Merge pull request #586 from marineam/kernel

Include kernel in update payloads

build_library/build_image_util.sh

@@ -80,6 +80,7 @@ zip_update_tools() {
 generate_update() {
   local image_name="$1"
   local disk_layout="$2"
+  local image_kernel="${BUILD_DIR}/${image_name%.bin}.vmlinuz"
   local update_prefix="${image_name%_image.bin}_update"
   local update="${BUILD_DIR}/${update_prefix}"
   local devkey="/usr/share/update_engine/update-payload-key.key.pem"
@@ -87,8 +88,11 @@ generate_update() {
   echo "Generating update payload, signed with a dev key"
   "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
     extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}.bin"
-  delta_generator -private_key "${devkey}" \
-    -new_image "${update}.bin" -out_file "${update}.gz"
+  delta_generator \
+      -private_key "${devkey}" \
+      -new_image "${update}.bin" \
+      -new_kernel "${image_kernel}" \
+      -out_file "${update}.gz"
 
   upload_image -d "${update}.DIGESTS" "${update}".{bin,gz,zip}
 }
@@ -282,12 +286,11 @@ finish_image() {
   local disk_layout="$2"
   local root_fs_dir="$3"
   local image_contents="$4"
-  local install_grub=0
+  local image_kernel="$5"
+  local pcr_policy="$6"
 
+  local install_grub=0
   local disk_img="${BUILD_DIR}/${image_name}"
-  local pcr_policy="${image_name%.bin}_pcr_policy.zip"
-  local pcr_dir="${BUILD_DIR}/pcrs"
-  mkdir -p "${pcr_dir}"
 
   # Copy kernel to support dm-verity boots
   sudo mkdir -p "${root_fs_dir}/boot/coreos"
@@ -364,7 +367,20 @@ finish_image() {
 	   "${root_fs_dir}/boot/coreos/vmlinuz-a"
   fi
 
-  ${BUILD_LIBRARY_DIR}/generate_kernel_hash.sh "${root_fs_dir}/boot/coreos/vmlinuz-a" ${COREOS_VERSION} >${pcr_dir}/kernel.config
+  if [[ -n "${image_kernel}" ]]; then
+    # copying kernel from vfat so ignore the permissions
+    cp --no-preserve=mode \
+        "${root_fs_dir}/boot/coreos/vmlinuz-a" \
+        "${BUILD_DIR}/${image_kernel}"
+  fi
+
+  if [[ -n "${pcr_policy}" ]]; then
+    mkdir -p "${BUILD_DIR}/pcrs"
+    ${BUILD_LIBRARY_DIR}/generate_kernel_hash.sh \
+        "${root_fs_dir}/boot/coreos/vmlinuz-a" ${COREOS_VERSION} \
+        >"${BUILD_DIR}/pcrs/kernel.config"
+  fi
+
   rm -rf "${BUILD_DIR}"/configroot
   cleanup_mounts "${root_fs_dir}"
   trap - EXIT
@@ -391,9 +407,15 @@ finish_image() {
             --noverity
       fi
     done
-    ${BUILD_LIBRARY_DIR}/generate_grub_hashes.py ${disk_img} /usr/lib/grub/ ${pcr_dir} ${COREOS_VERSION}
   fi
-  pushd ${BUILD_DIR}
-  zip -r -9 $pcr_policy pcrs
-  popd
+
+  if [[ -n "${pcr_policy}" ]]; then
+    ${BUILD_LIBRARY_DIR}/generate_grub_hashes.py \
+        "${disk_img}" /usr/lib/grub/ "${BUILD_DIR}/pcrs" ${COREOS_VERSION}
+
+    info "Generating $pcr_policy"
+    pushd "${BUILD_DIR}" >/dev/null
+    zip --quiet -r -9 "${BUILD_DIR}/${pcr_policy}" pcrs
+    popd >/dev/null
+  fi
 }

build_library/prod_image_util.sh

@@ -66,6 +66,7 @@ create_prod_image() {
   local image_contents="${image_name%.bin}_contents.txt"
   local image_packages="${image_name%.bin}_packages.txt"
   local image_licenses="${image_name%.bin}_licenses.txt"
+  local image_kernel="${image_name%.bin}.vmlinuz"
   local image_pcr_policy="${image_name%.bin}_pcr_policy.zip"
 
   start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
@@ -112,11 +113,18 @@ EOF
   sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
   sudo rmdir ${root_fs_dir}/etc/pam.d
 
-  finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}"
+  finish_image \
+      "${image_name}" \
+      "${disk_layout}" \
+      "${root_fs_dir}" \
+      "${image_contents}" \
+      "${image_kernel}" \
+      "${image_pcr_policy}"
 
   upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \
       "${BUILD_DIR}/${image_contents}" \
       "${BUILD_DIR}/${image_packages}" \
       "${BUILD_DIR}/${image_name}" \
+      "${BUILD_DIR}/${image_kernel}" \
       "${BUILD_DIR}/${image_pcr_policy}"
 }

core_sign_update

@@ -15,7 +15,8 @@ SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
 export GCLIENT_ROOT=$(readlink -f "${SCRIPT_ROOT}/../../")
 . "${SCRIPT_ROOT}/common.sh" || exit 1
 
-DEFINE_string image "" "The image that should be sent to clients."
+DEFINE_string image "" "The filesystem image of /usr"
+DEFINE_string kernel "" "The kernel image"
 DEFINE_string output "" "Output file"
 DEFINE_string private_keys "" "Path to private key in .pem format."
 DEFINE_string public_keys "" "Path to public key in .pem format."
@@ -39,6 +40,7 @@ trap cleanup INT TERM EXIT
 
 delta_generator \
     -new_image "$FLAGS_image" \
+    -new_kernel "$FLAGS_kernel" \
     -out_file update
 
 IFS=: read -a private_keys <<< "$FLAGS_private_keys"

offline_signing/download.sh

@@ -7,10 +7,13 @@ GS="gs://builds.release.core-os.net/stable/boards/amd64-usr/$VERSION"
 cd "${2:-.}"
 
 gsutil cp \
+    "${GS}/coreos_production_image.vmlinuz.bz2" \
+    "${GS}/coreos_production_image.vmlinuz.bz2.sig" \
     "${GS}/coreos_production_update.bin.bz2" \
     "${GS}/coreos_production_update.bin.bz2.sig" \
     "${GS}/coreos_production_update.zip" \
     "${GS}/coreos_production_update.zip.sig" ./
 
+gpg --verify "coreos_production_image.vmlinuz.bz2.sig"
 gpg --verify "coreos_production_update.bin.bz2.sig"
 gpg --verify "coreos_production_update.zip.sig"

offline_signing/sign.sh

@@ -5,8 +5,10 @@ DATA_DIR="$(readlink -f "$1")"
 KEYS_DIR="$(readlink -f "$(dirname "$0")")"
 
 gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
+gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.bz2.sig"
 gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig"
 bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
+bunzip2 --keep "${DATA_DIR}/coreos_production_image.vmlinuz.bz2"
 unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"
 
 export PATH="${DATA_DIR}:${PATH}"
@@ -14,6 +16,7 @@ export PATH="${DATA_DIR}:${PATH}"
 cd "${DATA_DIR}"
 ./core_sign_update \
     --image "${DATA_DIR}/coreos_production_update.bin" \
+    --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
     --output "${DATA_DIR}/coreos_production_update.gz" \
     --private_keys "${KEYS_DIR}/devel.key.pem:${KEYS_DIR}/prod-2.key.pem" \
     --public_keys  "${KEYS_DIR}/devel.pub.pem:${KEYS_DIR}/prod-2.pub.pem"