mirror of
https://github.com/flatcar/scripts.git
synced 2025-10-24 13:51:31 +02:00
We invoke zip inside the BUILD_DIR and tell it to output the compressed file somewhere in BUILD_DIR. This works if BUILD_DIR is an absolute path, but breaks when it's relative. Since we already are in BUILD_DIR, tell zip to output the file in the current directory instead. Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
951 lines
37 KiB
Bash
Executable File
951 lines
37 KiB
Bash
Executable File
# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
# found in the LICENSE file.
|
|
|
|
# Shell library for functions and initialization private to
|
|
# build_image, and not specific to any particular kind of image.
|
|
#
|
|
# TODO(jrbarnette): There's nothing holding this code together in
|
|
# one file aside from its lack of anywhere else to go. Probably,
|
|
# this file should get broken up or otherwise reorganized.
|
|
|
|
# Use canonical path since some tools (e.g. mount) do not like symlinks.
|
|
# Append build attempt to output directory.
|
|
if [ -z "${FLAGS_version}" ]; then
|
|
IMAGE_SUBDIR="${FLAGS_group}-${FLATCAR_VERSION}-a${FLAGS_build_attempt}"
|
|
else
|
|
IMAGE_SUBDIR="${FLAGS_group}-${FLAGS_version}"
|
|
fi
|
|
BUILD_DIR="${FLAGS_output_root}/${BOARD}/${IMAGE_SUBDIR}"
|
|
OUTSIDE_OUTPUT_DIR="../build/images/${BOARD}/${IMAGE_SUBDIR}"
|
|
|
|
source "${BUILD_LIBRARY_DIR}/reports_util.sh" || exit 1
|
|
source "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
|
|
|
|
set_build_symlinks() {
|
|
local build=$(basename ${BUILD_DIR})
|
|
local link
|
|
for link in "$@"; do
|
|
local path="${FLAGS_output_root}/${BOARD}/${link}"
|
|
ln -sfT "${build}" "${path}"
|
|
done
|
|
}
|
|
|
|
cleanup_mounts() {
|
|
info "Cleaning up mounts"
|
|
"${BUILD_LIBRARY_DIR}/disk_util" umount "$1" || true
|
|
rmdir "${1}" || true
|
|
}
|
|
|
|
delete_prompt() {
|
|
echo "An error occurred in your build so your latest output directory" \
|
|
"is invalid."
|
|
|
|
# Only prompt if both stdin and stdout are a tty. If either is not a tty,
|
|
# then the user may not be present, so we shouldn't bother prompting.
|
|
if [ -t 0 -a -t 1 ]; then
|
|
read -p "Would you like to delete the output directory (y/N)? " SURE
|
|
SURE="${SURE:0:1}" # Get just the first character.
|
|
else
|
|
SURE="y"
|
|
echo "Running in non-interactive mode so deleting output directory."
|
|
fi
|
|
if [ "${SURE}" == "y" ] ; then
|
|
sudo rm -rf "${BUILD_DIR}"
|
|
echo "Deleted ${BUILD_DIR}"
|
|
else
|
|
echo "Not deleting ${BUILD_DIR}."
|
|
fi
|
|
}
|
|
|
|
extract_update() {
|
|
local image_name="$1"
|
|
local disk_layout="$2"
|
|
local update="${BUILD_DIR}/${image_name%_image.bin}_update.bin"
|
|
|
|
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
|
|
extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}"
|
|
|
|
# Compress image
|
|
files_to_evaluate+=( "${update}" )
|
|
compress_disk_images files_to_evaluate
|
|
}
|
|
|
|
generate_update() {
|
|
local image_name="$1"
|
|
local disk_layout="$2"
|
|
local image_kernel="${BUILD_DIR}/${image_name%.bin}.vmlinuz"
|
|
local update="${BUILD_DIR}/${image_name%_image.bin}_update.bin"
|
|
local devkey="/usr/share/update_engine/update-payload-key.key.pem"
|
|
|
|
# Extract the partition if it isn't extracted already.
|
|
[[ -s ${update} ]] ||
|
|
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
|
|
extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}"
|
|
|
|
echo "Generating update payload, signed with a dev key"
|
|
delta_generator \
|
|
-private_key "${devkey}" \
|
|
-new_image "${update}" \
|
|
-new_kernel "${image_kernel}" \
|
|
-out_file "${BUILD_DIR}/flatcar_test_update.gz"
|
|
}
|
|
|
|
zip_update_tools() {
|
|
# There isn't a 'dev' variant of this zip, so always call it production.
|
|
local update_zip="flatcar_production_update.zip"
|
|
|
|
info "Generating update tools zip"
|
|
# Make sure some vars this script needs are exported
|
|
local -x REPO_MANIFESTS_DIR=${REPO_MANIFESTS_DIR} SCRIPTS_DIR=${SCRIPTS_DIR}
|
|
"${BUILD_LIBRARY_DIR}/generate_au_zip.py" \
|
|
--arch "$(get_sdk_arch)" --output-dir "${BUILD_DIR}" --zip-name "${update_zip}"
|
|
}
|
|
|
|
# ldconfig cannot generate caches for non-native arches.
|
|
# Use qemu & the native ldconfig to work around that.
|
|
# http://code.google.com/p/chromium/issues/detail?id=378377
|
|
run_ldconfig() {
|
|
local root_fs_dir=$1
|
|
case ${ARCH} in
|
|
arm64)
|
|
sudo qemu-aarch64 "${root_fs_dir}"/usr/sbin/ldconfig -r "${root_fs_dir}";;
|
|
x86|amd64)
|
|
sudo ldconfig -r "${root_fs_dir}";;
|
|
*)
|
|
die "Unable to run ldconfig for ARCH ${ARCH}"
|
|
esac
|
|
}
|
|
|
|
run_localedef() {
|
|
local root_fs_dir="$1" loader=()
|
|
case ${ARCH} in
|
|
arm64)
|
|
loader=( qemu-aarch64 -L "${root_fs_dir}" );;
|
|
amd64)
|
|
loader=( "${root_fs_dir}/usr/lib64/ld-linux-x86-64.so.2" \
|
|
--library-path "${root_fs_dir}/usr/lib64" );;
|
|
*)
|
|
die "Unable to run localedef for ARCH ${ARCH}";;
|
|
esac
|
|
info "Generating C.UTF-8 locale..."
|
|
local i18n="${root_fs_dir}/usr/share/i18n"
|
|
# localedef will silently fall back to /usr/share/i18n if missing so
|
|
# check that the paths we want are available first.
|
|
[[ -f "${i18n}/charmaps/UTF-8.gz" ]] || die
|
|
[[ -f "${i18n}/locales/C" ]] || die
|
|
sudo mkdir -p "${root_fs_dir}/usr/lib/locale"
|
|
sudo I18NPATH="${i18n}" "${loader[@]}" "${root_fs_dir}/usr/bin/localedef" \
|
|
--prefix="${root_fs_dir}" --charmap=UTF-8 --inputfile=C C.UTF-8
|
|
}
|
|
|
|
# Basic command to emerge binary packages into the target image.
|
|
# Arguments to this command are passed as addition options/arguments
|
|
# to the basic emerge command.
|
|
emerge_to_image() {
|
|
local root_fs_dir="$1"; shift
|
|
|
|
if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
|
|
set -- --getbinpkg "$@"
|
|
fi
|
|
|
|
sudo -E ROOT="${root_fs_dir}" \
|
|
FEATURES="-ebuild-locks" \
|
|
PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
|
|
emerge --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
|
|
|
|
# Shortcut if this was just baselayout
|
|
[[ "$*" == *sys-apps/baselayout ]] && return
|
|
|
|
# Make sure profile.env has been generated
|
|
sudo -E ROOT="${root_fs_dir}" env-update --no-ldconfig
|
|
|
|
# TODO(marineam): just call ${BUILD_LIBRARY_DIR}/check_root directly once
|
|
# all tests are fatal, for now let the old function skip soname errors.
|
|
ROOT="${root_fs_dir}" PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
|
|
test_image_content "${root_fs_dir}"
|
|
}
|
|
|
|
# emerge_to_image without a rootfs check; you should use emerge_to_image unless
|
|
# here's a good reason not to.
|
|
emerge_to_image_unchecked() {
|
|
local root_fs_dir="$1"; shift
|
|
|
|
if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
|
|
set -- --getbinpkg "$@"
|
|
fi
|
|
|
|
sudo -E ROOT="${root_fs_dir}" \
|
|
PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
|
|
emerge --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
|
|
|
|
# Shortcut if this was just baselayout
|
|
[[ "$*" == *sys-apps/baselayout ]] && return
|
|
|
|
# Make sure profile.env has been generated
|
|
sudo -E ROOT="${root_fs_dir}" env-update --no-ldconfig
|
|
}
|
|
|
|
# Switch to the dev or prod sub-profile
|
|
set_image_profile() {
|
|
local suffix="$1"
|
|
local profile="${BUILD_DIR}/configroot/etc/portage/make.profile"
|
|
if [[ ! -d "${profile}/${suffix}" ]]; then
|
|
die "Not a valid profile: ${profile}/${suffix}"
|
|
fi
|
|
local realpath=$(readlink -f "${profile}/${suffix}")
|
|
ln -snf "${realpath}" "${profile}"
|
|
}
|
|
|
|
# Usage: systemd_enable /root default.target something.service
|
|
# Or: systemd_enable /root default.target some@.service some@thing.service
|
|
systemd_enable() {
|
|
local root_fs_dir="$1"
|
|
local target="$2"
|
|
local unit_file="$3"
|
|
local unit_alias="${4:-$3}"
|
|
local wants_dir="${root_fs_dir}/usr/lib/systemd/system/${target}.wants"
|
|
|
|
sudo mkdir -p "${wants_dir}"
|
|
sudo ln -sf "../${unit_file}" "${wants_dir}/${unit_alias}"
|
|
}
|
|
|
|
# "equery list" a potentially uninstalled board package
|
|
query_available_package() {
|
|
local pkg="$1"
|
|
local format="${2:-\$cpv::\$repo}"
|
|
# Ignore masked versions. Assumes that sort --version-sort uses the
|
|
# same ordering as Portage.
|
|
equery-${BOARD} --no-color list -po --format "\$mask|$format" "$pkg" | \
|
|
grep -E '^ +\|' | \
|
|
cut -f2- -d\| | \
|
|
sort --version-sort | \
|
|
tail -n 1
|
|
}
|
|
|
|
# List packages installed directly in portages package database
|
|
image_packages_portage() {
|
|
ROOT="$1" PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
|
|
equery --no-color list --format '$cpv::$repo' '*'
|
|
}
|
|
|
|
# List packages implicitly contained in rootfs, such as in initramfs.
|
|
image_packages_implicit() {
|
|
local profile="${BUILD_DIR}/configroot/etc/portage/profile"
|
|
|
|
# We also want to list packages that only exist in the initramfs.
|
|
# Approximate this by listing build dependencies of coreos-kernel that
|
|
# are specified with the "=" slot operator, excluding those already
|
|
# reported above.
|
|
local kernel_pkg=$(ROOT="$1" PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
|
|
equery --no-color list --format '$cpv' sys-kernel/coreos-kernel)
|
|
# OEM ACIs have no kernel package.
|
|
if [[ -n "${kernel_pkg}" ]]; then
|
|
local depend_path="$1/var/db/pkg/$kernel_pkg/DEPEND"
|
|
local pkg
|
|
for pkg in $(awk 'BEGIN {RS=" "} /=$/ {print}' "$depend_path"); do
|
|
if ! ROOT="$1" PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
|
|
equery -q list "$pkg" >/dev/null ; then
|
|
query_available_package "$pkg"
|
|
fi
|
|
done
|
|
fi
|
|
|
|
# In production images GCC libraries are extracted manually.
|
|
if [[ -f "${profile}/package.provided" ]]; then
|
|
local pkg
|
|
while read pkg; do
|
|
query_available_package "${pkg}"
|
|
done < "${profile}/package.provided"
|
|
fi
|
|
}
|
|
|
|
# Generate a list of packages installed in an image.
|
|
# Usage: image_packages /image/root
|
|
image_packages() {
|
|
image_packages_portage "$1"
|
|
image_packages_implicit "$1"
|
|
}
|
|
|
|
# Generate a list of installed packages in the format:
|
|
# sys-apps/systemd-212-r8::coreos
|
|
write_packages() {
|
|
info "Writing ${2##*/}"
|
|
image_packages "$1" | sort > "$2"
|
|
}
|
|
|
|
# Generate an SPDX SBOM using syft
|
|
write_sbom() {
|
|
info "Writing ${2##*/}"
|
|
sudo syft scan "${1}" -o spdx-json="$2"
|
|
}
|
|
|
|
# Get metadata $key for package $pkg installed under $prefix
|
|
# The metadata is either read from the portage db folder or
|
|
# via a portageq-BOARD invocation. In cases where SRC_URI is
|
|
# not used for the package, fallback mechanisms are used to find
|
|
# the source URL. Mirror names are replaced with the mirror URLs.
|
|
get_metadata() {
|
|
local prefix="$1"
|
|
local pkg="$2"
|
|
local key="$3"
|
|
local path="${prefix}/var/db/pkg/${pkg%%:*}/${key}"
|
|
local val
|
|
if [[ -f "$path" ]]; then
|
|
val="$(< $path)"
|
|
else
|
|
# The package is not installed in $prefix or $key not exposed as file,
|
|
# so get the value from its ebuild
|
|
val=$(portageq-${BOARD} metadata "${BOARD_ROOT}" ebuild \
|
|
"${pkg%%:*}" "${key}" 2>/dev/null ||:)
|
|
fi
|
|
# The value that portageq reports is not a valid URL because it uses a special mirror format.
|
|
# Also the value can be empty and fallback methods have to be used.
|
|
if [ "${key}" = "SRC_URI" ]; then
|
|
local package_name="$(echo "${pkg%%:*}" | cut -d / -f 2)"
|
|
local ebuild_path="${prefix}/var/db/pkg/${pkg%%:*}/${package_name}.ebuild"
|
|
# SRC_URI is empty for the special github.com/flatcar projects
|
|
if [ -z "${val}" ]; then
|
|
# The grep invocation gives errors when the ebuild file is not present.
|
|
# This can happen when the binary packages from ./build_packages are outdated.
|
|
val="$(grep "EGIT_REPO_URI=" "${ebuild_path}" | cut -d '"' -f 2)"
|
|
if [ -n "${val}" ]; then
|
|
# All github.com/flatcar projects specify their commit
|
|
local commit=""
|
|
commit="$(grep "EGIT_COMMIT=" "${ebuild_path}" | cut -d '"' -f 2)"
|
|
if [ -n "${commit}" ]; then
|
|
val="${val%.git}/commit/${commit}"
|
|
fi
|
|
fi
|
|
fi
|
|
# During development "portageq-BOARD metadata ... ebuild ..." may result in the package not being found, fall back to a parameterized URL
|
|
if [ -z "${val}" ]; then
|
|
# Do not attempt to postprocess by resolving ${P} and friends because it does not affect production images
|
|
val="$(cat "${ebuild_path}" | tr '\n' ' ' | grep -P -o 'SRC_URI=".*?"' | cut -d '"' -f 2)"
|
|
fi
|
|
# Some packages use nothing from the above but EGIT_REPO_URI (currently only app-crypt/go-tspi)
|
|
if [ -z "${val}" ]; then
|
|
val="$(grep "EGIT_REPO_URI=" "${ebuild_path}" | cut -d '"' -f 2)"
|
|
fi
|
|
# Replace all mirror://MIRRORNAME/ parts with the actual URL prefix of the mirror
|
|
new_val=""
|
|
for v in ${val}; do
|
|
local mirror="$(echo "${v}" | grep mirror:// | cut -d '/' -f 3)"
|
|
if [ -n "${mirror}" ]; then
|
|
# Take only first mirror, those not working should be removed
|
|
local location="$(grep "^${mirror}"$'\t' /mnt/host/source/src/third_party/portage-stable/profiles/thirdpartymirrors | cut -d $'\t' -f 2- | cut -d ' ' -f 1 | tr -d $'\t')"
|
|
v="$(echo "${v}" | sed "s#mirror://${mirror}/#${location}#g")"
|
|
fi
|
|
new_val+="${v} "
|
|
done
|
|
val="${new_val}"
|
|
fi
|
|
echo "${val}"
|
|
}
|
|
|
|
# Generate a list of packages w/ their licenses in the format:
|
|
# [
|
|
# {
|
|
# "project": "sys-apps/systemd-212-r8::coreos",
|
|
# "licenses": ["GPL-2", "LGPL-2.1", "MIT", "public-domain"],
|
|
# "description": "System and service manager for Linux",
|
|
# "homepage": "https://www.freedesktop.org/wiki/Software/systemd",
|
|
# "source": "https://github.com/systemd/systemd ",
|
|
# "files": "somefile 63a5736879fa647ac5a8d5317e7cb8b0\nsome -> link\n"
|
|
# }
|
|
# ]
|
|
write_licenses() {
|
|
info "Writing ${2##*/}"
|
|
echo -n "[" > "$2"
|
|
|
|
local pkg pkg_sep
|
|
for pkg in $(image_packages "$1" | sort); do
|
|
# Ignore certain categories of packages since they aren't licensed
|
|
case "${pkg%%/*}" in
|
|
'virtual'|'acct-group'|'acct-user')
|
|
continue
|
|
;;
|
|
esac
|
|
|
|
local lic_str="$(get_metadata "$1" "${pkg}" LICENSE)"
|
|
if [[ -z "$lic_str" ]]; then
|
|
warn "No license found for ${pkg}"
|
|
continue
|
|
fi
|
|
|
|
[[ -n $pkg_sep ]] && echo ","
|
|
[[ -z $pkg_sep ]] && echo
|
|
pkg_sep="true"
|
|
|
|
# Build a list of the required licenses vs the one-of licenses
|
|
# For example:
|
|
# GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ ) FDL-1.3+
|
|
# required: GPL-3+ LGPL-3+ FDL-1.3+
|
|
# one-of: GPL-3+ libgcc libstdc++
|
|
local req_lics=($(sed 's/|| ([^)]*)//' <<< $lic_str))
|
|
local opt_lics=($(sed 's/.*|| (\([^)]*\)).*/\1/' <<< $lic_str))
|
|
|
|
# Pick one of the one-of licenses, preferring a GPL license. Otherwise,
|
|
# pick the first.
|
|
local opt_lic=""
|
|
local lic
|
|
for lic in ${opt_lics[*]}; do
|
|
if [[ $lic =~ "GPL" ]]; then
|
|
opt_lic=$lic;
|
|
break
|
|
fi;
|
|
done
|
|
if [[ -z $opt_lic ]]; then
|
|
opt_lic=${opt_lics[0]}
|
|
fi
|
|
|
|
# Remove duplicate licenses
|
|
local lics=$(tr ' ' '\n' <<< "${req_lics[*]} ${opt_lic}" | sort --unique | tr '\n' ' ')
|
|
|
|
local homepage="$(get_metadata "$1" "${pkg}" HOMEPAGE)"
|
|
local description="$(get_metadata "$1" "${pkg}" DESCRIPTION)"
|
|
local src_uri="$(get_metadata "$1" "${pkg}" SRC_URI)"
|
|
# Filter out directories, cut type marker, cut timestamp, quote "\", and convert line breaks to "\n"
|
|
# Filter any unicode characters "rev" doesn't handle (currently some ca-certificates files) and
|
|
# replace them with a "?" so that the files can still be opened thanks to shell file name expansion
|
|
local files="$(get_metadata "$1" "${pkg}" CONTENTS | grep -v '^dir ' | \
|
|
cut -d ' ' -f 2- | tr -c '[[:print:][:cntrl:]]' '?' | rev | cut -d ' ' -f 2- | rev | \
|
|
sed 's#\\#\\\\#g' | tr '\n' '*' | sed 's/*/\\n/g')"
|
|
|
|
echo -n " {\"project\": \"${pkg}\", \"licenses\": ["
|
|
|
|
local lic_sep=""
|
|
for lic in ${lics[*]}; do
|
|
[[ -n $lic_sep ]] && echo -n ", "
|
|
lic_sep="true"
|
|
|
|
echo -n "\"${lic}\""
|
|
done
|
|
|
|
echo -n "], \"description\": \"${description}\", \"homepage\": \"${homepage}\", \
|
|
\"source\": \"${src_uri}\", \"files\": \"${files}\"}"
|
|
done >> "$2"
|
|
|
|
echo -e "\n]" >> "$2"
|
|
# Pretty print the JSON file
|
|
mv "$2" "$2".tmp
|
|
jq . "$2".tmp > "$2"
|
|
rm "$2".tmp
|
|
}
|
|
|
|
# Include the license JSON and all licenses in the rootfs with a small INFO file about usage and other URLs.
|
|
insert_licenses() {
|
|
local json_input="$1"
|
|
local root_fs_dir="$2"
|
|
sudo mkdir -p "${root_fs_dir}"/usr/share/licenses/common
|
|
sudo_clobber "${root_fs_dir}"/usr/share/licenses/INFO << "EOF"
|
|
Flatcar Container Linux distributes software from various projects.
|
|
The licenses.json.bz2 file contains the list of projects with their licenses, how to obtain the source code,
|
|
and which binary files in Flatcar Container Linux were created from it.
|
|
You can read it with "less licenses.json.bz2" or convert it to a text format with
|
|
bzcat licenses.json.bz2 | jq -r '.[] | "\(.project):\nDescription: \(.description)\nLicenses: \(.licenses)\nHomepage: \(.homepage)\nSource code: \(.source)\nFiles:\n\(.files)\n"'
|
|
The license texts are available under /usr/share/licenses/common/ and can be read with "less NAME.gz".
|
|
Build system files and patches used to build these projects are located at:
|
|
https://github.com/flatcar/scripts/
|
|
Information on how to build Flatcar Container Linux can be found under:
|
|
https://www.flatcar.org/docs/latest/reference/developer-guides/sdk-modifying-flatcar/
|
|
EOF
|
|
sudo cp "${json_input}" "${root_fs_dir}"/usr/share/licenses/licenses.json
|
|
# Compress the file from 2.1 MB to 0.39 MB
|
|
sudo lbzip2 -9 "${root_fs_dir}"/usr/share/licenses/licenses.json
|
|
# Copy all needed licenses to a "common" subdirectory and compress them
|
|
local license_list # define before assignment because it would mask any error
|
|
license_list="$(jq -r '.[] | "\(.licenses | .[])"' "${json_input}" | sort | uniq)"
|
|
local license_dirs=(
|
|
"/mnt/host/source/src/third_party/coreos-overlay/licenses/"
|
|
"/mnt/host/source/src/third_party/portage-stable/licenses/"
|
|
"none"
|
|
)
|
|
for license_file in ${license_list}; do
|
|
for license_dir in ${license_dirs[*]}; do
|
|
if [ "${license_dir}" = "none" ]; then
|
|
warn "The license file \"${license_file}\" was not found"
|
|
elif [ -f "${license_dir}${license_file}" ]; then
|
|
sudo cp "${license_dir}${license_file}" "${root_fs_dir}"/usr/share/licenses/common/
|
|
break
|
|
fi
|
|
done
|
|
done
|
|
# Compress the licenses just with gzip because there is no big difference as they are single files
|
|
sudo gzip -9 "${root_fs_dir}"/usr/share/licenses/common/*
|
|
}
|
|
|
|
# Add /usr/share/SLSA reports for packages indirectly contained within the rootfs
|
|
# If the package is available in BOARD_ROOT accesses it from there, otherwise
|
|
# needs to download binpkg.
|
|
insert_extra_slsa() {
|
|
info "Inserting additional SLSA file"
|
|
local rootfs="$1"
|
|
for atom in $(image_packages_implicit "$rootfs"); do
|
|
pkg="${atom%::*}"
|
|
pkg="${pkg/\//_}.json.xz"
|
|
if [ -f "${BOARD_ROOT}/usr/share/SLSA/${pkg}" ]; then
|
|
info "Found ${atom} in BOARD_ROOT"
|
|
sudo cp "${BOARD_ROOT}/usr/share/SLSA/${pkg}" "${rootfs}/usr/share/SLSA/"
|
|
continue
|
|
fi
|
|
# let's not die if SLSA information is missing
|
|
pkgversion=$( (get_binary_pkg "=${atom}" 2>/dev/null ) || true)
|
|
binpkg="$(portageq-${BOARD} pkgdir)/${pkgversion}.tbz2"
|
|
if [ -f "${binpkg}" ]; then
|
|
info "Found ${atom} at ${binpkg}"
|
|
qtbz2 -O -t "${binpkg}" | \
|
|
lbzcat -d -c - | \
|
|
sudo tar -C "${rootfs}" -x --wildcards './usr/share/SLSA'
|
|
continue
|
|
fi
|
|
warn "Missing SLSA information for ${atom}"
|
|
done
|
|
}
|
|
|
|
# Add an entry to the image's package.provided
|
|
package_provided() {
|
|
local p profile="${BUILD_DIR}/configroot/etc/portage/profile"
|
|
for p in "$@"; do
|
|
info "Writing $p to package.provided and soname.provided"
|
|
echo "$p" >> "${profile}/package.provided"
|
|
pkg_provides binary "$p" >> "${profile}/soname.provided"
|
|
done
|
|
}
|
|
|
|
assert_image_size() {
|
|
local disk_img="$1"
|
|
local disk_type="$2"
|
|
|
|
local size
|
|
size=$(qemu-img info -f "${disk_type}" --output json "${disk_img}" | \
|
|
jq --raw-output '.["virtual-size"]' ; exit ${PIPESTATUS[0]})
|
|
if [[ $? -ne 0 ]]; then
|
|
die_notrace "assert failed: could not read image size"
|
|
fi
|
|
|
|
MiB=$((1024*1024))
|
|
if [[ $(($size % $MiB)) -ne 0 ]]; then
|
|
die_notrace "assert failed: image must be a multiple of 1 MiB ($size B)"
|
|
fi
|
|
}
|
|
|
|
start_image() {
|
|
local image_name="$1"
|
|
local disk_layout="$2"
|
|
local root_fs_dir="$3"
|
|
local update_group="$4"
|
|
|
|
local disk_img="${BUILD_DIR}/${image_name}"
|
|
|
|
mkdir -p "${BUILD_DIR}"/configroot/etc/portage/profile
|
|
ln -s "${BOARD_ROOT}"/etc/portage/make.* \
|
|
"${BOARD_ROOT}"/etc/portage/package.* \
|
|
"${BOARD_ROOT}"/etc/portage/repos.conf \
|
|
"${BUILD_DIR}"/configroot/etc/portage/
|
|
|
|
info "Using image type ${disk_layout}"
|
|
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
|
|
format "${disk_img}"
|
|
|
|
assert_image_size "${disk_img}" raw
|
|
|
|
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
|
|
mount --writable_verity "${disk_img}" "${root_fs_dir}"
|
|
trap "cleanup_mounts '${root_fs_dir}' && delete_prompt" EXIT
|
|
|
|
# First thing first, install baselayout to create a working filesystem.
|
|
emerge_to_image "${root_fs_dir}" --nodeps --oneshot sys-apps/baselayout
|
|
|
|
# FIXME(marineam): Work around glibc setting EROOT=$ROOT
|
|
# https://bugs.gentoo.org/show_bug.cgi?id=473728#c12
|
|
sudo mkdir -p "${root_fs_dir}/etc/ld.so.conf.d"
|
|
|
|
# Set /etc/lsb-release on the image.
|
|
"${BUILD_LIBRARY_DIR}/set_lsb_release" \
|
|
--root="${root_fs_dir}" \
|
|
--group="${update_group}" \
|
|
--board="${BOARD}"
|
|
}
|
|
|
|
finish_image() {
|
|
local image_name="$1"
|
|
local disk_layout="$2"
|
|
local root_fs_dir="$3"
|
|
local image_contents="$4"
|
|
local image_contents_wtd="$5"
|
|
local image_kernel="$6"
|
|
local pcr_policy="$7"
|
|
local image_grub="$8"
|
|
local image_shim="$9"
|
|
local image_kconfig="${10}"
|
|
local image_initrd_contents="${11}"
|
|
local image_initrd_contents_wtd="${12}"
|
|
local image_disk_space_usage="${13}"
|
|
|
|
local install_grub=0
|
|
local disk_img="${BUILD_DIR}/${image_name}"
|
|
|
|
# Only enable rootfs verification on prod builds.
|
|
local disable_read_write="${FLAGS_FALSE}"
|
|
if [[ "${IMAGE_BUILD_TYPE}" == "prod" ]]; then
|
|
disable_read_write="${FLAGS_enable_rootfs_verification}"
|
|
fi
|
|
|
|
# Only enable rootfs verification on supported boards.
|
|
case "${FLAGS_board}" in
|
|
amd64-usr) verity_offset=64 ;;
|
|
arm64-usr) verity_offset=512 ;;
|
|
*) disable_read_write=${FLAGS_FALSE} ;;
|
|
esac
|
|
|
|
# Copy kernel to the /boot partition to support dm-verity boots by embedding
|
|
# the hash of the /usr partition into the kernel.
|
|
# Remove the kernel from the /usr partition to save space.
|
|
sudo mkdir -p "${root_fs_dir}/boot/flatcar"
|
|
sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \
|
|
"${root_fs_dir}/boot/flatcar/vmlinuz-a"
|
|
sudo rm "${root_fs_dir}/usr/boot/vmlinuz"*
|
|
|
|
# Forbid dynamic user ID allocation because we want stable IDs
|
|
local found=""
|
|
# We want to forbid "-", "X:-" (.*:-), "-:X" (-:.*), "/X" (/.*)
|
|
found=$({ grep '^[ug]' "${root_fs_dir}"/usr/lib/sysusers.d/*.conf || true ; } | awk '{print $3}' | { grep -x -- "-\|.*:-\|-:.*\|/.*" || true ; })
|
|
if [ "${found}" != "" ]; then
|
|
die "Found dynamic ID allocation instead of hardcoded ID in /usr/lib/sysusers.d/*.conf (third column must not use '-', 'X:-', '-:X', or '/path')"
|
|
fi
|
|
# Run systemd-sysusers once to create users in /etc/passwd so that
|
|
# we can move them to /usr (relying on nss-altfiles to provide them
|
|
# at runtime, but we could use systemd's userdb, too).
|
|
sudo systemd-sysusers --root="${root_fs_dir}"
|
|
for databasefile in passwd group shadow gshadow; do
|
|
newentries=$(comm -23 <(sudo cut -d ":" -f 1 "${root_fs_dir}/etc/${databasefile}" | sort) <(sudo cut -d ":" -f 1 "${root_fs_dir}/usr/share/baselayout/${databasefile}" | sort))
|
|
for newentry in ${newentries}; do
|
|
sudo grep "^${newentry}:" "${root_fs_dir}/etc/${databasefile}" | sudo tee -a "${root_fs_dir}/usr/share/baselayout/${databasefile}"
|
|
done
|
|
sudo rm -f "${root_fs_dir}/etc/${databasefile}" "${root_fs_dir}/etc/${databasefile}-"
|
|
done
|
|
# Record directories installed to the state partition.
|
|
# Explicitly ignore entries covered by existing configs.
|
|
local ignores=() allowed_users=() allowed_groups=()
|
|
mapfile -t ignores < <(awk '/^[dDfFL]/ {print "--ignore=" $2}' \
|
|
"${root_fs_dir}"/usr/lib/tmpfiles.d/*.conf)
|
|
# Also ignore directories owned by users/groups not in /etc/passwd
|
|
# or /etc/group. This is for setting up needed directories in very
|
|
# early boot phase (initrd-setup-root). Our source of truth for
|
|
# allowed users and groups are users and groups copied by the
|
|
# flatcar-tmpfiles script.
|
|
|
|
# The grep, sed and tr below basically turn a line like:
|
|
# COPY_USERS="root|core"
|
|
# into:
|
|
# --allow-user=root
|
|
# --allow-user=core
|
|
mapfile -t allowed_users < <(grep '^COPY_USERS=' "${root_fs_dir}/sbin/flatcar-tmpfiles" | sed -e 's/.*="\([^"]*\)"/\1/' | tr '|' '\n' | sed -e 's/^/--allow-user=/')
|
|
mapfile -t allowed_groups < <(grep '^COPY_GROUPS=' "${root_fs_dir}/sbin/flatcar-tmpfiles" | sed -e 's/.*="\([^"]*\)"/\1/' | tr '|' '\n' | sed -e 's/^/--allow-group=/')
|
|
sudo "${BUILD_LIBRARY_DIR}/gen_tmpfiles.py" --root="${root_fs_dir}" \
|
|
--output="${root_fs_dir}/usr/lib/tmpfiles.d/base_image_var.conf" \
|
|
"${ignores[@]}" "${allowed_users[@]}" "${allowed_groups[@]}" "${root_fs_dir}/var"
|
|
|
|
# Now record the rest of the directories installed to the state
|
|
# partition. We go through tmpfiles again to also ignore the entries
|
|
# from the just generated base_image_var.conf.
|
|
mapfile -t ignores < <(awk '/^[dDfFL]/ {print "--ignore=" $2}' \
|
|
"${root_fs_dir}"/usr/lib/tmpfiles.d/*.conf)
|
|
sudo "${BUILD_LIBRARY_DIR}/gen_tmpfiles.py" --root="${root_fs_dir}" \
|
|
--output="${root_fs_dir}/usr/lib/tmpfiles.d/base_image_var_late.conf" \
|
|
"${ignores[@]}" "${root_fs_dir}/var"
|
|
|
|
# Only configure bootloaders if there is a boot partition
|
|
if mountpoint -q "${root_fs_dir}"/boot; then
|
|
install_grub=1
|
|
${BUILD_LIBRARY_DIR}/configure_bootloaders.sh \
|
|
--boot_dir="${root_fs_dir}"/usr/boot
|
|
|
|
# Create first-boot flag for grub and Ignition
|
|
info "Writing first-boot flag"
|
|
sudo_clobber "${root_fs_dir}/boot/flatcar/first_boot" <<EOF
|
|
If this file exists, Ignition will run and then delete the file.
|
|
EOF
|
|
fi
|
|
|
|
if [[ -n "${FLAGS_developer_data}" ]]; then
|
|
local data_path="/usr/share/flatcar/developer_data"
|
|
local unit_path="usr-share-flatcar-developer_data"
|
|
sudo cp "${FLAGS_developer_data}" "${root_fs_dir}/${data_path}"
|
|
systemd_enable "${root_fs_dir}" system-config.target \
|
|
"system-cloudinit@.service" "system-cloudinit@${unit_path}.service"
|
|
fi
|
|
|
|
if [[ -n "${image_kconfig}" ]]; then
|
|
cp "${root_fs_dir}/usr/boot/config" \
|
|
"${BUILD_DIR}/${image_kconfig}"
|
|
fi
|
|
|
|
# Build the selinux policy
|
|
if pkg_use_enabled coreos-base/coreos selinux; then
|
|
sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
|
|
fi
|
|
|
|
# Run tmpfiles once to make sure that /etc has everything in place before
|
|
# we freeze it in /usr/share/flatcar/etc as lowerdir in the overlayfs.
|
|
|
|
# But first, to successfully run tmpfiles, we need to have all users/groups
|
|
# in /etc/passwd, and afterwards we can recreate the files for the dev
|
|
# container with flatcar-tmpfiles (not really needed but maybe nice to have
|
|
# as it also lands as reference in /usr/share/flatcar/etc).
|
|
local dbfile
|
|
for dbfile in passwd shadow group gshadow; do
|
|
sudo cp -f "${root_fs_dir}"/usr/share/baselayout/"${dbfile}" "${root_fs_dir}"/etc/
|
|
done
|
|
sudo systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --root="${root_fs_dir}"
|
|
for dbfile in passwd shadow group gshadow; do
|
|
sudo rm -f "${root_fs_dir}"/etc/"${dbfile}"
|
|
done
|
|
sudo "${root_fs_dir}"/usr/sbin/flatcar-tmpfiles "${root_fs_dir}"
|
|
# Now that we used the tmpfiles for creating /etc we delete them because
|
|
# the L, d, D, and C entries cause upcopies. Also filter out rules with ! or - but no other modifiers
|
|
# like + or = which explicitly recreate files.
|
|
# But before filtering, first store rules that would recreate missing files
|
|
# to /usr/share/flatcar/etc-no-whiteouts so that we can ensure that
|
|
# no overlayfs whiteouts exist for these files (example: /etc/resolv.conf).
|
|
# These rules are combined with the + modifier in addition.
|
|
# Other rules like w, e, x, do not create files that don't exist.
|
|
# Note: '-' must come first in the modifier pattern.
|
|
grep -Ph '^[fcCdDLvqQpb][-=~^!+]*[ \t]*/etc' "${root_fs_dir}"/usr/lib/tmpfiles.d/* | grep -oP '/etc[^ \t]*' | sudo_clobber "${root_fs_dir}"/usr/share/flatcar/etc-no-whiteouts
|
|
sudo sed -i '/^[CdDL][-=~^!]*[ \t]*\/etc\//d' "${root_fs_dir}"/usr/lib/tmpfiles.d/*
|
|
|
|
# SELinux: Label the root filesystem for using 'file_contexts'.
|
|
# The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
|
|
# the relabeling on boot would cause upcopies in the overlay.
|
|
if pkg_use_enabled coreos-base/coreos selinux; then
|
|
# TODO: Breaks the system:
|
|
# sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
|
|
# sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
|
|
# For now we only try it with /etc
|
|
sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
|
|
fi
|
|
|
|
# Backup the /etc contents to /usr/share/flatcar/etc to serve as
|
|
# source for creating missing files. Make sure that the preexisting
|
|
# /usr/share/flatcar/etc does not have any meaningful (non-empty)
|
|
# files, so we remove nothing important. There shouldn't be any
|
|
# symlinks either. Add "! -type d" to exclude directories as "stat"
|
|
# usually returns a size of a directory being 4096 or so.
|
|
if [[ $(sudo find "${root_fs_dir}/usr/share/flatcar/etc" -size +0 ! -type d 2>/dev/null | wc -l) -gt 0 ]]; then
|
|
die "Unexpected non-empty files in ${root_fs_dir}/usr/share/flatcar/etc"
|
|
fi
|
|
sudo rm -rf "${root_fs_dir}/usr/share/flatcar/etc"
|
|
sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/share/flatcar/etc"
|
|
|
|
# Remove the rootfs state as it should be recreated through the
|
|
# tmpfiles and may not be present on updating machines. This
|
|
# makes sure our tests cover the case of missing files in the
|
|
# rootfs and don't rely on the new image. Not done for the developer
|
|
# container.
|
|
if [[ -n "${image_kernel}" ]]; then
|
|
local folder
|
|
for folder in "${root_fs_dir}/"*; do
|
|
case "${folder#"${root_fs_dir}"}" in
|
|
/boot|/usr|/oem)
|
|
# Keep those because they are mountpoints, so not really
|
|
# parts of the rootfs state.
|
|
:
|
|
;;
|
|
/lost+found)
|
|
# Keep lost+found because e2fsck expects it.
|
|
:
|
|
;;
|
|
*)
|
|
sudo rm --one-file-system -rf "${folder}"
|
|
;;
|
|
esac
|
|
done
|
|
else
|
|
# For the developer container we still need to remove the resolv.conf symlink to /run
|
|
# because the resolved-managed file is not present there
|
|
sudo rm "${root_fs_dir}/etc/resolv.conf"
|
|
fi
|
|
|
|
# Zero all fs free space to make it more compressible so auto-update
|
|
# payloads become smaller, not fatal since it won't work on linux < 3.2
|
|
sudo fstrim "${root_fs_dir}" || true
|
|
if mountpoint -q "${root_fs_dir}/usr"; then
|
|
sudo fstrim "${root_fs_dir}/usr" || true
|
|
fi
|
|
|
|
# Make the filesystem un-mountable as read-write and setup verity.
|
|
if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
|
|
# Unmount /usr partition
|
|
sudo umount --recursive "${root_fs_dir}/usr" || exit 1
|
|
|
|
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" verity \
|
|
--root_hash="${BUILD_DIR}/${image_name%.bin}_verity.txt" \
|
|
"${BUILD_DIR}/${image_name}"
|
|
|
|
# Magic alert! Root hash injection works by writing the hash value to a
|
|
# known unused SHA256-sized location in the kernel image.
|
|
# For amd64 the rdev error message is used.
|
|
# For arm64 an area between the EFI headers and the kernel text is used.
|
|
# Our modified GRUB extracts the hash and adds it to the cmdline.
|
|
printf %s "$(cat ${BUILD_DIR}/${image_name%.bin}_verity.txt)" | \
|
|
sudo dd of="${root_fs_dir}/boot/flatcar/vmlinuz-a" conv=notrunc \
|
|
seek=${verity_offset} count=64 bs=1 status=none
|
|
fi
|
|
|
|
# Sign the kernel after /usr is in a consistent state and verity is
|
|
# calculated. Only for unofficial builds as official builds get signed later.
|
|
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
|
|
do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,}
|
|
cleanup_sbsign_certs
|
|
fi
|
|
|
|
if [[ -n "${image_kernel}" ]]; then
|
|
# copying kernel from vfat so ignore the permissions
|
|
cp --no-preserve=mode \
|
|
"${root_fs_dir}/boot/flatcar/vmlinuz-a" \
|
|
"${BUILD_DIR}/${image_kernel}"
|
|
fi
|
|
|
|
if [[ -n "${pcr_policy}" ]]; then
|
|
mkdir -p "${BUILD_DIR}/pcrs"
|
|
${BUILD_LIBRARY_DIR}/generate_kernel_hash.py \
|
|
"${root_fs_dir}/boot/flatcar/vmlinuz-a" ${FLATCAR_VERSION} \
|
|
>"${BUILD_DIR}/pcrs/kernel.config"
|
|
fi
|
|
|
|
rm -rf "${BUILD_DIR}"/configroot
|
|
cleanup_mounts "${root_fs_dir}"
|
|
trap - EXIT
|
|
|
|
# This script must mount the ESP partition differently, so run it after unmount
|
|
if [[ "${install_grub}" -eq 1 ]]; then
|
|
local target
|
|
local target_list="i386-pc x86_64-efi x86_64-xen"
|
|
if [[ ${BOARD} == "arm64-usr" ]]; then
|
|
target_list="arm64-efi"
|
|
fi
|
|
local grub_args=()
|
|
if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
|
|
grub_args+=(--verity)
|
|
else
|
|
grub_args+=(--noverity)
|
|
fi
|
|
if [[ -n "${image_grub}" && -n "${image_shim}" ]]; then
|
|
grub_args+=(
|
|
--copy_efi_grub="${BUILD_DIR}/${image_grub}"
|
|
--copy_shim="${BUILD_DIR}/${image_shim}"
|
|
)
|
|
fi
|
|
for target in ${target_list}; do
|
|
${BUILD_LIBRARY_DIR}/grub_install.sh \
|
|
--board="${BOARD}" \
|
|
--target="${target}" \
|
|
--disk_image="${disk_img}" \
|
|
"${grub_args[@]}"
|
|
done
|
|
fi
|
|
|
|
if [[ -n "${pcr_policy}" ]]; then
|
|
${BUILD_LIBRARY_DIR}/generate_grub_hashes.py \
|
|
"${disk_img}" /usr/lib/grub/ "${BUILD_DIR}/pcrs" ${FLATCAR_VERSION}
|
|
|
|
info "Generating $pcr_policy"
|
|
pushd "${BUILD_DIR}" >/dev/null
|
|
zip --quiet -r -9 "${pcr_policy}" pcrs
|
|
popd >/dev/null
|
|
rm -rf "${BUILD_DIR}/pcrs"
|
|
fi
|
|
|
|
# Mount the final image again, as readonly, to generate some reports.
|
|
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
|
|
mount --read_only "${disk_img}" "${root_fs_dir}"
|
|
trap "cleanup_mounts '${root_fs_dir}'" EXIT
|
|
|
|
write_contents "${root_fs_dir}" "${BUILD_DIR}/${image_contents}"
|
|
write_contents_with_technical_details "${root_fs_dir}" "${BUILD_DIR}/${image_contents_wtd}"
|
|
|
|
if [[ -n "${image_initrd_contents}" ]] || [[ -n "${image_initrd_contents_wtd}" ]]; then
|
|
"${BUILD_LIBRARY_DIR}/extract-initramfs-from-vmlinuz.sh" "${root_fs_dir}/boot/flatcar/vmlinuz-a" "${BUILD_DIR}/tmp_initrd_contents"
|
|
if [[ -n "${image_initrd_contents}" ]]; then
|
|
write_contents "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_initrd_contents}"
|
|
fi
|
|
|
|
if [[ -n "${image_initrd_contents_wtd}" ]]; then
|
|
write_contents_with_technical_details "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_initrd_contents_wtd}"
|
|
fi
|
|
rm -rf "${BUILD_DIR}/tmp_initrd_contents"
|
|
fi
|
|
|
|
if [[ -n "${image_disk_space_usage}" ]]; then
|
|
write_disk_space_usage "${root_fs_dir}" "${BUILD_DIR}/${image_disk_space_usage}"
|
|
fi
|
|
|
|
cleanup_mounts "${root_fs_dir}"
|
|
trap - EXIT
|
|
}
|
|
|
|
sbsign_image() {
|
|
local image_name="$1"
|
|
local disk_layout="$2"
|
|
local root_fs_dir="$3"
|
|
local image_kernel="$4"
|
|
local pcr_policy="$5"
|
|
local image_grub="$6"
|
|
|
|
local disk_img="${BUILD_DIR}/${image_name}"
|
|
local EFI_ARCH
|
|
|
|
case "${BOARD}" in
|
|
amd64-usr) EFI_ARCH="x64" ;;
|
|
arm64-usr) EFI_ARCH="aa64" ;;
|
|
*) die "Unknown board ${BOARD@Q}" ;;
|
|
esac
|
|
|
|
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
|
|
mount "${disk_img}" "${root_fs_dir}"
|
|
trap "cleanup_mounts '${root_fs_dir}'; cleanup_sbsign_certs" EXIT
|
|
|
|
# Sign the kernel with the shim-embedded key.
|
|
do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,}
|
|
|
|
if [[ -n "${image_kernel}" ]]; then
|
|
# copying kernel from vfat so ignore the permissions
|
|
cp --no-preserve=mode \
|
|
"${root_fs_dir}/boot/flatcar/vmlinuz-a" \
|
|
"${BUILD_DIR}/${image_kernel}"
|
|
fi
|
|
|
|
# Sign GRUB and mokmanager(mm) with the shim-embedded key.
|
|
do_sbsign --output "${root_fs_dir}/boot/EFI/boot/grub${EFI_ARCH}.efi"{,}
|
|
do_sbsign --output "${root_fs_dir}/boot/EFI/boot/mm${EFI_ARCH}.efi"{,}
|
|
|
|
# copying from vfat so ignore permissions
|
|
if [[ -n "${image_grub}" ]]; then
|
|
cp --no-preserve=mode "${root_fs_dir}/boot/EFI/boot/grub${EFI_ARCH}.efi" \
|
|
"${BUILD_DIR}/${image_grub}"
|
|
fi
|
|
|
|
if [[ -n "${pcr_policy}" ]]; then
|
|
mkdir -p "${BUILD_DIR}/pcrs"
|
|
"${BUILD_LIBRARY_DIR}"/generate_kernel_hash.py \
|
|
"${root_fs_dir}/boot/flatcar/vmlinuz-a" "${FLATCAR_VERSION}" \
|
|
>"${BUILD_DIR}/pcrs/kernel.config"
|
|
fi
|
|
|
|
cleanup_mounts "${root_fs_dir}"
|
|
cleanup_sbsign_certs
|
|
trap - EXIT
|
|
|
|
if [[ -n "${pcr_policy}" ]]; then
|
|
"${BUILD_LIBRARY_DIR}"/generate_grub_hashes.py \
|
|
"${disk_img}" /usr/lib/grub/ "${BUILD_DIR}/pcrs" "${FLATCAR_VERSION}"
|
|
|
|
info "Generating $pcr_policy"
|
|
pushd "${BUILD_DIR}" >/dev/null
|
|
zip --quiet -r -9 "${BUILD_DIR}/${pcr_policy}" pcrs
|
|
popd >/dev/null
|
|
rm -rf "${BUILD_DIR}/pcrs"
|
|
fi
|
|
}
|