diff options
| author | Mike Frysinger <vapier@chromium.org> | 2018-04-30 03:14:13 -0400 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2018-05-09 01:11:05 -0700 |
| commit | 8543190e64a1c2cc17ed03a20c01da642cd59151 (patch) | |
| tree | f51c8ab6f8d0921366f117fa38baad5c907cecce | |
| parent | 41d0e327910507c73ead5f88d0ed3db524353062 (diff) | |
| download | vboot-8543190e64a1c2cc17ed03a20c01da642cd59151.tar.gz | |
sign_official_build: switch kernel/firmware signing to loopdevs
Newer versions of util-linux/mount don't like when you create overlapping
loopback files. Since we always create a loopback of the entire image,
this means every mount fails.
We can change the few users in here over to using the existing loopback
partitions rather than continuing to create their own from scratch. This
makes the code a bit simpler.
However, we currently duplicate some of the mount image helpers so that
one version works off of a disk image while the other uses loopbacks.
Cleaning this up requires a number of changes in other files which we'll
want to do eventually, just not right now (to minimize risk).
BUG=chromium:714598
TEST=image signing works on newer gLinux installs
BRANCH=None
Change-Id: I31b35636b3b271e97070d283f8cb74d3183d8ec8
Reviewed-on: https://chromium-review.googlesource.com/1034435
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
| -rw-r--r-- | scripts/image_signing/common_minimal.sh | 47 | ||||
| -rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 44 |
2 files changed, 62 insertions, 29 deletions
diff --git a/scripts/image_signing/common_minimal.sh b/scripts/image_signing/common_minimal.sh index 3a0dccf9..c57fc90d 100644 --- a/scripts/image_signing/common_minimal.sh +++ b/scripts/image_signing/common_minimal.sh @@ -236,12 +236,37 @@ _mount_image_partition() { _mount_image_partition_retry "$@" } +# If called without 'ro', make sure the partition is allowed to be mounted as +# 'rw' before actually mounting it. +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY [ro] +_mount_loop_image_partition() { + local loopdev=$1 + local partnum=$2 + local mount_dir=$3 + local ro=$4 + local loop_rootfs="${loopdev}p${partnum}" + + if [ "$ro" != "ro" ]; then + # Forcibly call enable_rw_mount. It should fail on unsupported + # filesystems and be idempotent on ext*. + enable_rw_mount "${loop_rootfs}" 2>/dev/null + fi + + sudo mount -o "${ro}" "${loop_rootfs}" "${mount_dir}" +} + # Mount a partition read-only from an image into a local directory # Args: IMAGE PARTNUM MOUNTDIRECTORY mount_image_partition_ro() { _mount_image_partition "$@" "ro" } +# Mount a partition read-only from an image into a local directory +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY +mount_loop_image_partition_ro() { + _mount_loop_image_partition "$@" "ro" +} + # Mount a partition from an image into a local directory # Args: IMAGE PARTNUM MOUNTDIRECTORY mount_image_partition() { @@ -252,27 +277,35 @@ mount_image_partition() { fi } +# Mount a partition from an image into a local directory +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY +mount_loop_image_partition() { + local mount_dir=$3 + _mount_loop_image_partition "$@" + if is_rootfs_partition "${mount_dir}"; then + tag_as_needs_to_be_resigned "${mount_dir}" + fi +} + # Mount the image's ESP (EFI System Partition) on a newly created temporary # directory. # Prints out the newly created temporary directory path if succeeded. # If the image doens't have an ESP partition, returns 0 without print anything. -# Args: IMAGE +# Args: LOOPDEV # Returns: 0 if succeeded, 1 otherwise. mount_image_esp() { - local image="$1" + local loopdev="$1" local ESP_PARTNUM=12 + local loop_esp="${loopdev}p${ESP_PARTNUM}" - local esp_offset=$(( $(partoffset "${image}" "${ESP_PARTNUM}") )) + local esp_offset=$(( $(partoffset "${loopdev}" "${ESP_PARTNUM}") )) # Check if the image has an ESP partition. if [[ "${esp_offset}" == "0" ]]; then return 0 fi local esp_dir="$(make_temp_dir)" - # We use the 'unsafe' variant because the EFI system partition is vfat type - # and can be mounted in RW mode. - if ! _mount_image_partition_retry "${image}" "${ESP_PARTNUM}" \ - "${esp_dir}" >/dev/null; then + if ! sudo mount -o "${ro}" "${loop_esp}" "${esp_dir}"; then return 1 fi diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 5f8fd7e2..1c4a2958 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -522,9 +522,9 @@ sign_update_payload() { } # Re-sign the firmware AU payload inside the image rootfs with a new keys. -# Args: IMAGE +# Args: LOOPDEV resign_firmware_payload() { - local image=$1 + local loopdev="$1" if [ -n "${NO_FWUPDATE}" ]; then info "Skipping firmware update." @@ -533,7 +533,7 @@ resign_firmware_payload() { # Grab firmware image from the autoupdate bundle (shellball). local rootfs_dir=$(make_temp_dir) - mount_image_partition ${image} 3 ${rootfs_dir} + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" local firmware_bundle="${rootfs_dir}/usr/sbin/chromeos-firmwareupdate" local shellball_dir=$(make_temp_dir) @@ -742,15 +742,15 @@ resign_firmware_payload() { sudo chmod a+rx "${firmware_bundle}" # Unmount now to flush changes. sudo umount "${rootfs_dir}" - info "Re-signed firmware AU payload in ${image}" + info "Re-signed firmware AU payload in ${loopdev}" } # Re-sign Android image if exists. resign_android_image_if_exists() { - local image=$1 + local loopdev="$1" local rootfs_dir=$(make_temp_dir) - mount_image_partition "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" local system_img="${rootfs_dir}/opt/google/containers/android/system.raw.img" local arc_version=$(grep CHROMEOS_ARC_VERSION= \ @@ -769,16 +769,16 @@ resign_android_image_if_exists() { } # Sign UEFI binaries, if possible. -# Args: IMAGE +# Args: LOOPDEV sign_uefi_binaries() { - local image="$1" + local loopdev="$1" if [[ ! -d "${KEY_DIR}/uefi" ]]; then return 0 fi local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for signing UEFI binaries" return 1 elif [[ -z "${esp_dir}" ]]; then @@ -789,7 +789,7 @@ sign_uefi_binaries() { sudo umount "${esp_dir}" local rootfs_dir="$(make_temp_dir)" - mount_image_partition "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" "${SCRIPT_DIR}/sign_uefi.sh" "${rootfs_dir}/boot" "${KEY_DIR}/uefi" sudo umount "${rootfs_dir}" @@ -798,9 +798,9 @@ sign_uefi_binaries() { } # Verify the signatures of UEFI binaries. -# Args: IMAGE +# Args: LOOPDEV verify_uefi_signatures() { - local image="$1" + local loopdev="$1" local succeeded=1 if [[ ! -d "${KEY_DIR}/uefi" ]]; then @@ -808,7 +808,7 @@ verify_uefi_signatures() { fi local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for verifying UEFI signatures" return 1 elif [[ -z "${esp_dir}" ]]; then @@ -818,7 +818,7 @@ verify_uefi_signatures() { "${KEY_DIR}/uefi" || succeeded=0 local rootfs_dir="$(make_temp_dir)" - mount_image_partition_ro "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition_ro "${loopdev}" 3 "${rootfs_dir}" "${SCRIPT_DIR}/verify_uefi.sh" "${rootfs_dir}/boot" "${esp_dir}" \ "${KEY_DIR}/uefi" || succeeded=0 sudo umount "${rootfs_dir}" @@ -944,17 +944,17 @@ update_recovery_kernel_hash() { } # Update the legacy bootloader templates in EFI partition if available. -# Args: IMAGE_BIN KERNEL +# Args: LOOPDEV KERNEL update_legacy_bootloader() { - local image="$1" + local loopdev="$1" local loop_kern="$2" local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for updating legacy bootloader cfg." return 1 elif [[ -z "${esp_dir}" ]]; then - info "Not updating legacy bootloader configs: ${image}" + info "Not updating legacy bootloader configs: ${loopdev}" return 0 fi @@ -1014,9 +1014,9 @@ sign_image_file() { local loopdev=$(loopback_partscan "${output}") local loop_kern="${loopdev}p${dm_partno}" - resign_firmware_payload "${output}" - resign_android_image_if_exists "${output}" - sign_uefi_binaries "${output}" + resign_firmware_payload "${loopdev}" + resign_android_image_if_exists "${loopdev}" + sign_uefi_binaries "${loopdev}" # We do NOT strip /boot for factory installer, since some devices need it to # boot EFI. crbug.com/260512 would obsolete this requirement. # @@ -1038,7 +1038,7 @@ sign_image_file() { if [[ "${image_type}" == "recovery" ]]; then update_recovery_kernel_hash "${loopdev}" fi - if ! update_legacy_bootloader "${output}" "${loop_kern}"; then + if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then # Error is already logged. return 1 fi |