authorAmey Deshpande <ameyd@google.com>2015-09-16 18:16:42 -0700
committerchrome-bot <chrome-bot@chromium.org>2015-10-03 16:26:08 -0700
commitdabb158ad27610661ef16639843e2909f2a3dba5 (patch)
tree7f3fc2b412ab31cb7c5cfab8fb357042e0b521a4 /scripts/image_signing/sign_official_build.sh
parent82db93d5fc924860e4f1fb4cf24f29b5b335a480 (diff)
signer: update legacy bootloader templates after image signingstabilize-7520.67.Bstabilize-7520.63.Bstabilize-7520.49.Brelease-R47-7520.B
Specifically, this patch updates 'root_hexdigest' in legacy bootloader templates in EFI system partition to match the signed rootfs. BRANCH=None BUG=chromium:512940 TEST=Ran sign_official_build.sh locally and booted the image on kvm (using BIOS). TEST=Ran signing_unittests.py by locally changing vboot_stable_hash to include this patch. $ ./sign_official_build.sh base chromiumos_base_image.bin \ ../../tests/devkeys chromiumos_base_image_signed.bin Change-Id: Ied021c4464b113a64508f5081605069bdcecbc1f Reviewed-on: https://chromium-review.googlesource.com/301742 Commit-Ready: Amey Deshpande <ameyd@google.com> Tested-by: Amey Deshpande <ameyd@google.com> Reviewed-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'scripts/image_signing/sign_official_build.sh')
-rwxr-xr-xscripts/image_signing/sign_official_build.sh53
1 files changed, 53 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 72d4f58b..d1c87685 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -695,6 +695,55 @@ update_recovery_kernel_hash() {
replace_image_partition ${image_bin} 2 ${updated_kimagea}
}
+# Update the legacy bootloader templates in EFI partition if available.
+# Args: IMAGE_BIN DM_PARTNO
+update_legacy_bootloader() {
+ local image="$1"
+ local dm_partno="$2"
+
+ local esp_partnum=12
+ local esp_offset=$(( $(partoffset "${image}" "${esp_partnum}") * 512 ))
+ # Check if the image has an ESP partition.
+ if [[ "${esp_offset}" == "0" ]]; then
+ info "Not updating legacy bootloader configs: ${image}"
+ return 0
+ fi
+
+ local esp_dir="$(make_temp_dir)"
+ # We use the 'unsafe' variant because the EFI system partition is vfat type
+ # and can be mounted in RW mode.
+ _mount_image_partition_retry "${image}" "${esp_partnum}" "${esp_dir}"
+
+ # If we can't find the dm parameter in the kernel config, bail out now.
+ local kernel_config=$(grab_kernel_config "${image}" "${dm_partno}")
+ local root_hexdigest="$(get_hash_from_config "${kernel_config}")"
+ if [[ -z "${root_hexdigest}" ]]; then
+ error "Couldn't grab root_digest from kernel partition ${dm_partno}"
+ error " (config: ${kernel_config})"
+ return 1
+ fi
+ # Update syslinux configs for legacy BIOS systems.
+ if [[ -d "${esp_dir}/syslinux" ]]; then
+ local cfg=("${esp_dir}"/syslinux/*.cfg)
+ if ! sudo sed -i -r \
+ "s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g" \
+ "${cfg[@]}"; then
+ error "Updating syslinux configs failed: '${cfg[*]}'"
+ return 1
+ fi
+ fi
+ # Update grub configs for EFI systems.
+ local grub_cfg="${esp_dir}/efi/boot/grub.cfg"
+ if [[ -f "${grub_cfg}" ]]; then
+ if ! sudo sed -i -r \
+ "s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g" \
+ "${grub_cfg}"; then
+ error "Updating grub config failed: '${grub_cfg}'"
+ return 1
+ fi
+ fi
+}
+
# Sign an image file with proper keys.
# Args: IMAGE_TYPE INPUT OUTPUT DM_PARTNO KERN_A_KEYBLOCK KERN_A_PRIVKEY \
# KERN_B_KEYBLOCK KERN_B_PRIVKEY
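Review bot: `root_hexdigest` comes out of the kernel config and is spliced into the sed program in both the syslinux and grub branches with only an emptiness check in front of it, so a value containing `/`, `&` or whitespace would change what the substitution does. I would reject anything that is not hex right after the `-z` test, e.g. `[[ "${root_hexdigest}" =~ ^[0-9a-f]+$ ]] || { error "Bad root_hexdigest: ${root_hexdigest}"; return 1; }`. Separately, `sed -i` exits 0 when the pattern matches nothing, so a template whose existing digest is not matched by `[a-z0-9]+` stays stale while the function reports success; where a file already held a `root_hexdigest=` token, a follow-up `grep -q "root_hexdigest=${root_hexdigest}"` on it would catch that. None of the return paths visible here unmount `esp_dir`, and the mount happens before the digest check; unless `make_temp_dir` registers cleanup elsewhere (not visible in this hunk), the writable ESP mount outlives the function.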
@@ -735,6 +784,10 @@ sign_image_file() {
if [[ "${image_type}" == "recovery" ]]; then
update_recovery_kernel_hash "${output}"
fi
+ if ! update_legacy_bootloader "${output}" "${dm_partno}"; then
+ # Error is already logged.
+ return 1
+ fi
echo "Signed ${image_type} image output to ${output}"
}
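Review bot: Calling `update_legacy_bootloader` as the condition of `if !` means bash ignores errexit for the whole function body, so even if the script runs under `set -e` (not visible here) the unchecked `_mount_image_partition_retry` call inside it can fail without stopping anything. In that case `esp_dir` is an empty temp dir, both the `syslinux` and `grub.cfg` tests are false, the function returns 0, and the image is reported as signed with the bootloader templates still carrying the old digest. The mount line in the new function should carry its own check, `_mount_image_partition_retry "${image}" "${esp_partnum}" "${esp_dir}" || return 1`, ideally with an `error` message before the return. `sign_image_file` starts outside this hunk, so how `${output}` is handled after the `return 1` cannot be judged from here.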