fgblanch · March 6, 2017 17:45 · May 18, 2015
diff --git a/custom.cmdline b/custom.cmdline
@@ -0,0 +1,39 @@
+cros_secure
+console=
+loglevel=7
+init=/sbin/init
+oops=panic
+panic=-1
+root=PARTUUID=%U/PARTNROFF=1
+rootwait
+rw
+dm_verity.error_behavior=3
+dm_verity.max_bios=-1
+dm_verity.dev_wait=0
+dm="1
+vroot
+none
+ro
+1,0
+2506752
+verity
+payload=ROOT_DEV
+hashtree=HASH_DEV
+hashstart=2506752
+alg=sha1
+root_hexdigest=9dcc2a24d40e47f80a2304699901f35dc6454164
+salt=08e5ee74521ce834393c402fde8266511fe8786e269ef5adc283da23ad14c629"
+noinitrd
+vt.global_cursor_default=0
+kern_guid=ef8580f8-11ee-4645-9424-c28102b018b8
+add_efi_memmap
+boot=local
+noresume
+noswap
+i915.modeset=1
+tpm_tis.force=1
+tpm_tis.interrupts=0
+nmi_watchdog=panic,lapic
+i915.enable_psr=1
+lsm.module_locking=0
+disablevmx=off
diff --git a/custom.config b/custom.config
diff --git a/fix-cmdline.sh b/fix-cmdline.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+## https://github.com/dnschneid/crouton/wiki/Repack-kernel-to-Enable-VT_x-for-Virtualbox
+set -e
+
+main() {
+        local part=$1
+        assert matches_rx $part '^[24]$'
+
+        check_crossystem
+        sudo dd if=/dev/sda$part of=$tmp/old_kernel
+        cmdline=$($hack/chromeos-files/futility vbutil_kernel --verify $tmp/old_kernel | tail -1)
+        new_cmdline="$cmdline"
+        echo $new_cmdline | egrep -q " rootwait rw " || {
+                new_cmdline=$(echo $new_cmdline | sed 's/ rootwait ro / rootwait rw /')
+        }
+        echo $new_cmdline | egrep -q "disable_vmx" || {
+                new_cmdline="$new_cmdline disable_vmx=off"
+        }
+        echo $new_cmdline | egrep -q "lsm.module_locking" || {
+                new_cmdline="$new_cmdline lsm.module_locking=0"
+        }
+        if [ "$cmdline" = "$new_cmdline" ]; then
+                fatal "no changes to apply to current cmdline: $cmdline"
+        else
+                echo $new_cmdline > $tmp/new_cmdline
+                $hack/chromeos-files/futility vbutil_kernel \
+                        --repack $tmp/new_kernel \
+                        --signprivate $hack/chromeos-files/kernel_data_key.vbprivk \
+                        --keyblock $hack/chromeos-files/kernel.keyblock \
+                        --oldblob $tmp/old_kernel \
+                        --config $tmp/new_cmdline
+                $hack/chromeos-files/futility vbutil_kernel \
+                        --verify $tmp/new_kernel \
+                        --verbose | \
+                        grep -q "Body verification succeeded" || {
+                                fatal "new kernel verification failed"
+                        }
+                log "saving kernel with new cmdline"
+                $dry_run sudo dd if=$tmp/new_kernel of=/dev/sda$part bs=512 notrunc
+        fi
+}
+
+####
+hack=$(readlink -f $(dirname $0))
+. $hack/functions.sh
+tmp=/tmp/$(basename $0).$$
+mkdir $tmp
+
+if [ "x$1" = x-f ]; then
+        shift
+else
+        log "dry-run mode"
+        dry_run=echo
+fi
+
+ [ "$1" != 2 -a "$1" != 4 ] && {
+        log "Usage: $0 [24]"
+        exit 2
+}
+main $1
diff --git a/functions.sh b/functions.sh
@@ -0,0 +1,27 @@
+log() {
+        echo "$@" 1>&2
+}
+fatal() {
+        log "$0: $@"
+        exit 1
+}
+in_chromeos() {
+        [ -f /usr/sbin/chromeos-postinst ]
+}
+in_chroot() {
+        [ ! -f /usr/sbin/chromeos-postinst ]
+}
+assert() {
+        eval "$@" || fatal "failed assertion: $@"
+}
+# Usage: matches_rx <string> <rx>
+matches_rx() {
+        local value="$1"
+        local rx="$2"
+        echo $value | egrep -q "$rx"
+}
+check_crossystem() {
+        $dry_run sudo $hack/chromeos-files/crossystem dev_boot_signed_only=0
+        [ "$(sudo $hack/chromeos-files/crossystem dev_boot_signed_only)" = 0 ] || \
+                fatal "WARNING - dev_boot_signed_only is set, danger, FIX BEFORE REBOOT!"
+}
diff --git a/install.sh b/install.sh
@@ -0,0 +1,137 @@
+#!/bin/bash
+exec &> >(tee -a "$0.log") 2>&1
+#exec >> install.sh.log 2>&1
+echo "`date`: $0 $@"
+
+kernel_version=3.14.0
+
+## Retrieve some Chrome OS binaries, and the dev keys for signing the kernel.
+get_chromeos_files() {
+        ## Mounts a rootfs to get our files from.
+        sudo mkdir -p /mnt/chromeos-root
+        (sudo mount -o ro /dev/sda3 /mnt/chromeos-root || sudo mount -o ro /dev/sda5 /mnt/chromeos-root) 2> /dev/null
+
+        local files="/usr/bin/crossystem
+                /usr/bin/cgpt
+                /usr/bin/futility
+                /usr/share/vboot/devkeys/kernel_data_key.vbprivk
+                /usr/share/vboot/devkeys/kernel.keyblock"
+        for file in $files; do
+                cp -f /mnt/chromeos-root$file $hack/chromeos-files/
+        done
+}
+
+make_kernel_image() {
+        cp $hack/custom.cmdline /tmp/custom.cmdline
+        echo hfd_time=`date +%F-%H_%M` >>  /tmp/custom.cmdline
+        $hack/chromeos-files/futility vbutil_kernel \
+          --pack $hack/.custom.kernel \
+          --keyblock $hack/chromeos-files/kernel.keyblock \
+          --signprivate $hack/chromeos-files/kernel_data_key.vbprivk \
+          --version 1 \
+          --config /tmp/custom.cmdline \
+          --bootloader $hack/bootstub.efi-x86_64 \
+          --vmlinuz $base/arch/x86/boot/bzImage
+}
+
+cmdline_boot() {
+        ## The cmdline will point to the boot partition with parameters "root" if we are
+        ## running an earlier custom kernel, or with "payload" if we are running normal
+        ## Chrome Os.
+        local current_root_uuid=$(cat /proc/cmdline | \
+                sed 's/.* \(root\|payload\)=PARTUUID=\([0-9a-fA-F-]\+\).*/\2/')
+        #log current_root_uuid: $current_root_uuid
+
+        sudo $hack/chromeos-files/cgpt show /dev/sda | \
+                grep -iB2 "$current_root_uuid" | \
+                head -1 | \
+                awk '{print $3}'
+}
+
+## If we booted from 2 then echo 4, from 4 then echo 2.
+get_next_kern() {
+        set $(sudo $hack/chromeos-files/cgpt show /dev/sda | \
+                egrep ' priority=.* successful=' | \
+                sed 's/.* priority=\([0-9]\+\).*/\1/'| \
+                head -2)
+        local kern_a_priority=$1
+        local kern_b_priority=$2
+        local current_kern
+        if [ $kern_a_priority -gt $kern_b_priority ]; then
+                current_kern=2
+        else
+                current_kern=4
+        fi
+        log current_kern: $current_kern
+        assert matches_rx $current_kern '^[24]$'
+
+        local cmdline_boot=$(cmdline_boot)
+        log cmdline_boot: $cmdline_boot
+        assert matches_rx $cmdline_boot '^[24]$'
+
+        [ $cmdline_boot -eq $current_kern ] || \
+                fatal "/proc/cmdline and cgpt outputs inconsistent, did I already run cgpt to set the next root? Or did a ChromeOS update download?"
+        echo $current_kern | tr 24 42
+}
+
+## Writes kernel to target partition.
+install_kernel() {
+        local part=$1
+        assert matches_rx $part '^[24]$'
+        assert [ -f $base/hack/.custom.kernel ]
+        $dry_run sudo dd if=$base/hack/.custom.kernel of=/dev/sda$part
+}
+
+## Installs modules to /lib/modules in the chroot.
+install_modules() {
+        assert [ -d $base/mod-inst/lib/modules ]
+        assert [ -d /lib/modules/$kernel_version ]
+        local backup=/lib/modules/$kernel_version-$(date +%F-%H_%M)
+        $dry_run cp -r /lib/modules/$kernel_version $backup
+        $dry_run sudo rm -rf /lib/modules/$kernel_version
+        $dry_run sudo cp -r $base/mod-inst/lib/modules/$kernel_version /lib/modules/$kernel_version
+}
+
+## Make sure our kernel is run at next boot.
+prioritise_kernel() {
+        assert matches_rx $1 '^[24]$'
+        $dry_run sudo $hack/chromeos-files/cgpt add -i $1 -S 0 -T 1 -P 15 /dev/sda
+}
+#install_modules_to_rootfs() {
+        #assert matches_rx $1 '^[35]$'
+        #assert [ -d $base/mod-inst/lib/modules ]
+        #sudo mkdir -p /mnt/alt-root
+        #$dry_run sudo mount /dev/sda$1 /mnt/alt-root
+        #$dry_run sudo rm -rf /mnt/alt-root/lib/modules/*
+        #$dry_run sudo cp -r $base/mod-inst/lib/modules /mnt/alt-root/lib/modules/
+        #$dry_run sudo umount /mnt/alt-root
+#}
+
+main() {
+        get_chromeos_files
+        make_kernel_image
+        local next_kern=$(get_next_kern)
+        log "next_kern: $next_kern"
+        if [ ! -z $next_kern ]; then
+                log "Enter to install, Ctrl-C to cancel..."; read
+                install_kernel $next_kern
+                prioritise_kernel $next_kern
+                install_modules
+        fi
+}
+
+####
+set -e
+base=$(readlink -f $(dirname $0)/..)
+hack=$base/hack
+. $hack/functions.sh
+
+if [ "x$1" = x-f ]; then
+        shift
+else
+        log "dry-run mode, for applying changes run: $0 -f $@"
+        dry_run=echo
+fi
+
+trap "(sudo umount /mnt/chromeos-root; sudo rmdir /mnt/chromeos-root) 2> /dev/null; exit" SIGHUP SIGINT SIGTERM EXIT
+main
diff --git a/make.sh b/make.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -ex
+
+cd $(dirname $0)/..
+rm -rf mod-inst
+mkdir mod-inst
+./chromeos/scripts/prepareconfig chromeos-intel-pineview
+cp -v hack/custom.config .config
+#yes "" | make oldconfig
+#export WIFIVERSION="-3.8"
+#make WIFIVERSION="-3.8" oldconfig
+time make WIFIVERSION="-3.8" -j4 bzImage modules
+time make WIFIVERSION="-3.8" INSTALL_MOD_PATH=mod-inst -j4 modules_install