diff options
| author | Gaurav Shah <gauravsh@chromium.org> | 2011-09-23 12:18:16 -0700 |
|---|---|---|
| committer | Gaurav Shah <gauravsh@chromium.org> | 2011-09-23 12:50:45 -0700 |
| commit | 132e6e0c8cfa49a470199374e2331e3bb2ea21d6 (patch) | |
| tree | 3a2400900c3aab55a6997cc5085c87978d3f4c8d | |
| parent | e622f1159557b53bac98d0b7b3a482f2a3cdac8f (diff) | |
| download | vboot-132e6e0c8cfa49a470199374e2331e3bb2ea21d6.tar.gz | |
sign_official_build: Work around different verity arguments across images
Work around the fact that we have 3 different verity kernel arguments depending
on the image being signed (legacy parameters, new key=value parameters, new key=
value parameters with salt).
Since the signer is not branch conscious, expect and use the old verity binary to
be present when legacy kernel arguments are specified. The last 2 types of verity
arguments can be distinguished based on whether a salt is present.
BUG=chromium-os:20640
TEST=manually tested by signing r14, r15 and r16 images and verifying
that kernel parameters are set correctly.
Change-Id: I96ecf6f506a94509a64ef12d7a108e977f94c23c
Reviewed-on: http://gerrit.chromium.org/gerrit/8214
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: David McMahon <djmm@chromium.org>
Tested-by: David McMahon <djmm@chromium.org>
| -rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 3c026e8f..59e49dfb 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -86,7 +86,7 @@ grab_kernel_config() { # get_verity_arg <commandline> <key> -> <value> get_verity_arg() { - echo "$1" | sed "s/.*\b$2=\([^ \"]*\).*/\1/" + echo "$1" | sed -n "s/.*\b$2=\([^ \"]*\).*/\1/p" } is_old_verity_argv() { @@ -135,6 +135,7 @@ calculate_rootfs_hash() { local verity_algorithm local root_dev local hash_dev + local verity_bin="verity" if is_old_verity_argv "${dm_config}"; then # dm="0 2097152 verity ROOT_DEV HASH_DEV 2097152 1 \ # sha1 63b7ad16cb9db4b70b28593f825aa6b7825fdcf2" @@ -143,6 +144,10 @@ calculate_rootfs_hash() { verity_algorithm=$(echo ${dm_config} | cut -f8 -d' ') root_dev=$(echo ${dm_config} | cut -f4 -d ' ') hash_dev=$(echo ${dm_config} | cut -f5 -d ' ') + # Hack around the fact that the signer needs to use the old version of + # verity to generate legacy verity kernel parameters. If we find it, + # we use it. + type -P "verity-old" &>/dev/null && verity_bin="verity-old" else # Key-value parameters. rootfs_sectors=$(get_verity_arg "${dm_config}" hashstart) @@ -150,14 +155,20 @@ calculate_rootfs_hash() { verity_algorithm=$(get_verity_arg "${dm_config}" alg) root_dev=$(get_verity_arg "${dm_config}" payload) hash_dev=$(get_verity_arg "${dm_config}" hashtree) + salt=$(get_verity_arg "${dm_config}" salt) + fi + + local salt_arg + if [ -n "$salt" ]; then + salt_arg="salt=$salt" fi # Run the verity tool on the rootfs partition. - local table="vroot none ro,"$(sudo verity mode=create \ + local table="vroot none ro,"$(sudo ${verity_bin} mode=create \ alg=${verity_algorithm} \ payload="${rootfs_image}" \ payload_blocks=$((rootfs_sectors / 8)) \ - hashtree="${hash_image}") + hashtree="${hash_image}" ${salt_arg}) # Reconstruct new kernel config command line and replace placeholders. table="$(echo "$table" | sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")" |