starlingx/root
Code Issues Proposed changes

Uprev grub2 and shim

Browse Source 
Uprev grub and shim packages to new versions.  The packages (grub
in particullar) went through a major restructuring, including
name change in output binary packages.  This commit updates
build tools and files to be aware of new names and handle the
new packages

Change-Id: I89636218bdb8e97d39e69e764ae376b643657f50
Depends-On: https://review.openstack.org/#/c/578440
This commit is contained in:
jmckenna 2018-04-06 10:41:53 -04:00
parent 8c847caa3c
commit 3a37c7feed
9 changed files with 56 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
build-tools/build-iso
View File

@ -296,8 +296,6 @@ function init_output_dir {
perl -p -i -e "s/device=sda/device=${DEVICE}/g" $OUTPUT_DIST_DIR/isolinux/isolinux.cfg perl -p -i -e "s/device=sda/device=${DEVICE}/g" $OUTPUT_DIST_DIR/isolinux/isolinux.cfg
fi fi
# Copy UEFI files # Copy UEFI files
\cp -L -ru $DISTRO_REPO_DIR/EFI/* $OUTPUT_DIST_DIR/isolinux/EFI/ \cp -L -ru $DISTRO_REPO_DIR/EFI/* $OUTPUT_DIST_DIR/isolinux/EFI/
\cp -L $INTERNAL_REPO_ROOT/addons/wr-cgcs/layers/cgcs/mwa-beas/bsp-files/grub.cfg $OUTPUT_DIST_DIR/isolinux/EFI/BOOT/grub.cfg \cp -L $INTERNAL_REPO_ROOT/addons/wr-cgcs/layers/cgcs/mwa-beas/bsp-files/grub.cfg $OUTPUT_DIST_DIR/isolinux/EFI/BOOT/grub.cfg
@ -357,7 +355,7 @@ function init_output_dir {
if [ -f "$OUTPUT_DIR/efiboot.img" ]; then if [ -f "$OUTPUT_DIR/efiboot.img" ]; then
# The script update-efiboot-image was run outside the build-iso script, do nothing. # The script update-efiboot-image was run outside the build-iso script, do nothing.
printf " The image file $OUTPUT_DIR/efiboot.img already exist\n" printf " The image file $OUTPUT_DIR/efiboot.img already exists\n"
else else
printf " The image file $OUTPUT_DIR/efiboot.img does not exist \n" printf " The image file $OUTPUT_DIR/efiboot.img does not exist \n"
if [ ! -f "$INTERNAL_REPO_ROOT/build-tools/update-efiboot-image" ]; then if [ ! -f "$INTERNAL_REPO_ROOT/build-tools/update-efiboot-image" ]; then
@ -526,12 +524,13 @@ EOM
\cd $WORKDIR \cd $WORKDIR
extract_pkg_from_local_repo ${CGCS_REPO_DIR} pxe-network-installer extract_pkg_from_local_repo ${CGCS_REPO_DIR} pxe-network-installer
extract_pkg_from_local_repo ${CGCS_REPO_DIR} grub2-efi-pxeboot extract_pkg_from_local_repo ${CGCS_REPO_DIR} grub2-efi-x64-pxeboot
extract_pkg_from_local_repo ${CGCS_REPO_DIR} grub2-efi-x64-modules
\mkdir -p $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/centos/x86_64-efi \mkdir -p $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/centos/x86_64-efi
\cp --preserve=all pxeboot/pxelinux.0 pxeboot/menu.c32 pxeboot/chain.c32 $OUTPUT_DIST_DIR/isolinux/pxeboot && \cp --preserve=all pxeboot/pxelinux.0 pxeboot/menu.c32 pxeboot/chain.c32 $OUTPUT_DIST_DIR/isolinux/pxeboot &&
\cp --preserve=all pxeboot/EFI/centos/x86_64-efi/* $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/centos/x86_64-efi/ && \cp --preserve=all usr/lib/grub/x86_64-efi/* $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/centos/x86_64-efi/ &&
\cp --preserve=all pxeboot/EFI/grubx64.efi $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/ \cp --preserve=all pxeboot/EFI/grubx64.efi $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Error: Could not copy all files from installer" echo "Error: Could not copy all files from installer"

8
build-tools/build-rpms-parallel
View File

@ -54,6 +54,9 @@ SRPM_TO_RPM_MAP_FILE="$DEPENDANCY_DIR/srpm-to-rpm"
UNBUILT_PATTERN_FILE="$MY_REPO/build-data/unbuilt_rpm_patterns" UNBUILT_PATTERN_FILE="$MY_REPO/build-data/unbuilt_rpm_patterns"
IMAGE_INC_FILE="$MY_REPO/build-tools/build_iso/image.inc" IMAGE_INC_FILE="$MY_REPO/build-tools/build_iso/image.inc"
SIGN_SECURE_BOOT="sign-secure-boot"
SIGN_SECURE_BOOT_LOG="sign-secure-boot.log"
export MOCK=/usr/bin/mock export MOCK=/usr/bin/mock
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
@ -261,6 +264,7 @@ recreate_repodata () {
\mv repodata/*comps*xml comps.xml \mv repodata/*comps*xml comps.xml
fi fi
\rm -rf repodata \rm -rf repodata
\rm -rf .repodata
if [ -f comps.xml ]; then if [ -f comps.xml ]; then
$CREATEREPO -g comps.xml --workers $(number_of_cpus) $(pwd) $CREATEREPO -g comps.xml --workers $(number_of_cpus) $(pwd)
else else
@ -2331,9 +2335,9 @@ if [ 0$FORMAL_BUILD -eq 1 ] && [ "$USER" == "jenkins" ]; then
echo "We are jenkins, and we are trying to do a formal build -- calling signing server" echo "We are jenkins, and we are trying to do a formal build -- calling signing server"
echo " to sign boot RPMs with secure boot keys" echo " to sign boot RPMs with secure boot keys"
MY_WORKSPACE=$MY_WORKSPACE_TOP sign-build > $MY_WORKSPACE_TOP/export/sign-build.log 2>&1 MY_WORKSPACE=$MY_WORKSPACE_TOP ${SIGN_SECURE_BOOT} > $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG} 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/sign-build.log" echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG}"
exit 1 exit 1
fi fi
fi fi

8
build-tools/build-rpms-serial
View File

@ -23,6 +23,9 @@ SRPM_TO_RPM_MAP_FILE="$DEPENDANCY_DIR/srpm-to-rpm"
UNBUILT_PATTERN_FILE="$MY_REPO/build-data/unbuilt_rpm_patterns" UNBUILT_PATTERN_FILE="$MY_REPO/build-data/unbuilt_rpm_patterns"
IMAGE_INC_FILE="$MY_REPO/build-tools/build_iso/image.inc" IMAGE_INC_FILE="$MY_REPO/build-tools/build_iso/image.inc"
SIGN_SECURE_BOOT="sign-secure-boot"
SIGN_SECURE_BOOT_LOG="sign-secure-boot.log"
export MOCK=/usr/bin/mock export MOCK=/usr/bin/mock
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
@ -56,6 +59,7 @@ recreate_repodata () {
\mv repodata/*comps*xml comps.xml \mv repodata/*comps*xml comps.xml
fi fi
\rm -rf repodata \rm -rf repodata
\rm -rf .repodata
if [ -f comps.xml ]; then if [ -f comps.xml ]; then
$CREATEREPO -g comps.xml --workers $(number_of_cpus) $(pwd) $CREATEREPO -g comps.xml --workers $(number_of_cpus) $(pwd)
else else
@ -1316,9 +1320,9 @@ if [ 0$FORMAL_BUILD -eq 1 ] && [ "$USER" == "jenkins" ]; then
echo "We are jenkins, and we are trying to do a formal build -- calling signing server" echo "We are jenkins, and we are trying to do a formal build -- calling signing server"
echo " to sign boot RPMs with secure boot keys" echo " to sign boot RPMs with secure boot keys"
MY_WORKSPACE=$MY_WORKSPACE_TOP sign-build > $MY_WORKSPACE_TOP/export/sign-build.log 2>&1 MY_WORKSPACE=$MY_WORKSPACE_TOP ${SIGN_SECURE_BOOT} > $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG} 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/sign-build.log" echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG}.log"
exit 1 exit 1
fi fi
fi fi

4
build-tools/build_iso/image.inc
View File

@ -21,9 +21,7 @@ dpkg
filesystem-scripts filesystem-scripts
fm-api fm-api
gdb gdb
grub2 grub2-efi-x64-modules
grub2-efi
grub2-efi-modules
grub2-tools grub2-tools
haproxy haproxy
io-monitor io-monitor

5
build-tools/build_iso/minimal_rpm_list.txt
View File

@ -74,7 +74,7 @@ gpgme
grep grep
groff-base groff-base
grub2 grub2
grub2-efi grub2-efi-x64
grub2-tools grub2-tools
grubby grubby
gsettings-desktop-schemas gsettings-desktop-schemas
@ -229,8 +229,7 @@ rpm-libs
rpm-python rpm-python
sed sed
shared-mime-info shared-mime-info
shim shim-x64
shim-unsigned
slang slang
snappy snappy
sqlite sqlite

2
build-tools/mk/_sign_pkgs.mk
View File

@ -9,7 +9,7 @@ PKGS_LIST := $(wildcard *.rpm)
# we need to skip the signature of some packages that # we need to skip the signature of some packages that
# might be installed in file systems that do not support extended attributes # might be installed in file systems that do not support extended attributes
# in the case of shim- and grub2-efi-, the UEFI configuration installs them in a VFAT file system # in the case of shim- and grub2-efi-, the UEFI configuration installs them in a VFAT file system
PKGS_TO_SKIP := $(wildcard grub2-efi-[0-9]*.x86_64.rpm shim-[0-9]*.x86_64.rpm) PKGS_TO_SKIP := $(wildcard grub2-efi-[0-9]*.x86_64.rpm grub2-efi-x64-[0-9]*.x86_64.rpm shim-[0-9]*.x86_64.rpm shim-x64-[0-9]*.x86_64.rpm shim-ia32-[0-9]*.x86_64)
PKGS_TO_SIGN = $(filter-out $(PKGS_TO_SKIP),$(PKGS_LIST)) PKGS_TO_SIGN = $(filter-out $(PKGS_TO_SKIP),$(PKGS_LIST))

4
build-tools/patch-iso
View File

@ -259,13 +259,13 @@ fi
\mkdir extract \mkdir extract
\cd extract \cd extract
extract_pkg_from_patch_repo grub2-efi-pxeboot extract_pkg_from_patch_repo grub2-x64-efi-pxeboot
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
# Replace files # Replace files
\rm -f ${BUILDDIR}/pxeboot/EFI/grubx64.efi && \rm -f ${BUILDDIR}/pxeboot/EFI/grubx64.efi &&
\cp --preserve=all pxeboot/EFI/grubx64.efi ${BUILDDIR}/pxeboot/EFI/ \cp --preserve=all pxeboot/EFI/grubx64.efi ${BUILDDIR}/pxeboot/EFI/
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Error: Failed to copy grub2-efi-pxeboot files" echo "Error: Failed to copy grub2-x64-efi-pxeboot files"
exit 1 exit 1
fi fi
fi fi

22
build-tools/sign-build → build-tools/sign-secure-boot
View File

@ -165,12 +165,19 @@ function update_repo
return $RETCODE return $RETCODE
} }
# sign_shims - find and sign any shim package that we need to # sign_shims - find and sign any shim package that we need
# Note that shim might produce a "shim-unsigned-[verison-release]
# package (old shim) or shim-unsigned-x64-[v-r] &
# shim-unsigned-ia32 package (new shim). In the case of new shim,
# we must do x64 only, and not ia32.
# #
function sign_shims function sign_shims
{ {
SHIM=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "shim-unsigned-*.$ARCH.rpm" | grep -v debuginfo` SHIM=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "shim-unsigned-x64-*.$ARCH.rpm" | grep -v debuginfo`
if [ "x${SHIM}" == "x" ]; then if [ -z "$SHIM" ]; then
SHIM=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "shim-unsigned-*.$ARCH.rpm" | grep -v debuginfo`
fi
if [ -z "${SHIM}" ]; then
echo "Warning -- cannot find shim package to sign" echo "Warning -- cannot find shim package to sign"
return 0 return 0
fi fi
@ -186,8 +193,8 @@ function sign_shims
# #
function sign_grubs function sign_grubs
{ {
GRUB=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "grub2-efi-[1-9]*.$ARCH.rpm"` GRUB=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "grub2-efi-x64-[1-9]*.$ARCH.rpm"`
UNSIGNED_GRUB=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "grub2-efi-unsigned*.$ARCH.rpm"` UNSIGNED_GRUB=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "grub2-efi-x64-unsigned*.$ARCH.rpm"`
if [ "x${GRUB}" == "x" ]; then if [ "x${GRUB}" == "x" ]; then
echo "Warning -- cannot find GRUB package to sign" echo "Warning -- cannot find GRUB package to sign"
return 0 return 0
@ -324,7 +331,8 @@ function sign
fi fi
# upload the unsigned package (if specified) # upload the unsigned package (if specified)
if [ "x$UNSIGNED" != "x" ]; then if [ "x$UNSIGNED" != "x" ]; then
echo "Uploading unsigned: $UNSIGNED"
scp -q $UNSIGNED $SIGNING_USER@$SIGNING_SERVER:$UPLOAD_PATH scp -q $UNSIGNED $SIGNING_USER@$SIGNING_SERVER:$UPLOAD_PATH
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Failed to upload file $UNSIGNED" echo "Failed to upload file $UNSIGNED"
@ -356,7 +364,7 @@ function sign
# and examine them later without them being overwriten. File paths are # and examine them later without them being overwriten. File paths are
# typically of the form # typically of the form
# #
# /export/signed_images/XXXXXXX_grub2-efi-2.02-0.44.el7.centos.tis.3.x86_64.rpm # /export/signed_images/XXXXXXX_grub2-efi-64-2.02-0.44.el7.centos.tis.3.x86_64.rpm
# #
# Extract the output name, and copy the RPM back into our system # Extract the output name, and copy the RPM back into our system
# (Note that we overwrite our original version of the RPM) # (Note that we overwrite our original version of the RPM)

21
build-tools/update-efiboot-image
View File

@ -62,6 +62,8 @@ function setup_env_vars {
fi fi
} }
printf " Calling $0\n"
setup_env_vars setup_env_vars
printf " Calling $(basename $0)\n" printf " Calling $(basename $0)\n"
@ -136,8 +138,23 @@ ${SUDOPREFIX} cp $INTERNAL_REPO_ROOT/addons/wr-cgcs/layers/cgcs/mwa-beas/bsp-fil
# To do this, we extract the RPMS, grab the two executables we need, and replace # To do this, we extract the RPMS, grab the two executables we need, and replace
# the ones in the current filesystem # the ones in the current filesystem
TMPDIR=`mktemp -d` TMPDIR=`mktemp -d`
SHIMPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/shim-[0-9]*.x86_64.rpm` SHIMPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/shim-x64-[0-9]*.x86_64.rpm`
GRUBPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/grub2-efi-[0-9]*.x86_64.rpm` if [ -z "$SHIMPKG" ]; then
SHIMPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/shim-[0-9]*.x86_64.rpm`
fi
if [ -z "$SHIMPKG" ]; then
printf " Error -- could not locate shim binary package"
exit 1
fi
GRUBPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/grub2-efi-x64-[0-9]*.x86_64.rpm`
if [ -z "$GRUBPKG" ]; then
GRUBPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/grub2-efi-[0-9]*.x86_64.rpm`
fi
if [ -z "$GRUBPKG" ]; then
printf " Error -- could not locate grub binary package"
exit 1
fi
pushd $TMPDIR >/dev/null pushd $TMPDIR >/dev/null
rpm2cpio $SHIMPKG | cpio -id --quiet rpm2cpio $SHIMPKG | cpio -id --quiet