authorYury Khmel <khmel@google.com>2020-10-08 21:26:35 +0000
committerCommit Bot <commit-bot@chromium.org>2020-10-14 19:53:30 +0000
commit86f6ce865157a35c3c4e1aab3f75b45aac2c9720 (patch)
tree3b3f8bd0d49253692bb02c23a7673d867cbe59bd
parent4dacbf92be28c937e07b397ade29e5b8a84cdb7f (diff)
downloadvboot-86f6ce865157a35c3c4e1aab3f75b45aac2c9720.tar.gz
signer: syncronize image packing to what we have in build image phase.
This follows the steps of the build image phase so that image packing is on par with it. * Discard reapplying the selinux context. This does not look necessary, since re-signing should not change the selinux context. Instead we can do as build image does and pass the file context to mksquashfs * Apply mksquashfs params based on image type, container/vm. This sets the proper block size and image compression algorithm * Remove the old image before packing to prevent a mksquashfs merge attempt BUG=b:170400225 BUG=b:170220295 BUG=b:170219920 BRANCH=none TEST=locally signed vm (kohaku) and container (hana): arc.Optin*, arc.Preopt*. Also checked final image size. With this CL it is reduced to 150Mb(vm) and very close to original image size (delta is less than 0.1%) Signed-off-by: Yury Khmel <khmel@chromium.org> Change-Id: I7037bea68fc2969345a8fabc3c6a9b9b690f02d1 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2462005 Reviewed-by: Yusuke Sato <yusukes@chromium.org> Reviewed-by: George Engelbrecht <engeg@google.com> Tested-by: Yury Khmel <khmel@google.com> Auto-Submit: Yury Khmel <khmel@google.com> Commit-Queue: Yury Khmel <khmel@google.com>
-rwxr-xr-xscripts/image_signing/sign_android_image.sh56
1 files changed, 30 insertions, 26 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index b9b10828..28534fca 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -228,26 +228,6 @@ replace_ota_cert() {
popd > /dev/null
}
-# Restore SELinux context. This has to run after all file changes, before
-# creating the new squashfs image.
-reapply_file_security_context() {
- local system_mnt=$1
- local root_fs_dir=$2
-
- info "Reapplying file security context"
-
- local selinux_dir="${root_fs_dir}/etc/selinux"
- local file_contexts="${selinux_dir}/arc/contexts/files/android_file_contexts"
- if [[ ! -f "${file_contexts}" ]]; then
- file_contexts="${file_contexts}_vm"
- if [[ ! -f "${file_contexts}" ]]; then
- die "Can't find Android's file contexts"
- fi
- fi
-
- sudo /sbin/setfiles -v -r "${system_mnt}" "${file_contexts}" "${system_mnt}"
-}
-
# Snapshot file properties in a directory recursively.
snapshot_file_properties() {
local dir=$1
@@ -257,6 +237,29 @@ snapshot_file_properties() {
main() {
local root_fs_dir=$1
local key_dir=$2
+
+ # Detect vm/container type and set environment correspondingly.
+ # Keep this aligned with
+ # src/private-overlays/project-cheets-private/scripts/board_specific_setup.sh
+ local system_image=""
+ local compression_flags=""
+ local selinux_dir="${root_fs_dir}/etc/selinux"
+ local file_contexts=""
+ local vm_candidate="${root_fs_dir}/opt/google/vms/android/system.raw.img"
+ local container_candidate=(
+ "${root_fs_dir}/opt/google/containers/android/system.raw.img")
+ if [[ -f "${vm_candidate}" ]]; then
+ system_image="${vm_candidate}"
+ compression_flags="-comp lz4 -Xhc -b 256K"
+ file_contexts="${selinux_dir}/arc/contexts/files/android_file_contexts_vm"
+ elif [[ -f "${container_candidate}" ]]; then
+ system_image="${container_candidate}"
+ compression_flags="-comp gzip"
+ file_contexts="${selinux_dir}/arc/contexts/files/android_file_contexts"
+ else
+ die "System image does not exist"
+ fi
+
local android_system_image="$(echo \
"${root_fs_dir}"/opt/google/*/android/system.raw.img)"
local android_dir=$(dirname "${android_system_image}")
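Review bot: `file_contexts` is selected in the new vm/container branches but never checked for existence, whereas the removed `reapply_file_security_context` stopped with `die "Can't find Android's file contexts"` when the file was missing. The path is later passed to `mksquashfs -context-file` after the old image has already been deleted, so I would add `[[ -f "${file_contexts}" ]] || die "Can't find Android's file contexts"` right after the closing `fi`. `container_candidate` is declared as a one-element array but read as `"${container_candidate}"`, which works only because bash expands that to element 0; a plain string assignment continued with a backslash would be clearer. `system_image` is assigned in both branches but not read in the visible lines, while the following context still derives `android_system_image` from a glob that could match both the vm and the container path, so consider using `system_image` there. main continues outside this hunk.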
@@ -284,8 +287,6 @@ main() {
local working_dir=$(make_temp_dir)
local system_mnt="${working_dir}/mnt"
- local compression_method=$(sudo unsquashfs -s "${system_img}" | \
- awk '$1 == "Compression" { print $2 }')
info "Unpacking squashfs system image to ${system_mnt}"
sudo "${unsquashfs}" -x -f -no-progress -d "${system_mnt}" "${system_img}"
@@ -295,7 +296,6 @@ main() {
sign_framework_apks "${system_mnt}" "${key_dir}"
update_sepolicy "${system_mnt}" "${key_dir}"
replace_ota_cert "${system_mnt}" "${key_dir}/releasekey.x509.pem"
- reapply_file_security_context "${system_mnt}" "${root_fs_dir}"
# Validity check.
snapshot_file_properties "${system_mnt}" > "${working_dir}/properties.new"
@@ -348,9 +348,13 @@ main() {
info "Repacking squashfs image"
local old_size=$(stat -c '%s' "${system_img}")
- # Overwrite the original image.
- sudo "${mksquashfs}" "${system_mnt}" "${system_img}" \
- -no-progress -comp "${compression_method}" -noappend
+ # Remove old system image to prevent mksquashfs tries to merge both images.
+ sudo rm -rf "${system_img}"
+ # Note, compression_flags is a combination of flags. Keep this aligned with
+ # src/private-overlays/project-cheets-private/scripts/board_specific_setup.sh
+ sudo mksquashfs "${system_mnt}" "${system_img}" \
+ ${compression_flags} -context-file "${file_contexts}" -mount-point "/" \
+ -no-progress
local new_size=$(stat -c '%s' "${system_img}")
info "Android system image size change: ${old_size} -> ${new_size}"
}
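Review bot: The repack now runs `sudo mksquashfs` by bare name, while the removed line used `sudo "${mksquashfs}"` and the unpack step still goes through `"${unsquashfs}"`. In a signing script the binary should stay pinned, and `-context-file`/`-mount-point` need a mksquashfs build that supports them, so I would keep `sudo "${mksquashfs}" "${system_mnt}" "${system_img}" \`. Where `${mksquashfs}` is set is outside this hunk, so confirm it is still defined. Separately, `sudo rm -rf "${system_img}"` deletes the only copy before the new image exists. `sudo rm -f -- "${system_img}"` is enough for a single file, and unless the script aborts on error elsewhere, an explicit `|| die "mksquashfs failed"` on the pack command would keep a failed repack from passing silently into the `stat` on the next line. main starts outside this hunk.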