build_image: always enable verity when /usr is read-only

Consolidates two very similar flags into one and fixes an issue where
verity could get enabled in the GRUB config when rootfs verification was
turned off (e.g. on arm64, which cannot use verity yet).
Michael Marineau 2016-09-30 14:29:09 -07:00
parent 386341878f
commit 533b1b9b02
2 changed files with 13 additions and 15 deletions


@ -28,8 +28,6 @@ DEFINE_string getbinpkgver "" \
"Use binary packages from a specific version." "Use binary packages from a specific version."
DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \ DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \
"Default all bootloaders to use kernel-based root fs integrity checking." "Default all bootloaders to use kernel-based root fs integrity checking."
DEFINE_boolean enable_verity ${FLAGS_TRUE} \
"Default GRUB to use dm-verity-enabled boot arguments"
DEFINE_string base_pkg "coreos-base/coreos" \ DEFINE_string base_pkg "coreos-base/coreos" \
"The base portage package to base the build off of (only applies to prod images)" "The base portage package to base the build off of (only applies to prod images)"
DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \ DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \


@ -292,6 +292,11 @@ finish_image() {
local install_grub=0 local install_grub=0
local disk_img="${BUILD_DIR}/${image_name}" local disk_img="${BUILD_DIR}/${image_name}"
local disable_read_write="${FLAGS_FALSE}"
if [[ "${IMAGE_BUILD_TYPE}" == "prod" ]]; then
disable_read_write="${FLAGS_enable_rootfs_verification}"
fi
# Copy kernel to support dm-verity boots # Copy kernel to support dm-verity boots
sudo mkdir -p "${root_fs_dir}/boot/coreos" sudo mkdir -p "${root_fs_dir}/boot/coreos"
sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \ sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \
@ -337,15 +342,11 @@ finish_image() {
sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp" sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
fi fi
# We only need to disable rw and apply dm-verity in prod with a /usr partition # Make the filesystem un-mountable as read-write and setup verity.
if [ "${IMAGE_BUILD_TYPE}" = "prod" ] && mountpoint -q "${root_fs_dir}/usr"; then if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
local disable_read_write=${FLAGS_enable_rootfs_verification}
# Unmount /usr partition # Unmount /usr partition
sudo umount --recursive "${root_fs_dir}/usr" || exit 1 sudo umount --recursive "${root_fs_dir}/usr" || exit 1
# Make the filesystem un-mountable as read-write and setup verity.
if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" verity \ "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" verity \
--root_hash="${BUILD_DIR}/${image_name%.bin}_verity.txt" \ --root_hash="${BUILD_DIR}/${image_name%.bin}_verity.txt" \
"${BUILD_DIR}/${image_name}" "${BUILD_DIR}/${image_name}"
@ -356,7 +357,6 @@ finish_image() {
printf %s "$(cat ${BUILD_DIR}/${image_name%.bin}_verity.txt)" | \ printf %s "$(cat ${BUILD_DIR}/${image_name%.bin}_verity.txt)" | \
sudo dd of="${root_fs_dir}/boot/coreos/vmlinuz-a" conv=notrunc seek=64 count=64 bs=1 sudo dd of="${root_fs_dir}/boot/coreos/vmlinuz-a" conv=notrunc seek=64 count=64 bs=1
fi fi
fi
# Sign the kernel after /usr is in a consistent state and verity is calculated # Sign the kernel after /usr is in a consistent state and verity is calculated
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
@ -393,7 +393,7 @@ finish_image() {
target_list="arm64-efi" target_list="arm64-efi"
fi fi
for target in ${target_list}; do for target in ${target_list}; do
if [[ "${IMAGE_BUILD_TYPE}" = "prod" && ${FLAGS_enable_verity} -eq ${FLAGS_TRUE} ]]; then if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
${BUILD_LIBRARY_DIR}/grub_install.sh \ ${BUILD_LIBRARY_DIR}/grub_install.sh \
--board="${BOARD}" \ --board="${BOARD}" \
--target="${target}" \ --target="${target}" \