author: John Ogness <john.ogness@linutronix.de> 2018-04-20 17:04:38 +0200
committer: John Ogness <john.ogness@linutronix.de> 2018-04-20 17:04:38 +0200
commit: b4a7273e62d0e9e8acc7f4a56239e34a4b8eda2c
tree: 49fcd2d3aa338d21c5a4435deb76a6808a1be100
parent: 27605a4b4aa3ec0a50391d6367b2ea0a9de17b91
secureboot: add make_lxtrainer_secureboot.sh script

Eventually the lx-trainer image will come with secure boot automatically. But for now, we have to manually adjust the image. Here is a script to do that. Also update the README.

Signed-off-by: John Ogness <john.ogness@linutronix.de>

-rw-r--r-- lx-trainer-vm/README 43
-rwxr-xr-x lx-trainer-vm/make_lxtrainer_secureboot.sh 60
2 files changed, 94 insertions, 9 deletions
diff --git a/lx-trainer-vm/README b/lx-trainer-vm/README
index cff2cc9..80dd422 100644
--- a/lx-trainer-vm/README
+++ b/lx-trainer-vm/README
@@ -1,21 +1,30 @@
lx-trainer
==========
-v2017-12-19
+v2018-04-20
John Ogness <john.ogness@linutronix.de>
+
+lx-trainer-vm.xml
+~~~~~~~~~~~~~~~~~
+
lx-trainer is our disk image for all trainings.
-To build the image, elbe 2.1 or higher is needed. It is recommended to run
-elbe from nereus.lab.linutronix.de because toolchain and eclipse software
-are readily available via http mirror.
+To build the image, git devel/elbe-3.0 is needed. It is recommended to run
+elbe from nereus.lab.linutronix.de because the toolchain and eclipse
+software are readily available via http mirror.
+
+elbe generates the complete root filesystem on one partition (16GB in
+size). The generated image is fully functional and has enough space for
+most trainings as is.
-elbe generates all data on 1 partition (16GB in size). This image is fully
-functional and has enough space for most trainings.
+
+dd-multi.sh
+~~~~~~~~~~~
The "dd-multi.sh" script will copy the generated training image in parallel
to multiple devices. It will also:
- - create and format a 2nd partition
+ - create and format a 2nd partition filling the rest of the disk
- move /home/* to the new partition
- adjust /etc/fstab to mount the 2nd partition to /home
- unpack any provided layer tarballs
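
Review bot: The dd-multi.sh list entry "create and format a 2nd partition filling the rest of the disk" is ambiguous now that make_lxtrainer_secureboot.sh, added in this same commit, mounts ${DEV}p2 as the UEFI partition and ${DEV}p3 to read /boot/grub/grub.cfg, so the generated image already has a partition 2. The paragraph above says elbe generates the root filesystem "on one partition" without mentioning the others. Suggest describing the actual partition layout of the generated image in the lx-trainer-vm.xml section and wording the list entry as an additional partition for /home, so readers do not confuse it with the existing second partition.
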
@@ -27,5 +36,21 @@ The script can be run like this:
--layer=./stuff1.tar --layer=./stuff2.tar \
/dev/sde /dev/sdf /dev/sdg
-Layer tarballs are unpacked from within the chroot'd trainer system as
-root but using the --numeric-owner option.
+Layer tarballs are unpacked using --numeric-owner to avoid any accidental
+incorrect username/uid and group/gid mappings. For the trainer image, the
+"devel" user has uid/gid 1000/1000. So for files intended for devel's home
+it is recommend to create the layer tarball using:
+
+ tar cvf mylayer.tar --owner=1000 --group=1000 --numeric-owner mydir
+
+
+make_lxtrainer_secureboot.sh
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The "make_lxtrainer_secureboot.sh" script will convert the generated
+image to use secure boot. This should be run on the generated image
+*before* it is copied to the devices. The script assumes lx-trainer.img
+is located in the current working directory and it will modify this
+file in place.
+
+At some point this script will not be needed. But until then...
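
Review bot: The new make_lxtrainer_secureboot.sh section does not state what the script needs in order to run: going by the script itself it must be run as root, it downloads three packages from de.archive.ubuntu.com, and it mounts on /mnt. Since lx-trainer.img is modified in place, suggest also telling the reader to keep a copy of the image before running it. Minor: "it is recommend to create the layer tarball" in the layer tarball paragraph should read "it is recommended".
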
diff --git a/lx-trainer-vm/make_lxtrainer_secureboot.sh b/lx-trainer-vm/make_lxtrainer_secureboot.sh
new file mode 100755
index 0000000..1b77bc9
--- /dev/null
+++ b/lx-trainer-vm/make_lxtrainer_secureboot.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+set -e
+
+MAIN="http://de.archive.ubuntu.com/ubuntu/pool/main"
+
+if [ ! -f "lx-trainer.img" ]; then
+ echo "error: lx-trainer.img missing"
+ exit 1
+fi
+
+if [ `id -u` -ne 0 ]; then
+ echo "sorry, must run as root"
+ exit 1
+fi
+
+# prepare temp space
+TMPD="/tmp/tmp-lxtrainer-uefi"
+rm -rf $TMPD
+mkdir -p $TMPD
+
+# download signed uefi packages from ubuntu
+wget --continue $MAIN/g/grub2/grub-common_2.02~beta3-4ubuntu7_amd64.deb -O $TMPD/1.deb
+wget --continue $MAIN/g/grub2-signed/grub-efi-amd64-signed_1.85+2.02~beta3-4ubuntu7_amd64.deb -O $TMPD/2.deb
+wget --continue $MAIN/s/shim-signed/shim-signed_1.32+0.9+1474479173.6c180c6-1ubuntu1_amd64.deb -O $TMPD/3.deb
+
+# unpack packages
+dpkg -x $TMPD/1.deb $TMPD/1
+dpkg -x $TMPD/2.deb $TMPD/2
+dpkg -x $TMPD/3.deb $TMPD/3
+
+# setup loop device for image
+DEV=`sudo losetup --show -P -f lx-trainer.img`
+
+# extract grub.cfg from image
+sudo mount ${DEV}p3 /mnt
+cp /mnt/boot/grub/grub.cfg $TMPD/
+sudo umount /mnt
+
+# setup uefi partition
+sudo mount ${DEV}p2 /mnt
+if [ -d "/mnt/EFI/BOOT" ]; then
+ sudo mkdir -p /mnt/EFI/ubuntu
+ sudo mkdir -p /mnt/EFI/ubuntu/fonts
+ if [ -f "/mnt/EFI/BOOT/BOOTX64.EFI" ]; then
+ sudo mv /mnt/EFI/BOOT/BOOTX64.EFI /mnt/EFI/BOOT/BOOTX64.EFI.debian
+ fi
+ sudo cp $TMPD/1/usr/share/grub/unicode.pf2 /mnt/EFI/ubuntu/fonts/
+ sudo cp $TMPD/2/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed /mnt/EFI/BOOT/grubx64.efi
+ sudo cp $TMPD/3/usr/lib/shim/shimx64.efi.signed /mnt/EFI/BOOT/BOOTX64.EFI
+ sudo cp $TMPD/grub.cfg /mnt/EFI/ubuntu/
+else
+ echo "error: no UEFI found on lx-trainer.img"
+fi
+sudo umount /mnt
+
+# cleanup loop device
+sudo losetup -d $DEV
+
+# cleanup temp space
+rm -rf $TMPD
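
Review bot: The three wget lines fetch grub-common, grub-efi-amd64-signed and shim-signed over plain http (MAIN="http://de.archive.ubuntu.com/ubuntu/pool/main") and the files go straight to dpkg -x with no checksum or signature check, while the script runs as root and copies the results into EFI/BOOT as the image's boot chain. The package versions are already pinned in the URLs, so suggest adding the expected SHA256 of each .deb to the script and checking it with sha256sum -c before unpacking. Further points in this file: TMPD is a fixed path under /tmp that is removed and recreated as root, so mktemp -d would be safer; with set -e any failure after losetup leaves the loop device attached and possibly /mnt mounted, so a trap that unmounts and runs losetup -d is needed; the "error: no UEFI found on lx-trainer.img" branch only echoes and the script still exits 0, so it should exit 1 after cleanup; and the sudo prefixes are redundant after the id -u check.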