harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

use single image for squashfs and dmverity

Browse source
This commit is contained in:
Harald Hoyer 2018-09-11 16:47:20 +02:00
parent 7e93df54b4
commit 1dc7a0fae6
11 changed files with 149 additions and 88 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
10verity/module-setup.sh Executable file
View file

@ -0,0 +1,13 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
depends() {
echo systemd dm
}
install() {
inst_multiple veritysetup systemd-escape
inst_simple "$moddir/verity-generator" \
"$systemdutildir/system-generators/verity-generator"
}

78
10verity/verity-generator Executable file
View file

@ -0,0 +1,78 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
# This script generates a service that manages a dm-verity device for the chosen ROOT partition
set -e
cmdline=( $(</proc/cmdline) )
# Usage: cmdline_arg name default_value
cmdline_arg() {
local name="$1" value="$2"
for arg in "${cmdline[@]}"; do
if [[ "${arg%%=*}" == "${name}" ]]; then
value="${arg#*=}"
fi
done
echo "${value}"
}
UNIT_DIR="${1:-/tmp}"
root=$(cmdline_arg verity.root)
roothash=$(cmdline_arg verity.roothash)
hashoffset=$(cmdline_arg verity.hashoffset)
case "${root}" in
LABEL=*)
root="$(echo $root | sed 's,/,\\x2f,g')"
root="/dev/disk/by-label/${root#LABEL=}"
;;
UUID=*)
root="${root#UUID=}"
root="/dev/disk/by-uuid/${root,,}"
;;
PARTUUID=*)
root="${root#PARTUUID=}"
root="/dev/disk/by-partuuid/${root,,}"
;;
PARTLABEL=*)
root="/dev/disk/by-partlabel/${root#PARTLABEL=}"
;;
esac
# Only proceed if the source is a path.
if [[ "${root}" != /* ]]; then
exit 0
fi
# Only generate the service if we have sufficient parameters.
if [[ -n "${root}" && -n "${roothash}" ]]; then
device=$(systemd-escape --suffix=device --path "${root}")
cat >"${UNIT_DIR}/verity-setup.service" <<-EOF
# Automatically generated by verity-generator
[Unit]
Description=Verity Setup for /dev/mapper/root
SourcePath=/proc/cmdline
DefaultDependencies=no
IgnoreOnIsolate=true
BindsTo=dev-mapper-root.device
BindsTo=${device}
After=${device}
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c '/sbin/veritysetup create root ${hashoffset:+--hash-offset="${hashoffset}"} "${root}" "${root}" "${roothash}"'
ExecStop=/sbin/veritysetup remove root
EOF
requires_dir="${UNIT_DIR}/dev-mapper-root.device.requires"
mkdir -p "${requires_dir}"
ln -sf "../verity-setup.service" "${requires_dir}/verity-setup.service"
fi

14
clonedisk.sh
View file

@ -116,9 +116,7 @@ if ! [[ $UPDATE ]]; then
sfdisk -W always -w always "$OUT" << EOF sfdisk -W always -w always "$OUT" << EOF
label: gpt label: gpt
size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition" size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition"
size=64M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$(blkid -o value -s PARTUUID ${IN}2)
size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root1", uuid=$(blkid -o value -s PARTUUID ${IN}3) size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root1", uuid=$(blkid -o value -s PARTUUID ${IN}3)
size=64M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver2"
size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root2" size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root2"
size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4e, name="swap" size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4e, name="swap"
type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data" type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data"
@ -135,7 +133,7 @@ if [[ ${OUT#/dev/nvme} != $OUT ]]; then
OUT="${OUT}p" OUT="${OUT}p"
fi fi
for i in 1 2 3; do for i in 1 2; do
dd if=${IN}${i} of=${OUT}${i} status=progress dd if=${IN}${i} of=${OUT}${i} status=progress
sfdisk --part-uuid ${OUT_DEV} $i $(blkid -o value -s PARTUUID ${IN}${i}) sfdisk --part-uuid ${OUT_DEV} $i $(blkid -o value -s PARTUUID ${IN}${i})
done done
@ -145,15 +143,15 @@ if ! [[ $UPDATE ]]; then
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# swap # swap
echo -n "zero key" \ echo -n "zero key" \
| cryptsetup luksFormat --type luks2 ${OUT}6 /dev/stdin | cryptsetup luksFormat --type luks2 ${OUT}4 /dev/stdin
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# data # data
echo -n "zero key" \ echo -n "zero key" \
| cryptsetup luksFormat --type luks2 ${OUT}7 /dev/stdin | cryptsetup luksFormat --type luks2 ${OUT}5 /dev/stdin
else else
mkswap ${OUT}6 mkswap ${OUT}4
mkfs.xfs -L data ${OUT}7 mkfs.xfs -L data ${OUT}5
fi fi
fi fi

15
mkimage.sh
View file

@ -106,8 +106,6 @@ trap 'exit 1;' SIGINT
ROOT_HASH=$(<"$SOURCE"/root-hash.txt) ROOT_HASH=$(<"$SOURCE"/root-hash.txt)
ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12} ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12}
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Testdisk # Testdisk
@ -137,18 +135,16 @@ if ! [[ $UPDATE ]]; then
sfdisk "${DEV}" << EOF sfdisk "${DEV}" << EOF
label: gpt label: gpt
size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition" size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition"
size=64MiB, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$HASH_UUID
size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root1", uuid=$ROOT_UUID size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root1", uuid=$ROOT_UUID
type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data" type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data"
EOF EOF
udevadm settle udevadm settle
for i in 1 2 3 4; do for i in 1 2 3; do
wipefs --force --all ${DEV_PART}${i} wipefs --force --all ${DEV_PART}${i}
done done
udevadm settle udevadm settle
else else
sfdisk --part-uuid ${DEV} 2 ${HASH_UUID}
sfdisk --part-uuid ${DEV} 3 ${ROOT_UUID} sfdisk --part-uuid ${DEV} 3 ${ROOT_UUID}
fi fi
@ -164,18 +160,14 @@ mkdir -p "$MY_TMPDIR"/boot/EFI/Boot
cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
umount "$MY_TMPDIR"/boot umount "$MY_TMPDIR"/boot
# ------------------------------------------------------------------------------
# ver1
dd if="$SOURCE"/root.verity.img of=${DEV_PART}2 status=progress
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# root1 # root1
dd if="$SOURCE"/root.squashfs.img of=${DEV_PART}3 status=progress dd if="$SOURCE"/root.img of=${DEV_PART}2 status=progress
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# data # data
if ! [[ $UPDATE ]]; then if ! [[ $UPDATE ]]; then
mkfs.xfs -L data ${DEV_PART}4 mkfs.xfs -L data ${DEV_PART}3
fi fi
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# DONE # DONE
@ -184,4 +176,3 @@ sync
losetup -d $DEV || : losetup -d $DEV || :
eject "$DEV" || : eject "$DEV" || :
sync sync

1
mkrelease.sh
View file

@ -2,7 +2,6 @@
JSON="$(realpath -e $1)" JSON="$(realpath -e $1)"
BASEDIR="${JSON%/*}" BASEDIR="${JSON%/*}"
IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})" IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})"
( (

5
pkglist.txt
View file

@ -76,6 +76,9 @@ libvirt-daemon-config-network
libvirt-daemon-kvm libvirt-daemon-kvm
squashfs-tools squashfs-tools
mc mc
veritysetup
rsync rsync
pesign pesign
nss-tools
gnu-efi-devel
sbsigntools

59
pre-pivot.sh
View file

@ -1,46 +1,27 @@
#!/bin/bash #!/bin/bash
root=$(getarg systemd.verity_root_hash) bootdisk() {
UUID=$({ read -r -n 1 -d '' _; read -n 72 uuid; echo -n ${uuid,,}; } < /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f)
case "$root" in [[ $UUID ]] || return 1
block:LABEL=*|LABEL=*) echo "/dev/disk/by-partuuid/$UUID"
root="${root#block:}" return 0
root="$(echo $root | sed 's,/,\\x2f,g')" }
root="/dev/disk/by-label/${root#LABEL=}"
rootok=1 ;; get_disk() {
block:UUID=*|UUID=*) for dev in /dev/disk/by-path/*; do
root="${root#block:}" [[ $dev -ef $1 ]] || continue
root="${root#UUID=}" echo ${dev%-part*}
root="$(echo $root | tr "[:upper:]" "[:lower:]")" return 0
root="/dev/disk/by-uuid/${root#UUID=}" done
rootok=1 ;; return 1
block:PARTUUID=*|PARTUUID=*) }
root="${root#block:}"
root="${root#PARTUUID=}" BOOTDISK=$(get_disk $(bootdisk))
root="$(echo $root | tr "[:upper:]" "[:lower:]")" [[ $BOOTDISK ]] || die "No boot disk found"
root="/dev/disk/by-partuuid/${root}"
rootok=1 ;;
block:PARTLABEL=*|PARTLABEL=*)
root="${root#block:}"
root="/dev/disk/by-partlabel/${root#PARTLABEL=}"
rootok=1 ;;
/dev/*)
rootok=1 ;;
esac
unset FOUND unset FOUND
for d in /dev/disk/by-path/*; do for swapdev in $BOOTDISK-part*; do
[[ $d -ef $root ]] || continue
FOUND=1
break
done
[[ $FOUND ]] || die "No boot disk found"
disk=${d%-part*}
unset FOUND
for swapdev in $disk*; do
[[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] || continue [[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] || continue
FOUND=1 FOUND=1
break break
@ -83,7 +64,7 @@ fi
unset FOUND unset FOUND
for datadev in $disk*; do for datadev in $BOOTDISK-part*; do
[[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue [[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue
FOUND=1 FOUND=1
break break

24
prepare-root.sh
View file

@ -219,6 +219,7 @@ dnf -v --nogpgcheck \
efibootmgr \ efibootmgr \
jq \ jq \
gnupg2 \ gnupg2 \
veritysetup \
$PKGLIST $PKGLIST
for i in passwd shadow group gshadow subuid subgid; do for i in passwd shadow group gshadow subuid subgid; do
@ -251,6 +252,7 @@ rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
mkdir -p "$sysroot"/overlay/efi mkdir -p "$sysroot"/overlay/efi
cp "${BASEDIR}"/pre-pivot.sh "$sysroot"/pre-pivot.sh cp "${BASEDIR}"/pre-pivot.sh "$sysroot"/pre-pivot.sh
cp -avr "${BASEDIR}"/10verity "$sysroot"/usr/lib/dracut/modules.d/
chmod 0755 "$sysroot"/pre-pivot.sh chmod 0755 "$sysroot"/pre-pivot.sh
KVER=$(cd "$sysroot"/lib/modules/; ls -1d ??* | tail -1) KVER=$(cd "$sysroot"/lib/modules/; ls -1d ??* | tail -1)
@ -265,9 +267,7 @@ chroot "$sysroot" \
dracut -N --kver $KVER --force \ dracut -N --kver $KVER --force \
--filesystems "squashfs vfat xfs" \ --filesystems "squashfs vfat xfs" \
--add-drivers "=drivers/char/tpm" \ --add-drivers "=drivers/char/tpm" \
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo resume" \ -m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity" \
--install /usr/lib/systemd/systemd-veritysetup \
--install /usr/lib/systemd/system-generators/systemd-veritysetup-generator \
--install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \ --install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \ --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
--install "cryptsetup tail sort pwmake mktemp swapon" \ --install "cryptsetup tail sort pwmake mktemp swapon" \
@ -303,7 +303,7 @@ fi
. "${BASEDIR}"/quirks/nss.sh . "${BASEDIR}"/quirks/nss.sh
for q in "${QUIRKS[@]}"; do for q in "${QUIRKS[@]}"; do
. "${BASEDIR}"/quirks/"$q".sh . "${BASEDIR}"/quirks/"$q".sh
done done
@ -469,7 +469,7 @@ mv -v "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux
rm -fr "$sysroot"/{boot,root} rm -fr "$sysroot"/{boot,root}
ln -sfnr "$sysroot"/data/root "$sysroot"/root ln -sfnr "$sysroot"/data/root "$sysroot"/root
mkdir -p "$sysroot"/usr/etc mkdir -p "$sysroot"/usr/etc
mv "$sysroot"/etc/yum.repos.d "$sysroot"/usr/etc/yum.repos.d mv "$sysroot"/etc/yum.repos.d "$sysroot"/usr/etc/yum.repos.d
mkdir "$sysroot"/efi mkdir "$sysroot"/efi
rm -fr "$sysroot"/var/* rm -fr "$sysroot"/var/*
rm -fr "$sysroot"/home/* rm -fr "$sysroot"/home/*
@ -493,11 +493,15 @@ ROOT_HASH=$(veritysetup format "$MY_TMPDIR"/root.squashfs.img "$MY_TMPDIR"/root.
echo "$ROOT_HASH" > "$MY_TMPDIR"/root-hash.txt echo "$ROOT_HASH" > "$MY_TMPDIR"/root-hash.txt
ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12} ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12} ROOT_SIZE=$(stat --printf '%s' "$MY_TMPDIR"/root.squashfs.img)
HASH_SIZE=$(stat --printf '%s' "$MY_TMPDIR"/root.verity.img)
cat "$MY_TMPDIR"/root.verity.img >> "$MY_TMPDIR"/root.squashfs.img
mv "$MY_TMPDIR"/root.squashfs.img "$MY_TMPDIR"/root.img
IMAGE_SIZE=$(stat --printf '%s' "$MY_TMPDIR"/root.img)
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# make bootx64.efi # make bootx64.efi
echo -n "rd.shell=0 quiet video=efifb:nobgrt audit=0 selinux=0 roothash=$ROOT_HASH systemd.verity_root_data=PARTUUID=$ROOT_UUID systemd.verity_root_hash=PARTUUID=$HASH_UUID raid=noautodetect" > "$MY_TMPDIR"/options.txt echo -n "quiet rd.shell=0 video=efifb:nobgrt audit=0 selinux=0 verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt
echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
objcopy \ objcopy \
--add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \ --add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
@ -511,8 +515,7 @@ objcopy \
mkdir -p "$OUTDIR" mkdir -p "$OUTDIR"
mv "$MY_TMPDIR"/root-hash.txt \ mv "$MY_TMPDIR"/root-hash.txt \
"$MY_TMPDIR"/bootx64.efi \ "$MY_TMPDIR"/bootx64.efi \
"$MY_TMPDIR"/root.squashfs.img \ "$MY_TMPDIR"/root.img \
"$MY_TMPDIR"/root.verity.img \
"$MY_TMPDIR"/release.txt \ "$MY_TMPDIR"/release.txt \
"$MY_TMPDIR"/options.txt \ "$MY_TMPDIR"/options.txt \
"$MY_TMPDIR"/linux \ "$MY_TMPDIR"/linux \
@ -524,7 +527,8 @@ chown -R "$USER" "$OUTDIR"
cat > "${OUTDIR%/*}/${NAME}-latest.json" <<EOF cat > "${OUTDIR%/*}/${NAME}-latest.json" <<EOF
{ {
"roothash": "$ROOT_HASH", "roothash": "$ROOT_HASH",
"name" : "${NAME}", "rootsize": "$ROOT_SIZE",
"name" : "${NAME}",
"version" : "${VERSION_ID}" "version" : "${VERSION_ID}"
} }
EOF EOF

4
quirks/nss.sh
View file

@ -39,9 +39,11 @@ sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pa
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del} sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \ sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
"$sysroot"/lib*/libc.so.* \ "$sysroot"/lib*/libc.so.* \
"$sysroot"/usr/lib*/librpmostree-1.so.1 \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so "$sysroot"/usr/lib/systemd/libsystemd-shared*.so
[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] \
&& sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
"$sysroot"/usr/lib*/librpmostree-1.so.1
mkdir -p "$sysroot"/usr/share/factory/home mkdir -p "$sysroot"/usr/share/factory/home
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin

4
squashfs-size.sh
View file

@ -31,7 +31,9 @@ getuint () {
squashfs_size() { squashfs_size() {
size=$(for i in {1..20}; do getword >/dev/null; done; getuint) size=$(for i in {1..20}; do getword >/dev/null; done; getuint)
echo $(((size+4095)/4096*4096)) # super block is 96 bytes
# pad to 4096
echo $(((size+96+4095)/4096*4096))
} }
squashfs_size squashfs_size

20
update.sh
View file

@ -68,15 +68,12 @@ CURRENT_ROOT_HASH=${CURRENT_ROOT_HASH#*roothash=}
CURRENT_ROOT_HASH=${CURRENT_ROOT_HASH%% *} CURRENT_ROOT_HASH=${CURRENT_ROOT_HASH%% *}
CURRENT_ROOT_UUID=${CURRENT_ROOT_HASH:32:8}-${CURRENT_ROOT_HASH:40:4}-${CURRENT_ROOT_HASH:44:4}-${CURRENT_ROOT_HASH:48:4}-${CURRENT_ROOT_HASH:52:12} CURRENT_ROOT_UUID=${CURRENT_ROOT_HASH:32:8}-${CURRENT_ROOT_HASH:40:4}-${CURRENT_ROOT_HASH:44:4}-${CURRENT_ROOT_HASH:48:4}-${CURRENT_ROOT_HASH:52:12}
CURRENT_HASH_UUID=${CURRENT_ROOT_HASH:0:8}-${CURRENT_ROOT_HASH:8:4}-${CURRENT_ROOT_HASH:12:4}-${CURRENT_ROOT_HASH:16:4}-${CURRENT_ROOT_HASH:20:12}
[[ /dev/disk/by-partlabel/root1 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \ [[ /dev/disk/by-partlabel/root1 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \
&& [[ /dev/disk/by-partlabel/ver1 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \
&& NEW_ROOT_NUM=2 && OLD_ROOT_NUM=1 && NEW_ROOT_NUM=2 && OLD_ROOT_NUM=1
[[ /dev/disk/by-partlabel/root2 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \ [[ /dev/disk/by-partlabel/root2 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \
&& [[ /dev/disk/by-partlabel/ver2 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \ && NEW_ROOT_NUM=1 && OLD_ROOT_NUM=2
&& NEW_ROOT_NUM=1 && OLD_ROOT_NUM=2
if ! [[ $NEW_ROOT_NUM ]]; then if ! [[ $NEW_ROOT_NUM ]]; then
echo "Current partitions booted from not found!" echo "Current partitions booted from not found!"
@ -85,18 +82,14 @@ fi
## find base device and partition number ## find base device and partition number
for dev in /dev/disk/by-path/*; do for dev in /dev/disk/by-path/*; do
if ! [[ $VER_PARTNO ]] && [[ /dev/disk/by-partlabel/ver${NEW_ROOT_NUM} -ef $dev ]]; then
VER_PARTNO=${dev##*-part}
ROOT_DEV=${dev%-part*}
fi
if ! [[ $ROOT_PARTNO ]] && [[ /dev/disk/by-partlabel/root${NEW_ROOT_NUM} -ef $dev ]]; then if ! [[ $ROOT_PARTNO ]] && [[ /dev/disk/by-partlabel/root${NEW_ROOT_NUM} -ef $dev ]]; then
ROOT_PARTNO=${dev##*-part} ROOT_PARTNO=${dev##*-part}
ROOT_DEV=${dev%-part*} ROOT_DEV=${dev%-part*}
fi fi
[[ $ROOT_PARTNO ]] && [[ $VER_PARTNO ]] && break [[ $ROOT_PARTNO ]] && break
done done
if ! [[ $ROOT_PARTNO ]] || ! [[ $VER_PARTNO ]] || ! [[ $ROOT_DEV ]]; then if ! [[ $ROOT_PARTNO ]] || ! [[ $ROOT_DEV ]]; then
echo "Couldn't find partition numbers" echo "Couldn't find partition numbers"
exit 1 exit 1
fi fi
@ -136,14 +129,11 @@ if ! [[ $NO_CHECK ]]; then
sha512sum -c sha512sum.txt sha512sum -c sha512sum.txt
fi fi
dd status=progress if=root.verity.img of=/dev/disk/by-partlabel/ver${NEW_ROOT_NUM} dd status=progress if=root.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM}
dd status=progress if=root.squashfs.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM}
# set the new partition uuids # set the new partition uuids
ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12} ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12}
sfdisk --part-uuid ${ROOT_DEV} ${VER_PARTNO} ${HASH_UUID}
sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID} sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
# install to /efi # install to /efi