mirror of
https://github.com/flatcar/scripts.git
synced 2025-11-28 14:01:43 +01:00
Issue 5183: Create a developer shim for release builds
Change-Id: I14cd9dc365093c0450210d7853ad5f67ffa0ddd0 BUG=chromium-os:5183 TEST=1) manually built a dev install shim and verified it's only bootable when dev switch is ON Review URL: http://codereview.chromium.org/3153001
This commit is contained in:
Tan Gao
parent
e122814469
commit
843b70acf4
@ -19,10 +19,6 @@ fi
|
||||
set -e
|
||||
. "$(dirname "$0")/../chromeos-common.sh" # for partoffset and partsize
|
||||
|
||||
if [ ${#} -ne 2 ]; then
|
||||
die "Usage: $0 /path/to/image/dir image_name"
|
||||
fi
|
||||
|
||||
BOOT_DESC_FILE="${1}/boot.desc"
|
||||
IMAGE="${1}/${2}"
|
||||
|
||||
@ -93,10 +89,16 @@ DEFINE_string statefulfs_mountpoint "/tmp/statefulfs" \
|
||||
DEFINE_string espfs_mountpoint "/tmp/espfs" \
|
||||
"Path where the espfs can be safely mounted"
|
||||
|
||||
DEFINE_boolean use_dev_keys ${FLAGS_FALSE} \
|
||||
"Use developer keys for signing. (Default: false)"
|
||||
|
||||
# Parse command-line flags present after positional args, if any. This needs
|
||||
# to happen before we parse boot.desc (otherwise the flags would be lost)
|
||||
FLAGS "${@}" || exit 1
|
||||
|
||||
# Parse the boot.desc
|
||||
eval set -- "${BOOT_DESC}"
|
||||
FLAGS "${@}" || exit 1
|
||||
eval set -- "${FLAGS_ARGV}"
|
||||
|
||||
# Only now can we die on error. shflags functions leak non-zero error codes,
|
||||
# so will die prematurely if 'set -e' is specified before now.
|
||||
@ -115,6 +117,7 @@ mount_gpt_cleanup() {
|
||||
|
||||
make_image_bootable() {
|
||||
local image="$1"
|
||||
local use_dev_keys=
|
||||
|
||||
cros_root=/dev/sd%D%P
|
||||
if [[ "${FLAGS_arch}" = "arm" ]]; then
|
||||
@ -136,6 +139,10 @@ make_image_bootable() {
|
||||
root_dev=$(mount | grep -- "on ${FLAGS_rootfs_mountpoint} type" |
|
||||
cut -f1 -d' ' | tail -1)
|
||||
|
||||
if [ ${FLAGS_use_dev_keys} -eq ${FLAGS_TRUE} ]; then
|
||||
use_dev_keys="--use_dev_keys"
|
||||
fi
|
||||
|
||||
# Builds the kernel partition image. The temporary files are kept around
|
||||
# so that we can perform a load_kernel_test later on the final image.
|
||||
${SCRIPTS_DIR}/build_kernel_image.sh \
|
||||
@ -152,7 +159,8 @@ make_image_bootable() {
|
||||
--verity_max_ios=${FLAGS_verity_max_ios} \
|
||||
--verity_error_behavior=${FLAGS_verity_error_behavior} \
|
||||
--root=${cros_root} \
|
||||
--keys_dir="${FLAGS_keys_dir}"
|
||||
--keys_dir="${FLAGS_keys_dir}" \
|
||||
${use_dev_keys}
|
||||
|
||||
local rootfs_hash_size=$(stat -c '%s' ${FLAGS_rootfs_hash})
|
||||
info "Appending rootfs.hash (${rootfs_hash_size} bytes) to the root fs"
|
||||
|
||||
62
build_image
62
build_image
@ -45,6 +45,8 @@ DEFINE_string to "" \
|
||||
DEFINE_boolean factory_install ${FLAGS_FALSE} \
|
||||
"Build a smaller image to overlay the factory install shim on; this argument \
|
||||
is also required in image_to_usb."
|
||||
DEFINE_boolean dev_install ${FLAGS_FALSE} \
|
||||
"Build a smaller image to overlay the dev recovery install shim on"
|
||||
DEFINE_string arm_extra_bootargs "" \
|
||||
"Additional command line options to pass to the ARM kernel."
|
||||
DEFINE_integer rootfs_partition_size 1024 \
|
||||
@ -100,6 +102,24 @@ bigger than partition (${FLAGS_rootfs_partition_size} MB)."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify user didn't specify incompatible flags for dev install shim
|
||||
if [ ${FLAGS_factory_install} -eq ${FLAGS_TRUE} ] &&
|
||||
[ ${FLAGS_dev_install} -eq ${FLAGS_TRUE} ] ; then
|
||||
error "Incompatible flags: --factory_install and --dev_install cannot be \
|
||||
both set to True. Please specify one or none."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Disable --withdev flag when --dev_install is set to True. Otherwise, the
|
||||
# dev image produced will be based on dev install shim, rather than a pristine
|
||||
# image
|
||||
if [ ${FLAGS_withdev} -eq ${FLAGS_TRUE} ] &&
|
||||
[ ${FLAGS_dev_install} -eq ${FLAGS_TRUE} ] ; then
|
||||
info "Incompatible flags: --withdev and --dev_install cannot be both set to \
|
||||
True. Reset --withdev to False."
|
||||
FLAGS_withdev=${FLAGS_FALSE}
|
||||
fi
|
||||
|
||||
EMERGE_BOARD_CMD="emerge-${FLAGS_board}"
|
||||
if [ "${FLAGS_fast}" -eq "${FLAGS_TRUE}" ]; then
|
||||
echo "Using alternate emerge"
|
||||
@ -125,6 +145,11 @@ if [ "${FLAGS_withdev}" -eq "${FLAGS_TRUE}" ]; then
|
||||
DEVELOPER_IMAGE_NAME=chromiumos_image.bin
|
||||
fi
|
||||
|
||||
# Rename pristine image for dev install shim
|
||||
if [ "${FLAGS_dev_install}" -eq "${FLAGS_TRUE}" ]; then
|
||||
PRISTINE_IMAGE_NAME=dev_install_shim.bin
|
||||
fi
|
||||
|
||||
PRISTINE_IMG="${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}"
|
||||
DEVELOPER_IMG="${OUTPUT_DIR}/${DEVELOPER_IMAGE_NAME}"
|
||||
|
||||
@ -167,7 +192,8 @@ fi
|
||||
|
||||
# Reduce the size of factory install shim.
|
||||
# TODO: Build a separated ebuild for the factory install shim to reduce size.
|
||||
if [[ ${FLAGS_factory_install} -eq ${FLAGS_TRUE} ]] ; then
|
||||
if [ ${FLAGS_factory_install} -eq ${FLAGS_TRUE} ] ||
|
||||
[ ${FLAGS_dev_install} -eq ${FLAGS_TRUE} ] ; then
|
||||
INSTALL_MASK="${INSTALL_MASK} ${FACTORY_INSTALL_MASK}"
|
||||
fi
|
||||
|
||||
@ -368,9 +394,10 @@ update_dev_packages() {
|
||||
fi
|
||||
|
||||
# Check that the image has been correctly created. Only do it if not
|
||||
# building a factory install image, as the INSTALL_MASK for it will
|
||||
# make test_image fail.
|
||||
if [[ ${FLAGS_factory_install} -eq ${FLAGS_FALSE} ]] ; then
|
||||
# building a factory install image and not a dev install shim, as the
|
||||
# INSTALL_MASK for it will make test_image fail.
|
||||
if [ ${FLAGS_factory_install} -eq ${FLAGS_FALSE} ] &&
|
||||
[ ${FLAGS_dev_install} -eq ${FLAGS_FALSE} ] ; then
|
||||
"${SCRIPTS_DIR}/test_image" \
|
||||
--root="${ROOT_FS_DIR}" \
|
||||
--target="${ARCH}"
|
||||
@ -428,7 +455,9 @@ create_base_image() {
|
||||
|
||||
# Create root file system disk image to fit on a 1GB memory stick.
|
||||
# 1 GB in hard-drive-manufacturer-speak is 10^9, not 2^30. 950MB < 10^9 bytes.
|
||||
if [[ ${FLAGS_factory_install} -eq ${FLAGS_TRUE} ]] ; then
|
||||
# Minimize rootfs size for dev install shim and factory installer
|
||||
if [ ${FLAGS_factory_install} -eq ${FLAGS_TRUE} ] ||
|
||||
[ ${FLAGS_dev_install} -eq ${FLAGS_TRUE} ] ; then
|
||||
ROOT_SIZE_BYTES=$((1024 * 1024 * 300))
|
||||
else
|
||||
ROOT_SIZE_BYTES=$((1024 * 1024 * ${FLAGS_rootfs_size}))
|
||||
@ -565,8 +594,9 @@ create_base_image() {
|
||||
--install \
|
||||
${enable_rootfs_verification}
|
||||
|
||||
# Don't test the factory install shim.
|
||||
if [[ ${FLAGS_factory_install} -eq ${FLAGS_FALSE} ]] ; then
|
||||
# Don't test the factory install shim or the dev install shim
|
||||
if [ ${FLAGS_factory_install} -eq ${FLAGS_FALSE} ] &&
|
||||
[ ${FLAGS_dev_install} -eq ${FLAGS_FALSE} ]; then
|
||||
# Check that the image has been correctly created.
|
||||
"${SCRIPTS_DIR}/test_image" \
|
||||
--root="${ROOT_FS_DIR}" \
|
||||
@ -635,14 +665,28 @@ if [[ -f ${PRISTINE_IMG} ]] ; then
|
||||
else
|
||||
create_base_image ${PRISTINE_IMAGE_NAME}
|
||||
fi
|
||||
|
||||
USE_DEV_KEYS=
|
||||
if [ "${FLAGS_dev_install}" -eq "${FLAGS_TRUE}" ]; then
|
||||
USE_DEV_KEYS="--use_dev_keys"
|
||||
fi
|
||||
|
||||
# Place flags before positional args
|
||||
${SCRIPTS_DIR}/bin/cros_make_image_bootable "${OUTPUT_DIR}" \
|
||||
"${PRISTINE_IMAGE_NAME}"
|
||||
"${PRISTINE_IMAGE_NAME}" \
|
||||
${USE_DEV_KEYS}
|
||||
|
||||
# FIXME: only signing things for x86 right now.
|
||||
if [[ "${ARCH}" = "x86" ]]; then
|
||||
BOOT_FLAG=
|
||||
if [ "${FLAGS_dev_install}" -eq "${FLAGS_TRUE}" ] ; then
|
||||
BOOT_FLAG="-b 1" # BOOT_FLAG_DEVELOPER value defined in load_kernel_fw.h
|
||||
info "--dev_install set, pass BOOT_FLAG_DEVELOPER flag to load_kernel_test"
|
||||
fi
|
||||
|
||||
# Verify the final image.
|
||||
load_kernel_test "${OUTPUT_DIR}/${PRISTINE_IMAGE_NAME}" \
|
||||
"${DEVKEYSDIR}/recovery_key.vbpubk"
|
||||
"${DEVKEYSDIR}/recovery_key.vbpubk" ${BOOT_FLAG}
|
||||
fi
|
||||
|
||||
# Create a developer image based on the chromium os base image.
|
||||
|
||||
@ -25,6 +25,8 @@ DEFINE_boolean keep_work ${FLAGS_FALSE} \
|
||||
"Keep temporary files (*.keyblock, *.vbpubk). (Default: false)"
|
||||
DEFINE_string keys_dir "${SRC_ROOT}/platform/vboot_reference/tests/testkeys" \
|
||||
"Directory with the RSA signing keys. (Defaults to test keys)"
|
||||
DEFINE_boolean use_dev_keys ${FLAGS_FALSE} \
|
||||
"Use developer keys for signing. (Default: false)"
|
||||
# Note, to enable verified boot, the caller would manually pass:
|
||||
# --boot_args='dm="... /dev/sd%D%P /dev/sd%D%P ..." \
|
||||
# --root=/dev/dm-0
|
||||
@ -134,11 +136,20 @@ EOF
|
||||
|
||||
# We sign the image with the recovery_key, because this is what goes onto the
|
||||
# USB key. We can only boot from the USB drive in recovery mode.
|
||||
# For dev install shim, we need to use the installer keyblock instead of
|
||||
# the recovery keyblock because of the difference in flags.
|
||||
if [ ${FLAGS_use_dev_keys} -eq ${FLAGS_TRUE} ]; then
|
||||
USB_KEYBLOCK=installer_kernel.keyblock
|
||||
info "DEBUG: use dev install signing key"
|
||||
else
|
||||
USB_KEYBLOCK=recovery_kernel.keyblock
|
||||
info "DEBUG: use recovery signing key"
|
||||
fi
|
||||
|
||||
# Create and sign the kernel blob
|
||||
vbutil_kernel \
|
||||
--pack "${FLAGS_to}" \
|
||||
--keyblock "${FLAGS_keys_dir}/recovery_kernel.keyblock" \
|
||||
--keyblock "${FLAGS_keys_dir}/${USB_KEYBLOCK}" \
|
||||
--signprivate "${FLAGS_keys_dir}/recovery_kernel_data_key.vbprivk" \
|
||||
--version 1 \
|
||||
--config "${FLAGS_working_dir}/config.txt" \
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user