signing-script: Update COS signing script to support the new dm format.
Updated the COS signing script to support both the old and the new version.
BUG=b/240174341
BRANCH=None
TEST=presubmit
RELEASE_NOTE=None
Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
Change-Id: I8a8747e23ed0dd9cac33824dbd48ab0295864937
Reviewed-on: https://cos-review.googlesource.com/c/third_party/platform/vboot_reference/+/36692
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
diff --git a/scripts/image_signing/sign_official_cos_build.sh b/scripts/image_signing/sign_official_cos_build.sh
index 1e859c9..3b99c0f 100755
--- a/scripts/image_signing/sign_official_cos_build.sh
+++ b/scripts/image_signing/sign_official_cos_build.sh
@@ -98,14 +98,56 @@
# reused. crosbug.com/19543
# get_verity_arg <commandline> <key> -> <value>
+# dm-verity old version(0) has key value pair for all verity args
+# Ex: "dm=1 vroot none ro 1,0 4077568 verity
+# payload=PARTUUID=62878627-9962-574A-9B44-1A231DBFD5B5
+# hashtree=PARTUUID=62878627-9962-574A-9B44-1A231DBFD5B5 hashstart=4077568
+# alg=sha256
+# root_hexdigest=85796f88c1d2eb6c108881054a234afc1b6dad2851324c6f5b1be81aa0ffa14
+# salt=d5582575b3993bbb0d30bd16bd74e0011ccbbbcee58e4757dce2d8ed6c5226e8"
+#
+# dm-verity new version(1) has all arguments as positional arguments.
+# Ex: "dm-mod.create=vroot,,,ro,0 4077568 verity 0
+# PARTUUID=2541852D-1C88-9443-BDB3-81E212A0CED1
+# PARTUUID=2541852D-1C88-9443-BDB3-81E212A0CED1 4096 4096 509696 509696 sha256
+# e68c29018b3b6923282990fbd5ea2c35fb5e4c22c9efe944eb84f2dfb8732daf
+# 7389b4ebde0f5a43c4ea0e54adbc1258765651596df5beee6b4503152aa64684"
get_verity_arg() {
- echo "$1" | sed -n "s/.*\b$2=\([^ \"]*\).*/\1/p"
+ local verity_arg=$1
+ local arg=$2
+ if [[ ${dm_verity_version} -eq 0 ]]
+ then
+ echo "$1" | sed -n "s/.*\b$2=\([^ \"]*\).*/\1/p"
+ elif [[ ${dm_verity_version} -eq 1 ]]
+ then
+ case "$arg" in
+ payload)
+ echo "${verity_arg}" | awk '{print $5}'
+ ;;
+ hashtree)
+ echo "${verity_arg}" | awk '{print $6}'
+ ;;
+ hashstart)
+ hashstart=$(echo "${verity_arg}" | awk '{print $10}')
+ hashstart=$(($hashstart<<3))
+ ;;
+ alg)
+ echo "${verity_arg}" | awk '{print $11}'
+ ;;
+ root_hexdigest)
+ echo "${verity_arg}" | awk '{print $12}'
+ ;;
+ salt)
+ echo "${verity_arg}" | awk '{print $13}'
+ ;;
+ esac
+ fi
}
# Get the dmparams parameters from a kernel config.
get_dmparams_from_config() {
local kernel_config=$1
- echo ${kernel_config} | sed -nre 's/.*dm="([^"]*)".*/\1/p'
+ echo ${kernel_config} | sed -nre "s/.*$dm_str\"([^\"]*)\".*/\1/p"
}
# Get the verity root digest hash from a kernel config command line.
get_hash_from_config() {
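Review bot: The version-1 `hashstart` arm of the new case statement never prints its result: it assigns `hashstart` (an undeclared global, not a `local`) and shifts it, but there is no `echo`, so `get_verity_arg … hashstart` returns an empty string under the new format while every other arm writes to stdout. A minimal fix for that arm is `local hashstart; hashstart=$(echo "${verity_arg}" | awk '{print $10}'); echo "$((hashstart << 3))"`. The `<< 3` presumably converts hash-block units to 512-byte sectors assuming 4096-byte blocks; if the block size can vary, field `$8` of the table carries it and should drive the conversion — confirm against the images this script signs. A smaller style point: the version-0 branch still uses `$1`/`$2` even though the hunk introduces `verity_arg` and `arg` for exactly those values.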
@@ -115,13 +157,26 @@
echo $(get_verity_arg "${vroot_dev}" root_hexdigest)
}
+get_alg_from_config() {
+ local kernel_config=$1
+ local dm_config=$(get_dmparams_from_config "${kernel_config}")
+ local vroot_dev=$(get_dm_slave "${dm_config}" vroot)
+ echo $(get_verity_arg "${vroot_dev}" alg)
+}
+
# Get the slave device and its args
# get_dm_ags $dm_config [vboot|vroot]
# Assumes we have only one slave device per device
get_dm_slave() {
local dm=$1
local device=$2
- echo $(echo "${dm}" | sed -nre "s/.*${device}[^,]*,([^,]*).*/\1/p")
+ if [[ $dm_verity_version -eq 0 ]]
+ then
+ echo $(echo "${dm}" | sed -nre "s/.*${device}[^,]*,([^,]*).*/\1/p")
+ elif [[ $dm_verity_version -eq 1 ]]
+ then
+ echo $(echo "${dm}" | awk -F, '{print $NF}')
+ fi
}
# Set the slave device and its args for a device
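Review bot: get_alg_from_config is added without a header comment, while its neighbours get_hash_from_config, get_dmparams_from_config and get_dm_slave each carry one; suggest `# Get the verity hash algorithm (alg) from a kernel config command line.` above it. It is also worth stating in that comment that the result depends on the script-wide `dm_verity_version` global (through get_verity_arg), since nothing in the function's parameter list reveals that dependency. Like its sibling, it uses `local x=$(...)`, which masks the command's exit status; acceptable for consistency here, but the new get_dm_slave branch for version 1 (`awk -F, '{print $NF}'`) silently yields the whole string if no comma is present, so an empty or malformed dm config is not distinguishable from a parsed one.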
@@ -174,13 +229,21 @@
alg=${verity_algorithm} \
payload="${rootfs_image}" \
payload_blocks=$((rootfs_sectors / 8)) \
- hashtree="${hash_image}" ${salt_arg})
+ hashtree="${hash_image}" ${salt_arg} version="${dm_verity_version}")
# Reconstruct new kernel config command line and replace placeholders.
slave="$(echo "${slave}" |
sed -s "s|ROOT_DEV|${root_dev}|g;s|HASH_DEV|${hash_dev}|")"
- CALCULATED_DM_ARGS="$(set_dm_slave "${dm_config}" vroot "${slave}")"
- CALCULATED_KERNEL_CONFIG="$(echo "${kernel_config}" |
+ if [[ ${dm_verity_version} -eq 0 ]]
+ then
+ CALCULATED_DM_ARGS="$(set_dm_slave "${dm_config}" vroot "${slave}")"
+ CALCULATED_KERNEL_CONFIG="$(echo "${kernel_config}" |
sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${CALCULATED_DM_ARGS}\3#g")"
+ elif [[ ${dm_verity_version} -eq 1 ]]
+ then
+ CALCULATED_DM_ARGS="vroot,,,ro,""${slave}"
+ CALCULATED_KERNEL_CONFIG="$(echo "${kernel_config}" |
+ sed -e "s#\(.*$dm_str\"\)\([^\"]*\)\(\".*\)""#\1${CALCULATED_DM_ARGS}\3#g")"
+ fi
}
# Re-calculate rootfs hash, update rootfs and kernel command line(s).
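Review bot: `$dm_str` is interpolated unescaped into the sed basic-regex on the version-1 line of this hunk, so the `.` in `dm-mod.create=` matches any character; the same unescaped use appears in get_dmparams_from_config (first hunk) and in the next hunk's `new_kernel_config` sed. It is harmless with the two strings assigned today, but since the variable only ever feeds sed, assigning it in regex-safe form (`dm_str="dm-mod\\.create="`) or escaping at the point of use would make the matches literal. Separately, `CALCULATED_DM_ARGS="vroot,,,ro,""${slave}"` hard-codes the dm table prefix rather than deriving it from `${dm_config}`; if that prefix is fixed by construction for the images this script signs, a one-line comment saying so would stop a future reader from treating it as a bug. The enclosing function starts outside this hunk.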
@@ -266,7 +329,7 @@
continue
fi
new_kernel_config="$(echo "${new_kernel_config}" |
- sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${dm_args}\3#g")"
+ sed -e "s#\(.*$dm_str\"\)\([^\"]*\)\(\".*\)""#\1${dm_args}\3#g")"
info "New config for kernel partition ${kernelpart} is:"
echo "${new_kernel_config}" | tee "${temp_config}"
# Re-calculate kernel partition signature and command line.
@@ -598,6 +661,7 @@
# If we can't find the dm parameter in the kernel config, bail out now.
local kernel_config=$(sudo dump_kernel_config "${loop_kern}")
local root_hexdigest="$(get_hash_from_config "${kernel_config}")"
+ local alg="$(get_alg_from_config "${kernel_config}")"
if [[ -z "${root_hexdigest}" ]]; then
error "Couldn't grab root_digest from kernel partition ${loop_kern}"
error " (config: ${kernel_config})"
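Review bot: `alg` is fetched on the new line but never validated, whereas `root_hexdigest` is checked for emptiness right below it; in the version-1 branches of the hunk at L140-L193 an empty `alg` turns the replacement into `s/ [a-f0-9]+/ <digest>/g`, which rewrites every space-separated run of hex digits in the boot configs (block sizes and sector counts included), not just the digest. Suggest a check next to the existing one, failing the same way that path does: `if [[ ${dm_verity_version} -eq 1 && -z "${alg}" ]]; then error "Couldn't grab alg from kernel partition ${loop_kern}"; return 1; fi`. The enclosing function starts and ends outside this hunk, so I am inferring the `return 1` from the error handling visible later in the file.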
@@ -606,21 +670,43 @@
# Update syslinux configs for legacy BIOS systems.
if [[ -d "${esp_dir}/syslinux" ]]; then
local cfg=("${esp_dir}"/syslinux/*.cfg)
- if ! sudo sed -i -r \
- "s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g" \
- "${cfg[@]}"; then
- error "Updating syslinux configs failed: '${cfg[*]}'"
- return 1
+ if [[ $dm_verity_version -eq 0 ]]
+ then
+ if ! sudo sed -i -r \
+ "s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g" \
+ "${cfg[@]}"; then
+ error "Updating syslinux configs failed: '${cfg[*]}'"
+ return 1
+ fi
+ elif [[ $dm_verity_version -eq 1 ]]
+ then
+ if ! sudo sed -i -r \
+ "s/${alg} [a-f0-9]+/${alg} ${root_hexdigest}/g" \
+ "${cfg[@]}"; then
+ error "Updating syslinux configs failed: '${cfg[*]}'"
+ return 1
+ fi
fi
fi
# Update grub configs for EFI systems.
local grub_cfg="${esp_dir}/efi/boot/grub.cfg"
if [[ -f "${grub_cfg}" ]]; then
- if ! sudo sed -i -r \
- "s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g" \
- "${grub_cfg}"; then
- error "Updating grub config failed: '${grub_cfg}'"
- return 1
+ if [[ $dm_verity_version -eq 0 ]]
+ then
+ if ! sudo sed -i -r \
+ "s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g" \
+ "${grub_cfg}"; then
+ error "Updating grub config failed: '${grub_cfg}'"
+ return 1
+ fi
+ elif [[ $dm_verity_version -eq 1 ]]
+ then
+ if ! sudo sed -i -r \
+ "s/${alg} [a-f0-9]+/${alg} ${root_hexdigest}/g" \
+ "${grub_cfg}"; then
+ error "Updating grub config failed: '${grub_cfg}'"
+ return 1
+ fi
fi
fi
}
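Review bot: The version dispatch and the two sed expressions are now duplicated verbatim between the syslinux and grub blocks, so a future change to either pattern has to be made in four places. Building the sed expression once before the two config updates keeps each block to a single `sudo sed -i -r "${digest_sed}" …` call and makes the version-specific patterns visible side by side. The sketch below uses `else` for version 1 because the detection code in the last hunk only ever assigns 0 or 1; keep the `elif` if other values are possible. The enclosing function starts outside this hunk.
```shell
  # Build the digest-replacing sed expression once; both config updates use it.
  local digest_sed
  if [[ ${dm_verity_version} -eq 0 ]]; then
    digest_sed="s/\broot_hexdigest=[a-z0-9]+/root_hexdigest=${root_hexdigest}/g"
  else
    digest_sed="s/${alg} [a-f0-9]+/${alg} ${root_hexdigest}/g"
  fi
  # Update syslinux configs for legacy BIOS systems.
  if [[ -d "${esp_dir}/syslinux" ]]; then
    local cfg=("${esp_dir}"/syslinux/*.cfg)
    if ! sudo sed -i -r "${digest_sed}" "${cfg[@]}"; then
      error "Updating syslinux configs failed: '${cfg[*]}'"
      return 1
    fi
  fi
  # … unchanged: grub block, with the same single sed call using "${digest_sed}" …
```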
@@ -662,6 +748,14 @@
# config.
local loop_kerna="${loopdev}p2"
local kerna_config="$(sudo dump_kernel_config "${loop_kerna}")"
+ if echo "${kerna_config}" | grep -q "dm="
+ then
+ dm_str="dm="
+ dm_verity_version=0
+ else
+ dm_str="dm-mod.create="
+ dm_verity_version=1
+ fi
if [[ "${image_type}" != "factory_install" &&
" ${kerna_config} " != *" cros_legacy "* &&
" ${kerna_config} " != *" cros_efi "* ]]; then
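Review bot: `dm_str` and `dm_verity_version` are assigned here as undeclared globals inside a function, with nothing marking them as the script-wide switches that get_verity_arg, get_dmparams_from_config, get_dm_slave and the config-update code all read. If any of those helpers runs before this detection (I cannot see every call site), bash evaluates `[[ "" -eq 0 ]]` as true, so the old format is silently assumed with an empty `dm_str`; initialising both at file level with a comment such as `# Kernel dm format detected from partition 2; set in <this function>, read by get_verity_arg and friends.` would make the dependency explicit, and an `-u`-style guard (`: "${dm_verity_version:?format not detected}"`) in the readers would catch the ordering bug. The detection itself is a bare substring test, `grep -q "dm="`, which would also match any other parameter ending in `dm=`; anchoring it, e.g. `grep -qE '(^| )dm='`, keeps the match to the parameter name.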