Always ship kernel/initramfs in zip files

We now ship the kernel/initramfs in zip files only.
This reduces duplication for when images get signed, and it allows
us to ship a simplified olpc.fth.

This implements the plan here:
http://lists.laptop.org/pipermail/devel/2012-March/034439.html

This didn't work on first attempt because we hit a firmware bug
on XO-1.75 (#12107). Now that we have a fix, and a workaround for
old firmware versions, give this change another spin.

4 files changed, 73 insertions, 51 deletions

diff --git a/modules/base/kspost.50.zip_bootfiles.nochroot.inc b/modules/base/kspost.50.zip_bootfiles.nochroot.inc
new file mode 100644
index 0000000..8477ae2
--- /dev/null
+++ b/modules/base/kspost.50.zip_bootfiles.nochroot.inc
@@ -0,0 +1,46 @@
+# Put the unsigned kernel/initramfs in zip files and remove the originals
+# This avoids duplication for signed builds (where these zips will be signed
+# later), where otherwise we would be shipped both signed and unsigned kernels
+# and losing some disk space.
+
+# Create zip files
+create_unsigned_zip() {
+	local infile=$1
+	local tgt=$2
+
+	cd $INSTALL_ROOT/boot
+	[ -e $1 ] || return
+
+	cp $1 data.img
+	zip -j -n .img ${tgt}.zip data.img
+	rm -f data.img
+}
+
+create_unsigned_zip vmlinuz runos
+create_unsigned_zip initrd.img runrd
+create_unsigned_zip actrd.img actrd
+
+# Remove original copies
+remove_original() {
+	local name=$1
+
+	cd $INSTALL_ROOT/boot
+	[ -e "$name" ] || return
+
+	if [ -L "$name" ]; then
+		dest=$(readlink $name)
+		rm -rf "$dest"
+	fi
+
+	rm -f $name
+}
+
+remove_original vmlinuz
+remove_original actrd.img
+remove_original initrd.img
+
+# symlink actXX to runXX (or the other way) if any of them are missing
+[ -e $INSTALL_ROOT/boot/actos.zip ] || ln -s runos.zip $INSTALL_ROOT/boot/actos.zip
+[ -e $INSTALL_ROOT/boot/actrd.zip ] || ln -s runrd.zip $INSTALL_ROOT/boot/actrd.zip
+[ -e $INSTALL_ROOT/boot/runos.zip ] || ln -s actos.zip $INSTALL_ROOT/boot/runos.zip
+[ -e $INSTALL_ROOT/boot/runrd.zip ] || ln -s actrd.zip $INSTALL_ROOT/boot/runrd.zip
diff --git a/modules/signing/preimage.10.extract.sh b/modules/signing/preimage.10.extract.sh
index 5a7a471..489f8b4 100644
--- a/modules/signing/preimage.10.extract.sh
+++ b/modules/signing/preimage.10.extract.sh
@@ -14,31 +14,20 @@ mkdir -p $tgt
 
 found=0
 echo "Extracting content for signing..."
-if [ -e "$fsmount/boot/bootfw.zip" ]; then
-	cp $fsmount/boot/bootfw.zip $tgt
-	found=1
-fi
 
-if [ -e "$fsmount/boot/vmlinuz" ]; then
-	cp $fsmount/boot/vmlinuz $tgt/data.img
-	zip -j -n .img $tgt/runos.zip $tgt/data.img
-	rm -f $tgt/data.img
+copy_out_file() {
+	local name=$1
+	local path="$fsmount"/boot/${1}.zip
+	[ -f "$path"] || return
+	cp $path $tgt
 	found=1
-fi
-
-if [ -e "$fsmount/boot/initrd.img" ]; then
-	cp $fsmount/boot/initrd.img $tgt/data.img
-	zip -j -n .img $tgt/runrd.zip $tgt/data.img
-	rm -f $tgt/data.img
-	found=1
-elif [ -e "$fsmount/boot/olpcrd.img" ]; then
-	cp $fsmount/boot/olpcrd.img $tgt/data.img
-	zip -j -n .img $tgt/runrd.zip $tgt/data.img
-	rm -f $tgt/data.img
-	found=1
-fi
+}
 
+copy_out bootfw
+copy_out runos
+copy_out runrd
+copy_out actos
+copy_out actrd
 [ "$found" == "1" ] || exit 0
 
 zip -j $outzip $tgt/*
-
diff --git a/modules/signing/preimage.40.sign-os.sh b/modules/signing/preimage.40.sign-os.sh
index 19ddc3b..6756eb6 100644
--- a/modules/signing/preimage.40.sign-os.sh
+++ b/modules/signing/preimage.40.sign-os.sh
@@ -8,29 +8,23 @@ okey=$(read_config signing okey)
 bios_crypto=$(read_config signing bios_crypto_path)
 [ -n "$bios_crypto" -a -d "$bios_crypto" ] || exit 0
 
-if [ -e "$fsmount/boot/vmlinuz" ]; then
-	echo "Signing kernel..."
-	pushd $bios_crypto/build
-	./sign-os.sh $okey $fsmount/boot/vmlinuz $fsmount/boot/runos.zip
-	popd
-	[ -e $fsmount/boot/actos.zip ] || ln -s runos.zip $fsmount/boot/actos.zip
-fi
+sign_os() {
+	local path="$fsmount"/boot/$1.zip
+	[ -f "$path" ] || return
 
-if [ -e "$fsmount/boot/initrd.img" ]; then
-	echo "Signing initramfs..."
 	pushd $bios_crypto/build
-	./sign-os.sh $okey $fsmount/boot/initrd.img $fsmount/boot/runrd.zip
-	popd
-fi
+	unzip "$path"
+	mv data.img tmp.img
 
-if [ -e "$fsmount/boot/actrd.img" ]; then
-	echo "Signing activation initramfs..."
-	pushd $bios_crypto/build
-	$bios_crypto/build/sign-os.sh $okey $fsmount/boot/actrd.img $fsmount/boot/actrd.zip
-	popd
-fi
+	rm -f $path
+	./sign-os.sh $okey tmp.img $path
 
-# If no separate activation initramfs was provided, assume that the regular
-# initramfs also handles activation.
-[ -e $fsmount/boot/actrd.zip ] || ln -s runrd.zip $fsmount/boot/actrd.zip
+	rm -f tmp.img
+	popd
+}
 
+echo "Signing initramfs/kernel..."
+sign_os runos
+sign_os actos
+sign_os runrd
+sign_os actrd
diff --git a/modules/signing/preimage.50.addsignedcontent.sh b/modules/signing/preimage.50.addsignedcontent.sh
index c110329..3ad5f19 100644
--- a/modules/signing/preimage.50.addsignedcontent.sh
+++ b/modules/signing/preimage.50.addsignedcontent.sh
@@ -12,14 +12,7 @@ rm -rf $signdir
 mkdir -p $signdir
 unzip $content -d $signdir
 for sfile in bootfw.zip runos.zip runrd.zip actos.zip actrd.zip; do
-	[ -e $signdir/$sfile ] && cp $signdir/$sfile $fsmount/boot/$sfile
+	[ -e $signdir/$sfile ] && cp --remove-destination $signdir/$sfile $fsmount/boot/$sfile
 done
 
 rm -rf $signdir
-
-# symlink actXX to runXX (or the other way) if any of them are missing
-[ -e $fsmount/boot/actos.zip ] || ln -s runos.zip $fsmount/boot/actos.zip
-[ -e $fsmount/boot/actrd.zip ] || ln -s runrd.zip $fsmount/boot/actrd.zip
-[ -e $fsmount/boot/runos.zip ] || ln -s actos.zip $fsmount/boot/runos.zip
-[ -e $fsmount/boot/runrd.zip ] || ln -s actrd.zip $fsmount/boot/runrd.zip
-