mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-09 22:16:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

build_image: Extract and upload GRUB/shim EFI images for signing

Browse Source 
On arm64, extract only GRUB, since there is no shim.  On dev builds,
extract neither.
This commit is contained in:
Benjamin Gilbert 2017-02-01 17:39:59 -08:00
parent f16226acb5
commit e65d5101cf
3 changed files with 56 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
build_library/build_image_util.sh
View File

@ -315,6 +315,8 @@ finish_image() {
local image_contents="$4" local image_contents="$4"
local image_kernel="$5" local image_kernel="$5"
local pcr_policy="$6" local pcr_policy="$6"
local image_grub="$7"
local image_shim="$8"
local install_grub=0 local install_grub=0
local disk_img="${BUILD_DIR}/${image_name}" local disk_img="${BUILD_DIR}/${image_name}"
@ -430,20 +432,24 @@ finish_image() {
if [[ ${BOARD} == "arm64-usr" ]]; then if [[ ${BOARD} == "arm64-usr" ]]; then
target_list="arm64-efi" target_list="arm64-efi"
fi fi
local grub_args=()
if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
grub_args+=(--verity)
else
grub_args+=(--noverity)
fi
if [[ -n "${image_grub}" && -n "${image_shim}" ]]; then
grub_args+=(
--copy_efi_grub="${BUILD_DIR}/${image_grub}"
--copy_shim="${BUILD_DIR}/${image_shim}"
)
fi
for target in ${target_list}; do for target in ${target_list}; do
if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then ${BUILD_LIBRARY_DIR}/grub_install.sh \
${BUILD_LIBRARY_DIR}/grub_install.sh \ --board="${BOARD}" \
--board="${BOARD}" \ --target="${target}" \
--target="${target}" \ --disk_image="${disk_img}" \
--disk_image="${disk_img}" \ "${grub_args[@]}"
--verity
else
${BUILD_LIBRARY_DIR}/grub_install.sh \
--board="${BOARD}" \
--target="${target}" \
--disk_image="${disk_img}" \
--noverity
fi
done done
fi fi

18
build_library/grub_install.sh
View File

@ -22,6 +22,10 @@ DEFINE_string disk_image "" \
"The disk image containing the EFI System partition." "The disk image containing the EFI System partition."
DEFINE_boolean verity ${FLAGS_FALSE} \ DEFINE_boolean verity ${FLAGS_FALSE} \
"Indicates that boot commands should enable dm-verity." "Indicates that boot commands should enable dm-verity."
DEFINE_string copy_efi_grub "" \
"Copy the EFI GRUB image to the specified path."
DEFINE_string copy_shim "" \
"Copy the shim image to the specified path."
# Parse flags # Parse flags
FLAGS "$@" || exit 1 FLAGS "$@" || exit 1
@ -208,6 +212,15 @@ case "${FLAGS_target}" in
sudo cp "/usr/lib/shim/shim.efi" \ sudo cp "/usr/lib/shim/shim.efi" \
"${ESP_DIR}/EFI/boot/bootx64.efi" "${ESP_DIR}/EFI/boot/bootx64.efi"
fi fi
# copying from vfat so ignore permissions
if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub.efi" \
"${FLAGS_copy_efi_grub}"
fi
if [[ -n "${FLAGS_copy_shim}" ]]; then
cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootx64.efi" \
"${FLAGS_copy_shim}"
fi
;; ;;
x86_64-xen) x86_64-xen)
info "Installing default x86_64 Xen bootloader." info "Installing default x86_64 Xen bootloader."
@ -223,6 +236,11 @@ case "${FLAGS_target}" in
#FIXME(andrejro): shim not ported to aarch64 #FIXME(andrejro): shim not ported to aarch64
sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \ sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
"${ESP_DIR}/EFI/boot/bootaa64.efi" "${ESP_DIR}/EFI/boot/bootaa64.efi"
if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
# copying from vfat so ignore permissions
cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootaa64.efi" \
"${FLAGS_copy_efi_grub}"
fi
;; ;;
esac esac

26
build_library/prod_image_util.sh
View File

@ -68,6 +68,8 @@ create_prod_image() {
local image_licenses="${image_name%.bin}_licenses.txt" local image_licenses="${image_name%.bin}_licenses.txt"
local image_kernel="${image_name%.bin}.vmlinuz" local image_kernel="${image_name%.bin}.vmlinuz"
local image_pcr_policy="${image_name%.bin}_pcr_policy.zip" local image_pcr_policy="${image_name%.bin}_pcr_policy.zip"
local image_grub="${image_name%.bin}.grub"
local image_shim="${image_name%.bin}.shim"
start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}" start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
@ -122,12 +124,22 @@ EOF
"${root_fs_dir}" \ "${root_fs_dir}" \
"${image_contents}" \ "${image_contents}" \
"${image_kernel}" \ "${image_kernel}" \
"${image_pcr_policy}" "${image_pcr_policy}" \
"${image_grub}" \
"${image_shim}"
upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \ # Upload
"${BUILD_DIR}/${image_contents}" \ local to_upload=(
"${BUILD_DIR}/${image_packages}" \ "${BUILD_DIR}/${image_contents}"
"${BUILD_DIR}/${image_name}" \ "${BUILD_DIR}/${image_packages}"
"${BUILD_DIR}/${image_kernel}" \ "${BUILD_DIR}/${image_name}"
"${BUILD_DIR}/${image_pcr_policy}" "${BUILD_DIR}/${image_kernel}"
"${BUILD_DIR}/${image_pcr_policy}"
"${BUILD_DIR}/${image_grub}"
)
# FIXME(bgilbert): no shim on arm64
if [[ -f "${BUILD_DIR}/${image_shim}" ]]; then
to_upload+=("${BUILD_DIR}/${image_shim}")
fi
upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" "${to_upload[@]}"
} }