authorDon Garrett <dgarrett@google.com>2013-07-02 17:17:51 -0700
committerChromeBot <chrome-bot@google.com>2013-08-05 19:16:24 -0700
commit7a3a4676672525231c38612e6c8a820305d99de5 (patch)
tree9aa0b4386de05dcaea9b8bde96181050340f3549
parent494646dbadedae88776d6fced396e3ee8af38e54 (diff)
Add a script to remove /boot and its contents from an image.stabilize-4512.B
This is a helper script intended for the signing servers to use to strip out the /boot directory from images just before signing. BUG=chromium:210352 TEST=Manually used to strip an image and validated the results. BRANCH=None Change-Id: I814522284143d8f90651e13000d428718aeca1e4 Reviewed-on: https://gerrit.chromium.org/gerrit/60828 Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Queue: Don Garrett <dgarrett@chromium.org> Tested-by: Don Garrett <dgarrett@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh5
-rwxr-xr-xscripts/image_signing/strip_boot_from_image.sh65
2 files changed, 70 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 53b94832..d7bc4d02 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -692,6 +692,7 @@ echo "Using kernel version: ${KERNEL_VERSION}"
if [ "${TYPE}" == "ssd" ]; then
cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
resign_firmware_payload ${OUTPUT_IMAGE}
+ "${SCRIPT_DIR}/strip_boot_from_image.sh" --image "${OUTPUT_IMAGE}"
update_rootfs_hash ${OUTPUT_IMAGE} \
${KEY_DIR}/kernel.keyblock \
${KEY_DIR}/kernel_data_key.vbprivk \
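Review bot: The exit status of the new `strip_boot_from_image.sh` call in the ssd branch is not checked, and the same holds for the identical calls added in the usb and recovery branches. Whether a failure stops the signing run depends on `set -e` being active in sign_official_build.sh, which these hunks do not show; if it is not, an image whose /boot was not removed would go on to `update_rootfs_hash` and be signed. An explicit check states the intent: `"${SCRIPT_DIR}/strip_boot_from_image.sh" --image "${OUTPUT_IMAGE}" || exit 1`. The if/elif chain starts and ends outside the hunks.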
@@ -700,6 +701,7 @@ if [ "${TYPE}" == "ssd" ]; then
elif [ "${TYPE}" == "usb" ]; then
cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
resign_firmware_payload ${OUTPUT_IMAGE}
+ "${SCRIPT_DIR}/strip_boot_from_image.sh" --image "${OUTPUT_IMAGE}"
update_rootfs_hash ${OUTPUT_IMAGE} \
${KEY_DIR}/recovery_kernel.keyblock \
${KEY_DIR}/recovery_kernel_data_key.vbprivk \
@@ -708,6 +710,7 @@ elif [ "${TYPE}" == "usb" ]; then
elif [ "${TYPE}" == "recovery" ]; then
cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
resign_firmware_payload ${OUTPUT_IMAGE}
+ "${SCRIPT_DIR}/strip_boot_from_image.sh" --image "${OUTPUT_IMAGE}"
# Both kernel command lines must have the correct rootfs hash
update_rootfs_hash ${OUTPUT_IMAGE} \
${KEY_DIR}/recovery_kernel.keyblock \
@@ -721,6 +724,8 @@ elif [ "${TYPE}" == "recovery" ]; then
elif [ "${TYPE}" == "factory" ] || [ "${TYPE}" == "install" ]; then
cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
resign_firmware_payload ${OUTPUT_IMAGE}
+ # We do NOT strip /boot for factory, since some factory images need it
+ # to boot EFI. crosbug.com/260512 would obsolete this requirement.
update_rootfs_hash ${OUTPUT_IMAGE} \
${KEY_DIR}/installer_kernel.keyblock \
${KEY_DIR}/installer_kernel_data_key.vbprivk \
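Review bot: The comment added in the factory/install branch cites crosbug.com/260512, while the commit message's BUG= line gives chromium:210352. If both refer to the same bug, one number is mistyped and the comment would read `# to boot EFI. crosbug.com/210352 would obsolete this requirement.`; if they are separate bugs, no change is needed.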
diff --git a/scripts/image_signing/strip_boot_from_image.sh b/scripts/image_signing/strip_boot_from_image.sh
new file mode 100755
index 00000000..dcbdf05d
--- /dev/null
+++ b/scripts/image_signing/strip_boot_from_image.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to remove /boot directory from an image.
+
+# Load common constants. This should be the first executable line.
+# The path to common.sh should be relative to your script's location.
+. "$(dirname "$0")/common.sh"
+
+load_shflags
+
+DEFINE_string image "chromiumos_image.bin" \
+ "Input file name of Chrome OS image to strip /boot from."
+
+# Parse command line.
+FLAGS "$@" || exit 1
+eval set -- "${FLAGS_ARGV}"
+
+# Abort on error.
+set -e
+
+if [ -z "${FLAGS_image}" ] || [ ! -s "${FLAGS_image}" ] ; then
+ die "Error: need a valid file by --image"
+fi
+
+# Swiped/modifed from $SRC/src/scripts/base_library/base_image_util.sh.
+zero_free_space() {
+ local rootfs="$1"
+
+ echo "Zeroing freespace in ${rootfs}"
+ # dd is a silly thing and will produce a "No space left on device" message
+ # that cannot be turned off and is confusing to unsuspecting victims.
+ ( sudo dd if=/dev/zero of="${rootfs}/filler" bs=4096 conv=fdatasync \
+ status=noxfer || true ) 2>&1 | grep -v "No space left on device"
+ sudo rm "${rootfs}/filler"
+}
+
+
+strip_boot() {
+ local image=$1
+
+ # Mount image so we can modify it.
+ local rootfs_dir=$(make_temp_dir)
+ mount_image_partition ${image} 3 ${rootfs_dir}
+
+ sudo rm -rf "${rootfs_dir}/boot" &&
+ echo "/boot directory was removed."
+
+ # To prevent the files we just removed from the FS from remaining as non-
+ # zero trash blocks that bloat payload sizes, need to zero them. This was
+ # done when the image was built, but needs to be repeated now that we've
+ # modified it in a non-trivial way.
+ zero_free_space "${rootfs_dir}"
+}
+
+
+IMAGE=$(readlink -f "${FLAGS_image}")
+if [[ -z "${IMAGE}" || ! -f "${IMAGE}" ]]; then
+ die "Missing required argument: --from (image to update)"
+fi
+
+strip_boot "${IMAGE}"
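Review bot: In `strip_boot`, `sudo rm -rf "${rootfs_dir}/boot" && echo ...` does not trip `set -e` when `rm` fails, because a failing non-final command in an `&&` list is exempt. The script then runs `zero_free_space` and can exit 0 with /boot still in the image that is about to be signed. Separate the two commands: `sudo rm -rf "${rootfs_dir}/boot" || die "Failed to remove /boot"` followed by a plain `echo "/boot directory was removed."`. Just above, `local rootfs_dir=$(make_temp_dir)` hides a `make_temp_dir` failure behind `local`'s own status, and `mount_image_partition ${image} 3 ${rootfs_dir}` should quote both expansions. The final check's message names `--from` although the flag is `--image`, and no unmount appears in this file, so cleanup presumably relies on common.sh, which is worth confirming.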