authorMike Frysinger <vapier@chromium.org>2017-05-09 01:48:58 -0400
committerchrome-bot <chrome-bot@chromium.org>2017-06-15 15:17:17 -0700
commit2d160adf72cf5425c9142b602206f0ac2a675055 (patch)
treea8af1735c39a481f8d566bec9b17437f799f53b7
parentb688d42ad10e99b2afad6fa3ad2d4179cecb19dd (diff)
image_signing: sign_official_build.sh: switch verification to loopbacks
Rather than copy out the rootfs to a temp file and perform checks on that, run the checks directly on the image. This saves us from having to copy many GB worth of data which can be expensive on the VMs (slow disk I/O). BRANCH=None BUG=chromium:714598 TEST=signing images still works Change-Id: Ie7d1c432aacb69e57b6c5fd9ab810b8d0b054860 Reviewed-on: https://chromium-review.googlesource.com/505476 Commit-Ready: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org> Reviewed-by: David Riley <davidriley@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh20
1 files changed, 10 insertions, 10 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index b572501b..8333b015 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -375,15 +375,15 @@ update_stateful_partition_vblock() {
# Do a sanity check on the image's rootfs
# ARGS: Image
verify_image_rootfs() {
- local image=$1
- local rootfs_image=$(make_temp_file)
- extract_image_partition ${image} 3 ${rootfs_image}
+ local rootfs=$1
# This flips the read-only compatibility flag, so that e2fsck does not
# complain about unknown file system capabilities.
- enable_rw_mount ${rootfs_image}
+ enable_rw_mount "${rootfs}"
info "Running e2fsck to check root file system for errors"
- sudo e2fsck -fn "${rootfs_image}" ||
+ sudo e2fsck -fn "${rootfs}" ||
die "Root file system has errors!"
+ # Flip the bit back so we don't break hashes.
+ disable_rw_mount "${rootfs}"
}
# Extracts a firmware updater bundle (for firmware image binaries) file
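Review bot: The new `disable_rw_mount "${rootfs}"` at the end of verify_image_rootfs is skipped when e2fsck fails, because `die` presumably exits first. Since the function now works on the image itself rather than a temp copy, that leaves the read-only compatibility flag flipped in the image being checked. Restoring the flag before bailing out avoids this: `sudo e2fsck -fn "${rootfs}" || { disable_rw_mount "${rootfs}"; die "Root file system has errors!"; }`. The same concern reaches the changed call `verify_image_rootfs "${loop_rootfs}"` in verify_image, where a verify-only run now writes to INPUT_IMAGE and an interruption between the two flips leaves it altered. The header comment `# ARGS: Image` is also stale and could read `# ARGS: rootfs partition (loop device or file)`.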
@@ -626,8 +626,8 @@ sign_oci_container() {
# Verify an image including rootfs hash using the specified keys.
verify_image() {
- local rootfs_image=$(make_temp_file)
- extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image}
+ local loopdev=$(loopback_partscan "${INPUT_IMAGE}")
+ local loop_rootfs="${loopdev}p3"
info "Verifying RootFS hash..."
# What we get from image.
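Review bot: `local loopdev=$(loopback_partscan "${INPUT_IMAGE}")` hides a failure of loopback_partscan, because `local` returns 0 whatever the command substitution returns. loopdev would then be empty and `loop_rootfs` becomes the bare string `p3`, which the later sudo commands receive as a path. Splitting the statement keeps the status: `local loopdev` followed by `loopdev=$(loopback_partscan "${INPUT_IMAGE}") || die "Failed to set up loop device for ${INPUT_IMAGE}"`. No detach of the loop device is visible in this hunk; presumably the helper registers its own cleanup, which is worth confirming. verify_image continues outside the hunk.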
@@ -639,9 +639,9 @@ verify_image() {
local partnum
for partnum in 2 4; do
info "Considering Kernel partition ${partnum}"
- kernel_config=$(grab_kernel_config ${INPUT_IMAGE} $partnum)
+ kernel_config=$(sudo dump_kernel_config "${loopdev}p${partnum}")
local hash_image=$(make_temp_file)
- if ! calculate_rootfs_hash "${rootfs_image}" "${kernel_config}" \
+ if ! calculate_rootfs_hash "${loop_rootfs}" "${kernel_config}" \
"${hash_image}"; then
info "Trying next kernel partition."
continue
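Review bot: `sudo dump_kernel_config "${loopdev}p${partnum}"` runs the kernel-config parser as root on data taken from the image under verification, whereas the replaced `grab_kernel_config` call carried no sudo in this hunk. If root is needed only to read the loop device node, a comment such as `# sudo is needed only to read the root-owned loop device node` would record that. It is also worth checking whether read access can be granted without elevating the parser. The partition path is built by hand here and as `"${loopdev}p3"` earlier, so a small helper would keep the `p<N>` naming in one place. The loop body continues outside the hunk.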
@@ -692,7 +692,7 @@ EOF
echo "YES"; } || echo "NO"
set -e
- verify_image_rootfs "${INPUT_IMAGE}"
+ verify_image_rootfs "${loop_rootfs}"
# TODO(gauravsh): Check embedded firmware AU signatures.
}