mirror of
https://github.com/flatcar/scripts.git
synced 2025-09-25 23:51:07 +02:00
[PATCH 2/5] build_kernel_image: add verified boot support
Adds rootfs image hashing to the build. If it is hashed even if the default boot device is not dm-0, the baseline rootfs integrity information will be included (though device setup will fail in the logs during boot). TEST=manually ran without enabling vboot support. BUG=chromium-os:327 Review URL: http://codereview.chromium.org/2808043
This commit is contained in:
Will Drewry
parent
fb48fa3500
commit
bcbf1c4484
@ -23,7 +23,7 @@ DEFINE_boolean keep_work ${FLAGS_FALSE} \
|
||||
"Keep temporary files (*.keyblock, *.vbpubk). (Default: false)"
|
||||
DEFINE_string keys_dir "${SRC_ROOT}/platform/vboot_reference/tests/testkeys" \
|
||||
"Directory with the RSA signing keys. (Defaults to test keys)"
|
||||
# Note, to enable verified boot, the caller would pass:
|
||||
# Note, to enable verified boot, the caller would manually pass:
|
||||
# --boot_args='dm="... /dev/sd%D%P /dev/sd%D%P ..." \
|
||||
# --root=/dev/dm-0
|
||||
DEFINE_string boot_args "noinitrd" \
|
||||
@ -31,6 +31,21 @@ DEFINE_string boot_args "noinitrd" \
|
||||
DEFINE_string root "/dev/sd%D%P" \
|
||||
"Expected device root (Default: root=/dev/sd%D%P)"
|
||||
|
||||
# If provided, will automatically add verified boot arguments.
|
||||
DEFINE_string rootfs_image "" \
|
||||
"Optional path to the rootfs device or image.(Default: \"\")"
|
||||
DEFINE_string rootfs_hash "" \
|
||||
"Optional path to output the rootfs hash to. (Default: \"\")"
|
||||
DEFINE_integer vboot_error_behavior 2 \
|
||||
"Verified boot error behavior [0: I/O errors, 1: reboot, 2: nothing] \
|
||||
(Default: 2)"
|
||||
DEFINE_integer vboot_tree_depth 1 \
|
||||
"Optional Verified boot hash tree depth. (Default: 1)"
|
||||
DEFINE_integer vboot_max_ios 1024 \
|
||||
"Optional number of outstanding I/O operations. (Default: 1024)"
|
||||
DEFINE_string vboot_hash_alg "sha1" \
|
||||
"Cryptographic hash algorithm used for vboot. (Default: sha1)"
|
||||
|
||||
# Parse flags
|
||||
FLAGS "$@" || exit 1
|
||||
eval set -- "${FLAGS_ARGV}"
|
||||
@ -38,112 +53,165 @@ eval set -- "${FLAGS_ARGV}"
|
||||
# Die on error
|
||||
set -e
|
||||
|
||||
vboot_args=
|
||||
# Even with a rootfs_image, root= is not changed unless specified.
|
||||
if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
|
||||
info "Determining root fs block count."
|
||||
# Gets the number of blocks. 4096 byte blocks _are_ expected.
|
||||
root_fs_blocks=$(sudo dumpe2fs "${FLAGS_rootfs_image}" 2> /dev/null |
|
||||
grep "Block count" |
|
||||
tr -d ' ' |
|
||||
cut -f2 -d:)
|
||||
info "Checking root fs block size."
|
||||
root_fs_block_sz=$(sudo dumpe2fs "${FLAGS_rootfs_image}" 2> /dev/null |
|
||||
grep "Block size" |
|
||||
tr -d ' ' |
|
||||
cut -f2 -d:)
|
||||
if [[ ${root_fs_block_sz} -ne 4096 ]]; then
|
||||
error "Root file system blocks are not 4k!"
|
||||
fi
|
||||
|
||||
info "Generating root fs hash tree."
|
||||
# Runs as sudo in case the image is a block device.
|
||||
table=$(sudo verity create ${FLAGS_vboot_tree_depth} \
|
||||
${FLAGS_vboot_hash_alg} \
|
||||
${FLAGS_rootfs_image} \
|
||||
${root_fs_blocks} \
|
||||
${FLAGS_rootfs_hash})
|
||||
# Don't claim the root device unless the root= flag is pointed to
|
||||
# the verified boot device. Doing so will claim /dev/sdDP out from
|
||||
# under the system.
|
||||
if [[ ${FLAGS_root} = "/dev/dm-0" ]]; then
|
||||
table=${table//HASH_DEV/\/dev\/sd%D%P}
|
||||
table=${table//ROOT_DEV/\/dev\/sd%D%P}
|
||||
fi
|
||||
vboot_args="dm=\"${table}\""
|
||||
info "dm-verity configuration: ${vboot_args}"
|
||||
fi
|
||||
|
||||
mkdir -p "${FLAGS_working_dir}"
|
||||
cat <<EOF > "${FLAGS_working_dir}/boot.config"
|
||||
root=${FLAGS_root}
|
||||
dm_verity.error_behavior=${FLAGS_vboot_error_behavior}
|
||||
dm_verity.max_bios=${FLAGS_vboot_max_ios}
|
||||
${vboot_args}
|
||||
${FLAGS_boot_args}
|
||||
EOF
|
||||
|
||||
WORK="${WORK} ${FLAGS_working_dir}/boot.config"
|
||||
info "Emitted cross-platform boot params to ${FLAGS_working_dir}/boot.config"
|
||||
|
||||
# FIXME: At the moment, we're working on signed images for x86 only. ARM will
|
||||
# support this before shipping, but at the moment they don't.
|
||||
if [[ "${FLAGS_arch}" = "x86" ]]; then
|
||||
|
||||
# Legacy BIOS will use the kernel in the rootfs (via syslinux), as will
|
||||
# standard EFI BIOS (via grub, from the EFI System Partition). Chrome OS
|
||||
# BIOS will use a separate signed kernel partition, which we'll create now.
|
||||
# FIXME: remove serial output, debugging messages.
|
||||
mkdir -p ${FLAGS_working_dir}
|
||||
cat <<EOF > "${FLAGS_working_dir}/config.txt"
|
||||
# Legacy BIOS will use the kernel in the rootfs (via syslinux), as will
|
||||
# standard EFI BIOS (via grub, from the EFI System Partition). Chrome OS
|
||||
# BIOS will use a separate signed kernel partition, which we'll create now.
|
||||
# FIXME: remove serial output, debugging messages.
|
||||
mkdir -p ${FLAGS_working_dir}
|
||||
cat <<EOF | cat - "${FLAGS_working_dir}/boot.config" \
|
||||
> "${FLAGS_working_dir}/config.txt"
|
||||
earlyprintk=serial,ttyS0,115200
|
||||
console=ttyS0,115200
|
||||
init=/sbin/init
|
||||
add_efi_memmap
|
||||
boot=local
|
||||
rootwait
|
||||
root=${FLAGS_root}
|
||||
ro
|
||||
noresume
|
||||
noswap
|
||||
i915.modeset=1
|
||||
loglevel=7
|
||||
cros_secure
|
||||
${FLAGS_boot_args}
|
||||
EOF
|
||||
WORK="${FLAGS_working_dir}/config.txt"
|
||||
WORK="${WORK} ${FLAGS_working_dir}/config.txt"
|
||||
|
||||
|
||||
# FIX: The .vbprivk files are not encrypted, so we shouldn't just leave them
|
||||
# lying around as a general thing.
|
||||
# FIX: The .vbprivk files are not encrypted, so we shouldn't just leave them
|
||||
# lying around as a general thing.
|
||||
|
||||
# Wrap the kernel data keypair, used for the kernel body
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa2048.keyb" \
|
||||
--version 1 \
|
||||
--algorithm 4
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbpubk"
|
||||
# Wrap the kernel data keypair, used for the kernel body
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa2048.keyb" \
|
||||
--version 1 \
|
||||
--algorithm 4
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbpubk"
|
||||
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa2048.pem" \
|
||||
--algorithm 4
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbprivk"
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa2048.pem" \
|
||||
--algorithm 4
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_data_key.vbprivk"
|
||||
|
||||
|
||||
# Wrap the kernel subkey pair, used for the kernel's keyblock
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_subkey.vbpubk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa4096.keyb" \
|
||||
--version 1 \
|
||||
--algorithm 8
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
# Wrap the kernel subkey pair, used for the kernel's keyblock
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_subkey.vbpubk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa4096.keyb" \
|
||||
--version 1 \
|
||||
--algorithm 8
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa4096.pem" \
|
||||
--algorithm 8
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbprivk"
|
||||
vbutil_key \
|
||||
--pack "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
|
||||
--key "${FLAGS_keys_dir}/key_rsa4096.pem" \
|
||||
--algorithm 8
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel_subkey.vbprivk"
|
||||
|
||||
|
||||
# Create the kernel keyblock, containing the kernel data key
|
||||
vbutil_keyblock \
|
||||
--pack "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--datapubkey "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
|
||||
--signprivate "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
|
||||
--flags 15
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel.keyblock"
|
||||
# Create the kernel keyblock, containing the kernel data key
|
||||
vbutil_keyblock \
|
||||
--pack "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--datapubkey "${FLAGS_working_dir}/kernel_data_key.vbpubk" \
|
||||
--signprivate "${FLAGS_working_dir}/kernel_subkey.vbprivk" \
|
||||
--flags 15
|
||||
WORK="${WORK} ${FLAGS_working_dir}/kernel.keyblock"
|
||||
|
||||
# Verify the keyblock.
|
||||
vbutil_keyblock \
|
||||
--unpack "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
# Verify the keyblock.
|
||||
vbutil_keyblock \
|
||||
--unpack "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
|
||||
# TODO: We should sign the kernel blob using the recovery root key and recovery
|
||||
# kernel data key instead (to create the recovery image), and then re-sign it
|
||||
# this way for the install image. But we'll want to keep the install vblock
|
||||
# separate, so we can just copy that part over separately when we install it
|
||||
# instead of the whole kernel blob.
|
||||
# TODO: We should sign the kernel blob using the recovery root key and
|
||||
# recovery kernel data key instead (to create the recovery image), and then
|
||||
# re-sign it this way for the install image. But we'll want to keep the
|
||||
# install vblock separate, so we can just copy that part over separately when
|
||||
# we install it instead of the whole kernel blob.
|
||||
|
||||
# Create and sign the kernel blob
|
||||
vbutil_kernel \
|
||||
--pack "${FLAGS_to}" \
|
||||
--keyblock "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--signprivate "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
|
||||
--version 1 \
|
||||
--config "${FLAGS_working_dir}/config.txt" \
|
||||
--bootloader /lib64/bootstub/bootstub.efi \
|
||||
--vmlinuz "${FLAGS_vmlinuz}"
|
||||
# Create and sign the kernel blob
|
||||
vbutil_kernel \
|
||||
--pack "${FLAGS_to}" \
|
||||
--keyblock "${FLAGS_working_dir}/kernel.keyblock" \
|
||||
--signprivate "${FLAGS_working_dir}/kernel_data_key.vbprivk" \
|
||||
--version 1 \
|
||||
--config "${FLAGS_working_dir}/config.txt" \
|
||||
--bootloader /lib64/bootstub/bootstub.efi \
|
||||
--vmlinuz "${FLAGS_vmlinuz}"
|
||||
|
||||
# And verify it.
|
||||
vbutil_kernel \
|
||||
--verify "${FLAGS_to}" \
|
||||
--signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
# And verify it.
|
||||
vbutil_kernel \
|
||||
--verify "${FLAGS_to}" \
|
||||
--signpubkey "${FLAGS_working_dir}/kernel_subkey.vbpubk"
|
||||
|
||||
else
|
||||
elif [[ "${FLAGS_arch}" = "arm" ]]; then
|
||||
# FIXME: For now, ARM just uses the unsigned kernel by itself.
|
||||
cp -f "${FLAGS_vmlinuz}" "${FLAGS_to}"
|
||||
else
|
||||
error "Unknown arch: ${FLAGS_arch}"
|
||||
fi
|
||||
|
||||
set +e # cleanup failure is a-ok
|
||||
|
||||
if [[ ${FLAGS_keep_work} -eq ${FLAGS_FALSE} ]]; then
|
||||
echo "Cleaning up temporary files: ${WORK}"
|
||||
info "Cleaning up temporary files: ${WORK}"
|
||||
rm ${WORK}
|
||||
rmdir ${FLAGS_working_dir}
|
||||
fi
|
||||
|
||||
echo "Kernel partition image emitted: ${FLAGS_to}"
|
||||
info "Kernel partition image emitted: ${FLAGS_to}"
|
||||
|
||||
if [[ -f ${FLAGS_rootfs_hash} ]]; then
|
||||
info "Root filesystem hash emitted: ${FLAGS_rootfs_hash}"
|
||||
fi
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user