Merge pull request #611 from glevand/for-merge-arm64-verity

scripts: Add arm64 verity support

build_image

@@ -28,8 +28,6 @@ DEFINE_string getbinpkgver "" \
   "Use binary packages from a specific version."
 DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \
   "Default all bootloaders to use kernel-based root fs integrity checking."
-DEFINE_boolean enable_verity ${FLAGS_TRUE} \
-  "Default GRUB to use dm-verity-enabled boot arguments"
 DEFINE_string base_pkg "coreos-base/coreos" \
   "The base portage package to base the build off of (only applies to prod images)"
 DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
@@ -88,11 +86,6 @@ switch_to_strict_mode
 
 check_gsutil_opts
 
-# Inserting the verity hash into the kernel assumes x86_64
-if [[ "${FLAGS_board}" != amd64-usr ]]; then
-  FLAGS_enable_rootfs_verification=${FLAGS_FALSE}
-fi
-
 # If downloading packages is enabled ensure the board is configured properly.
 if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
   "${SRC_ROOT}/scripts/setup_board" --board="${FLAGS_board}" \

build_library/build_image_util.sh

@@ -319,11 +319,18 @@ finish_image() {
   local install_grub=0
   local disk_img="${BUILD_DIR}/${image_name}"
 
-  local disable_read_write="${FLAGS_FALSE}"
-  if [[ "${IMAGE_BUILD_TYPE}" == "prod" ]]; then
-    disable_read_write="${FLAGS_enable_rootfs_verification}"
+  # Only enable rootfs verification on prod builds.
+  if [[ "${IMAGE_BUILD_TYPE}" != "prod" ]]; then
+    FLAGS_enable_rootfs_verification=${FLAGS_FALSE}
   fi
 
+  # Only enable rootfs verification on supported boards.
+  case "${FLAGS_board}" in
+    amd64-usr) verity_offset=64 ;;
+    arm64-usr) verity_offset=512 ;;
+    *) FLAGS_enable_rootfs_verification=${FLAGS_FALSE} ;;
+  esac
+
   # Copy kernel to support dm-verity boots
   sudo mkdir -p "${root_fs_dir}/boot/coreos"
   sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \
@@ -370,7 +377,7 @@ finish_image() {
   fi
 
   # Make the filesystem un-mountable as read-write and setup verity.
-  if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
+  if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
     # Unmount /usr partition
     sudo umount --recursive "${root_fs_dir}/usr" || exit 1
 
@@ -378,11 +385,14 @@ finish_image() {
         --root_hash="${BUILD_DIR}/${image_name%.bin}_verity.txt" \
         "${BUILD_DIR}/${image_name}"
 
-    # Magic alert! Root hash injection works by replacing a seldom-used rdev
-    # error message in the uncompressed section of the kernel that happens to
-    # be exactly SHA256-sized. Our modified GRUB extracts it to the cmdline.
+    # Magic alert!  Root hash injection works by writing the hash value to a
+    # known unused SHA256-sized location in the kernel image.
+    # For amd64 the rdev error message is used.
+    # For arm64 an area between the EFI headers and the kernel text is used.
+    # Our modified GRUB extracts the hash and adds it to the cmdline.
     printf %s "$(cat ${BUILD_DIR}/${image_name%.bin}_verity.txt)" | \
-        sudo dd of="${root_fs_dir}/boot/coreos/vmlinuz-a" conv=notrunc seek=64 count=64 bs=1
+        sudo dd of="${root_fs_dir}/boot/coreos/vmlinuz-a" conv=notrunc \
+        seek=${verity_offset} count=64 bs=1
   fi
 
   # Sign the kernel after /usr is in a consistent state and verity is calculated
@@ -420,7 +430,7 @@ finish_image() {
       target_list="arm64-efi"
     fi
     for target in ${target_list}; do
-      if [[ ${disable_read_write} -eq ${FLAGS_TRUE} && ${FLAGS_enable_verity} -eq ${FLAGS_TRUE} ]]; then
+      if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
         ${BUILD_LIBRARY_DIR}/grub_install.sh \
             --board="${BOARD}" \
             --target="${target}" \