From 14eb89a5dc8faf825e988d95010664618f446302 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Tue, 6 Sep 2016 16:09:48 -0700 Subject: [PATCH 1/4] build_image: publish kernel along with base image for generating updates --- build_library/build_image_util.sh | 8 ++++++++ build_library/prod_image_util.sh | 4 +++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 242099dfa8..9321388933 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -282,6 +282,7 @@ finish_image() { local disk_layout="$2" local root_fs_dir="$3" local image_contents="$4" + local image_kernel="$5" local install_grub=0 local disk_img="${BUILD_DIR}/${image_name}" @@ -364,6 +365,13 @@ finish_image() { "${root_fs_dir}/boot/coreos/vmlinuz-a" fi + if [[ -n "${image_kernel}" ]]; then + # copying kernel from vfat so ignore the permissions + cp --no-preserve=mode \ + "${root_fs_dir}/boot/coreos/vmlinuz-a" \ + "${BUILD_DIR}/${image_kernel}" + fi + ${BUILD_LIBRARY_DIR}/generate_kernel_hash.sh "${root_fs_dir}/boot/coreos/vmlinuz-a" ${COREOS_VERSION} >${pcr_dir}/kernel.config rm -rf "${BUILD_DIR}"/configroot cleanup_mounts "${root_fs_dir}" diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh index 2d617d703e..082447e348 100755 --- a/build_library/prod_image_util.sh +++ b/build_library/prod_image_util.sh @@ -66,6 +66,7 @@ create_prod_image() { local image_contents="${image_name%.bin}_contents.txt" local image_packages="${image_name%.bin}_packages.txt" local image_licenses="${image_name%.bin}_licenses.txt" + local image_kernel="${image_name%.bin}.vmlinuz" local image_pcr_policy="${image_name%.bin}_pcr_policy.zip" start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}" @@ -112,11 +113,12 @@ EOF sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/ sudo rmdir ${root_fs_dir}/etc/pam.d - finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" + finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_kernel}" upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \ "${BUILD_DIR}/${image_contents}" \ "${BUILD_DIR}/${image_packages}" \ "${BUILD_DIR}/${image_name}" \ + "${BUILD_DIR}/${image_kernel}" \ "${BUILD_DIR}/${image_pcr_policy}" } From 300722d7cb1f7d35dae321585cea2e53dd3fcb7a Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Tue, 6 Sep 2016 16:09:48 -0700 Subject: [PATCH 2/4] build_image: include kernel in --generate_update payloads --- build_library/build_image_util.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 9321388933..dad0d6d424 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -80,6 +80,7 @@ zip_update_tools() { generate_update() { local image_name="$1" local disk_layout="$2" + local image_kernel="${BUILD_DIR}/${image_name%.bin}.vmlinuz" local update_prefix="${image_name%_image.bin}_update" local update="${BUILD_DIR}/${update_prefix}" local devkey="/usr/share/update_engine/update-payload-key.key.pem" @@ -87,8 +88,11 @@ generate_update() { echo "Generating update payload, signed with a dev key" "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}.bin" - delta_generator -private_key "${devkey}" \ - -new_image "${update}.bin" -out_file "${update}.gz" + delta_generator \ + -private_key "${devkey}" \ + -new_image "${update}.bin" \ + -new_kernel "${image_kernel}" \ + -out_file "${update}.gz" upload_image -d "${update}.DIGESTS" "${update}".{bin,gz,zip} } From 1092afd240a0d4aa59a9e449bdb5c90b4b5cca65 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Mon, 19 Sep 2016 12:09:27 -0700 Subject: [PATCH 3/4] build_image: clean up PCR policy generation Pass as an argument to finish_image like most other things. --- build_library/build_image_util.sh | 28 +++++++++++++++++++--------- build_library/prod_image_util.sh | 8 +++++++- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index dad0d6d424..ee76ad0654 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -287,12 +287,10 @@ finish_image() { local root_fs_dir="$3" local image_contents="$4" local image_kernel="$5" - local install_grub=0 + local pcr_policy="$6" + local install_grub=0 local disk_img="${BUILD_DIR}/${image_name}" - local pcr_policy="${image_name%.bin}_pcr_policy.zip" - local pcr_dir="${BUILD_DIR}/pcrs" - mkdir -p "${pcr_dir}" # Copy kernel to support dm-verity boots sudo mkdir -p "${root_fs_dir}/boot/coreos" @@ -376,7 +374,13 @@ finish_image() { "${BUILD_DIR}/${image_kernel}" fi - ${BUILD_LIBRARY_DIR}/generate_kernel_hash.sh "${root_fs_dir}/boot/coreos/vmlinuz-a" ${COREOS_VERSION} >${pcr_dir}/kernel.config + if [[ -n "${pcr_policy}" ]]; then + mkdir -p "${BUILD_DIR}/pcrs" + ${BUILD_LIBRARY_DIR}/generate_kernel_hash.sh \ + "${root_fs_dir}/boot/coreos/vmlinuz-a" ${COREOS_VERSION} \ + >"${BUILD_DIR}/pcrs/kernel.config" + fi + rm -rf "${BUILD_DIR}"/configroot cleanup_mounts "${root_fs_dir}" trap - EXIT @@ -403,9 +407,15 @@ finish_image() { --noverity fi done - ${BUILD_LIBRARY_DIR}/generate_grub_hashes.py ${disk_img} /usr/lib/grub/ ${pcr_dir} ${COREOS_VERSION} fi - pushd ${BUILD_DIR} - zip -r -9 $pcr_policy pcrs - popd + + if [[ -n "${pcr_policy}" ]]; then + ${BUILD_LIBRARY_DIR}/generate_grub_hashes.py \ + "${disk_img}" /usr/lib/grub/ "${BUILD_DIR}/pcrs" ${COREOS_VERSION} + + info "Generating $pcr_policy" + pushd "${BUILD_DIR}" >/dev/null + zip --quiet -r -9 "${BUILD_DIR}/${pcr_policy}" pcrs + popd >/dev/null + fi } diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh index 082447e348..1c0611fdbf 100755 --- a/build_library/prod_image_util.sh +++ b/build_library/prod_image_util.sh @@ -113,7 +113,13 @@ EOF sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/ sudo rmdir ${root_fs_dir}/etc/pam.d - finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_kernel}" + finish_image \ + "${image_name}" \ + "${disk_layout}" \ + "${root_fs_dir}" \ + "${image_contents}" \ + "${image_kernel}" \ + "${image_pcr_policy}" upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \ "${BUILD_DIR}/${image_contents}" \ From 5da26fa912f263a534aeb0f44fb3661f9780674f Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Mon, 19 Sep 2016 12:14:24 -0700 Subject: [PATCH 4/4] offline_signing: include kernel in official updates --- core_sign_update | 4 +++- offline_signing/download.sh | 3 +++ offline_signing/sign.sh | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/core_sign_update b/core_sign_update index f327fb7660..a658206a2e 100755 --- a/core_sign_update +++ b/core_sign_update @@ -15,7 +15,8 @@ SCRIPT_ROOT=$(dirname $(readlink -f "$0")) export GCLIENT_ROOT=$(readlink -f "${SCRIPT_ROOT}/../../") . "${SCRIPT_ROOT}/common.sh" || exit 1 -DEFINE_string image "" "The image that should be sent to clients." +DEFINE_string image "" "The filesystem image of /usr" +DEFINE_string kernel "" "The kernel image" DEFINE_string output "" "Output file" DEFINE_string private_keys "" "Path to private key in .pem format." DEFINE_string public_keys "" "Path to public key in .pem format." @@ -39,6 +40,7 @@ trap cleanup INT TERM EXIT delta_generator \ -new_image "$FLAGS_image" \ + -new_kernel "$FLAGS_kernel" \ -out_file update IFS=: read -a private_keys <<< "$FLAGS_private_keys" diff --git a/offline_signing/download.sh b/offline_signing/download.sh index 2b94fc1be0..3a94cb11a8 100755 --- a/offline_signing/download.sh +++ b/offline_signing/download.sh @@ -7,10 +7,13 @@ GS="gs://builds.release.core-os.net/stable/boards/amd64-usr/$VERSION" cd "${2:-.}" gsutil cp \ + "${GS}/coreos_production_image.vmlinuz.bz2" \ + "${GS}/coreos_production_image.vmlinuz.bz2.sig" \ "${GS}/coreos_production_update.bin.bz2" \ "${GS}/coreos_production_update.bin.bz2.sig" \ "${GS}/coreos_production_update.zip" \ "${GS}/coreos_production_update.zip.sig" ./ +gpg --verify "coreos_production_image.vmlinuz.bz2.sig" gpg --verify "coreos_production_update.bin.bz2.sig" gpg --verify "coreos_production_update.zip.sig" diff --git a/offline_signing/sign.sh b/offline_signing/sign.sh index e27b3c9625..9521869488 100755 --- a/offline_signing/sign.sh +++ b/offline_signing/sign.sh @@ -5,8 +5,10 @@ DATA_DIR="$(readlink -f "$1")" KEYS_DIR="$(readlink -f "$(dirname "$0")")" gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig" +gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.bz2.sig" gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig" bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2" +bunzip2 --keep "${DATA_DIR}/coreos_production_image.vmlinuz.bz2" unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}" export PATH="${DATA_DIR}:${PATH}" @@ -14,6 +16,7 @@ export PATH="${DATA_DIR}:${PATH}" cd "${DATA_DIR}" ./core_sign_update \ --image "${DATA_DIR}/coreos_production_update.bin" \ + --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \ --output "${DATA_DIR}/coreos_production_update.gz" \ --private_keys "${KEYS_DIR}/devel.key.pem:${KEYS_DIR}/prod-2.key.pem" \ --public_keys "${KEYS_DIR}/devel.pub.pem:${KEYS_DIR}/prod-2.pub.pem"