comes from http://tech.donghao.org/2014/12/18/running-fedora-21-on-qemu-system-aarch64/
 cat "/build/${BOARD}/usr/share/edk2-armvirt/QEMU_EFI.fd" /dev/zero | \
- dd iflag=fullblock bs=1M count=64 of="$(_dst_dir)/${flash_ro}"
- dd if=/dev/zero bs=1M count=64 of="$(_dst_dir)/${flash_rw}"
+ dd iflag=fullblock bs=1M count=64 of="$(_dst_dir)/${flash_ro}" \
+ status=none
+ dd if=/dev/zero bs=1M count=64 of="$(_dst_dir)/${flash_rw}" \
+ status=none
 ;;
 esac

diff --git a/common.sh b/common.sh
index 7aeddc3598..aad6e75c25 100644
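Review bot: In build_library/build_image_util.sh the dd that stamps the verity hash into vmlinuz-a never checks that 64 bytes were actually written, and with `status=none` the records-in/out line that would have shown a short or empty write no longer reaches the build log. If the `_verity.txt` file is missing or truncated, the command substitution yields a short or empty string, dd still exits 0, and whatever was previously at `verity_offset` stays in the kernel image. Reading the hash into a variable and checking it before the write makes that failure explicit: `verity_hash=$(cat "${BUILD_DIR}/${image_name%.bin}_verity.txt")`, then `[ "${#verity_hash}" -eq 64 ] || exit 1` (or the file's own error helper), then `printf %s "${verity_hash}" | sudo dd …` unchanged. This also quotes the path, which the current `cat` does not. The enclosing `if` and function begin outside this hunk, so an earlier check cannot be ruled out from here.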
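Review bot: In build_library/vm_image_util.sh the `cat … QEMU_EFI.fd /dev/zero | dd` pipeline takes its exit status from dd alone (unless pipefail is on, which is not visible here), so an unreadable firmware file still yields a `flash_ro` made of 64 MiB of zeros and a passing build. With `status=none` added, cat's own error line is the only remaining sign. Copying and then padding avoids the pipe and lets the exit status reflect a missing file: `cp "/build/${BOARD}/usr/share/edk2-armvirt/QEMU_EFI.fd" "$(_dst_dir)/${flash_ro}"` followed by `truncate -s 64M "$(_dst_dir)/${flash_ro}"`. The body of `_write_qemu_uefi_conf` starts and ends outside this hunk.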
--- a/common.sh
+++ b/common.sh
@@ -660,47 +660,6 @@ get_git_id() {
 git var GIT_COMMITTER_IDENT | sed -e 's/^.*<\(\S\+\)>.*$/\1/'
 }

-# These two helpers clobber the ro compat value in our root filesystem.
-#
-# When the system is built with --enable_rootfs_verification, bit-precise
-# integrity checking is performed. That precision poses a usability issue on
-# systems that automount partitions with recognizable filesystems, such as
-# ext2/3/4. When the filesystem is mounted 'rw', ext2 metadata will be
-# automatically updated even if no other writes are performed to the
-# filesystem. In addition, ext2+ does not support a "read-only" flag for a
-# given filesystem. That said, forward and backward compatibility of
-# filesystem features are supported by tracking if a new feature breaks r/w or
-# just write compatibility. We abuse the read-only compatibility flag[1] in
-# the filesystem header by setting the high order byte (le) to FF. This tells
-# the kernel that features R24-R31 are all enabled. Since those features are
-# undefined on all ext-based filesystem, all standard kernels will refuse to
-# mount the filesystem as read-write -- only read-only[2].
-#
-# [1] 32-bit flag we are modifying:
-# http://git.chromium.org/cgi-bin/gitweb.cgi?p=kernel.git;a=blob;f=include/linux/ext2_fs.h#l417
-# [2] Mount behavior is enforced here:
-# http://git.chromium.org/cgi-bin/gitweb.cgi?p=kernel.git;a=blob;f=fs/ext2/super.c#l857
-#
-# N.B., if the high order feature bits are used in the future, we will need to
-# revisit this technique.
-disable_rw_mount() {
- local rootfs=$1
- local offset="${2-0}" # in bytes
- local ro_compat_offset=$((0x464 + 3)) # Set 'highest' byte
- printf '\377' |
- sudo dd of="${rootfs}" seek=$((offset + ro_compat_offset)) \
- conv=notrunc count=1 bs=1
-}
-
-enable_rw_mount() {
- local rootfs=$1
- local offset="${2-0}"
- local ro_compat_offset=$((0x464 + 3)) # Set 'highest' byte
- printf '\000' |
- sudo dd of="${rootfs}" seek=$((offset + ro_compat_offset)) \
- conv=notrunc count=1 bs=1
-}
-
 # Generate a DIGESTS file, as normally used by Gentoo.
 # This is an alternative to shash which doesn't know how to report errors.
 # Usage: make_digests -d file.DIGESTS file1 [file2...]