From 9f20418922d04bc6fe30b2aa1fb5daaabddf4101 Mon Sep 17 00:00:00 2001 From: Daniel Drake Date: Mon, 10 Sep 2012 20:22:55 +0000 Subject: Always ship kernel/initramfs in zip files We now ship the kernel/initramfs in zip files only. This reduces duplication for when images get signed, and it allows us to ship a simplified olpc.fth. This implements the plan here: http://lists.laptop.org/pipermail/devel/2012-March/034439.html This didn't work on first attempt because we hit a firmware bug on XO-1.75 (#12107). Now that we have a fix, and a workaround for old firmware versions, give this change another spin.
---
diff --git a/modules/base/kspost.50.zip_bootfiles.nochroot.inc b/modules/base/kspost.50.zip_bootfiles.nochroot.inc
new file mode 100644
index 0000000..8477ae2
--- /dev/null
+++ b/modules/base/kspost.50.zip_bootfiles.nochroot.inc
@@ -0,0 +1,46 @@
+# Put the unsigned kernel/initramfs in zip files and remove the originals
+# This avoids duplication for signed builds (where these zips will be signed
+# later), where otherwise we would be shipped both signed and unsigned kernels
+# and losing some disk space.
+
+# Create zip files
+create_unsigned_zip() {
+ local infile=$1
+ local tgt=$2
+
+ cd $INSTALL_ROOT/boot
+ [ -e $1 ] || return
+
+ cp $1 data.img
+ zip -j -n .img ${tgt}.zip data.img
+ rm -f data.img
+}
+
+create_unsigned_zip vmlinuz runos
+create_unsigned_zip initrd.img runrd
+create_unsigned_zip actrd.img actrd
+
+# Remove original copies
+remove_original() {
+ local name=$1
+
+ cd $INSTALL_ROOT/boot
+ [ -e "$name" ] || return
+
+ if [ -L "$name" ]; then
+ dest=$(readlink $name)
+ rm -rf "$dest"
+ fi
+
+ rm -f $name
+}
+
+remove_original vmlinuz
+remove_original actrd.img
+remove_original initrd.img
+
+# symlink actXX to runXX (or the other way) if any of them are missing
+[ -e $INSTALL_ROOT/boot/actos.zip ] || ln -s runos.zip $INSTALL_ROOT/boot/actos.zip
+[ -e $INSTALL_ROOT/boot/actrd.zip ] || ln -s runrd.zip $INSTALL_ROOT/boot/actrd.zip
+[ -e $INSTALL_ROOT/boot/runos.zip ] || ln -s actos.zip $INSTALL_ROOT/boot/runos.zip
+[ -e $INSTALL_ROOT/boot/runrd.zip ] || ln -s actrd.zip $INSTALL_ROOT/boot/runrd.zip
diff --git a/modules/signing/preimage.10.extract.sh b/modules/signing/preimage.10.extract.sh
index 5a7a471..489f8b4 100644
--- a/modules/signing/preimage.10.extract.sh
+++ b/modules/signing/preimage.10.extract.sh
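Review bot: In `remove_original`, `rm -rf "$dest"` acts on whatever `readlink` returns, and nothing checks that the target stays under `$INSTALL_ROOT/boot`. The `.nochroot` suffix suggests this fragment runs on the build host, so an absolute symlink target taken from the image, or a failed and unchecked `cd $INSTALL_ROOT/boot`, would presumably make the delete land on the host filesystem. I would make the directory change fatal with `cd "$INSTALL_ROOT/boot" || return`, re-root absolute targets with `case "$dest" in /*) dest="$INSTALL_ROOT$dest" ;; esac`, and delete with a non-recursive `rm -f -- "$dest"`. `dest` should also be declared `local`, and `create_unsigned_zip` has the same unchecked `cd` and uses an unquoted `$1` instead of the `infile` it declares.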
@@ -14,31 +14,20 @@ mkdir -p $tgt found=0 echo "Extracting content for signing..." -if [ -e "$fsmount/boot/bootfw.zip" ]; then - cp $fsmount/boot/bootfw.zip $tgt - found=1 -fi -if [ -e "$fsmount/boot/vmlinuz" ]; then - cp $fsmount/boot/vmlinuz $tgt/data.img - zip -j -n .img $tgt/runos.zip $tgt/data.img - rm -f $tgt/data.img +copy_out_file() { + local name=$1 + local path="$fsmount"/boot/${1}.zip + [ -f "$path"] || return + cp $path $tgt found=1 -fi - -if [ -e "$fsmount/boot/initrd.img" ]; then - cp $fsmount/boot/initrd.img $tgt/data.img - zip -j -n .img $tgt/runrd.zip $tgt/data.img - rm -f $tgt/data.img - found=1 -elif [ -e "$fsmount/boot/olpcrd.img" ]; then - cp $fsmount/boot/olpcrd.img $tgt/data.img - zip -j -n .img $tgt/runrd.zip $tgt/data.img - rm -f $tgt/data.img - found=1 -fi +} +copy_out bootfw +copy_out runos +copy_out runrd +copy_out actos +copy_out actrd [ "$found" == "1" ] || exit 0 zip -j $outzip $tgt/* - diff --git a/modules/signing/preimage.40.sign-os.sh b/modules/signing/preimage.40.sign-os.sh index 19ddc3b..6756eb6 100644 --- a/modules/signing/preimage.40.sign-os.sh +++ b/modules/signing/preimage.40.sign-os.sh 
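Review bot: `copy_out_file` as added can never copy anything: the five call sites invoke `copy_out`, which is not defined in this hunk, and the guard `[ -f "$path"] || return` lacks the space before `]`, so the test errors out and the function returns every time. Because `found` then stays 0 the script takes the `exit 0` path, so a signing build would report success here while handing nothing to the signer (unless the script runs under `set -e`, which is not visible in the hunk). Make the function name and the calls match, write the guard as `[ -f "$path" ] || return`, and quote the copy as `cp -- "$path" "$tgt"`. The unused `local name=$1` can either be dropped or used in place of `${1}`.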
@@ -8,29 +8,23 @@ okey=$(read_config signing okey) bios_crypto=$(read_config signing bios_crypto_path) [ -n "$bios_crypto" -a -d "$bios_crypto" ] || exit 0 -if [ -e "$fsmount/boot/vmlinuz" ]; then - echo "Signing kernel..." - pushd $bios_crypto/build - ./sign-os.sh $okey $fsmount/boot/vmlinuz $fsmount/boot/runos.zip - popd - [ -e $fsmount/boot/actos.zip ] || ln -s runos.zip $fsmount/boot/actos.zip -fi +sign_os() { + local path="$fsmount"/boot/$1.zip + [ -f "$path" ] || return -if [ -e "$fsmount/boot/initrd.img" ]; then - echo "Signing initramfs..." pushd $bios_crypto/build - ./sign-os.sh $okey $fsmount/boot/initrd.img $fsmount/boot/runrd.zip - popd -fi + unzip "$path" + mv data.img tmp.img -if [ -e "$fsmount/boot/actrd.img" ]; then - echo "Signing activation initramfs..." - pushd $bios_crypto/build - $bios_crypto/build/sign-os.sh $okey $fsmount/boot/actrd.img $fsmount/boot/actrd.zip - popd -fi + rm -f $path + ./sign-os.sh $okey tmp.img $path -# If no separate activation initramfs was provided, assume that the regular -# initramfs also handles activation. -[ -e $fsmount/boot/actrd.zip ] || ln -s runrd.zip $fsmount/boot/actrd.zip + rm -f tmp.img + popd +} +echo "Signing initramfs/kernel..." +sign_os runos +sign_os actos +sign_os runrd +sign_os actrd diff --git a/modules/signing/preimage.50.addsignedcontent.sh b/modules/signing/preimage.50.addsignedcontent.sh index c110329..3ad5f19 100644 --- a/modules/signing/preimage.50.addsignedcontent.sh +++ b/modules/signing/preimage.50.addsignedcontent.sh 
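Review bot: `sign_os` deletes the existing zip with `rm -f $path` before `./sign-os.sh` runs and never checks the signer's exit status, so a signing failure leaves the image without that kernel or initramfs zip while the build carries on. `[ -f "$path" ]` also follows symlinks, so when `actos.zip` is the symlink to `runos.zip` created at kspost time, the already-signed zip is presumably unpacked, signed again and written out as a second full copy. `unzip "$path"` extracts every member into the bios-crypto build directory and may prompt if a file of the same name already exists there. The sketch below signs into a temporary name, extracts only `data.img`, skips symlinked aliases and stops on failure; whether skipping aliases is right depends on how the firmware expects the actXX files to be signed, so confirm that first.

```shell
sign_os() {
	local path="$fsmount"/boot/$1.zip
	# A symlinked alias (actXX -> runXX) is covered by signing its target.
	[ -f "$path" ] || return 0
	[ ! -L "$path" ] || return 0

	pushd "$bios_crypto/build" || exit 1
	# Extract only the expected member; -o avoids an interactive overwrite prompt.
	unzip -o "$path" data.img || exit 1
	mv data.img tmp.img

	# Sign into a new file so the original survives a signer failure.
	./sign-os.sh $okey tmp.img "$path.signed" || exit 1
	mv -f "$path.signed" "$path"

	rm -f tmp.img
	popd
}
```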
@@ -12,14 +12,7 @@ rm -rf $signdir mkdir -p $signdir unzip $content -d $signdir for sfile in bootfw.zip runos.zip runrd.zip actos.zip actrd.zip; do - [ -e $signdir/$sfile ] && cp $signdir/$sfile $fsmount/boot/$sfile + [ -e $signdir/$sfile ] && cp --remove-destination $signdir/$sfile $fsmount/boot/$sfile done rm -rf $signdir - -# symlink actXX to runXX (or the other way) if any of them are missing -[ -e $fsmount/boot/actos.zip ] || ln -s runos.zip $fsmount/boot/actos.zip -[ -e $fsmount/boot/actrd.zip ] || ln -s runrd.zip $fsmount/boot/actrd.zip -[ -e $fsmount/boot/runos.zip ] || ln -s actos.zip $fsmount/boot/runos.zip -[ -e $fsmount/boot/runrd.zip ] || ln -s actrd.zip $fsmount/boot/runrd.zip - -- cgit v0.9.1
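Review bot: The loop still skips silently when the signed bundle lacks one of the five zips, so an unsigned `runos.zip` or `runrd.zip` left by the kspost step would presumably remain in an image that went through this signing path. Consider warning or failing when `$fsmount/boot/$sfile` is a regular file and `$signdir/$sfile` is absent. A short comment on the new flag would also help, e.g. `# --remove-destination: replace an actXX -> runXX symlink instead of writing through it`, since that reason can only be inferred from the symlinks created elsewhere in this commit. The paths on the `cp` line are unquoted; `cp --remove-destination -- "$signdir/$sfile" "$fsmount/boot/$sfile"` is the safer form.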