scripts: add new scripts for configuring UKI reset_uki_cmdline.sh empties the compiled-in command line. This is necessary for the grub boot path to work, and the grub boot path is configured by default. It will be used for unsigned images in vmtests. set_uki_boot.sh configures the image to use a no-grub boot path. This has to be run after signing occurs, because signing changes the kernel command line and assumes that grub.cfg will work. BUG=b/465210631 TEST=Local run on cchostdebug-amd64-gcp, result image booted RELEASE_NOTE=None Change-Id: Ia154ea68cde59e468677e80ac85e54847d51bebe Reviewed-on: https://cos-review.googlesource.com/c/third_party/platform/crosutils/+/143644 Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com> Reviewed-by: He Gao <hegao@google.com>
diff --git a/reset_uki_cmdline.sh b/reset_uki_cmdline.sh
new file mode 100755
index 0000000..e5fe01e
--- /dev/null
+++ b/reset_uki_cmdline.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+#
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+SCRIPT_ROOT="$(dirname "$(readlink -f "$0")")"
+# shellcheck source=build_library/build_common.sh
+. "${SCRIPT_ROOT}/build_library/build_common.sh" || exit 1
+
+DEFINE_string image_path "" \
+ "Path to image to reset UKI cmdline on"
+DEFINE_string board "${DEFAULT_BOARD}" \
+ "Board of the input image"
+
+FLAGS "$@" || exit 1
+
+eval set -- "${FLAGS_ARGV}"
+
+switch_to_strict_mode
+
+# N.B. Ordering matters for some of the libraries below, because
+# some of the files contain initialization used by later files.
+# shellcheck source=build_library/board_options.sh
+. "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
+# shellcheck source=build_library/disk_layout_util.sh
+. "${BUILD_LIBRARY_DIR}/disk_layout_util.sh" || exit 1
+# shellcheck source=build_library/mount_gpt_util.sh
+. "${BUILD_LIBRARY_DIR}/mount_gpt_util.sh" || exit 1
+# shellcheck source=build_library/build_image_util.sh
+. "${BUILD_LIBRARY_DIR}/build_image_util.sh" || exit 1
+# shellcheck source=build_library/base_image_util.sh
+. "${BUILD_LIBRARY_DIR}/base_image_util.sh" || exit 1
+# shellcheck source=build_library/dev_image_util.sh
+. "${BUILD_LIBRARY_DIR}/dev_image_util.sh" || exit 1
+# shellcheck source=build_library/test_image_util.sh
+. "${BUILD_LIBRARY_DIR}/test_image_util.sh" || exit 1
+# shellcheck source=build_library/selinux_util.sh
+. "${BUILD_LIBRARY_DIR}/selinux_util.sh" || exit 1
+
+reset_cmdline() {
+ local image=$1
+ local kernel=$2
+ local tmpdir="$(mktemp -d)"
+ local root_fs_dir="${tmpdir}/rootfs"
+ local stateful_fs_dir="${tmpdir}/stateful"
+ local esp_fs_dir="${tmpdir}/esp"
+ local vmlinux="/build/${BOARD}/usr/src/linux/build/vmlinux"
+
+ trap "check_full_disk ; unmount_image ; rm -r ${tmpdir}" EXIT
+ mount_image "${image}" "${root_fs_dir}" "${stateful_fs_dir}" \
+ "${esp_fs_dir}" --safe
+
+ sudo mv "${esp_fs_dir}/${kernel}" "${esp_fs_dir}/efi/boot/bootx64.efi"
+
+ unmount_image
+ trap - EXIT
+
+ PATH=$PATH:/sbin cos_kernel_args --vmlinux "${vmlinux}" \
+ sed --command "s|.*||g" "${image}"
+
+ trap "check_full_disk ; unmount_image ; rm -r ${tmpdir}" EXIT
+ mount_image "${image}" "${root_fs_dir}" "${stateful_fs_dir}" \
+ "${esp_fs_dir}" --safe
+
+ sudo mv "${esp_fs_dir}/efi/boot/bootx64.efi" "${esp_fs_dir}/${kernel}"
+ sudo cp "${esp_fs_dir}/efi/boot/shimx64.efi" \
+ "${esp_fs_dir}/efi/boot/bootx64.efi"
+
+ unmount_image
+ trap - EXIT
+}
+
+main() {
+ local image="${FLAGS_image_path}"
+ if [[ -z "${image}" ]]; then
+ error "Must set --image_path flag"
+ exit 1
+ fi
+
+ info "Entering reset_uki_cmdline.sh $*"
+
+ reset_cmdline "${image}" "/syslinux/vmlinuz.A"
+ reset_cmdline "${image}" "/syslinux/vmlinuz.B"
+}
+
+main "$@"
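Review bot: `reset_cmdline` clears its EXIT trap after each `unmount_image` but never removes `${tmpdir}`, so every call (the script makes two) leaves the `mktemp -d` tree behind; add `rm -r "${tmpdir}"` before the final `trap - EXIT`, as `set_uki_boot.sh` does. `local tmpdir="$(mktemp -d)"` returns the status of `local`, so a failed `mktemp` goes unnoticed and the mount points become `/rootfs`, `/stateful` and `/esp`; declare first (`local tmpdir`) and assign on the next line (`tmpdir="$(mktemp -d)"`), and the same applies to `main` in `set_uki_boot.sh`. The trap string also expands `${tmpdir}` unquoted, which `trap "check_full_disk ; unmount_image ; rm -r '${tmpdir}'" EXIT` would avoid. No trap is installed while `cos_kernel_args` runs, so a failure there leaves the kernel sitting at `efi/boot/bootx64.efi` inside the image with nothing moving it back; a comment stating that the image must be rebuilt in that case would help.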
diff --git a/set_uki_boot.sh b/set_uki_boot.sh
new file mode 100755
index 0000000..2e87dc7
--- /dev/null
+++ b/set_uki_boot.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+#
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+SCRIPT_ROOT="$(dirname "$(readlink -f "$0")")"
+# shellcheck source=build_library/build_common.sh
+. "${SCRIPT_ROOT}/build_library/build_common.sh" || exit 1
+
+DEFINE_string image_path "" \
+ "Path to image to set UKI boot on"
+DEFINE_string board "${DEFAULT_BOARD}" \
+ "Board of the input image"
+
+FLAGS "$@" || exit 1
+
+eval set -- "${FLAGS_ARGV}"
+
+switch_to_strict_mode
+
+# N.B. Ordering matters for some of the libraries below, because
+# some of the files contain initialization used by later files.
+# shellcheck source=build_library/board_options.sh
+. "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
+# shellcheck source=build_library/disk_layout_util.sh
+. "${BUILD_LIBRARY_DIR}/disk_layout_util.sh" || exit 1
+# shellcheck source=build_library/mount_gpt_util.sh
+. "${BUILD_LIBRARY_DIR}/mount_gpt_util.sh" || exit 1
+# shellcheck source=build_library/build_image_util.sh
+. "${BUILD_LIBRARY_DIR}/build_image_util.sh" || exit 1
+# shellcheck source=build_library/base_image_util.sh
+. "${BUILD_LIBRARY_DIR}/base_image_util.sh" || exit 1
+# shellcheck source=build_library/dev_image_util.sh
+. "${BUILD_LIBRARY_DIR}/dev_image_util.sh" || exit 1
+# shellcheck source=build_library/test_image_util.sh
+. "${BUILD_LIBRARY_DIR}/test_image_util.sh" || exit 1
+# shellcheck source=build_library/selinux_util.sh
+. "${BUILD_LIBRARY_DIR}/selinux_util.sh" || exit 1
+
+main() {
+ local image="${FLAGS_image_path}"
+ if [[ -z "${image}" ]]; then
+ error "Must set --image_path flag"
+ exit 1
+ fi
+
+ info "Entering set_uki_boot $*"
+
+ local vmlinux="/build/${BOARD}/usr/src/linux/build/vmlinux"
+ local cmdline
+ cmdline="$(PATH=$PATH:/sbin cos_kernel_args \
+ --vmlinux $vmlinux show "${image}")"
+ local tmpdir="$(mktemp -d)"
+ local root_fs_dir="${tmpdir}/rootfs"
+ local stateful_fs_dir="${tmpdir}/stateful"
+ local esp_fs_dir="${tmpdir}/esp"
+
+ trap "check_full_disk ; unmount_image ; rm -r ${tmpdir}" EXIT
+ mount_image "${image}" "${root_fs_dir}" "${stateful_fs_dir}" \
+ "${esp_fs_dir}" --safe
+
+ if [[ ! -f "${esp_fs_dir}/syslinux/vmlinuz.A" ]]; then
+ info "This image appears to have already been processed by this script; not taking action"
+ exit 0
+ fi
+
+ sudo rm -f "${esp_fs_dir}/efi/boot/bootx64.efi"
+ sudo mv "${esp_fs_dir}/syslinux/vmlinuz.A" \
+ "${esp_fs_dir}/efi/boot/bootx64.efi"
+ sudo rm -rf "${esp_fs_dir}/boot"
+ sudo rm -f "${esp_fs_dir}/efi/boot/grub.cfg"
+ sudo rm -f "${esp_fs_dir}/efi/boot/grub-lakitu.efi"
+ sudo rm -f "${esp_fs_dir}/efi/boot/shimx64.efi"
+
+ unmount_image
+ rm -r "${tmpdir}"
+ trap - EXIT
+
+ sudo cos_kernel_args --vmlinux $vmlinux \
+ sed --command "s|.*|${cmdline}|g" "${image}"
+}
+
+main "$@"
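Review bot: The final `sed --command "s|.*|${cmdline}|g"` in `main` interpolates the captured command line into a substitution, so a `|`, `&` or backslash in it would break or silently alter the replacement (assuming `cos_kernel_args sed` follows sed syntax); escape it first, e.g. `cmdline="$(printf '%s' "${cmdline}" | sed -e 's/[\\&|]/\\&/g')"`. The ESP is stripped of `grub.cfg`, the shim and grub before anything checks that `show` returned a non-empty value, so an empty `cmdline` would presumably yield an image that boots with no kernel arguments; a guard such as `[[ -n "${cmdline}" ]] || { error "Empty kernel command line"; exit 1; }` placed before `mount_image` closes that. `$vmlinux` is unquoted in both `cos_kernel_args` calls, and only the second call runs under `sudo` while only the first extends `PATH`, which deserves either a comment or alignment.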