author | Mike Frysinger <vapier@chromium.org> | 2017-05-07 02:20:55 -0400 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-05-13 11:53:20 -0700 |
commit | 3c8496cc86e60dd2698e17436d435d9b8260ce2f (patch) | |
tree | 421c5a11da2b228908d799b3a576677fcee459a8 | |
parent | ad16cf327e86f46a6d6e9e14e53ac31bf5b49757 (diff) | |
download | vboot-3c8496cc86e60dd2698e17436d435d9b8260ce2f.tar.gz |
image_signing: sign_official_build.sh: convert to info/error helpers
This makes the output easier to follow when multiple scripts are being run.
BRANCH=None
BUG=chromium:714598
TEST=signing images still works
Change-Id: I4097fd58f349dc84c242dd12d6a94e12f387a1f0
Reviewed-on: https://chromium-review.googlesource.com/498232
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 84 |
1 files changed, 39 insertions, 45 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 80774731..b572501b 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -87,7 +87,7 @@ PATH=$PATH:/usr/sbin:/sbin for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \ load_kernel_test dumpe2fs sha1sum e2fsck; do type -P "${prereqs}" &>/dev/null || \ - { echo "${prereqs} tool not found."; exit 1; } + die "${prereqs} tool not found." done TYPE=$1 @@ -181,7 +181,7 @@ calculate_rootfs_hash() { local dm_config=$(get_dmparams_from_config "${kernel_config}") if [ -z "${dm_config}" ]; then - echo "WARNING: Couldn't grab dm_config. Aborting rootfs hash calculation." + warn "Couldn't grab dm_config. Aborting rootfs hash calculation." return 1 fi local vroot_dev=$(get_dm_slave "${dm_config}" vroot) @@ -254,14 +254,14 @@ update_rootfs_hash() { # Note even though there are two kernels, there is one place (after rootfs) # for hash data, so we must assume both kernel use same hash algorithm (i.e., # DM config). - echo "Updating rootfs hash and updating config for Kernel partitions" + info "Updating rootfs hash and updating config for Kernel partitions" # If we can't find dm parameters in the kernel config, bail out now. local kernel_config=$(grab_kernel_config "${image}" "${dm_partno}") local dm_config=$(get_dmparams_from_config "${kernel_config}") if [ -z "${dm_config}" ]; then - echo "ERROR: Couldn't grab dm_config from kernel partition ${dm_partno}" - echo " (config: ${kernel_config})" + error "Couldn't grab dm_config from kernel partition ${dm_partno}" + error " (config: ${kernel_config})" return 1 fi 
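Review bot: In the update_rootfs_hash hunk (@@ -254), the second call `error " (config: ${kernel_config})"` keeps the leading padding that only made sense as a continuation line under the old hand-written `ERROR:` text. If the helper prefixes every call (its definition is outside this diff), the two lines now read as two separate errors. A single call keeps the detail attached to the failure it explains: `error "Couldn't grab dm_config from kernel partition ${dm_partno} (config: ${kernel_config})"`.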
@@ -285,8 +285,8 @@ update_rootfs_hash() { if ! calculate_rootfs_hash "${rootfs_image}" "${kernel_config}" \ "${hash_image}"; then - echo "calculate_rootfs_hash failed!" - echo "Aborting rootfs hash update!" + error "calculate_rootfs_hash failed!" + error "Aborting rootfs hash update!" return 1 fi @@ -316,12 +316,12 @@ update_rootfs_hash() { grab_kernel_config "${image}" "${kernelpart}" 2>/dev/null)" && [[ "${kernelpart}" == 4 ]]; then # Legacy images don't have partition 4. - echo "Skipping empty kernel partition 4 (legacy images)." + info "Skipping empty kernel partition 4 (legacy images)." continue fi new_kernel_config="$(echo "${new_kernel_config}" | sed -e 's#\(.*dm="\)\([^"]*\)\(".*\)'"#\1${dm_args}\3#g")" - echo "New config for kernel partition ${kernelpart} is:" + info "New config for kernel partition ${kernelpart} is:" echo "${new_kernel_config}" | tee "${temp_config}" extract_image_partition "${image}" "${kernelpart}" "${temp_kimage}" # Re-calculate kernel partition signature and command line. @@ -354,7 +354,7 @@ update_stateful_partition_vblock() { extract_image_partition "${image}" 4 "${kernb_image}" if [[ "$(dump_kernel_config "${kernb_image}" 2>/dev/null)" == "" ]]; then - echo "Building vmlinuz_hd.vblock from legacy image partition 2." + info "Building vmlinuz_hd.vblock from legacy image partition 2." extract_image_partition "${image}" 2 "${kernb_image}" fi @@ -381,9 +381,9 @@ verify_image_rootfs() { # This flips the read-only compatibility flag, so that e2fsck does not # complain about unknown file system capabilities. enable_rw_mount ${rootfs_image} - echo "Running e2fsck to check root file system for errors" + info "Running e2fsck to check root file system for errors" sudo e2fsck -fn "${rootfs_image}" || - { echo "Root file system has errors!" && exit 1;} + die "Root file system has errors!" } # Extracts a firmware updater bundle (for firmware image binaries) file 
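Review bot: In the @@ -316 hunk, `info "New config for kernel partition ${kernelpart} is:"` now goes through the logging helper, while the config it announces is still printed by the following `echo "${new_kernel_config}" | tee "${temp_config}"`. If info writes to stderr (the helper is not defined in this diff), the header and its body land on different streams, and anything capturing only one of them gets half the record. The same pairing appears in update_recovery_kernel_hash (`info` then `cat ${new_kerna_config}`), in the dump_config case (`info` then `grab_kernel_config`), and in verify_image, where `info "Testing key verification..."` precedes `echo -n` result lines. A comment at each site would make the split deliberate, for example `# header is a log line; the config body stays on stdout for callers`.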
@@ -450,7 +450,7 @@ sign_firmware() { # public keys in the GBB. "${SCRIPT_DIR}/sign_firmware.sh" "${image}" "${key_dir}" "${image}" \ "${firmware_version}" "${loem_output_dir}" - echo "Signed firmware image output to ${image}" + info "Signed firmware image output to ${image}" } # Sign nvidia lp0 firmware with the given keys. @@ -461,7 +461,7 @@ sign_nv_lp0_firmware() { "${SCRIPT_DIR}/sign_nv_cbootimage.sh" "lp0_firmware" \ "${key_dir%/}/nv_pkc.pem" "${nv_lp0_fw_image}" "tegra210" - echo "Signed nvidia lp0 firmware image output to ${nv_lp0_fw_image}" + info "Signed nvidia lp0 firmware image output to ${nv_lp0_fw_image}" } # Sign a kernel in-place with the given keys. @@ -484,7 +484,7 @@ sign_kernel() { --oldblob "${image}" mv "${temp_kernel}" "${image}" - echo "Signed kernel image output to ${image}" + info "Signed kernel image output to ${image}" } # Sign a recovery kernel in-place with the given keys. @@ -507,7 +507,7 @@ sign_recovery_kernel() { --oldblob "${image}" mv "${temp_kernel}" "${image}" - echo "Signed recovery_kernel image output to ${image}" + info "Signed recovery_kernel image output to ${image}" } # Sign a delta update payload (usually created by paygen). @@ -543,7 +543,7 @@ resign_firmware_payload() { local image=$1 if [ -n "${NO_FWUPDATE}" ]; then - echo "Skipping firmware update." + info "Skipping firmware update." return fi @@ -557,10 +557,10 @@ resign_firmware_payload() { if ! extract_firmware_bundle "${firmware_bundle}" "${shellball_dir}"; then # Unmount now to prevent changes. sudo umount "${rootfs_dir}" - echo "Didn't find a firmware update. Not signing firmware." + info "Didn't find a firmware update. Not signing firmware." return fi - echo "Found a valid firmware update shellball." + info "Found a valid firmware update shellball." local image_file sign_args=() loem_sfx loem_output_dir for image_file in "${shellball_dir}"/bios*.bin; do 
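Review bot: In the @@ -557 hunk, `info "Didn't find a firmware update. Not signing firmware."` reports a path where resign_firmware_payload returns success without re-signing any firmware payload. At info level that line sits among the routine "Signed ... output to" messages and is easy to miss in a signer log. This commit already uses `warn` in calculate_rootfs_hash, so `warn "Didn't find a firmware update. Not signing firmware."` would make the skipped step stand out if a missing bundle is unexpected for the image type. The same applies to `info "Skipping firmware update."` in the NO_FWUPDATE branch of the @@ -543 hunk.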
@@ -578,7 +578,7 @@ resign_firmware_payload() { local signer_notes="${shellball_dir}/VERSION.signer" echo "" >"$signer_notes" - echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"$signer_notes" + info "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"${signer_notes}" new_shellball=$(make_temp_file) cp -f "${firmware_bundle}" "${new_shellball}" @@ -588,7 +588,7 @@ resign_firmware_payload() { sudo chmod a+rx "${firmware_bundle}" # Unmount now to flush changes. sudo umount "${rootfs_dir}" - echo "Re-signed firmware AU payload in $image" + info "Re-signed firmware AU payload in ${image}" } # Re-sign Android image if exists. @@ -610,7 +610,7 @@ resign_android_image_if_exists() { "${SCRIPT_DIR}/sign_android_image.sh" "${rootfs_dir}" "${KEY_DIR}/android" sudo umount "${rootfs_dir}" - echo "Re-signed Android image" + info "Re-signed Android image" } # Sign an oci container with the given keys. @@ -629,7 +629,7 @@ verify_image() { local rootfs_image=$(make_temp_file) extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image} - echo "Verifying RootFS hash..." + info "Verifying RootFS hash..." # What we get from image. local kernel_config # What we calculate from the rootfs. @@ -638,12 +638,12 @@ verify_image() { # exist in either kernel partition 2 or kernel partition 4 local partnum for partnum in 2 4; do - echo "Considering Kernel partition $partnum" + info "Considering Kernel partition ${partnum}" kernel_config=$(grab_kernel_config ${INPUT_IMAGE} $partnum) local hash_image=$(make_temp_file) if ! calculate_rootfs_hash "${rootfs_image}" "${kernel_config}" \ "${hash_image}"; then - echo "Trying next kernel partition." + info "Trying next kernel partition." continue fi new_kernel_config="$CALCULATED_KERNEL_CONFIG" 
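Review bot: In the @@ -578 hunk, `info "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"${signer_notes}"` is not a log message but the line that writes VERSION.signer into the shellball, so routing it through info changes the file's content. If info prints to stderr, the redirect captures nothing and the file keeps only the blank line from the `echo ""` above; if it prints to stdout, the file gains whatever prefix or colour codes the helper adds. The helper is defined outside this diff, so which case applies is inferred, but either way the record of which keyset signed the payload is lost or altered, and the TEST line ("signing images still works") would not catch it. This line should stay `echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"${signer_notes}"`. resign_firmware_payload starts and ends outside the hunk.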
@@ -656,8 +656,7 @@ verify_image() { got_hash=$(get_hash_from_config "${kernel_config}") if [ -z "${expected_hash}" ] || [ -z "${got_hash}" ]; then - echo "FAILURE: Couldn't verify RootFS hash on the image." - exit 1 + die "Couldn't verify RootFS hash on the image." fi if [ ! "${got_hash}" = "${expected_hash}" ]; then @@ -668,13 +667,13 @@ Got: ${got_hash} EOF exit 1 else - echo "PASS: RootFS hash is correct (${expected_hash})" + info "PASS: RootFS hash is correct (${expected_hash})" fi # Now try and verify kernel partition signature. set +e local try_key=${KEY_DIR}/recovery_key.vbpubk - echo "Testing key verification..." + info "Testing key verification..." # The recovery key is only used in the recovery mode. echo -n "With Recovery Key (Recovery Mode ON, Dev Mode OFF): " && \ { load_kernel_test "${INPUT_IMAGE}" "${try_key}" -b 2 >/dev/null 2>&1 && \ @@ -713,7 +712,7 @@ update_recovery_kernel_hash() { echo "$old_kerna_config" | sed -e "s#\(kern_b_hash=\)[a-z0-9]*#\1${new_kernb_hash}#" \ > ${new_kerna_config} - echo "New config for kernel partition 2 is" + info "New config for kernel partition 2 is" cat ${new_kerna_config} local temp_kimagea=$(make_temp_file) @@ -803,7 +802,7 @@ sign_image_file() { local kernA_privkey="$6" local kernB_keyblock="$7" local kernB_privkey="$8" - echo "Preparing ${image_type} image..." + info "Preparing ${image_type} image..." cp --sparse=always "${input}" "${output}" resign_firmware_payload "${output}" resign_android_image_if_exists "${output}" @@ -831,7 +830,7 @@ sign_image_file() { # Error is already logged. return 1 fi - echo "Signed ${image_type} image output to ${output}" + info "Signed ${image_type} image output to ${output}" } # Verification @@ -839,7 +838,7 @@ case ${TYPE} in dump_config) check_argc $# 2 for partnum in 2 4; do - echo "kernel config in partition number ${partnum}:" + info "kernel config in partition number ${partnum}:" grab_kernel_config "${INPUT_IMAGE}" ${partnum} echo done 
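Review bot: In verify_image the empty-hash case now exits through `die`, but the hash-mismatch branch just below still ends in a here-document followed by a bare `exit 1` (visible as context at the top of the @@ -668 hunk). The two failure paths of the same integrity check therefore report in different formats, and a log scan keyed on the helper's error prefix would see one but not the other. The here-document starts outside the hunk, so its full text is not visible; ending that branch with something like `die "RootFS hash mismatch (expected ${expected_hash}, got ${got_hash})"` would bring it in line.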
@@ -866,8 +865,8 @@ if [ -n "${VERSION_FILE}" ]; then FIRMWARE_VERSION=$(sed -n 's#^firmware_version=\(.*\)#\1#pg' ${VERSION_FILE}) KERNEL_VERSION=$(sed -n 's#^kernel_version=\(.*\)#\1#pg' ${VERSION_FILE}) fi -echo "Using firmware version: ${FIRMWARE_VERSION}" -echo "Using kernel version: ${KERNEL_VERSION}" +info "Using firmware version: ${FIRMWARE_VERSION}" +info "Using kernel version: ${KERNEL_VERSION}" # Make all modifications on output copy. if [[ "${TYPE}" == "ssd" || "${TYPE}" == "base" ]]; then @@ -894,29 +893,25 @@ elif [[ "${TYPE}" == "factory" ]] || [[ "${TYPE}" == "install" ]]; then "${KEY_DIR}/kernel_data_key.vbprivk" elif [[ "${TYPE}" == "firmware" ]]; then if [[ -e "${KEY_DIR}/loem.ini" ]]; then - echo "LOEM signing not implemented yet for firmware images" - exit 1 + die "LOEM signing not implemented yet for firmware images" fi cp ${INPUT_IMAGE} ${OUTPUT_IMAGE} sign_firmware ${OUTPUT_IMAGE} ${KEY_DIR} ${FIRMWARE_VERSION} elif [[ "${TYPE}" == "nv_lp0_firmware" ]]; then if [[ -e "${KEY_DIR}/loem.ini" ]]; then - echo "LOEM signing not implemented yet for nv_lp0_firmware images" - exit 1 + die "LOEM signing not implemented yet for nv_lp0_firmware images" fi cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" sign_nv_lp0_firmware "${OUTPUT_IMAGE}" "${KEY_DIR}" elif [[ "${TYPE}" == "kernel" ]]; then if [[ -e "${KEY_DIR}/loem.ini" ]]; then - echo "LOEM signing not implemented yet for kernel images" - exit 1 + die "LOEM signing not implemented yet for kernel images" fi cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" sign_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}" elif [[ "${TYPE}" == "recovery_kernel" ]]; then if [[ -e "${KEY_DIR}/loem.ini" ]]; then - echo "LOEM signing not implemented yet for recovery_kernel images" - exit 1 + die "LOEM signing not implemented yet for recovery_kernel images" fi cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" sign_recovery_kernel "${OUTPUT_IMAGE}" "${KEY_DIR}" "${KERNEL_VERSION}" 
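Review bot: The firmware branch in the @@ -894 hunk still runs `cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}` and `sign_firmware ${OUTPUT_IMAGE} ${KEY_DIR} ${FIRMWARE_VERSION}` unquoted, while the nv_lp0_firmware, kernel and recovery_kernel branches next to it quote every expansion. An image or key path containing whitespace or glob characters would be word-split before cp or sign_firmware receives it. Since the commit already touches this branch, it could be brought in line with its siblings: `cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"` and `sign_firmware "${OUTPUT_IMAGE}" "${KEY_DIR}" "${FIRMWARE_VERSION}"`.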
@@ -939,6 +934,5 @@ elif [[ "${TYPE}" == "accessory_rwsig" ]]; then elif [[ "${TYPE}" == "oci-container" ]]; then sign_oci_container "${INPUT_IMAGE}" "${KEY_DIR}" "${OUTPUT_IMAGE}" else - echo "Invalid type ${TYPE}" - exit 1 + die "Invalid type ${TYPE}" fi |