mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-22 06:01:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Added enable_bootcache option to scripts"

Browse Source 
This reverts commit acff37652582e2abcba4295515d99d5869e34826

This broke the signing process due to changed kernel params.
Please update ensure_secure_kernelparams.config under the
cros-signing/ tree before relanding this.

Change-Id: I3be62e16299eb69bbfef9f1530d92200a2e309d7
Reviewed-on: https://gerrit.chromium.org/gerrit/34320
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
This commit is contained in:
Mike Frysinger 2012-09-28 18:22:54 -07:00 committed by Gerrit
parent 7b6f377c58
commit 8b82f358ed
4 changed files with 7 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
bin/cros_make_image_bootable
View File

@ -97,12 +97,8 @@ DEFINE_integer rootfs_hash_pad 8 \
DEFINE_string rootfs_hash "/tmp/rootfs.hash" \ DEFINE_string rootfs_hash "/tmp/rootfs.hash" \
"Path where the rootfs hash should be stored." "Path where the rootfs hash should be stored."
# TODO(taysom): when we turn on boot cache, both verification and
# bootcache should have their default be FLAGS_TRUE.
DEFINE_boolean enable_rootfs_verification ${FLAGS_FALSE} \ DEFINE_boolean enable_rootfs_verification ${FLAGS_FALSE} \
"Default all bootloaders to NOT use kernel-based root fs integrity checking." "Default all bootloaders to use kernel-based root fs integrity checking."
DEFINE_boolean enable_bootcache ${FLAGS_FALSE} \
"Default all bootloaders to NOT use bootcache."
DEFINE_integer verity_error_behavior 3 \ DEFINE_integer verity_error_behavior 3 \
"Kernel verified boot error behavior (0: I/O errors, 1: reboot, 2: nothing)" "Kernel verified boot error behavior (0: I/O errors, 1: reboot, 2: nothing)"
DEFINE_integer verity_max_ios -1 \ DEFINE_integer verity_max_ios -1 \
@ -175,10 +171,6 @@ make_image_bootable() {
if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
enable_rootfs_verification_flag=--enable_rootfs_verification enable_rootfs_verification_flag=--enable_rootfs_verification
fi fi
local enable_bootcache_flag=--noenable_bootcache
if [[ ${FLAGS_enable_bootcache} -eq ${FLAGS_TRUE} ]]; then
enable_bootcache_flag=--enable_bootcache
fi
trap "mount_gpt_cleanup" EXIT trap "mount_gpt_cleanup" EXIT
"${SCRIPTS_DIR}/mount_gpt_image.sh" --from "$(dirname "${image}")" \ "${SCRIPTS_DIR}/mount_gpt_image.sh" --from "$(dirname "${image}")" \
@ -239,7 +231,6 @@ make_image_bootable() {
--verity_salt=${FLAGS_verity_salt} \ --verity_salt=${FLAGS_verity_salt} \
--keys_dir="${FLAGS_keys_dir}" \ --keys_dir="${FLAGS_keys_dir}" \
${enable_rootfs_verification_flag} \ ${enable_rootfs_verification_flag} \
${enable_bootcache_flag} \
${use_dev_keys} ${use_dev_keys}
# Check the size of kernel image and issue warning when image size is # Check the size of kernel image and issue warning when image size is

2
build_image
View File

@ -17,8 +17,6 @@ DEFINE_string board "${DEFAULT_BOARD}" \
"The board to build an image for." "The board to build an image for."
DEFINE_string boot_args "noinitrd" \ DEFINE_string boot_args "noinitrd" \
"Additional boot arguments to pass to the commandline" "Additional boot arguments to pass to the commandline"
DEFINE_boolean enable_bootcache ${FLAGS_FALSE} \
"Default all bootloaders to NOT use boot cache."
DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \ DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \
"Default all bootloaders to use kernel-based root fs integrity checking." "Default all bootloaders to use kernel-based root fs integrity checking."
DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \ DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \

64
build_kernel_image.sh
View File

@ -47,8 +47,6 @@ DEFINE_string verity_salt "" \
"Salt to use for rootfs hash (Default: \"\")" "Salt to use for rootfs hash (Default: \"\")"
DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \ DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \
"Enable kernel-based root fs integrity checking. (Default: true)" "Enable kernel-based root fs integrity checking. (Default: true)"
DEFINE_boolean enable_bootcache ${FLAGS_FALSE} \
"Enable boot cache to accelerate booting. (Default: false)"
# Parse flags # Parse flags
FLAGS "$@" || exit 1 FLAGS "$@" || exit 1
@ -57,31 +55,7 @@ eval set -- "${FLAGS_ARGV}"
# Die on error # Die on error
switch_to_strict_mode switch_to_strict_mode
rootdigest() { verity_args=
local digest
digest=${table#*root_hexdigest=}
echo ${digest% salt*}
}
salt() {
local salt
salt=${table#*salt=}
echo ${salt%}
}
hashstart() {
local hash
hash=${table#*hashstart=}
echo ${hash% alg*}
}
# Estimate of sectors used by verity
# (num blocks) * 32 (bytes per hash) * 2 (overhead) / 512 (bytes per sector)
veritysize() {
echo $((root_fs_blocks * 32 * 2 / 512))
}
device_mapper_args=
# Even with a rootfs_image, root= is not changed unless specified. # Even with a rootfs_image, root= is not changed unless specified.
if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
# Gets the number of blocks. 4096 byte blocks _are_ expected. # Gets the number of blocks. 4096 byte blocks _are_ expected.
@ -120,29 +94,12 @@ if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
# Don't claim the root device unless verity is enabled. # Don't claim the root device unless verity is enabled.
# Doing so will claim /dev/sdDP out from under the system. # Doing so will claim /dev/sdDP out from under the system.
if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
if [[ ${FLAGS_enable_bootcache} -eq ${FLAGS_TRUE} ]]; then base_root='%U+1' # kern_guid + 1
base_root='254:0' # major:minor numbers for /dev/dm-0
else
base_root='%U+1' # kern_guid + 1
fi
table=${table//HASH_DEV/${base_root}} table=${table//HASH_DEV/${base_root}}
table=${table//ROOT_DEV/${base_root}} table=${table//ROOT_DEV/${base_root}}
fi fi
verity_dev="vroot none ro 1,${table}" verity_args="dm=\"vroot none ro,${table}\""
if [[ ${FLAGS_enable_bootcache} -eq ${FLAGS_TRUE} ]]; then info "dm-verity configuration: ${verity_args}"
signature=$(rootdigest)
cachestart=$(($(hashstart) + $(veritysize)))
size_limit=512
max_trace=20000
max_pages=100000
bootcache_args="%U+1 ${cachestart} ${signature} ${size_limit}"
bootcache_args="${bootcache_args} ${max_trace} ${max_pages}"
bootcache_dev="vboot none ro 1, 0 ${cachestart} bootcache ${bootcache_args}"
device_mapper_args="dm=\"2 ${bootcache_dev}, ${verity_dev}\""
else
device_mapper_args="dm=\"1 ${verity_dev}\""
fi
info "device mapper configuration: ${device_mapper_args}"
fi fi
mkdir -p "${FLAGS_working_dir}" mkdir -p "${FLAGS_working_dir}"
@ -154,17 +111,8 @@ mkdir -p "${FLAGS_working_dir}"
dev_wait=0 dev_wait=0
root_dev="PARTUUID=%U/PARTNROFF=1" root_dev="PARTUUID=%U/PARTNROFF=1"
if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
root_dev=/dev/dm-0
dev_wait=1 dev_wait=1
if [[ ${FLAGS_enable_bootcache} -eq ${FLAGS_TRUE} ]]; then
root_dev=/dev/dm-1
else
root_dev=/dev/dm-0
fi
else
if [[ ${FLAGS_enable_bootcache} -eq ${FLAGS_TRUE} ]]; then
echo "Having bootcache without verity is not supported"
exit 2
fi
fi fi
cat <<EOF > "${FLAGS_working_dir}/boot.config" cat <<EOF > "${FLAGS_working_dir}/boot.config"
@ -174,7 +122,7 @@ ro
dm_verity.error_behavior=${FLAGS_verity_error_behavior} dm_verity.error_behavior=${FLAGS_verity_error_behavior}
dm_verity.max_bios=${FLAGS_verity_max_ios} dm_verity.max_bios=${FLAGS_verity_max_ios}
dm_verity.dev_wait=${dev_wait} dm_verity.dev_wait=${dev_wait}
${device_mapper_args} ${verity_args}
${FLAGS_boot_args} ${FLAGS_boot_args}
vt.global_cursor_default=0 vt.global_cursor_default=0
kern_guid=%U kern_guid=%U

5
build_library/build_image_util.sh
View File

@ -121,10 +121,6 @@ create_boot_desc() {
if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then if [[ ${FLAGS_enable_rootfs_verification} -eq ${FLAGS_TRUE} ]]; then
enable_rootfs_verification_flag="--enable_rootfs_verification" enable_rootfs_verification_flag="--enable_rootfs_verification"
fi fi
local enable_bootcache_flag=""
if [[ ${FLAGS_enable_bootcache} -eq ${FLAGS_TRUE} ]]; then
enable_bootcache_flag=--enable_bootcache
fi
[ -z "${FLAGS_verity_salt}" ] && FLAGS_verity_salt=$(make_salt) [ -z "${FLAGS_verity_salt}" ] && FLAGS_verity_salt=$(make_salt)
cat <<EOF > ${BUILD_DIR}/boot.desc cat <<EOF > ${BUILD_DIR}/boot.desc
@ -137,7 +133,6 @@ create_boot_desc() {
--nocleanup_dirs --nocleanup_dirs
--verity_algorithm=sha1 --verity_algorithm=sha1
${enable_rootfs_verification_flag} ${enable_rootfs_verification_flag}
${enable_bootcache_flag}
EOF EOF
} }