signer: syncronize image packing to what we have in build image phase.

This follows steps we have in build image phase to have parity in image
packing.
  * Drop the step that reapplies the SELinux context. It looks
    unnecessary, since re-signing should not change the SELinux context.
    Instead we can do as the build image phase does and pass the file
    context to mksquashfs
  * Apply mksquashfs params based on image type, container/vm. This
    fixes proper block size and image compression algorithm
  * Remove old image before packing to prevent mksquashfs merge attempt

BUG=b:170400225
BUG=b:170220295
BUG=b:170219920
BRANCH=none
TEST=locally signed vm (kohaku) and container (hana): arc.Optin*,
     arc.Preopt*. Also checked final image size. With this CL it is
     reduced to 150Mb(vm) and very close to original image size
     (delta is less than 0.1%)

Signed-off-by: Yury Khmel <khmel@chromium.org>
Change-Id: I7037bea68fc2969345a8fabc3c6a9b9b690f02d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2462005
Reviewed-by: Yusuke Sato <yusukes@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Tested-by: Yury Khmel <khmel@google.com>
Auto-Submit: Yury Khmel <khmel@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index b9b1082..28534fc 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -228,26 +228,6 @@
   popd > /dev/null
 }
 
-# Restore SELinux context.  This has to run after all file changes, before
-# creating the new squashfs image.
-reapply_file_security_context() {
-  local system_mnt=$1
-  local root_fs_dir=$2
-
-  info "Reapplying file security context"
-
-  local selinux_dir="${root_fs_dir}/etc/selinux"
-  local file_contexts="${selinux_dir}/arc/contexts/files/android_file_contexts"
-  if [[ ! -f "${file_contexts}" ]]; then
-    file_contexts="${file_contexts}_vm"
-    if [[ ! -f "${file_contexts}" ]]; then
-      die "Can't find Android's file contexts"
-    fi
-  fi
-
-  sudo /sbin/setfiles -v -r "${system_mnt}" "${file_contexts}" "${system_mnt}"
-}
-
 # Snapshot file properties in a directory recursively.
 snapshot_file_properties() {
   local dir=$1
@@ -257,6 +237,29 @@
 main() {
   local root_fs_dir=$1
   local key_dir=$2
+
+  # Detect vm/container type and set environment correspondingly.
+  # Keep this aligned with
+  # src/private-overlays/project-cheets-private/scripts/board_specific_setup.sh
+  local system_image=""
+  local compression_flags=""
+  local selinux_dir="${root_fs_dir}/etc/selinux"
+  local file_contexts=""
+  local vm_candidate="${root_fs_dir}/opt/google/vms/android/system.raw.img"
+  local container_candidate=(
+      "${root_fs_dir}/opt/google/containers/android/system.raw.img")
+  if [[ -f "${vm_candidate}" ]]; then
+    system_image="${vm_candidate}"
+    compression_flags="-comp lz4 -Xhc -b 256K"
+    file_contexts="${selinux_dir}/arc/contexts/files/android_file_contexts_vm"
+  elif [[ -f "${container_candidate}" ]]; then
+    system_image="${container_candidate}"
+    compression_flags="-comp gzip"
+    file_contexts="${selinux_dir}/arc/contexts/files/android_file_contexts"
+  else
+    die "System image does not exist"
+  fi
+
   local android_system_image="$(echo \
     "${root_fs_dir}"/opt/google/*/android/system.raw.img)"
   local android_dir=$(dirname "${android_system_image}")
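Review bot: `file_contexts` is chosen here and later passed to `-context-file` with no existence check, whereas the removed `reapply_file_security_context` died with "Can't find Android's file contexts" when the file was missing. The SELinux labels in the re-signed image now come only from this file, so a guard after the if/else keeps that failure explicit: `[[ -f "${file_contexts}" ]] || die "Can't find Android's file contexts"`. `container_candidate` is declared as a one-element array but read as `${container_candidate}`, which works only because that expands to element 0; a plain string like `vm_candidate` would be clearer. `system_image` is assigned here, but the lines just below still derive `android_system_image` from the `*/android` glob, so the two could disagree if both a vm and a container image are present. main continues outside this hunk.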
@@ -284,8 +287,6 @@
 
   local working_dir=$(make_temp_dir)
   local system_mnt="${working_dir}/mnt"
-  local compression_method=$(sudo unsquashfs -s "${system_img}" | \
-      awk '$1 == "Compression" { print $2 }')
 
   info "Unpacking squashfs system image to ${system_mnt}"
   sudo "${unsquashfs}" -x -f -no-progress -d "${system_mnt}" "${system_img}"
@@ -295,7 +296,6 @@
   sign_framework_apks "${system_mnt}" "${key_dir}"
   update_sepolicy "${system_mnt}" "${key_dir}"
   replace_ota_cert "${system_mnt}" "${key_dir}/releasekey.x509.pem"
-  reapply_file_security_context "${system_mnt}" "${root_fs_dir}"
 
   # Validity check.
   snapshot_file_properties "${system_mnt}" > "${working_dir}/properties.new"
@@ -348,9 +348,13 @@
 
   info "Repacking squashfs image"
   local old_size=$(stat -c '%s' "${system_img}")
-  # Overwrite the original image.
-  sudo "${mksquashfs}" "${system_mnt}" "${system_img}" \
-      -no-progress -comp "${compression_method}" -noappend
+  # Remove old system image to prevent mksquashfs tries to merge both images.
+  sudo rm -rf "${system_img}"
+  # Note, compression_flags is a combination of flags. Keep this aligned with
+  # src/private-overlays/project-cheets-private/scripts/board_specific_setup.sh
+  sudo mksquashfs "${system_mnt}" "${system_img}" \
+    ${compression_flags} -context-file "${file_contexts}" -mount-point "/" \
+    -no-progress
   local new_size=$(stat -c '%s' "${system_img}")
   info "Android system image size change: ${old_size} -> ${new_size}"
 }
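Review bot: The repack now runs a bare `mksquashfs` under sudo, while the removed line used `"${mksquashfs}"` and the unpack step still uses `"${unsquashfs}"`. Those variables are defined outside the visible hunks; if they pin a specific tool path, the signer now runs whatever sudo's PATH resolves, and `sudo "${mksquashfs}" "${system_mnt}" "${system_img}" \` would keep the two steps on the same toolchain. Deleting `${system_img}` first means a failed mksquashfs leaves the rootfs with no system image; the removed `-noappend` flag already avoids the append, or the new image could be written under `${working_dir}` and moved into place on success. `${compression_flags}` is expanded unquoted on purpose, so a comment such as `# shellcheck disable=SC2086 - intentional word splitting` or an array would make that explicit. main starts outside this hunk.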