From 451f36e4a8635672cc3c6e555806a895def52608 Mon Sep 17 00:00:00 2001 From: Che-Liang Chiou Date: Thu, 21 Jul 2011 19:53:37 +0800 Subject: [PATCH] Revert "obsolete --crosbug12352_arm_kernel_signing flag" This reverts commit 2d2e82524790ecece31780b8e596f0c92c51fad2. Change-Id: I62d68c063aeab6beca4393ed51a4e754c8d9cc6a Reviewed-on: http://gerrit.chromium.org/gerrit/4487 Reviewed-by: Che-Liang Chiou Tested-by: Che-Liang Chiou --- bin/cros_make_image_bootable | 11 +++ build_image | 37 ++++++--- build_kernel_image.sh | 142 ++++++++++++++++++++++------------- mod_image_for_recovery.sh | 11 +++ mod_image_for_test.sh | 10 +++ 5 files changed, 151 insertions(+), 60 deletions(-) diff --git a/bin/cros_make_image_bootable b/bin/cros_make_image_bootable index a39d1c15bd..185be73c9b 100755 --- a/bin/cros_make_image_bootable +++ b/bin/cros_make_image_bootable @@ -118,6 +118,10 @@ DEFINE_boolean use_dev_keys ${FLAGS_FALSE} \ DEFINE_boolean fsck_rootfs ${FLAGS_FALSE} \ "Check integrity of the rootfs on the modified image." +# TODO(clchiou): Remove this flag after arm verified boot is stable +DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \ + "Sign kernel partition for ARM images (temporary hack)." + # TODO(sosa): Remove once known images no longer use this in their config. DEFINE_string arm_extra_bootargs "" "DEPRECATED FLAG. Do not use." @@ -132,6 +136,12 @@ FLAGS "${@}" || exit 1 # so will die prematurely if 'set -e' is specified before now. set -e -u +if [[ ${FLAGS_crosbug12352_arm_kernel_signing} -eq ${FLAGS_TRUE} ]]; then + crosbug12352_flag="--crosbug12352_arm_kernel_signing" +else + crosbug12352_flag="--nocrosbug12352_arm_kernel_signing" +fi + # $1 - Directory where developer rootfs is mounted. # $2 - Directory where developer stateful_partition is mounted. # $3 - Directory where the ESP partition is mounted. 
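Review bot: The `if [[ ${FLAGS_crosbug12352_arm_kernel_signing} -eq ${FLAGS_TRUE} ]]` block that turns the boolean back into a `--crosbug12352_arm_kernel_signing`/`--nocrosbug12352_arm_kernel_signing` string appears verbatim here, after `set -e -u`, and again in build_image, mod_image_for_recovery.sh and mod_image_for_test.sh in this patch. The flag is declared as a temporary hack with a TODO to remove it, and four identical copies plus five `DEFINE_boolean` sites make that removal easy to get only partially right. A short comment at each `DEFINE_boolean` naming the consumer would at least document the dependency, e.g. `# Only forwarded to build_kernel_image.sh, which decides whether the ARM kernel partition is signed.` (build_kernel_image.sh is the one script in this patch that reads the value into `sign_the_kernel`; that the `${crosbug12352_flag}` passed in make_image_bootable reaches it is inferred from the neighbouring `--keys_dir`/`use_dev_keys` arguments, since the command name is outside the hunk). If the scripts share a sourced common library, a single helper emitting the pass-through string would leave one place to delete.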
@@ -198,6 +208,7 @@ make_image_bootable() { --verity_error_behavior=${FLAGS_verity_error_behavior} \ --root=${cros_root} \ --keys_dir="${FLAGS_keys_dir}" \ + ${crosbug12352_flag} \ ${use_dev_keys} local rootfs_hash_size=$(stat -c '%s' ${FLAGS_rootfs_hash}) diff --git a/build_image b/build_image index 70a06ecefb..12e57a0843 100755 --- a/build_image +++ b/build_image @@ -93,6 +93,10 @@ DEFINE_string boot_args "noinitrd" \ DEFINE_string usb_disk /dev/sdb3 \ "Path syslinux should use to do a usb boot. Default: /dev/sdb3" +# TODO(clchiou): Remove this flag after arm verified boot is stable +DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \ + "Sign kernel partition for ARM images (temporary hack)." + DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \ "Default all bootloaders to use kernel-based root fs integrity checking." DEFINE_integer verity_error_behavior 3 \ @@ -322,6 +326,11 @@ if [ ${FLAGS_jobs} -ne -1 ]; then EMERGE_JOBS="--jobs=${FLAGS_jobs}" fi +if [[ ${FLAGS_crosbug12352_arm_kernel_signing} -eq ${FLAGS_TRUE} ]]; then + crosbug12352_flag="--crosbug12352_arm_kernel_signing" +else + crosbug12352_flag="--nocrosbug12352_arm_kernel_signing" +fi if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then enable_rootfs_verification_flag="--enable_rootfs_verification" fi @@ -435,6 +444,7 @@ create_boot_desc() { --keys_dir="${DEVKEYSDIR}" --usb_disk="${FLAGS_usb_disk}" --nocleanup_dirs + ${crosbug12352_flag} ${enable_rootfs_verification_flag} EOF } @@ -859,6 +869,7 @@ mod_image_for_test () { # Now make it bootable with the flags from build_image "${SCRIPTS_DIR}/bin/cros_make_image_bootable" "${image_dir}" "${image_name}" \ + ${crosbug12352_flag} \ --force_developer_mode print_time_elapsed 
@@ -907,18 +918,25 @@ fi # Place flags before positional args ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${OUTPUT_DIR}" \ "${PRISTINE_IMAGE_NAME}" \ - ${USE_DEV_KEYS} + ${USE_DEV_KEYS} \ + ${crosbug12352_flag} -BOOT_FLAG= -if [ ${FLAGS_factory_install} -eq ${FLAGS_TRUE} ]; then - BOOT_FLAG="-b 1" # BOOT_FLAG_DEVELOPER value defined in load_kernel_fw.h - info "--factory_install set, pass BOOT_FLAG_DEVELOPER flag to \ +# FIXME Test x86 image, and test arm image if enabled; +# should unconditionally test an image after crosbug12352 is fixed +if [[ "${ARCH}" = "x86" ]] || + [[ "${ARCH}" = "arm" && + ${FLAGS_crosbug12352_arm_kernel_signing} -eq ${FLAGS_TRUE} ]]; then + BOOT_FLAG= + if [ ${FLAGS_factory_install} -eq ${FLAGS_TRUE} ]; then + BOOT_FLAG="-b 1" # BOOT_FLAG_DEVELOPER value defined in load_kernel_fw.h + info "--factory_install set, pass BOOT_FLAG_DEVELOPER flag to \ load_kernel_test" -fi + fi -# Verify the final image. -load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \ - "${DEVKEYSDIR}/recovery_key.vbpubk" ${BOOT_FLAG} + # Verify the final image. + load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \ + "${DEVKEYSDIR}/recovery_key.vbpubk" ${BOOT_FLAG} +fi # Create a developer image based on the chromium os base image. if [ ${FLAGS_withdev} -eq ${FLAGS_TRUE} ] ; then @@ -930,6 +948,7 @@ if [ ${FLAGS_withdev} -eq ${FLAGS_TRUE} ] ; then update_dev_packages ${DEVELOPER_IMAGE_NAME} ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${OUTPUT_DIR}" \ "${DEVELOPER_IMAGE_NAME}" \ + ${crosbug12352_flag} \ --force_developer_mode fi diff --git a/build_kernel_image.sh b/build_kernel_image.sh index 9cbb62aef4..073649540a 100755 --- a/build_kernel_image.sh +++ b/build_kernel_image.sh 
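Review bot: The new guard around `load_kernel_test` runs the final verification only when `ARCH` is exactly `x86`, or `arm` with signing enabled; any other `ARCH` value now skips the check silently, whereas before this change it ran unconditionally. Inverting the test so that only the known-unsigned case is excluded keeps verification as the default: `if [[ "${ARCH}" != "arm" || ${FLAGS_crosbug12352_arm_kernel_signing} -eq ${FLAGS_TRUE} ]]; then`. An `else` branch with `info "Skipping load_kernel_test: ARM kernel partition is unsigned (crosbug12352)"` would also leave a record in the build log that the image was not verified, which the current silent skip does not. `${BOOT_FLAG}` is deliberately unquoted because it expands to two words (`-b 1`); a one-line comment saying so would stop a later cleanup from quoting it.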
@@ -69,6 +69,10 @@ DEFINE_integer verity_max_ios -1 \ DEFINE_string verity_hash_alg "sha1" \ "Cryptographic hash algorithm used for dm-verity. (Default: sha1)" +# TODO(clchiou): Remove this flag after arm verified boot is stable +DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \ + "Sign kernel partition for ARM images (temporary hack)." + # Parse flags FLAGS "$@" || exit 1 eval set -- "${FLAGS_ARGV}" @@ -164,6 +168,8 @@ EOF bootloader_path="/lib64/bootstub/bootstub.efi" kernel_image="${FLAGS_vmlinuz}" + + sign_the_kernel=${FLAGS_TRUE} elif [[ "${FLAGS_arch}" = "arm" ]]; then cat < "${FLAGS_working_dir}/config.txt" 
@@ -178,64 +184,98 @@ EOF bootloader_path="${FLAGS_working_dir}/bootloader.bin" kernel_image="${FLAGS_vmlinuz/vmlinuz/vmlinux.uimg}" + + sign_the_kernel=${FLAGS_crosbug12352_arm_kernel_signing} else error "Unknown arch: ${FLAGS_arch}" fi -# We sign the image with the recovery_key, because this is what goes onto the -# USB key. We can only boot from the USB drive in recovery mode. -# For dev install shim, we need to use the installer keyblock instead of -# the recovery keyblock because of the difference in flags. -if [ ${FLAGS_use_dev_keys} -eq ${FLAGS_TRUE} ]; then - USB_KEYBLOCK=installer_kernel.keyblock - info "DEBUG: use dev install signing key" +if [[ "${sign_the_kernel}" -eq "${FLAGS_TRUE}" ]]; then + # We sign the image with the recovery_key, because this is what goes onto the + # USB key. We can only boot from the USB drive in recovery mode. + # For dev install shim, we need to use the installer keyblock instead of + # the recovery keyblock because of the difference in flags. + if [ ${FLAGS_use_dev_keys} -eq ${FLAGS_TRUE} ]; then + USB_KEYBLOCK=installer_kernel.keyblock + info "DEBUG: use dev install signing key" + else + USB_KEYBLOCK=recovery_kernel.keyblock + info "DEBUG: use recovery signing key" + fi + + # Create and sign the kernel blob + vbutil_kernel \ + --pack "${FLAGS_to}" \ + --keyblock "${FLAGS_keys_dir}/${USB_KEYBLOCK}" \ + --signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \ + --version 1 \ + --config "${FLAGS_working_dir}/config.txt" \ + --bootloader "${bootloader_path}" \ + --vmlinuz "${kernel_image}" \ + --arch "${FLAGS_arch}" + + # And verify it. + vbutil_kernel \ + --verify "${FLAGS_to}" \ + --signpubkey "${FLAGS_keys_dir}/recovery_key.vbpubk" + + + # Now we re-sign the same image using the normal keys. This is the kernel + # image that is put on the hard disk by the installer. 
Note: To save space on + # the USB image, we're only emitting the new verfication block, and the + # installer just replaces that part of the hard disk's kernel partition. + vbutil_kernel \ + --repack "${FLAGS_hd_vblock}" \ + --vblockonly \ + --keyblock "${FLAGS_keys_dir}/kernel.keyblock" \ + --signprivate "${FLAGS_keys_dir}/kernel_data_key.vbprivk" \ + --oldblob "${FLAGS_to}" + + + # To verify it, we have to replace the vblock from the original image. + tempfile=$(mktemp) + trap "rm -f $tempfile" EXIT + cat "${FLAGS_hd_vblock}" > $tempfile + dd if="${FLAGS_to}" bs=65536 skip=1 >> $tempfile + + vbutil_kernel \ + --verify $tempfile \ + --signpubkey "${FLAGS_keys_dir}/kernel_subkey.vbpubk" + + rm -f $tempfile + trap - EXIT + else - USB_KEYBLOCK=recovery_kernel.keyblock - info "DEBUG: use recovery signing key" + # FIXME: This stuff is unsigned. This part should be removed or made + # non-default after ARM verified boot is stable. + + kernel_size=$((($(stat -c %s "${kernel_image}") + 511) / 512)) + script_size=16 + + # Add more scripts to boot script image for loading kernel image + printf 'read ${devtype} ${devnum}:${kernelpart} ${loadaddr} %x %x\n' \ + ${script_size} ${kernel_size} >> "${kernel_script}" + echo 'bootm ${loadaddr}' >> ${kernel_script} + mkimage -A arm -O linux -T script -C none -a 0 -e 0 \ + -n kernel_script -d "${kernel_script}" "${kernel_script_img}" + + if [ $(stat -c %s "${kernel_script_img}") -gt $((512 * ${script_size})) ] + then + echo 'Kernel script too large for reserved space.' + exit 1 + fi + + # Assemble image + rm -f "${FLAGS_to}" + dd if="${kernel_script_img}" of="${FLAGS_to}" bs=512 count="${script_size}" + dd if="${kernel_image}" of="${FLAGS_to}" bs=512 seek="${script_size}" + + # TODO: HACK: Until the kernel partition contains a signed image, create a + # phony hd.vblock to keep chromeos-install and cros_generate_update_payload + # working. 
+ dd if="${FLAGS_to}" of="${FLAGS_hd_vblock}" bs=64K count=1 fi -# Create and sign the kernel blob -vbutil_kernel \ - --pack "${FLAGS_to}" \ - --keyblock "${FLAGS_keys_dir}/${USB_KEYBLOCK}" \ - --signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \ - --version 1 \ - --config "${FLAGS_working_dir}/config.txt" \ - --bootloader "${bootloader_path}" \ - --vmlinuz "${kernel_image}" \ - --arch "${FLAGS_arch}" - -# And verify it. -vbutil_kernel \ - --verify "${FLAGS_to}" \ - --signpubkey "${FLAGS_keys_dir}/recovery_key.vbpubk" - - -# Now we re-sign the same image using the normal keys. This is the kernel -# image that is put on the hard disk by the installer. Note: To save space on -# the USB image, we're only emitting the new verfication block, and the -# installer just replaces that part of the hard disk's kernel partition. -vbutil_kernel \ - --repack "${FLAGS_hd_vblock}" \ - --vblockonly \ - --keyblock "${FLAGS_keys_dir}/kernel.keyblock" \ - --signprivate "${FLAGS_keys_dir}/kernel_data_key.vbprivk" \ - --oldblob "${FLAGS_to}" - - -# To verify it, we have to replace the vblock from the original image. -tempfile=$(mktemp) -trap "rm -f $tempfile" EXIT -cat "${FLAGS_hd_vblock}" > $tempfile -dd if="${FLAGS_to}" bs=65536 skip=1 >> $tempfile - -vbutil_kernel \ - --verify $tempfile \ - --signpubkey "${FLAGS_keys_dir}/kernel_subkey.vbpubk" - -rm -f $tempfile -trap - EXIT - set +e # cleanup failure is a-ok if [[ ${FLAGS_keep_work} -eq ${FLAGS_FALSE} ]]; then diff --git a/mod_image_for_recovery.sh b/mod_image_for_recovery.sh index 33c178f5e6..8248caa865 100755 --- a/mod_image_for_recovery.sh +++ b/mod_image_for_recovery.sh 
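Review bot: The new `else` branch assembles an unsigned kernel partition and then copies its first 64K into `${FLAGS_hd_vblock}` as a stand-in vblock, but unlike the signed branch it logs nothing, so a build log gives no indication that the resulting image cannot be verified. A line such as `info "crosbug12352: ARM kernel partition left unsigned; ${FLAGS_hd_vblock} is a placeholder, not a real vblock"` before the final `dd` would make that visible to whoever consumes the image. `kernel_script` and `kernel_script_img` are used but not assigned anywhere in the hunk; presumably the arm config block above sets them, which is worth confirming now that the branch is reachable again. `sign_the_kernel` is assigned only in the x86 and arm branches, so if `error` merely prints rather than exiting, an unknown `FLAGS_arch` reaches `[[ "${sign_the_kernel}" -eq "${FLAGS_TRUE}" ]]` with the variable unset; initialising it before the arch `if` (which starts outside the hunk) or replacing that `error` with `die` closes that path. Minor: `>> ${kernel_script}` on the `echo 'bootm …'` line is unquoted while the `printf` line above quotes the same variable.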
@@ -81,6 +81,10 @@ DEFINE_boolean verbose $FLAGS_FALSE \ DEFINE_string keys_dir "/usr/share/vboot/devkeys" \ "Directory containing the signing keys." +# TODO(clchiou): Remove this flag after arm verified boot is stable +DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \ + "Sign kernel partition for ARM images (temporary hack)." + # Parse command line FLAGS "$@" || exit 1 eval set -- "${FLAGS_ARGV}" @@ -142,6 +146,12 @@ case "${TC_ARCH}" in exit 1 esac +if [[ ${FLAGS_crosbug12352_arm_kernel_signing} -eq ${FLAGS_TRUE} ]]; then + crosbug12352_flag="--crosbug12352_arm_kernel_signing" +else + crosbug12352_flag="--nocrosbug12352_arm_kernel_signing" +fi + get_install_vblock() { # If it exists, we need to copy the vblock over to stateful # This is the real vblock and not the recovery vblock. @@ -255,6 +265,7 @@ create_recovery_kernel_image() { --root=${cros_root} \ --keys_dir="${FLAGS_keys_dir}" \ --nouse_dev_keys \ + ${crosbug12352_flag} \ ${verity_args} 1>&2 || failboat "build_kernel_image" sudo rm "$FLAGS_rootfs_hash" sudo losetup -d "$root_dev" diff --git a/mod_image_for_test.sh b/mod_image_for_test.sh index d398cfb0d9..cfc8cf0e5b 100755 --- a/mod_image_for_test.sh +++ b/mod_image_for_test.sh @@ -68,6 +68,9 @@ Otherwise the image will be copied to $CHROMEOS_TEST_IMAGE_NAME \ modified there" DEFINE_boolean force_copy $FLAGS_FALSE \ "Always rebuild test image if --noinplace" +# TODO(clchiou): Remove this flag after arm verified boot is stable +DEFINE_boolean crosbug12352_arm_kernel_signing ${FLAGS_TRUE} \ + "Sign kernel partition for ARM images (temporary hack)." DEFINE_boolean standard_backdoor ${FLAGS_TRUE} \ "Install standard backdoor credentials for testing" 
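Review bot: In the mod_image_for_test.sh hunk the new `DEFINE_boolean crosbug12352_arm_kernel_signing` is inserted directly between `force_copy` and `standard_backdoor` with no separating blank line, unlike the same declaration in the other four scripts of this patch, which each add a blank line after the description string. Adding the blank line keeps the temporary flag visually separate from the permanent ones and consistent with the other copies, which matters once the TODO to remove it is acted on.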
@@ -119,6 +122,12 @@ case "$TC_ARCH" in exit 1 esac +if [[ ${FLAGS_crosbug12352_arm_kernel_signing} -eq ${FLAGS_TRUE} ]]; then + crosbug12352_flag="--crosbug12352_arm_kernel_signing" +else + crosbug12352_flag="--nocrosbug12352_arm_kernel_signing" +fi + # Make sure anything mounted in the rootfs/stateful is cleaned up ok on exit. cleanup_mounts() { # Occasionally there are some daemons left hanging around that have our @@ -280,6 +289,7 @@ cleanup # Now make it bootable with the flags from build_image "$SCRIPTS_DIR/bin/cros_make_image_bootable" "$(dirname "$FLAGS_image")" \ "$(basename "$FLAGS_image")" \ + ${crosbug12352_flag} \ --force_developer_mode