authorMike Frysinger <vapier@chromium.org>2018-04-30 03:14:13 -0400
committerchrome-bot <chrome-bot@chromium.org>2018-05-09 01:11:05 -0700
commit8543190e64a1c2cc17ed03a20c01da642cd59151 (patch)
treef51c8ab6f8d0921366f117fa38baad5c907cecce /scripts/image_signing/common_minimal.sh
parent41d0e327910507c73ead5f88d0ed3db524353062 (diff)
downloadvboot-8543190e64a1c2cc17ed03a20c01da642cd59151.tar.gz
sign_official_build: switch kernel/firmware signing to loopdevs
Newer versions of util-linux/mount don't like when you create overlapping loopback files. Since we always create a loopback of the entire image, this means every mount fails. We can change the few users in here over to using the existing loopback partitions rather than continuing to create their own from scratch. This makes the code a bit simpler. However, we currently duplicate some of the mount image helpers so that one version works off of a disk image while the other uses loopbacks. Cleaning this up requires a number of changes in other files which we'll want to do eventually, just not right now (to minimize risk). BUG=chromium:714598 TEST=image signing works on newer gLinux installs BRANCH=None Change-Id: I31b35636b3b271e97070d283f8cb74d3183d8ec8 Reviewed-on: https://chromium-review.googlesource.com/1034435 Commit-Ready: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org> Reviewed-by: Jason Clinton <jclinton@chromium.org>
Diffstat (limited to 'scripts/image_signing/common_minimal.sh')
-rw-r--r--scripts/image_signing/common_minimal.sh47
1 files changed, 40 insertions, 7 deletions
diff --git a/scripts/image_signing/common_minimal.sh b/scripts/image_signing/common_minimal.sh
index 3a0dccf9..c57fc90d 100644
--- a/scripts/image_signing/common_minimal.sh
+++ b/scripts/image_signing/common_minimal.sh
@@ -236,12 +236,37 @@ _mount_image_partition() {
_mount_image_partition_retry "$@"
}
+# If called without 'ro', make sure the partition is allowed to be mounted as
+# 'rw' before actually mounting it.
+# Args: LOOPDEV PARTNUM MOUNTDIRECTORY [ro]
+_mount_loop_image_partition() {
+ local loopdev=$1
+ local partnum=$2
+ local mount_dir=$3
+ local ro=$4
+ local loop_rootfs="${loopdev}p${partnum}"
+
+ if [ "$ro" != "ro" ]; then
+ # Forcibly call enable_rw_mount. It should fail on unsupported
+ # filesystems and be idempotent on ext*.
+ enable_rw_mount "${loop_rootfs}" 2>/dev/null
+ fi
+
+ sudo mount -o "${ro}" "${loop_rootfs}" "${mount_dir}"
+}
+
# Mount a partition read-only from an image into a local directory
# Args: IMAGE PARTNUM MOUNTDIRECTORY
mount_image_partition_ro() {
_mount_image_partition "$@" "ro"
}
+# Mount a partition read-only from an image into a local directory
+# Args: LOOPDEV PARTNUM MOUNTDIRECTORY
+mount_loop_image_partition_ro() {
+ _mount_loop_image_partition "$@" "ro"
+}
+
# Mount a partition from an image into a local directory
# Args: IMAGE PARTNUM MOUNTDIRECTORY
mount_image_partition() {
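Review bot: In `_mount_loop_image_partition`, the read-write path reaches `sudo mount -o "${ro}"` with `ro` empty, so mount is handed an empty option string, and any fourth argument other than `ro` is forwarded unchecked as options to a root mount. Making the mode explicit would close both gaps: `local ro=${4:-rw}` followed by `[[ "${ro}" == "ro" || "${ro}" == "rw" ]] || return 1`. The `enable_rw_mount "${loop_rootfs}" 2>/dev/null` call also discards both its diagnostics and its exit status; if that is deliberate for non-ext filesystems, a comment such as `# Failure is expected on non-ext* filesystems and is ignored on purpose.` would record it.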
@@ -252,27 +277,35 @@ mount_image_partition() {
fi
}
+# Mount a partition from an image into a local directory
+# Args: LOOPDEV PARTNUM MOUNTDIRECTORY
+mount_loop_image_partition() {
+ local mount_dir=$3
+ _mount_loop_image_partition "$@"
+ if is_rootfs_partition "${mount_dir}"; then
+ tag_as_needs_to_be_resigned "${mount_dir}"
+ fi
+}
+
# Mount the image's ESP (EFI System Partition) on a newly created temporary
# directory.
# Prints out the newly created temporary directory path if succeeded.
# If the image doens't have an ESP partition, returns 0 without print anything.
-# Args: IMAGE
+# Args: LOOPDEV
# Returns: 0 if succeeded, 1 otherwise.
mount_image_esp() {
- local image="$1"
+ local loopdev="$1"
local ESP_PARTNUM=12
+ local loop_esp="${loopdev}p${ESP_PARTNUM}"
- local esp_offset=$(( $(partoffset "${image}" "${ESP_PARTNUM}") ))
+ local esp_offset=$(( $(partoffset "${loopdev}" "${ESP_PARTNUM}") ))
# Check if the image has an ESP partition.
if [[ "${esp_offset}" == "0" ]]; then
return 0
fi
local esp_dir="$(make_temp_dir)"
- # We use the 'unsafe' variant because the EFI system partition is vfat type
- # and can be mounted in RW mode.
- if ! _mount_image_partition_retry "${image}" "${ESP_PARTNUM}" \
- "${esp_dir}" >/dev/null; then
+ if ! sudo mount -o "${ro}" "${loop_esp}" "${esp_dir}"; then
return 1
fi
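Review bot: `mount_image_esp` now runs `sudo mount -o "${ro}"`, but `ro` is never declared in the visible part of this function, so it expands to whatever a caller further up the stack left in scope, or to an empty string (an abort if the script runs under `set -u`). The removed comment says the ESP is vfat and may be mounted read-write, so stating that directly removes the hidden dependency: `if ! sudo mount "${loop_esp}" "${esp_dir}"; then`, with a one-line comment on why read-write is acceptable here. Separately, `mount_loop_image_partition` proceeds to `is_rootfs_partition` and `tag_as_needs_to_be_resigned` without checking the mount result; `_mount_loop_image_partition "$@" || return` would keep it from inspecting an unmounted directory. The body of `mount_image_esp` continues past the end of this hunk.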