TEST: dm-verity: Debian media device

Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>

TEST: dm-verity: Debian media device
Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
0a9c7fe6 · Enric Balletbo i Serra · 3e989913 · 0a9c7fe6
Commit 0a9c7fe6 authored May 03, 2017 by Enric Balletbo i Serra
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 5 deletions

chromebook-setup.sh chromebook-setup.sh +36 -5

No files found.
--- a/chromebook-setup.sh
+++ b/chromebook-setup.sh
@@ -202,8 +202,13 @@ cmd_format_storage()
    # repository.
    sudo sgdisk -A 1:set:48 -A 1:set:56 "$CB_SETUP_STORAGE"

-    # Create and format the root partition
-    sudo sgdisk -n 2:0:0 -t 2:7f01 "$CB_SETUP_STORAGE"
+    # Create the root partition (1G)
+    sudo sgdisk -n 2:0:+1G -t 2:7f01 "$CB_SETUP_STORAGE"
+
+    # Create the root hash partition (16M)
+    sudo sgdisk -n 3:0:+16M -t 3:7f02 "$CB_SETUP_STORAGE"
+
+    # Format the root partition (ext4)
    sudo mkfs.ext4 -L ROOT-A "$CB_SETUP_STORAGE"2

    echo "Done."
@@ -268,7 +273,10 @@ cmd_config_kernel()
    cd kernel

    # Create .config
-    scripts/kconfig/merge_config.sh -m arch/arm/configs/multi_v7_defconfig $CWD/fragments/multi-v7/veyron.cfg
+    scripts/kconfig/merge_config.sh -m arch/arm/configs/multi_v7_defconfig \
+         $CWD/fragments/multi-v7/unset-localversion.cfg \
+         $CWD/fragments/multi-v7/verity.cfg \
+         $CWD/fragments/multi-v7/veyron.cfg \

    make olddefconfig

@@ -331,7 +339,6 @@ cmd_build_kernel()
    };"

    echo "$kernel_its" > kernel.its
-    mkimage -f kernel.its kernel.itb

    # Install the kernel modules on the rootfs
    sudo make modules_install ARCH=arm INSTALL_MOD_PATH=$CWD/ROOT-A
@@ -345,14 +352,37 @@ cmd_build_vboot()
 {
    # TODO: check vboot-utils is installed

+    source header.verity
+
+    local sectors=$(sudo blockdev --getsz "$CB_SETUP_STORAGE"2)
+
+    mkimage -f kernel/kernel.its kernel/kernel.itb
+ 
    # Install it on the boot partition
-    echo "console=ttyS2,115200n8 console=tty1 init=/sbin/init root=PARTUUID=%U/PARTNROFF=1 rootwait rw noinitrd" > boot_params
+    echo "console=ttyS2,115200n8 console=tty1 init=/sbin/init root=/dev/dm-0 rootwait ro dm_verity.dev_wait=1 dm=\"1 vroot none ro 1,0 $sectors verity $hash_type /dev/sda2 /dev/sda3 $data_block_size $hash_block_size $data_blocks 1 $hash_algorithm $root_hash $salt\"" > boot_params
+    #echo "console=ttyS2,115200n8 console=tty1 init=/sbin/init root=PARTUUID=%U/PARTNROFF=1 rootwait rw noinitrd" > boot_params
    local boot="$CB_SETUP_STORAGE"1
    sudo vbutil_kernel --pack "$boot" --keyblock /usr/share/vboot/devkeys/kernel.keyblock --version 1 --signprivate /usr/share/vboot/devkeys/kernel_data_key.vbprivk --bootloader boot_params --config boot_params --vmlinuz kernel/kernel.itb --arch arm

    echo "Done."
 }

+cmd_build_verity()
+{
+    #TODO: check veritysetup is installed
+
+    # Unmount any partitions mounted
+    sudo umount "$CB_SETUP_STORAGE"? || true
+
+    # Create hash on the device (separate partition)
+    sudo veritysetup format "$CB_SETUP_STORAGE"2 "$CB_SETUP_STORAGE"3 > header.verity
+    # Convert header.verity to a configuration file with verity variables
+    sed -i -e '1d' header.verity
+    sed -i -e 's/./\L&/g' header.verity
+    sed -i -e 's/[[:space:]]\+/_/g' header.verity
+    sed -i -e "s/:_/=/g" header.verity
+}
+
 cmd_do_everything()
 {
    cmd_format_storage
@@ -361,6 +391,7 @@ cmd_do_everything()
    cmd_get_kernel
    cmd_config_kernel
    cmd_build_kernel
+    cmd_build_verity
    cmd_build_vboot

    echo "Ejecting storage device..."