Package containers so they can be mounted with imageloader

Issue description
Use the ImageLoader DBus interface to mount container images prior to running them. Have crosh tell image loader to mount a package and run the container from the returned mount point. Image loader will need to know about the key used to sign the containers.
Mar 17 2017
Mar 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/imageloader/+/08deaaac268bfa4569294ea252bbc93ddbd30067

commit 08deaaac268bfa4569294ea252bbc93ddbd30067
Author: Eric Caruso <ejcaruso@chromium.org>
Date: Wed Mar 29 00:16:57 2017

imageloader: allow Component to search for other keys

This allows us to look for manifest signatures verified with keys other than the prod key simply by widening the name pattern for the manifest signature file.

BUG= chromium:697645
TEST=unit tests, platform_ImageLoaderServer, inspect container with imageloader.sig.2 and expanded pattern and ensure it parses the right key number and finds the signature file

Change-Id: Ie5f635523ac7a81d3bc851b8ae9dfbb2542ba5e1
Reviewed-on: https://chromium-review.googlesource.com/457801
Commit-Ready: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Greg Kerr <kerrnel@chromium.org>

[modify] https://crrev.com/08deaaac268bfa4569294ea252bbc93ddbd30067/component.h
[modify] https://crrev.com/08deaaac268bfa4569294ea252bbc93ddbd30067/component_unittest.cc
[modify] https://crrev.com/08deaaac268bfa4569294ea252bbc93ddbd30067/component.cc
Apr 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/crosutils/+/d343fe595683e16ece6cd58ccf27f53dd0f035cb

commit d343fe595683e16ece6cd58ccf27f53dd0f035cb
Author: Eric Caruso <ejcaruso@chromium.org>
Date: Wed Apr 05 01:12:55 2017

package_to_container: set up for imageloader

This changes the package setup so that we store the directory structure expected by run_oci entirely in the squashfs image, and then set up the rest of the container to be mounted with imageloader.

Since the rootfs is now contained in the squashfs image instead of mounting the squashfs image into the rootfs directory, we also get rid of the root mount point entry in the config.json template for run_oci.

BUG= chromium:697645
TEST=package adb container, mount with imageloader using dev keys, run_oci --unsigned the resulting mount point (or using command introduced in CL:362122)

Change-Id: I9eb40c4865a462e702dbbd9e48ea64dbcb822aa0
Reviewed-on: https://chromium-review.googlesource.com/456924
Commit-Ready: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/d343fe595683e16ece6cd58ccf27f53dd0f035cb/package_to_container
[modify] https://crrev.com/d343fe595683e16ece6cd58ccf27f53dd0f035cb/generic_container_files/config.json
Apr 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/imageloader/+/f7f138f402f90702ba35c481e6f6a900db59cde7

commit f7f138f402f90702ba35c481e6f6a900db59cde7
Author: Eric Caruso <ejcaruso@chromium.org>
Date: Tue Apr 25 21:04:01 2017

imageloader: pass multiple keys around

Component, when loaded, checks which key number it is supposed to use. It now uses this key number to index into the different keys supplied to the imageloader config in order to pick the right one for verifying the component.

BUG= chromium:697645
TEST=unit tests, platform_ImageLoader, add dev key from public_keys as key #2 and use it to successfully mount a PepperFlashPlayer image from testdata

Change-Id: I0be1c4705da426bed495a757944d4ef4e8ae25b8
Reviewed-on: https://chromium-review.googlesource.com/457802
Commit-Ready: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Greg Kerr <kerrnel@chromium.org>

[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/component.h
[add] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/testdata/adb/image.squash
[add] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/public_keys/oci_dev_public.der
[add] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/testdata/adb/imageloader.sig.2
[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/imageloader_impl.h
[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/test_utilities.cc
[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/component.cc
[add] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/testdata/adb/table
[add] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/testdata/adb/imageloader.json
[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/component_unittest.cc
[add] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/testdata/adb/manifest.json
[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/imageloader_main.cc
[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/imageloader_impl.cc
[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/test_utilities.h
[modify] https://crrev.com/f7f138f402f90702ba35c481e6f6a900db59cde7/imageloader_unittest.cc
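
The key-number lookup described in the commit above, sketched as an added example (not imageloader's own code): the signature file name shipped in the component selects which configured key verifies it, and an ambiguous or out-of-range selection is rejected. The `imageloader.sig.<N>` pattern, the 1-based numbering, and the names `ParseKeyNumber` and `SelectKey` are assumptions; signature verification itself is left out.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Assumed naming: "imageloader.sig.<N>", N = 1-based decimal key number.
// Only "imageloader.sig.2" is on the page; the rest is this example's choice.
static const std::string kSigPrefix = "imageloader.sig.";

// Returns the key number encoded in a signature file name, or 0 if the name
// is not exactly prefix + 1..3 digits with no leading zero.
std::size_t ParseKeyNumber(const std::string& name) {
  if (name.compare(0, kSigPrefix.size(), kSigPrefix) != 0) return 0;
  const std::string digits = name.substr(kSigPrefix.size());
  if (digits.empty() || digits.size() > 3 || digits[0] == '0') return 0;
  std::size_t n = 0;
  for (char c : digits) {
    if (c < '0' || c > '9') return 0;
    n = n * 10 + static_cast<std::size_t>(c - '0');
  }
  return n;
}

// Picks the verification key for a component from its file listing.
// Fails closed (nullptr): no signature file, more than one, or a key number
// that does not index into the configured key list.
const std::string* SelectKey(const std::vector<std::string>& files,
                             const std::vector<std::string>& keys) {
  const std::string* chosen = nullptr;
  for (const std::string& f : files) {
    const std::size_t n = ParseKeyNumber(f);
    if (n == 0) continue;                   // not a signature file
    if (chosen != nullptr) return nullptr;  // ambiguous: two signatures
    if (n > keys.size()) return nullptr;    // unknown key slot
    chosen = &keys[n - 1];
  }
  return chosen;
}

int main() {
  // Constructed inputs: placeholder key blobs and a component file listing.
  const std::vector<std::string> keys = {"<prod-key-der>", "<container-key-der>"};
  const std::vector<std::string> files = {"imageloader.json", "imageloader.sig.2",
                                          "manifest.json", "table", "image.squash"};
  const std::string* key = SelectKey(files, keys);
  std::cout << (key ? *key : std::string("rejected")) << "\n";
  return key ? 0 : 1;
}
```

The key number comes from the package being verified, so the bounds check and the single-signature check run before any key material is touched.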
Apr 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/imageloader/+/3653d2336b22d24822d37e07c88edbf06de3c444

commit 3653d2336b22d24822d37e07c88edbf06de3c444
Author: Eric Caruso <ejcaruso@chromium.org>
Date: Wed Apr 26 20:37:04 2017

imageloader: read container key from PEM file

This will be stored on the rootfs as a PEM file. We need to read it and then convert it to DER format so the crypto verifier can use it.

BUG= chromium:697645
TEST=load a component signed with the container key

Change-Id: Ice12072a2406dfe52b294168a37c5ce347a9ff5d
Reviewed-on: https://chromium-review.googlesource.com/457803
Commit-Ready: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Greg Kerr <kerrnel@chromium.org>

[modify] https://crrev.com/3653d2336b22d24822d37e07c88edbf06de3c444/imageloader_main.cc
[modify] https://crrev.com/3653d2336b22d24822d37e07c88edbf06de3c444/imageloader.gyp
Apr 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/1919b169bfb6739db8b31509fd0d6c22427bdadf

commit 1919b169bfb6739db8b31509fd0d6c22427bdadf
Author: Eric Caruso <ejcaruso@chromium.org>
Date: Wed Apr 26 23:19:51 2017

image_signing: change files sign_oci_container looks for

Since we're packing containers in a format imageloader understands, we need to consume imageloader's manifest and produce a signature it knows to look for.

BRANCH=ToT
BUG= chromium:697645
TEST=package adb container, verify imageloader.sig.2 is present

Change-Id: Ied9cdacf1d448a094c1b171bc2bf3b2ae54eb517
Reviewed-on: https://chromium-review.googlesource.com/457102
Commit-Ready: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/1919b169bfb6739db8b31509fd0d6c22427bdadf/scripts/image_signing/sign_oci_container.sh
Apr 27 2017
Everything should be set up correctly so you can just run package_to_container, put the result in a CRX, load it as an extension, and then mount and run the container with mount_extension_image and run_oci.
May 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/febef2af40e1d6ede0567277620aa8a6d8101789

commit febef2af40e1d6ede0567277620aa8a6d8101789
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu May 04 13:07:01 2017

image_signing: fix signing of zip/crx files

Restore the search logic for manifests in subdirs.

BRANCH=None
BUG= chromium:697645
TEST=signed adb/fastboot zip archives

Change-Id: I07a417216ea463cb00d6ead7cd3b61d6e6fa507d
Reviewed-on: https://chromium-review.googlesource.com/494207
Commit-Ready: Hsinyu Chao <hychao@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Eric Caruso <ejcaruso@chromium.org>

[modify] https://crrev.com/febef2af40e1d6ede0567277620aa8a6d8101789/scripts/image_signing/sign_oci_container.sh
May 16 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/cros-signing/+/d63d7a40b8b0ec8e6614c6c9b82ceb4596259f03

commit d63d7a40b8b0ec8e6614c6c9b82ceb4596259f03
Author: Mike Frysinger <vapier@chromium.org>
Date: Tue May 16 19:12:20 2017
Jan 22 2018
May 9 2018
Comment 1 by ejcaruso@chromium.org, Mar 7 2017
Summary: Add squashfs mounter and option signature checking to cros-disks (was: Use image loader for containers from crosh.)