Diffstat (limited to 'scripts/image_signing/sign_official_build.sh')
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 72d4f58b..d1c87685 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -695,6 +695,55 @@ update_recovery_kernel_hash() {
 replace_image_partition ${image_bin} 2 ${updated_kimagea}
 }
+# Update the legacy bootloader templates in EFI partition if available.
+# Args: IMAGE_BIN DM_PARTNO
+update_legacy_bootloader() {
+ local image="$1"
+ local dm_partno="$2"
+
+ local esp_partnum=12
+ local esp_offset=$(( $(partoffset "${image}" "${esp_partnum}") * 512 ))
+ # Check if the image has an ESP partition.
+ if [[ "${esp_offset}" == "0" ]]; then
+ info "Not updating legacy bootloader configs: ${image}"
+ return 0
+ fi
+
+ local esp_dir="$(make_temp_dir)"
+ # We use the 'unsafe' variant because the EFI system partition is vfat type
+ # and can be mounted in RW mode.
+ _mount_image_partition_retry "${image}" "${esp_partnum}" "${esp_dir}"
+
+ # If we can't find the dm parameter in the kernel config, bail out now.
+ local kernel_config=$(grab_kernel_config "${image}" "${dm_partno}")
+ local root_hexdigest="$(get_hash_from_config "${kernel_config}")"
+ if [[ -z "${root_hexdigest}" ]]; then
+ error "Couldn't grab root_digest from kernel partition ${dm_partno}"
+ error " (config: ${kernel_config})"
+ return 1
+ fi
+ # Update syslinux configs for legacy BIOS systems.
+ if [[ -d "${esp_dir}/syslinux" ]]; then
+ local cfg=("${esp_dir}"/syslinux/*.cfg)
+ if ! sudo sed -i -r \
+ "s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g" \
+ "${cfg[@]}"; then
+ error "Updating syslinux configs failed: '${cfg[*]}'"
+ return 1
+ fi
+ fi
+ # Update grub configs for EFI systems.
+ local grub_cfg="${esp_dir}/efi/boot/grub.cfg"
+ if [[ -f "${grub_cfg}" ]]; then
+ if ! sudo sed -i -r \
+ "s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g" \
+ "${grub_cfg}"; then
+ error "Updating grub config failed: '${grub_cfg}'"
+ return 1
+ fi
+ fi
+}
+
 # Sign an image file with proper keys.
 # Args: IMAGE_TYPE INPUT OUTPUT DM_PARTNO KERN_A_KEYBLOCK KERN_A_PRIVKEY \
 # KERN_B_KEYBLOCK KERN_B_PRIVKEY
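Review bot: The return status of `_mount_image_partition_retry` in `update_legacy_bootloader` is never checked, so a failed ESP mount makes both the `-d` and `-f` tests false and the function returns 0, leaving the old `root_hexdigest` in the bootloader configs of an image that is then reported as signed. The call site in the next hunk runs the function under `if !`, which turns off errexit inside it should the script use `set -e` (not visible here), so this has to be an explicit check. `${root_hexdigest}` is also taken from the image's kernel config and spliced into the sed replacement unvalidated; checking it against the same `[a-z0-9]+` class the pattern matches keeps a `/` or `&` in that value from changing the sed program that runs under sudo. No unmount of `${esp_dir}` appears in the hunk, so it is worth confirming that the temp-dir cleanup unmounts it before the image is consumed, and the comment about the 'unsafe' variant does not match the helper that is actually called.

```shell
  local esp_dir="$(make_temp_dir)"
  if ! _mount_image_partition_retry "${image}" "${esp_partnum}" "${esp_dir}"; then
    error "Could not mount EFI partition ${esp_partnum} of ${image}"
    return 1
  fi
  # … unchanged: grab_kernel_config / get_hash_from_config and the empty check …
  if [[ ! "${root_hexdigest}" =~ ^[a-z0-9]+$ ]]; then
    error "Unexpected root_hexdigest format from kernel partition ${dm_partno}"
    return 1
  fi
  # … unchanged: syslinux and grub sed updates …
```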
@@ -735,6 +784,10 @@ sign_image_file() {
 if [[ "${image_type}" == "recovery" ]]; then
 update_recovery_kernel_hash "${output}"
 fi
+ if ! update_legacy_bootloader "${output}" "${dm_partno}"; then
+ # Error is already logged.
+ return 1
+ fi
 echo "Signed ${image_type} image output to ${output}"
 } |