From 8543190e64a1c2cc17ed03a20c01da642cd59151 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Mon, 30 Apr 2018 03:14:13 -0400 Subject: sign_official_build: switch kernel/firmware signing to loopdevs Newer versions of util-linux/mount don't like when you create overlapping loopback files. Since we always create a loopback of the entire image, this means every mount fails. We can change the few users in here over to using the existing loopback partitions rather than continuing to create their own from scratch. This makes the code a bit simpler. However, we currently duplicate some of the mount image helpers so that one version works off of a disk image while the other uses loopbacks. Cleaning this up requires a number of changes in other files which we'll want to do eventually, just not right now (to minimize risk). BUG=chromium:714598 TEST=image signing works on newer gLinux installs BRANCH=None Change-Id: I31b35636b3b271e97070d283f8cb74d3183d8ec8 Reviewed-on: https://chromium-review.googlesource.com/1034435 Commit-Ready: Mike Frysinger Tested-by: Mike Frysinger Reviewed-by: Jason Clinton --- scripts/image_signing/common_minimal.sh | 47 +++++++++++++++++++++++----- scripts/image_signing/sign_official_build.sh | 44 +++++++++++++------------- 2 files changed, 62 insertions(+), 29 deletions(-) (limited to 'scripts') diff --git a/scripts/image_signing/common_minimal.sh b/scripts/image_signing/common_minimal.sh index 3a0dccf9..c57fc90d 100644 --- a/scripts/image_signing/common_minimal.sh +++ b/scripts/image_signing/common_minimal.sh @@ -236,12 +236,37 @@ _mount_image_partition() { _mount_image_partition_retry "$@" } +# If called without 'ro', make sure the partition is allowed to be mounted as +# 'rw' before actually mounting it. +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY [ro] +_mount_loop_image_partition() { + local loopdev=$1 + local partnum=$2 + local mount_dir=$3 + local ro=$4 + local loop_rootfs="${loopdev}p${partnum}" + + if [ "$ro" != "ro" ]; then + # Forcibly call enable_rw_mount. It should fail on unsupported + # filesystems and be idempotent on ext*. + enable_rw_mount "${loop_rootfs}" 2>/dev/null + fi + + sudo mount -o "${ro}" "${loop_rootfs}" "${mount_dir}" +} + # Mount a partition read-only from an image into a local directory # Args: IMAGE PARTNUM MOUNTDIRECTORY mount_image_partition_ro() { _mount_image_partition "$@" "ro" } +# Mount a partition read-only from an image into a local directory +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY +mount_loop_image_partition_ro() { + _mount_loop_image_partition "$@" "ro" +} + # Mount a partition from an image into a local directory # Args: IMAGE PARTNUM MOUNTDIRECTORY mount_image_partition() { @@ -252,27 +277,35 @@ mount_image_partition() { fi } +# Mount a partition from an image into a local directory +# Args: LOOPDEV PARTNUM MOUNTDIRECTORY +mount_loop_image_partition() { + local mount_dir=$3 + _mount_loop_image_partition "$@" + if is_rootfs_partition "${mount_dir}"; then + tag_as_needs_to_be_resigned "${mount_dir}" + fi +} + # Mount the image's ESP (EFI System Partition) on a newly created temporary # directory. # Prints out the newly created temporary directory path if succeeded. # If the image doens't have an ESP partition, returns 0 without print anything. -# Args: IMAGE +# Args: LOOPDEV # Returns: 0 if succeeded, 1 otherwise. mount_image_esp() { - local image="$1" + local loopdev="$1" local ESP_PARTNUM=12 + local loop_esp="${loopdev}p${ESP_PARTNUM}" - local esp_offset=$(( $(partoffset "${image}" "${ESP_PARTNUM}") )) + local esp_offset=$(( $(partoffset "${loopdev}" "${ESP_PARTNUM}") )) # Check if the image has an ESP partition. if [[ "${esp_offset}" == "0" ]]; then return 0 fi local esp_dir="$(make_temp_dir)" - # We use the 'unsafe' variant because the EFI system partition is vfat type - # and can be mounted in RW mode. - if ! _mount_image_partition_retry "${image}" "${ESP_PARTNUM}" \ - "${esp_dir}" >/dev/null; then + if ! sudo mount -o "${ro}" "${loop_esp}" "${esp_dir}"; then return 1 fi diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 5f8fd7e2..1c4a2958 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -522,9 +522,9 @@ sign_update_payload() { } # Re-sign the firmware AU payload inside the image rootfs with a new keys. -# Args: IMAGE +# Args: LOOPDEV resign_firmware_payload() { - local image=$1 + local loopdev="$1" if [ -n "${NO_FWUPDATE}" ]; then info "Skipping firmware update." @@ -533,7 +533,7 @@ resign_firmware_payload() { # Grab firmware image from the autoupdate bundle (shellball). local rootfs_dir=$(make_temp_dir) - mount_image_partition ${image} 3 ${rootfs_dir} + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" local firmware_bundle="${rootfs_dir}/usr/sbin/chromeos-firmwareupdate" local shellball_dir=$(make_temp_dir) @@ -742,15 +742,15 @@ resign_firmware_payload() { sudo chmod a+rx "${firmware_bundle}" # Unmount now to flush changes. sudo umount "${rootfs_dir}" - info "Re-signed firmware AU payload in ${image}" + info "Re-signed firmware AU payload in ${loopdev}" } # Re-sign Android image if exists. resign_android_image_if_exists() { - local image=$1 + local loopdev="$1" local rootfs_dir=$(make_temp_dir) - mount_image_partition "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" local system_img="${rootfs_dir}/opt/google/containers/android/system.raw.img" local arc_version=$(grep CHROMEOS_ARC_VERSION= \ @@ -769,16 +769,16 @@ resign_android_image_if_exists() { } # Sign UEFI binaries, if possible. -# Args: IMAGE +# Args: LOOPDEV sign_uefi_binaries() { - local image="$1" + local loopdev="$1" if [[ ! -d "${KEY_DIR}/uefi" ]]; then return 0 fi local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for signing UEFI binaries" return 1 elif [[ -z "${esp_dir}" ]]; then @@ -789,7 +789,7 @@ sign_uefi_binaries() { sudo umount "${esp_dir}" local rootfs_dir="$(make_temp_dir)" - mount_image_partition "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" "${SCRIPT_DIR}/sign_uefi.sh" "${rootfs_dir}/boot" "${KEY_DIR}/uefi" sudo umount "${rootfs_dir}" @@ -798,9 +798,9 @@ sign_uefi_binaries() { } # Verify the signatures of UEFI binaries. -# Args: IMAGE +# Args: LOOPDEV verify_uefi_signatures() { - local image="$1" + local loopdev="$1" local succeeded=1 if [[ ! -d "${KEY_DIR}/uefi" ]]; then @@ -808,7 +808,7 @@ verify_uefi_signatures() { fi local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for verifying UEFI signatures" return 1 elif [[ -z "${esp_dir}" ]]; then @@ -818,7 +818,7 @@ verify_uefi_signatures() { "${KEY_DIR}/uefi" || succeeded=0 local rootfs_dir="$(make_temp_dir)" - mount_image_partition_ro "${image}" 3 "${rootfs_dir}" + mount_loop_image_partition_ro "${loopdev}" 3 "${rootfs_dir}" "${SCRIPT_DIR}/verify_uefi.sh" "${rootfs_dir}/boot" "${esp_dir}" \ "${KEY_DIR}/uefi" || succeeded=0 sudo umount "${rootfs_dir}" @@ -944,17 +944,17 @@ update_recovery_kernel_hash() { } # Update the legacy bootloader templates in EFI partition if available. -# Args: IMAGE_BIN KERNEL +# Args: LOOPDEV KERNEL update_legacy_bootloader() { - local image="$1" + local loopdev="$1" local loop_kern="$2" local esp_dir - if ! esp_dir="$(mount_image_esp "${image}")"; then + if ! esp_dir="$(mount_image_esp "${loopdev}")"; then error "Could not mount EFI partition for updating legacy bootloader cfg." return 1 elif [[ -z "${esp_dir}" ]]; then - info "Not updating legacy bootloader configs: ${image}" + info "Not updating legacy bootloader configs: ${loopdev}" return 0 fi @@ -1014,9 +1014,9 @@ sign_image_file() { local loopdev=$(loopback_partscan "${output}") local loop_kern="${loopdev}p${dm_partno}" - resign_firmware_payload "${output}" - resign_android_image_if_exists "${output}" - sign_uefi_binaries "${output}" + resign_firmware_payload "${loopdev}" + resign_android_image_if_exists "${loopdev}" + sign_uefi_binaries "${loopdev}" # We do NOT strip /boot for factory installer, since some devices need it to # boot EFI. crbug.com/260512 would obsolete this requirement. # @@ -1038,7 +1038,7 @@ sign_image_file() { if [[ "${image_type}" == "recovery" ]]; then update_recovery_kernel_hash "${loopdev}" fi - if ! update_legacy_bootloader "${output}" "${loop_kern}"; then + if ! update_legacy_bootloader "${loopdev}" "${loop_kern}"; then # Error is already logged. return 1 fi -- cgit v1.2.1