lanzatool: skip existing files in esp

nikstur 2022-12-03 13:16:46 +01:00
parent d35ca2d7d3
commit 49a8ae8aec
1 changed files with 28 additions and 14 deletions


@ -65,14 +65,10 @@ impl Installer {
} }
fn install_generation(&self, generation: &Generation) -> Result<()> { fn install_generation(&self, generation: &Generation) -> Result<()> {
println!("Reading bootspec...");
let bootspec = &generation.bootspec; let bootspec = &generation.bootspec;
let esp_paths = EspPaths::new(&self.esp, generation)?; let esp_paths = EspPaths::new(&self.esp, generation)?;
println!("Assembling lanzaboote image...");
let kernel_cmdline = let kernel_cmdline =
assemble_kernel_cmdline(&bootspec.init, bootspec.kernel_params.clone()); assemble_kernel_cmdline(&bootspec.init, bootspec.kernel_params.clone());
@ -84,7 +80,7 @@ impl Installer {
// TODO(Raito): prove to niksnur this is actually acceptable. // TODO(Raito): prove to niksnur this is actually acceptable.
let secure_temp_dir = tempdir()?; let secure_temp_dir = tempdir()?;
println!("Wrapping initrd into a PE binary..."); println!("Appending secrets to initrd...");
let initrd_location = secure_temp_dir.path().join("initrd"); let initrd_location = secure_temp_dir.path().join("initrd");
copy(&bootspec.initrd, &initrd_location)?; copy(&bootspec.initrd, &initrd_location)?;
@ -92,8 +88,6 @@ impl Installer {
append_initrd_secrets(initrd_secrets_script, &initrd_location)?; append_initrd_secrets(initrd_secrets_script, &initrd_location)?;
} }
println!("Sign and copy files to EFI system partition...");
let systemd_boot = bootspec let systemd_boot = bootspec
.toplevel .toplevel
.join("systemd/lib/systemd/boot/efi/systemd-bootx64.efi"); .join("systemd/lib/systemd/boot/efi/systemd-bootx64.efi");
@ -107,9 +101,9 @@ impl Installer {
.try_for_each(|(from, to)| install_signed(&self.key_pair, from, to))?; .try_for_each(|(from, to)| install_signed(&self.key_pair, from, to))?;
// The initrd doesn't need to be signed. Lanzaboote has its // The initrd doesn't need to be signed. Lanzaboote has its
// hash embedded and will refuse loading it when the has // hash embedded and will refuse loading it when the hash
// mismatches. // mismatches.
copy(&initrd_location, &esp_paths.initrd).context("Failed to copy initrd to ESP")?; install(&initrd_location, &esp_paths.initrd).context("Failed to install initrd to ESP")?;
let lanzaboote_image = pe::lanzaboote_image( let lanzaboote_image = pe::lanzaboote_image(
&secure_temp_dir, &secure_temp_dir,
@ -144,13 +138,33 @@ impl Installer {
} }
/// Install a PE file. The PE gets signed in the process. /// Install a PE file. The PE gets signed in the process.
///
/// The file is only signed and copied if it doesn't exist at the destination
fn install_signed(key_pair: &KeyPair, from: &Path, to: &Path) -> Result<()> { fn install_signed(key_pair: &KeyPair, from: &Path, to: &Path) -> Result<()> {
println!("Signing {}...", to.display()); if to.exists() {
println!("{} already exists, skipping...", to.display());
} else {
println!("Signing and installing {}...", to.display());
ensure_parent_dir(to);
key_pair
.sign_and_copy(from, to)
.with_context(|| format!("Failed to copy and sign file from {:?} to {:?}", from, to))?;
}
ensure_parent_dir(to); Ok(())
key_pair }
.sign_and_copy(from, to)
.with_context(|| format!("Failed to copy and sign file from {:?} to {:?}", from, to))?; /// Install an arbitrary file
///
/// The file is only copied if it doesn't exist at the destination
fn install(from: &Path, to: &Path) -> Result<()> {
if to.exists() {
println!("{} already exists, skipping...", to.display());
} else {
println!("Installing {}...", to.display());
ensure_parent_dir(to);
copy(from, to)?;
}
Ok(()) Ok(())
} }
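Review bot: Both `install_signed` and the new `install` treat `to.exists()` as proof that the destination is good, so a file on the ESP that was truncated by an interrupted run, altered on the unauthenticated FAT partition, or produced with an older signing key is never replaced. Going by the comment in `install_generation`, the boot-time signature and embedded-hash checks should still reject such a file, so the likely outcome is a generation that stays unbootable across reinstalls rather than a verification bypass. Consider skipping only when the destination's contents match what would be written, or copying under a temporary name and renaming into place so a partial file never appears under its final name; at minimum document the behaviour, e.g. `/// Note: an existing destination is neither verified nor replaced.` The result of `ensure_parent_dir(to);` also appears to be discarded in both functions; if it returns a `Result` (its definition is outside this page), propagate it with `?`.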