build_image: Extract and upload GRUB/shim EFI images for signing

On arm64, extract only GRUB, since there is no shim. On dev builds, extract neither.
2025-08-07 04:56:58 +02:00 · 2017-02-01 17:39:59 -08:00 · 2017-02-01 17:39:59 -08:00 · e65d5101cf
commit e65d5101cf
parent f16226acb5
3 changed files with 56 additions and 20 deletions
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@ -315,6 +315,8 @@ finish_image() {
  local image_contents="$4"
  local image_kernel="$5"
  local pcr_policy="$6"
+  local image_grub="$7"
+  local image_shim="$8"

  local install_grub=0
  local disk_img="${BUILD_DIR}/${image_name}"
@ -430,20 +432,24 @@ finish_image() {
    if [[ ${BOARD} == "arm64-usr" ]]; then
      target_list="arm64-efi"
    fi
+    local grub_args=()
+    if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
+      grub_args+=(--verity)
+    else
+      grub_args+=(--noverity)
+    fi
+    if [[ -n "${image_grub}" && -n "${image_shim}" ]]; then
+      grub_args+=(
+        --copy_efi_grub="${BUILD_DIR}/${image_grub}"
+        --copy_shim="${BUILD_DIR}/${image_shim}"
+      )
+    fi
    for target in ${target_list}; do
-      if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
-        ${BUILD_LIBRARY_DIR}/grub_install.sh \
-            --board="${BOARD}" \
-            --target="${target}" \
-            --disk_image="${disk_img}" \
-            --verity
-      else
-        ${BUILD_LIBRARY_DIR}/grub_install.sh \
-            --board="${BOARD}" \
-            --target="${target}" \
-            --disk_image="${disk_img}" \
-            --noverity
-      fi
+      ${BUILD_LIBRARY_DIR}/grub_install.sh \
+          --board="${BOARD}" \
+          --target="${target}" \
+          --disk_image="${disk_img}" \
+          "${grub_args[@]}"
    done
  fi

--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@ -22,6 +22,10 @@ DEFINE_string disk_image "" \
  "The disk image containing the EFI System partition."
 DEFINE_boolean verity ${FLAGS_FALSE} \
  "Indicates that boot commands should enable dm-verity."
+DEFINE_string copy_efi_grub "" \
+  "Copy the EFI GRUB image to the specified path."
+DEFINE_string copy_shim "" \
+  "Copy the shim image to the specified path."

 # Parse flags
 FLAGS "$@" || exit 1
@ -208,6 +212,15 @@ case "${FLAGS_target}" in
            sudo cp "/usr/lib/shim/shim.efi" \
                "${ESP_DIR}/EFI/boot/bootx64.efi"
 	fi
+        # copying from vfat so ignore permissions
+        if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub.efi" \
+                "${FLAGS_copy_efi_grub}"
+        fi
+        if [[ -n "${FLAGS_copy_shim}" ]]; then
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootx64.efi" \
+                "${FLAGS_copy_shim}"
+        fi
        ;;
    x86_64-xen)
        info "Installing default x86_64 Xen bootloader."
@ -223,6 +236,11 @@ case "${FLAGS_target}" in
        #FIXME(andrejro): shim not ported to aarch64
        sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
            "${ESP_DIR}/EFI/boot/bootaa64.efi"
+        if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
+            # copying from vfat so ignore permissions
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootaa64.efi" \
+                "${FLAGS_copy_efi_grub}"
+        fi
        ;;
 esac

--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@ -68,6 +68,8 @@ create_prod_image() {
  local image_licenses="${image_name%.bin}_licenses.txt"
  local image_kernel="${image_name%.bin}.vmlinuz"
  local image_pcr_policy="${image_name%.bin}_pcr_policy.zip"
+  local image_grub="${image_name%.bin}.grub"
+  local image_shim="${image_name%.bin}.shim"

  start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"

@ -122,12 +124,22 @@ EOF
      "${root_fs_dir}" \
      "${image_contents}" \
      "${image_kernel}" \
-      "${image_pcr_policy}"
+      "${image_pcr_policy}" \
+      "${image_grub}" \
+      "${image_shim}"

-  upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \
-      "${BUILD_DIR}/${image_contents}" \
-      "${BUILD_DIR}/${image_packages}" \
-      "${BUILD_DIR}/${image_name}" \
-      "${BUILD_DIR}/${image_kernel}" \
-      "${BUILD_DIR}/${image_pcr_policy}"
+  # Upload
+  local to_upload=(
+    "${BUILD_DIR}/${image_contents}"
+    "${BUILD_DIR}/${image_packages}"
+    "${BUILD_DIR}/${image_name}"
+    "${BUILD_DIR}/${image_kernel}"
+    "${BUILD_DIR}/${image_pcr_policy}"
+    "${BUILD_DIR}/${image_grub}"
+  )
+  # FIXME(bgilbert): no shim on arm64
+  if [[ -f "${BUILD_DIR}/${image_shim}" ]]; then
+    to_upload+=("${BUILD_DIR}/${image_shim}")
+  fi
+  upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" "${to_upload[@]}"
 }