-rw-r--r-- | scripts/image_signing/common_minimal.sh | 47 | ||||
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 44 |
2 files changed, 62 insertions, 29 deletions
diff --git a/scripts/image_signing/common_minimal.sh b/scripts/image_signing/common_minimal.sh index 3a0dccf9..c57fc90d 100644 --- a/scripts/image_signing/common_minimal.sh +++ b/scripts/image_signing/common_minimal.sh @@ -236,12 +236,37 @@ _mount_image_partition() { _mount_image_partition_retry "$@" } +# If called without 'ro', make sure the partition is allowed to be mounted as +# 'rw' before actually mounting it. +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY [ro] +_mount_loop_image_partition() { + local loopdev=$1 + local partnum=$2 + local mount_dir=$3 + local ro=$4 + local loop_rootfs="${loopdev}p${partnum}" + + if [ "$ro" != "ro" ]; then + # Forcibly call enable_rw_mount. It should fail on unsupported + # filesystems and be idempotent on ext*. + enable_rw_mount "${loop_rootfs}" 2>/dev/null + fi + + sudo mount -o "${ro}" "${loop_rootfs}" "${mount_dir}" +} + # Mount a partition read-only from an image into a local directory # Args: IMAGE PARTNUM MOUNTDIRECTORY mount_image_partition_ro() { _mount_image_partition "$@" "ro" } +# Mount a partition read-only from an image into a local directory +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY +mount_loop_image_partition_ro() { + _mount_loop_image_partition "$@" "ro" +} + # Mount a partition from an image into a local directory # Args: IMAGE PARTNUM MOUNTDIRECTORY mount_image_partition() { 
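Review bot: In `_mount_loop_image_partition` the read-write path discards both the exit status and the stderr of `enable_rw_mount`, then runs `sudo mount -o "${ro}"` with an empty option string, because `ro` is only set when a fourth argument is passed. A signing run that could not make the rootfs writable therefore gets no diagnostic at this point. I would make the option explicit with `sudo mount -o "${ro:-rw}" "${loop_rootfs}" "${mount_dir}"` and read the argument as `local ro="${4:-}"`, so the helper also works if a caller enables `set -u` (not visible here). If swallowing the `enable_rw_mount` failure is intended for non-ext filesystems, the comment should say which later step is expected to catch a rootfs that stayed read-only.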
@@ -252,27 +277,35 @@ mount_image_partition() { fi } +# Mount a partition from an image into a local directory +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY +mount_loop_image_partition() { + local mount_dir=$3 + _mount_loop_image_partition "$@" + if is_rootfs_partition "${mount_dir}"; then + tag_as_needs_to_be_resigned "${mount_dir}" + fi +} + # Mount the image's ESP (EFI System Partition) on a newly created temporary # directory. # Prints out the newly created temporary directory path if succeeded. # If the image doens't have an ESP partition, returns 0 without print anything. -# Args: IMAGE +# Args: LOOPDEV # Returns: 0 if succeeded, 1 otherwise. mount_image_esp() { - local image="$1" + local loopdev="$1" local ESP_PARTNUM=12 + local loop_esp="${loopdev}p${ESP_PARTNUM}" - local esp_offset=$(( $(partoffset "${image}" "${ESP_PARTNUM}") )) + local esp_offset=$(( $(partoffset "${loopdev}" "${ESP_PARTNUM}") )) # Check if the image has an ESP partition. if [[ "${esp_offset}" == "0" ]]; then return 0 fi local esp_dir="$(make_temp_dir)" - # We use the 'unsafe' variant because the EFI system partition is vfat type - # and can be mounted in RW mode. - if ! _mount_image_partition_retry "${image}" "${ESP_PARTNUM}" \ - "${esp_dir}" >/dev/null; then + if ! sudo mount -o "${ro}" "${loop_esp}" "${esp_dir}"; then return 1 fi diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 5f8fd7e2..1c4a2958 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -522,9 +522,9 @@ sign_update_payload() { } # Re-sign the firmware AU payload inside the image rootfs with a new keys. -# Args: IMAGE +# Args: LOOPDEV resign_firmware_payload() { - local image=$1 + local loopdev="$1" if [ -n "${NO_FWUPDATE}" ]; then info "Skipping firmware update." 
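Review bot: `mount_image_esp` now runs `sudo mount -o "${ro}" "${loop_esp}" "${esp_dir}"`, but `ro` is neither a parameter nor a local of this function, so it expands to an empty string or, through bash's dynamic scoping, to whatever a caller has in a variable of that name. The mount mode of the EFI partition in a signing script should not depend on an accidental variable; drop the option, `if ! sudo mount "${loop_esp}" "${esp_dir}" >/dev/null; then`, or take an explicit optional mode argument. The `>/dev/null` keeps the old guarantee that the only thing on stdout is the temp directory path that callers capture with `$(...)`. The removed comment explaining that the ESP is vfat and can be mounted read-write is still worth keeping next to the new call.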
@@ -533,7 +533,7 @@ resign_firmware_payload() { # Grab firmware image from the autoupdate bundle (shellball). local rootfs_dir=$(make_temp_dir) - mount_image_partition ${image} 3 ${rootfs_dir} + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" local firmware_bundle="${rootfs_dir}/usr/sbin/chromeos-firmwareupdate" local shellball_dir=$(make_temp_dir) @@ -742,15 +742,15 @@ resign_firmware_payload() { sudo chmod a+rx "${firmware_bundle}" # Unmount now to flush changes. sudo umount "${rootfs_dir}" - info "Re-signed firmware AU payload in ${image}" + info "Re-signed firmware AU payload in ${loopdev}" } # Re-sign Android image if exists. resign_android_image_if_exists() { - local image=$1 + local loopdev="$1" local rootfs_dir=$(make_temp_dir) - mount_image_partition "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" local system_img="${rootfs_dir}/opt/google/containers/android/system.raw.img" local arc_version=$(grep CHROMEOS_ARC_VERSION= \ @@ -769,16 +769,16 @@ resign_android_image_if_exists() { } # Sign UEFI binaries, if possible. -# Args: IMAGE +# Args: LOOPDEV sign_uefi_binaries() { - local image="$1" + local loopdev="$1" if [[ ! -d "${KEY_DIR}/uefi" ]]; then return 0 fi local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for signing UEFI binaries" return 1 elif [[ -z "${esp_dir}" ]]; then @@ -789,7 +789,7 @@ sign_uefi_binaries() { sudo umount "${esp_dir}" local rootfs_dir="$(make_temp_dir)" - mount_image_partition "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" "${SCRIPT_DIR}/sign_uefi.sh" "${rootfs_dir}/boot" "${KEY_DIR}/uefi" sudo umount "${rootfs_dir}" 
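Review bot: The result of `mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"` is not checked in `resign_firmware_payload`, and the same holds for the calls in `resign_android_image_if_exists` and `sign_uefi_binaries` in the following hunks. As written in common_minimal.sh the helper does not stop on a failed mount either: it continues to `is_rootfs_partition`, and its exit status is that of the trailing `if` statement, not of the mount. If the mount fails, the code after it works on an empty temp directory, and in `sign_uefi_binaries` that would presumably mean `sign_uefi.sh` finds nothing under `${rootfs_dir}/boot` to sign while the run continues. Suggest `mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" || return 1` at each call site, unless the script runs under `set -e`, which is not visible in these hunks. All three function bodies extend beyond the hunks shown.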
@@ -798,9 +798,9 @@ sign_uefi_binaries() { } # Verify the signatures of UEFI binaries. -# Args: IMAGE +# Args: LOOPDEV verify_uefi_signatures() { - local image="$1" + local loopdev="$1" local succeeded=1 if [[ ! -d "${KEY_DIR}/uefi" ]]; then @@ -808,7 +808,7 @@ verify_uefi_signatures() { fi local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for verifying UEFI signatures" return 1 elif [[ -z "${esp_dir}" ]]; then @@ -818,7 +818,7 @@ verify_uefi_signatures() { "${KEY_DIR}/uefi" || succeeded=0 local rootfs_dir="$(make_temp_dir)" - mount_image_partition_ro "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition_ro "${loopdev}" 3 "${rootfs_dir}" "${SCRIPT_DIR}/verify_uefi.sh" "${rootfs_dir}/boot" "${esp_dir}" \ "${KEY_DIR}/uefi" || succeeded=0 sudo umount "${rootfs_dir}" @@ -944,17 +944,17 @@ update_recovery_kernel_hash() { } # Update the legacy bootloader templates in EFI partition if available. -# Args: IMAGE_BIN KERNEL +# Args: LOOPDEV KERNEL update_legacy_bootloader() { - local image="$1" + local loopdev="$1" local loop_kern="$2" local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for updating legacy bootloader cfg." return 1 elif [[ -z "${esp_dir}" ]]; then - info "Not updating legacy bootloader configs: ${image}" + info "Not updating legacy bootloader configs: ${loopdev}" return 0 fi 
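Review bot: `verify_uefi_signatures` takes the rootfs through `mount_loop_image_partition_ro` but still obtains the ESP from `mount_image_esp "${loopdev}"`, which accepts no mount-mode argument, so a verification pass appears to hold a writable mount of the partition whose signatures it is checking. A check should not be able to alter what it checks; I would give `mount_image_esp` an optional second argument and call `mount_image_esp "${loopdev}" ro` here. The same call in `update_legacy_bootloader` (the `-944` hunk) presumably needs to stay read-write, since that function updates files on the ESP. The function bodies continue outside these hunks.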
@@ -1014,9 +1014,9 @@ sign_image_file() { local loopdev=$(loopback_partscan "${output}") local loop_kern="${loopdev}p${dm_partno}" - resign_firmware_payload "${output}" - resign_android_image_if_exists "${output}" - sign_uefi_binaries "${output}" + resign_firmware_payload "${loopdev}" + resign_android_image_if_exists "${loopdev}" + sign_uefi_binaries "${loopdev}" # We do NOT strip /boot for factory installer, since some devices need it to # boot EFI. crbug.com/260512 would obsolete this requirement. # @@ -1038,7 +1038,7 @@ sign_image_file() { if [[ "${image_type}" == "recovery" ]]; then update_recovery_kernel_hash "${loopdev}" fi - if ! update_legacy_bootloader "${output}" "${loop_kern}"; then + if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then # Error is already logged. return 1 fi |
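Review bot: Every signing step in `sign_image_file` now receives `${loopdev}`, yet the context line `local loopdev=$(loopback_partscan "${output}")` hides the command's exit status behind `local`, so if `loopback_partscan` fails and prints nothing, the helpers build device paths such as `p3` from an empty value. Split the declaration and check the result before the first use: `local loopdev`, then `loopdev=$(loopback_partscan "${output}") || return 1`. Separately, the `info` messages changed in the earlier hunks now name the loop device instead of the image file, which makes a signing log harder to tie back to the artifact; consider logging both. `sign_image_file` starts and ends outside these hunks.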