Moved knowledge of rootdev to one place

This CL centralizes the setting of which root device to use
in a single place. A boolean flag, --verity_is_enabled, indicates
whether the verity device should be used.

This is the first of about a half-dozen CLs to fix all the references
to dm-0.

BUG=chromium-os:25441
TEST=built images with and without verity enabled.
     cbuildbot --remote -g Id6c6e766 amd64-generic-paladin daisy-paladin

Change-Id: Id6c6e766bfde3651266323f7bc94c0e1f87cea38
Reviewed-on: https://gerrit.chromium.org/gerrit/32239
Reviewed-by: David James <davidjames@chromium.org>
Commit-Ready: Paul Taysom <taysom@chromium.org>
Tested-by: Paul Taysom <taysom@chromium.org>
Paul Taysom 2012-09-05 10:13:03 -07:00 committed by Gerrit
parent 264f64d70b
commit 5b2c7e934c
3 changed files with 18 additions and 17 deletions


@ -161,9 +161,9 @@ make_image_bootable() {
local use_dev_keys= local use_dev_keys=
# Default to non-verified # Default to non-verified
cros_root="PARTUUID=%U/PARTNROFF=1" local enable_rootfs_verification_flag=--noenable_rootfs_verification
if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
cros_root=/dev/dm-0 enable_rootfs_verification_flag=--enable_rootfs_verification
fi fi
trap "mount_gpt_cleanup" EXIT trap "mount_gpt_cleanup" EXIT
@ -223,8 +223,8 @@ make_image_bootable() {
--verity_max_ios=${FLAGS_verity_max_ios} \ --verity_max_ios=${FLAGS_verity_max_ios} \
--verity_error_behavior=${FLAGS_verity_error_behavior} \ --verity_error_behavior=${FLAGS_verity_error_behavior} \
--verity_salt=${FLAGS_verity_salt} \ --verity_salt=${FLAGS_verity_salt} \
--root=${cros_root} \
--keys_dir="${FLAGS_keys_dir}" \ --keys_dir="${FLAGS_keys_dir}" \
${enable_rootfs_verification_flag} \
${use_dev_keys} ${use_dev_keys}
# Check the size of kernel image and issue warning when image size is # Check the size of kernel image and issue warning when image size is
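Review bot: `${enable_rootfs_verification_flag}` is expanded unquoted in the argument list of the second hunk, which is only needed for a value that may be empty, such as `${use_dev_keys}` on the next line. The new variable is always set to one of two flags, so `"${enable_rootfs_verification_flag}" \` says that explicitly and avoids accidental word splitting if the value is ever changed. The same applies to the matching call in create_recovery_kernel_image. make_image_bootable starts and ends outside these hunks.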


@ -31,11 +31,6 @@ DEFINE_boolean use_dev_keys ${FLAGS_FALSE} \
# --root=/dev/dm-0 # --root=/dev/dm-0
DEFINE_string boot_args "noinitrd" \ DEFINE_string boot_args "noinitrd" \
"Additional boot arguments to pass to the commandline (Default: noinitrd)" "Additional boot arguments to pass to the commandline (Default: noinitrd)"
# By default, we use a firmware enumerated value, but it isn't reliable for
# production use. If +%d can be added upstream, then we can use:
# root=PARTUID=uuid+1
DEFINE_string root "PARTUUID=%U/PARTNROFF=1" \
"Expected device root partition"
# If provided, will automatically add verified boot arguments. # If provided, will automatically add verified boot arguments.
DEFINE_string rootfs_image "" \ DEFINE_string rootfs_image "" \
"Optional path to the rootfs device or image.(Default: \"\")" "Optional path to the rootfs device or image.(Default: \"\")"
@ -50,6 +45,8 @@ DEFINE_string verity_hash_alg "sha1" \
"Cryptographic hash algorithm used for dm-verity. (Default: sha1)" "Cryptographic hash algorithm used for dm-verity. (Default: sha1)"
DEFINE_string verity_salt "" \ DEFINE_string verity_salt "" \
"Salt to use for rootfs hash (Default: \"\")" "Salt to use for rootfs hash (Default: \"\")"
DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \
"Enable kernel-based root fs integrity checking. (Default: true)"
# Parse flags # Parse flags
FLAGS "$@" || exit 1 FLAGS "$@" || exit 1
@ -94,10 +91,9 @@ if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
if [[ -f "${FLAGS_rootfs_hash}" ]]; then if [[ -f "${FLAGS_rootfs_hash}" ]]; then
sudo chmod a+r "${FLAGS_rootfs_hash}" sudo chmod a+r "${FLAGS_rootfs_hash}"
fi fi
# Don't claim the root device unless the root= flag is pointed to # Don't claim the root device unless verity is enabled.
# the verified boot device. Doing so will claim /dev/sdDP out from # Doing so will claim /dev/sdDP out from under the system.
# under the system. if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
if [[ ${FLAGS_root} = "/dev/dm-0" ]]; then
base_root='%U+1' # kern_guid + 1 base_root='%U+1' # kern_guid + 1
table=${table//HASH_DEV/${base_root}} table=${table//HASH_DEV/${base_root}}
table=${table//ROOT_DEV/${base_root}} table=${table//ROOT_DEV/${base_root}}
@ -109,13 +105,18 @@ fi
mkdir -p "${FLAGS_working_dir}" mkdir -p "${FLAGS_working_dir}"
# Only let dm-verity block if rootfs verification is configured. # Only let dm-verity block if rootfs verification is configured.
# By default, we use a firmware enumerated value, but it isn't reliable for
# production use. If +%d can be added upstream, then we can use:
# root_dev=PARTUID=uuid+1
dev_wait=0 dev_wait=0
if [[ ${FLAGS_root} = "/dev/dm-0" ]]; then root_dev="PARTUUID=%U/PARTNROFF=1"
if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
root_dev=/dev/dm-0
dev_wait=1 dev_wait=1
fi fi
cat <<EOF > "${FLAGS_working_dir}/boot.config" cat <<EOF > "${FLAGS_working_dir}/boot.config"
root=${FLAGS_root} root=${root_dev}
rootwait rootwait
ro ro
dm_verity.error_behavior=${FLAGS_verity_error_behavior} dm_verity.error_behavior=${FLAGS_verity_error_behavior}
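Review bot: With `enable_rootfs_verification` defaulting to true, `root_dev=/dev/dm-0` and `dev_wait=1` are now selected even when `--rootfs_image` and `--rootfs_hash` are not supplied, whereas the removed `--root` flag defaulted to the unverified `PARTUUID=%U/PARTNROFF=1`. The verity table substitution is still gated on both of those flags being non-empty, so a caller that passes neither appears to get a boot.config whose root is a dm device with no table behind it; the rest of the heredoc is outside the hunk, so this is inferred. A guard before the heredoc would turn that mismatch into a build-time failure instead of an image that fails at boot, for example `if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} && -z "${FLAGS_rootfs_hash}" ]]; then echo "rootfs verification enabled but --rootfs_hash is empty" >&2; exit 1; fi`. The moved comment also still reads `PARTUID` where the value below it uses `PARTUUID`.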


@ -121,9 +121,9 @@ create_recovery_kernel_image() {
local root_offset=$(partoffset "$FLAGS_image" 3) local root_offset=$(partoffset "$FLAGS_image" 3)
local root_size=$(partsize "$FLAGS_image" 3) local root_size=$(partsize "$FLAGS_image" 3)
cros_root="PARTUUID=%U/PARTNROFF=1" # only used for non-verified images local enable_rootfs_verification_flag=--noenable_rootfs_verification
if grep -q enable_rootfs_verification "${IMAGE_DIR}/boot.desc"; then if grep -q enable_rootfs_verification "${IMAGE_DIR}/boot.desc"; then
cros_root=/dev/dm-0 enable_rootfs_verification_flag=--enable_rootfs_verification
fi fi
# Tie the installed recovery kernel to the final kernel. If we don't # Tie the installed recovery kernel to the final kernel. If we don't
@ -159,8 +159,8 @@ create_recovery_kernel_image() {
--working_dir="${IMAGE_DIR}" \ --working_dir="${IMAGE_DIR}" \
--boot_args="noinitrd panic=60 cros_recovery kern_b_hash=$kern_hash" \ --boot_args="noinitrd panic=60 cros_recovery kern_b_hash=$kern_hash" \
--keep_work \ --keep_work \
--root=${cros_root} \
--keys_dir="${FLAGS_keys_dir}" \ --keys_dir="${FLAGS_keys_dir}" \
${enable_rootfs_verification_flag} \
--nouse_dev_keys 1>&2 || failboat "build_kernel_image" --nouse_dev_keys 1>&2 || failboat "build_kernel_image"
sudo mount | sed 's/^/16651 /' sudo mount | sed 's/^/16651 /'
sudo losetup -a | sed 's/^/16651 /' sudo losetup -a | sed 's/^/16651 /'
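Review bot: The `grep -q enable_rootfs_verification` test that now chooses between the two flags is a substring match, so a boot.desc line reading `--noenable_rootfs_verification` would also satisfy it and the recovery kernel would be built with `--enable_rootfs_verification`. Whether boot.desc ever records the negated form is not visible here, but matching the full flag removes the ambiguity: `if grep -q -e '--enable_rootfs_verification' "${IMAGE_DIR}/boot.desc"; then`. Since this check now decides whether the recovery kernel's root is the verity device, a short comment stating what boot.desc is expected to contain would help the next reader. create_recovery_kernel_image starts and ends outside these hunks.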