#!/bin/sh
#
# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# This script can change key (usually developer keys) and kernel config
# of kernels on a disk image (usually for SSD but also works for USB).

# Helper functions are sourced from the directory this script lives in, so the
# script and common_minimal.sh must be installed together.
SCRIPT_BASE="$(dirname "$0")"
. "${SCRIPT_BASE}/common_minimal.sh"
load_shflags || exit 1

# Constants used by DEFINE_*
VBOOT_BASE='/usr/share/vboot'
# Default signing keys: the developer key set under $VBOOT_BASE.
DEFAULT_KEYS_FOLDER="${VBOOT_BASE}/devkeys"
# Where the original kernel blobs are copied before being overwritten.
DEFAULT_BACKUP_FOLDER='/mnt/stateful_partition/backups'
# Partition numbers examined when --partitions is not given.
DEFAULT_PARTITIONS='2 4'

# TODO(hungte) The default image selection is no longer a SSD, so the script
# works more like "make_dev_image".  We may change the file name in future.
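# Device the running system booted from. stderr is discarded, so these values
# are simply empty when rootdev is missing or fails.
ROOTDEV="$(rootdev -s 2>/dev/null)"
# Trailing partition number of $ROOTDEV. The prefix pattern has to end on a
# non-digit: with a bare greedy ".*" only the last digit is captured, so a
# two-digit partition number would be truncated to its final digit.
ROOTDEV_PARTITION="$(printf '%s\n' "$ROOTDEV" |
                     sed -n 's/.*[^0-9]\([0-9][0-9]*\)$/\1/p')"
ROOTDEV_DISK="$(rootdev -s -d 2>/dev/null)"
# Kernel partition index is computed as the rootfs partition index minus one.
# An empty ROOTDEV_PARTITION evaluates as 0 here, giving -1.
ROOTDEV_KERNEL="$((ROOTDEV_PARTITION - 1))"

# DEFINE_string name default_value description flag
DEFINE_string image "$ROOTDEV_DISK" "Path to device or image file" "i"
DEFINE_string keys "$DEFAULT_KEYS_FOLDER" "Path to folder of dev keys" "k"
# Security-relevant: turns off rootfs integrity verification in the kernel
# boot configuration. Off by default.
DEFINE_boolean remove_rootfs_verification \
  "$FLAGS_FALSE" "Modify kernel boot config to disable rootfs verification" ""
DEFINE_string backup_dir \
  "$DEFAULT_BACKUP_FOLDER" "Path of directory to store kernel backups" ""
DEFINE_string save_config "" \
  "Base filename to store kernel configs to, instead of resigning." ""
DEFINE_string set_config "" \
  "Base filename to load kernel configs from" ""
DEFINE_string partitions "" \
  "List of partitions to examine (default: $DEFAULT_PARTITIONS)" ""
DEFINE_boolean recovery_key "$FLAGS_FALSE" \
  "Use recovery key to sign image (to boot from USB" ""
# Security-relevant: --force skips the live-system sanity checks.
DEFINE_boolean force "$FLAGS_FALSE" "Skip sanity checks and make the change" "f"

# Parse command line
FLAGS "$@" || exit 1
# Flattened copy of the arguments; the visible uses only print it inside
# suggested command lines, so joining into one string ("$*") is intended.
ORIGINAL_PARAMS="$*"
# shflags idiom: FLAGS_ARGV holds the remaining arguments already quoted by
# shflags. NOTE(review): eval is acceptable only because that string is
# generated by the flag parser; never feed other data through this line.
eval set -- "$FLAGS_ARGV"
# Remember whether the user chose partitions explicitly before the default is
# filled in; the live-partition sanity check depends on the difference.
ORIGINAL_PARTITIONS="$FLAGS_partitions"
: "${FLAGS_partitions:=$DEFAULT_PARTITIONS}"

# Globals
# ----------------------------------------------------------------------------
set -e

# a log file to keep the output results of executed command
EXEC_LOG="$(make_temp_file)"

# Functions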
5920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin# ---------------------------------------------------------------------------- 6020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 6120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin# Removes rootfs verification from kernel boot parameter 6220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Linremove_rootfs_verification() { 63a7a879e0fbada0dd148781dfe325f4c7dc09c31bHung-Te Lin local new_root="PARTUUID=%U/PARTNROFF=1" 6420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin echo "$*" | sed ' 6542f02139d522cc787630ee95ecf654f4410175e5Hung-Te Lin s| root=/dev/dm-[0-9] | root='"$new_root"' | 668f15d74fd64e4a4d98471221948cc8f1fde127e2Hung-Te Lin s| dm_verity.dev_wait=1 | dm_verity.dev_wait=0 | 678f15d74fd64e4a4d98471221948cc8f1fde127e2Hung-Te Lin s| payload=PARTUUID=%U/PARTNROFF=1 | payload=ROOT_DEV | 688f15d74fd64e4a4d98471221948cc8f1fde127e2Hung-Te Lin s| hashtree=PARTUUID=%U/PARTNROFF=1 | hashtree=HASH_DEV | 69b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin s| ro | rw |' 70b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin} 71b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin 72b5633c6f65ac593769d615970a146717ee4d328cHung-Te Linremove_legacy_boot_rootfs_verification() { 73b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin # See src/scripts/create_legacy_bootloader_templates 74b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin local image="$1" 75b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin local mount_point="$(make_temp_dir)" 76b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin local config_file 77b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin debug_msg "Removing rootfs verification for legacy boot configuration." 78b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin mount_image_partition "$image" 12 "$mount_point" || return $FLAGS_FALSE 79b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin config_file="$mount_point/efi/boot/grub.cfg" 80b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin [ ! 
-f "$config_file" ] || 81b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin sudo sed -i 's/^ *set default=2 *$/set default=0/g' "$config_file" 82b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin config_file="$mount_point/syslinux/default.cfg" 83b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin [ ! -f "$config_file" ] || 84b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin sudo sed -i 's/-vusb/-usb/g; s/-vhd/-hd/g' "$config_file" 85b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin sudo umount "$mount_point" 86b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin} 87b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin 8820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin# Wrapped version of dd 8920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Linmydd() { 9020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin # oflag=sync is safer, but since we need bs=512, syncing every block would be 9120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin # very slow. 9220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin dd "$@" >"$EXEC_LOG" 2>&1 || 9320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin err_die "Failed in [dd $@], Message: $(cat "$EXEC_LOG")" 9420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin} 9520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 9620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin# Prints a more friendly name from kernel index number 9720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lincros_kernel_name() { 9820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin case $1 in 9920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 2) 10020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin echo "Kernel A" 10120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin ;; 10220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 4) 10320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin echo "Kernel B" 10420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin ;; 1051615bbff9a55f3d85e6b9d33fd4829afe8b41ad5Bill Richardson 6) 1061615bbff9a55f3d85e6b9d33fd4829afe8b41ad5Bill 
Richardson echo "Kernel C" 1071615bbff9a55f3d85e6b9d33fd4829afe8b41ad5Bill Richardson ;; 10820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin *) 10951b9b8362259f44667117473c2d78f8c9e202286Bill Richardson echo "Partition $1" 11020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin esac 11120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin} 11220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 113c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Linfind_valid_kernel_partitions() { 114c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin local part_id 115c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin local valid_partitions="" 116c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin for part_id in $*; do 117c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin local name="$(cros_kernel_name $part_id)" 118c3b877d8cb2e413816d34ed685c6a35780e07bc8Hung-Te Lin local kernel_part="$(make_partition_dev "$FLAGS_image" "$part_id")" 119c3b877d8cb2e413816d34ed685c6a35780e07bc8Hung-Te Lin if [ -z "$(dump_kernel_config "$kernel_part" 2>"$EXEC_LOG")" ]; then 120c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin echo "INFO: $name: no kernel boot information, ignored." 
>&2 121c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin else 122c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin [ -z "$valid_partitions" ] && 123c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin valid_partitions="$part_id" || 124c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin valid_partitions="$valid_partitions $part_id" 125c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin continue 126c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin fi 127c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin done 128c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "find_valid_kernel_partitions: [$*] -> [$valid_partitions]" 129c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin echo "$valid_partitions" 130c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin} 131c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 13220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin# Resigns a kernel on SSD or image. 13320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Linresign_ssd_kernel() { 13420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin # bs=512 is the fixed block size for dd and cgpt 13520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local bs=512 13620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local ssd_device="$1" 13720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 13820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin # reasonable size for current kernel partition 13926af0da4f7e0fd5cc9410011ca05ff6539bbf42dHung-Te Lin local min_kernel_size=16000 14020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local max_kernel_size=65536 14120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local resigned_kernels=0 14220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 14351b9b8362259f44667117473c2d78f8c9e202286Bill Richardson for kernel_index in $FLAGS_partitions; do 14420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local old_blob="$(make_temp_file)" 14520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local new_blob="$(make_temp_file)" 
14620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local name="$(cros_kernel_name $kernel_index)" 147b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin local rootfs_index="$(($kernel_index + 1))" 14820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 14920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "Probing $name information" 15020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local offset size 15120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin offset="$(partoffset "$ssd_device" "$kernel_index")" || 15220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin err_die "Failed to get partition $kernel_index offset from $ssd_device" 15320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin size="$(partsize "$ssd_device" "$kernel_index")" || 15420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin err_die "Failed to get partition $kernel_index size from $ssd_device" 15520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin if [ ! $size -gt $min_kernel_size ]; then 156b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin echo "INFO: $name seems too small ($size), ignored." 15720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin continue 15820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin fi 15920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin if [ ! $size -le $max_kernel_size ]; then 160b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin echo "INFO: $name seems too large ($size), ignored." 
16120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin continue 16220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin fi 16320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 16420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "Reading $name from partition $kernel_index" 16520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin mydd if="$ssd_device" of="$old_blob" bs=$bs skip=$offset count=$size 16620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 16720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "Checking if $name is valid" 16838ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler local kernel_config 16938ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler if ! kernel_config="$(dump_kernel_config "$old_blob" 2>"$EXEC_LOG")"; then 17020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "dump_kernel_config error message: $(cat "$EXEC_LOG")" 171b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin echo "INFO: $name: no kernel boot information, ignored." 
17220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin continue 17320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin fi 17420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 17538ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler if [ -n "${FLAGS_save_config}" ]; then 17638ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler # Save current kernel config 17738ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler local old_config_file 17838ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler old_config_file="${FLAGS_save_config}.$kernel_index" 17938ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler echo "Saving $name config to $old_config_file" 18038ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler echo "$kernel_config" > "$old_config_file" 18138ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler # Just save; don't resign 18238ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler continue 18338ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler fi 18438ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler 18538ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler if [ -n "${FLAGS_set_config}" ]; then 18638ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler # Set new kernel config from file 18738ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler local new_config_file 18838ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler new_config_file="${FLAGS_set_config}.$kernel_index" 18938ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler kernel_config="$(cat "$new_config_file")" || 19038ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler err_die "Failed to read new kernel config from $new_config_file" 19138ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler debug_msg "New kernel config: $kernel_config)" 19238ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler echo "$name: Replaced config from $new_config_file" 19338ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler fi 19438ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall 
Spangler 19538ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler if [ ${FLAGS_remove_rootfs_verification} = $FLAGS_FALSE ]; then 19638ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler debug_msg "Bypassing rootfs verification check" 19738ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler else 19838ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler debug_msg "Changing boot parameter to remove rootfs verification" 19938ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler kernel_config="$(remove_rootfs_verification "$kernel_config")" 20038ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler debug_msg "New kernel config: $kernel_config" 20138ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler echo "$name: Disabled rootfs verification." 202b5633c6f65ac593769d615970a146717ee4d328cHung-Te Lin remove_legacy_boot_rootfs_verification "$ssd_device" 20338ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler fi 20438ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler 20538ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler local new_kernel_config_file="$(make_temp_file)" 206a41b7bae210f34cf012327f32f6fb1a6cf97c101Hung-Te Lin echo -n "$kernel_config" >"$new_kernel_config_file" 20738ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler 20820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "Re-signing $name from $old_blob to $new_blob" 209b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin debug_msg "Using key: $KERNEL_DATAKEY" 21020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin vbutil_kernel \ 21120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin --repack "$new_blob" \ 21238ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler --keyblock "$KERNEL_KEYBLOCK" \ 21338ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler --config "$new_kernel_config_file" \ 21420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin --signprivate "$KERNEL_DATAKEY" \ 21520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin --oldblob "$old_blob" >"$EXEC_LOG" 2>&1 
|| 21620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin err_die "Failed to resign $name. Message: $(cat "$EXEC_LOG")" 21720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 21820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "Creating new kernel image (vboot+code+config)" 21920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local new_kern="$(make_temp_file)" 22020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin cp "$old_blob" "$new_kern" 22120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin mydd if="$new_blob" of="$new_kern" conv=notrunc 22220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 22320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin if is_debug_mode; then 22420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "for debug purposes, check *.dbgbin" 22520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin cp "$old_blob" old_blob.dbgbin 22620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin cp "$new_blob" new_blob.dbgbin 22720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin cp "$new_kern" new_kern.dbgbin 22820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin fi 22920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 23020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "Verifying new kernel and keys" 23120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin vbutil_kernel \ 23220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin --verify "$new_kern" \ 23320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin --signpubkey "$KERNEL_PUBKEY" --verbose >"$EXEC_LOG" 2>&1 || 23420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin err_die "Failed to verify new $name. 
Message: $(cat "$EXEC_LOG")" 23520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 23620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "Backup old kernel blob" 23720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local backup_date_time="$(date +'%Y%m%d_%H%M%S')" 23820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local backup_name="$(echo "$name" | sed 's/ /_/g; s/^K/k/')" 23920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local backup_file_name="${backup_name}_${backup_date_time}.bin" 24020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin local backup_file_path="$FLAGS_backup_dir/$backup_file_name" 24120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin if mkdir -p "$FLAGS_backup_dir" && 24220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin cp -f "$old_blob" "$backup_file_path"; then 24320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin echo "Backup of $name is stored in: $backup_file_path" 24420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin else 24520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin echo "WARNING: Cannot create file in $FLAGS_backup_dir... Ignore backups." 
24620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin fi 24720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 24820525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin debug_msg "Writing $name to partition $kernel_index" 24920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin mydd \ 25020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin if="$new_kern" \ 25120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin of="$ssd_device" \ 25220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin seek=$offset \ 25320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin bs=$bs \ 25420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin count=$size \ 25520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin conv=notrunc 25620525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin resigned_kernels=$(($resigned_kernels + 1)) 25720525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 258c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "Make the root file system writable if needed." 259b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin # TODO(hungte) for safety concern, a more robust way would be to: 260b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin # (1) change kernel config to ro 261b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin # (2) check if we can enable rw mount 262b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin # (3) change kernel config to rw 263b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin if [ ${FLAGS_remove_rootfs_verification} = $FLAGS_TRUE ]; then 264b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin local root_offset_sector=$(partoffset "$ssd_device" $rootfs_index) 265b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin local root_offset_bytes=$((root_offset_sector * 512)) 266b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin if ! is_ext2 "$ssd_device" "$root_offset_bytes"; then 267b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin debug_msg "Non-ext2 partition: $ssd_device$rootfs_index, skip." 268b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin elif ! 
rw_mount_disabled "$ssd_device" "$root_offset_bytes"; then 269b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin debug_msg "Root file system is writable. No need to modify." 270b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin else 271b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin # disable the RO ext2 hack 272b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin debug_msg "Disabling rootfs ext2 RO bit hack" 273b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin enable_rw_mount "$ssd_device" "$root_offset_bytes" >"$EXEC_LOG" 2>&1 || 274b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin err_die "Failed turning off rootfs RO bit. OS may be corrupted. " \ 275b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin "Message: $(cat "$EXEC_LOG")" 276b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin fi 277b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin fi 278b5c991b3b821017746c24f7f7207e53f691c30b0Hung-Te Lin 27920525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin # Sometimes doing "dump_kernel_config" or other I/O now (or after return to 28020525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin # shell) will get the data before modification. Not a problem now, but for 28120525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin # safety, let's try to sync more. 28220525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin sync; sync; sync 28320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 28420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin echo "$name: Re-signed with developer keys successfully." 
28520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin done 28638ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler 28738ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler # If we saved the kernel config, exit now so we don't print an error 28838ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler if [ -n "${FLAGS_save_config}" ]; then 28938ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler echo "(Kernels have not been resigned.)" 29038ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler exit 0 29138ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler fi 29238ab919c086f5bcdb9feb49f0e2f8adac9972fdaRandall Spangler 29320525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin return $resigned_kernels 29420525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin} 29520525b91644a786e966c9486ac9afdf3d7c5447fHung-Te Lin 296c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Linsanity_check_live_partitions() { 297c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "Partition sanity check" 298c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin if [ "$FLAGS_partitions" = "$ROOTDEV_KERNEL" ]; then 299c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "only for current active partition - safe." 300c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin return 301c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin fi 302c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin if [ "$ORIGINAL_PARTITIONS" != "" ]; then 303c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "user has assigned partitions - provide more info." 304c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin echo "INFO: Making change to $FLAGS_partitions on $FLAGS_image." 305c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin return 306c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin fi 307c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin echo " 308c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin ERROR: YOU ARE TRYING TO MODIFY THE LIVE SYSTEM IMAGE $FLAGS_image. 
309c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 310c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin The system may become unusable after that change, especially when you have 311c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin some auto updates in progress. To make it safer, we suggest you to only 312c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin change the partition you have booted with. To do that, re-execute this command 313c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin as: 314c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 315c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin sudo ./make_dev_ssd.sh $ORIGINAL_PARAMS --partitions $ROOTDEV_KERNEL 316c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 317c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin If you are sure to modify other partition, please invoke the command again and 318c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin explicitly assign only one target partition for each time (--partitions N ) 319c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin " 320c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin return $FLAGS_FALSE 321c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin} 322c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 323c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Linsanity_check_live_firmware() { 324c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "Firmware compatibility sanity check" 325c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin if [ "$(crossystem mainfw_type)" = "developer" ]; then 326c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "developer type firmware in active." 327c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin return 328c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin fi 329c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "Loading firmware to check root key..." 
330c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin local bios_image="$(make_temp_file)" 331c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin local rootkey_file="$(make_temp_file)" 332c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin echo "INFO: checking system firmware..." 333798cc91de11d5a78e379c67731dcafaf2aae01e1Hung-Te Lin sudo flashrom -p host -i GBB -r "$bios_image" >/dev/null 2>&1 334c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin gbb_utility -g --rootkey="$rootkey_file" "$bios_image" >/dev/null 2>&1 335c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin if [ ! -s "$rootkey_file" ]; then 336c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "failed to read root key from system firmware..." 337c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin else 338c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin # The magic 130 is counted by "od dev-rootkey" for the lines until the body 339c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin # of key is reached. Trailing bytes (0x00 or 0xFF - both may appear, and 340c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin # that's why we need to skip them) are started at line 131. 341c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin # TODO(hungte) compare with rootkey in $VBOOT_BASE directly. 342c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin local rootkey_hash="$(od "$rootkey_file" | 343c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin head -130 | md5sum | 344c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin sed 's/ .*$//' )" 345c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin if [ "$rootkey_hash" = "a13642246ef93daaf75bd791446fec9b" ]; then 346c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "detected DEV root key in firmware." 
347c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin return 348c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin else 349c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin debug_msg "non-devkey hash: $rootkey_hash" 350c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin fi 351c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin fi 352c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 353c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin echo " 354c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin ERROR: YOU ARE NOT USING DEVELOPER FIRMWARE, AND RUNNING THIS COMMAND MAY 355c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin THROW YOUR CHROMEOS DEVICE INTO UN-BOOTABLE STATE. 356c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 357c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin You need to either install developer firmware, or change system root key. 358c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 359c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin - To install developer firmware: type command 360c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin sudo chromeos-firmwareupdate --mode=todev 361c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 362c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin - To change system rootkey: disable firmware write protection (a hardware 363c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin switch) and then type command: 364c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin sudo ./make_dev_firmware.sh 365c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 366c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin If you are sure that you want to make such image without developer 367c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin firmware or you've already changed system root keys, please run this 368c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin command again with --force paramemeter: 369c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin 370c1d8dc8aa7f2e666324e476b10c7e5cfe9c58c04Hung-Te Lin sudo 
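./make_dev_ssd.sh --force $ORIGINAL_PARAMS
  "
  return $FLAGS_FALSE
}

# Main
# ----------------------------------------------------------------------------
# Re-signs the kernel partitions of $FLAGS_image with the key set found under
# $FLAGS_keys and reports how many kernels were re-signed.
#
# Globals read:    FLAGS_image, FLAGS_keys, FLAGS_partitions, FLAGS_force,
#                  FLAGS_recovery_key, ROOTDEV_DISK
# Globals written: KERNEL_KEYBLOCK, KERNEL_DATAKEY, KERNEL_PUBKEY,
#                  FLAGS_partitions (narrowed to the valid kernel partitions
#                  when the target is the live system disk)
# Exits:           through "exit 1" or err_die when a prerequisite file is
#                  missing, a sanity check fails, or nothing was re-signed.
#
# Security notes:
#  - KERNEL_DATAKEY is a private signing key (.vbprivk). The folder given with
#    --keys decides which key the kernels will be trusted under after
#    re-signing, so it should only be readable and writable by trusted users.
#  - --force skips sanity_check_live_firmware and sanity_check_live_partitions
#    entirely. Those checks exist to stop a kernel from being re-signed with a
#    key the firmware will not accept, which leaves the device unbootable.
main() {
  local num_signed=0
  local num_given
  # Declared separately from the assignment so "local" does not hide a
  # failure; $(( )) normalises any padding that wc may print.
  num_given=$(( $(echo "$FLAGS_partitions" | wc -w) ))

  # Check parameters
  if [ "$FLAGS_recovery_key" = "$FLAGS_TRUE" ]; then
    KERNEL_KEYBLOCK="$FLAGS_keys/recovery_kernel.keyblock"
    KERNEL_DATAKEY="$FLAGS_keys/recovery_kernel_data_key.vbprivk"
    KERNEL_PUBKEY="$FLAGS_keys/recovery_key.vbpubk"
  else
    KERNEL_KEYBLOCK="$FLAGS_keys/kernel.keyblock"
    KERNEL_DATAKEY="$FLAGS_keys/kernel_data_key.vbprivk"
    KERNEL_PUBKEY="$FLAGS_keys/kernel_subkey.vbpubk"
  fi

  debug_msg "Prerequisite check"
  ensure_files_exist \
    "$KERNEL_KEYBLOCK" \
    "$KERNEL_DATAKEY" \
    "$KERNEL_PUBKEY" \
    "$FLAGS_image" ||
    exit 1

  # checks for running on a live system image.
  if [ "$FLAGS_image" = "$ROOTDEV_DISK" ]; then
    debug_msg "check valid kernel partitions for live system"
    # $FLAGS_partitions is left unquoted on purpose: it is a space-separated
    # list and each partition number must become its own argument.
    local valid_partitions="$(find_valid_kernel_partitions $FLAGS_partitions)"
    [ -n "$valid_partitions" ] ||
      err_die "No valid kernel partitions on $FLAGS_image ($FLAGS_partitions)."
    FLAGS_partitions="$valid_partitions"

    # Sanity checks
    if [ "$FLAGS_force" = "$FLAGS_TRUE" ]; then
      echo "
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      ! INFO: ALL SANITY CHECKS WERE BYPASSED. YOU ARE ON YOUR OWN. !
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      " >&2
      # Grace period so an operator who passed --force by mistake can abort.
      # printf is used because "echo -n" and backslash escapes behave
      # differently between /bin/sh implementations.
      local i
      for i in 5 4 3 2 1; do
        printf '\rStart in %s second(s) (^C to abort)... ' "$i" >&2
        sleep 1
      done
      # Terminate the countdown line on the stream it was written to.
      echo "" >&2
    elif ! sanity_check_live_firmware ||
         ! sanity_check_live_partitions; then
      err_die "IMAGE $FLAGS_image IS NOT MODIFIED."
    fi
  fi

  # The exit status of resign_ssd_kernel is taken as the number of kernels it
  # re-signed; a status of 0 leaves num_signed at 0 and is treated as failure.
  # NOTE(review): an unrelated non-zero status that happens to fall within
  # 1..num_given would be reported as success - confirm against
  # resign_ssd_kernel.
  resign_ssd_kernel "$FLAGS_image" || num_signed=$?

  debug_msg "Complete."
  # Quoted operands and two separate tests replace the ambiguous, obsolescent
  # "-a" form of [ ].
  if [ "$num_signed" -gt 0 ] && [ "$num_signed" -le "$num_given" ]; then
    # signed something at least
    echo "Successfully re-signed $num_signed of $num_given kernel(s)" \
      " on device $FLAGS_image".
  else
    err_die "Failed re-signing kernels."
  fi
}

# People using this to process images may forget to add "-i",
# so adding parameter check is safer.
if [ "$#" -gt 0 ]; then
  flags_help
  # "$*" keeps the message a single argument; "$@" inside a quoted string
  # would split it into one argument per leftover parameter.
  err_die "Unknown parameters: $*"
fi

main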