[secureboot] Fix some installation behavior for secureboot (#4980)

This commit is contained in:
Samuel Angebault 2020-07-17 15:07:12 -07:00 committed by GitHub
parent 04615ca98c
commit d8a79bc71e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -76,6 +76,7 @@ fi
image_path="$target_path/$image_name"
hook_path="$image_path/platform/hooks"
data_path="$image_path/platform/data"
boot_image_path="$image_path/$boot_image"
installer_image_path="$image_path/$installer_image"
boot_config="$target_path/boot-config"
@ -106,6 +107,7 @@ clean_flash() {
for f in $(ls -A $target_path); do
if [ $f != "${swipath##*/}" ] &&
[ $f != "boot-config" ] &&
[ $f != "preserve-installer" ] &&
[ $f != "$kernel_params" ] &&
[ $f != "aquota.user" ] &&
[ $f != "old_config" ] &&
@ -254,9 +256,47 @@ cleanup_swi_tmpfs() {
clean_tmpfs "$(dirname "$swipath")"
}
extract_image() {
mkdir -p "$image_path"
SWI_ALREADY_INSTALLED=0
SWI_NOT_INSTALLED=1
SWI_VERSION_MISMATCH=2
SWI_OTHER_VARIANT_INSTALLED=3
is_swi_installed() {
local swi_path="$1"
local swi_version="$(unzip -qp "$swi_path" .imagehash)"
local local_version="$(cat $image_path/.imagehash 2>/dev/null || :)"
if [ -z "$local_version" ]; then
# no image installed for this version
return $SWI_NOT_INSTALLED
fi
if [ "$swi_version" != "$local_version" ]; then
warn "Installed image has a different version than $swipath"
return $SWI_VERSION_MISMATCH
fi
if $secureboot; then
if [ -s "$installer_image_path" ]; then
# secureboot image already installed
return $SWI_ALREADY_INSTALLED
else
# regular image of the same version already installed
return $SWI_OTHER_VARIANT_INSTALLED
fi
else
if [ -s "$boot_image_path" ]; then
# regular image already installed
return $SWI_ALREADY_INSTALLED
else
# secureboot image of the same version already installed
return $SWI_OTHER_VARIANT_INSTALLED
fi
fi
}
extract_image() {
info "Moving swi to a tmpfs"
## Avoid problematic flash usage spike on older systems, also improves I/O
swipath="$(move_swi_to_tmpfs "$swipath")"
@ -308,7 +348,6 @@ extract_image() {
extract_image_secureboot() {
info "Extracting necessary swi content"
mkdir "$image_path"
unzip -oq "$swipath" platform/firsttime .imagehash -d "$image_path"
info "Installing image as $installer_image_path"
@ -608,15 +647,20 @@ run_kexec() {
secureboot_install() {
if [ -e "$image_path" ]; then
warn "Image folder $image_path already exist, wiping..."
rm -rf "$image_path"
warn "Image folder $image_path already exist (likely regular install)"
fi
mkdir -p "$image_path"
info "Installing image as $installer_image_path"
extract_image_secureboot
}
regular_install() {
if [ -e "$image_path" ]; then
warn "Image folder $image_path already exist (likely secureboot install)"
fi
mkdir -p $image_path
info "Generating boot-config, machine.conf and cmdline"
@ -670,6 +714,9 @@ elif [ ! -z "$kexec" ]; then
do_clean=false
fi
# Make sure boot-config exists to avoid noise
touch "$boot_config"
# Verbosity can be defined by the caller, default to false otherwise
verbose=${verbose:-false}
debug=${debug:-false}
@ -693,7 +740,12 @@ if [ -z "$secureboot" ]; then
fi
fi
# preserve original installer during regular install when set
preserve_installer=false
if [ -f "$target_path/preserve-installer" ] ||
[ "$(get_boot_config PRESERVE_INSTALLER)" = "1" ]; then
preserve_installer=true
fi
# enable shell debug mode to get the most verbosity
if $verbose; then
@ -702,21 +754,23 @@ fi
# install the image if newer
if $do_install; then
if ! unzip -l "$swipath" 2>&1 > /dev/null; then
if ! unzip -ql "$swipath" 2>&1 > /dev/null; then
err "The swipath= environment variable does not point to a valid SWI"
exit 1
fi
# check the hash file in the image, and determine to install or just skip
GIT_REVISION="$(unzip -p "$swipath" .imagehash)"
LOCAL_IMAGEHASH="$(cat $image_path/.imagehash 2>/dev/null || true)"
swi_installed=0
is_swi_installed "$swipath" || swi_installed=$?
if [ "$GIT_REVISION" != "$LOCAL_IMAGEHASH" ] || [ ! -z "$force" ]; then
if $do_clean; then
if [ "$swi_installed" -ne $SWI_ALREADY_INSTALLED ] || [ -n "$force" ]; then
if [ "$swi_installed" -eq $SWI_VERSION_MISMATCH ] || [ -n "$force" ]; then
warn "Removing existing installation folder $image_path"
rm -rf $image_path
fi
if [ "$swi_installed" -ne $SWI_OTHER_VARIANT_INSTALLED ] && $do_clean; then
info "Cleaning flash content $target_path"
clean_flash
fi
if $secureboot; then
secureboot_install
else