
HBSD: Teach hbsd-update-build to cross-build

This allows us to support non-amd64 architectures with hbsd-update. Of
main interest is arm64, which can use the same kernel config for all
devices.

While testing this work, I came across the inability to create unsigned
updates due to strong post-build sanity checking. Fix unsigned builds.
Unsigned builds should only be done in the case of testing and should
not be used in production (as was the case here).

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
github-issue:	#224
MFC-to:		10-STABLE
MFC-to:		11-STABLE
lattera committed Dec 23, 2016
1 parent 18c3f5c commit d9664605c173dcb9816d388252408661f49c248d
Showing with 63 additions and 12 deletions.
  1. +63 −12 usr.sbin/hbsd-update/hbsd-update-build
@@ -63,6 +63,8 @@ setup_environment() {
INTEGRIFORCE=1
BUILDSRCSET=1
VERBOSE=0
TARGET=$(uname -m)
TARGET_ARCH=$(uname -p)
}
cleanup_chroot() {
@@ -185,7 +187,41 @@ create_src_conf() {
fi
}
install_binutils() {
local res
debug_print "[*] Cross-build detected. Installing ${TARGET_ARCH}-binutils."
if [ -f /etc/resolv.conf ]; then
cp /etc/resolv.conf ${CHROOTDIR}/etc/resolv.conf
fi
chroot ${CHROOTDIR} \
env ASSUME_ALWAYS_YES=yes \
pkg bootstrap -y
res=${?}
if [ ${res} -gt 0 ]; then
return ${res}
fi
chroot ${CHROOTDIR} \
env ASSUME_ALWAYS_YES=yes \
pkg update
res=${?}
if [ ${res} -gt 0 ]; then
return ${res}
fi
chroot ${CHROOTDIR} \
env ASSUME_ALWAYS_YES=yes \
pkg install -y ${TARGET_ARCH}-binutils
return ${?}
}
prep_release() {
local res
chroot ${CHROOTDIR} \
make -s \
-C /usr/src/release \
@@ -511,9 +547,11 @@ sanity_check_archive() {
return 1
fi
if [ ! -f ${STAGEDIR}/base.txz.sig ]; then
debug_print "[-] Could not find ${STAGEDIR}/base.txz.sig"
return 1
if [ ${UNSIGNED} -eq 0 ]; then
if [ ! -f ${STAGEDIR}/base.txz.sig ]; then
debug_print "[-] Could not find ${STAGEDIR}/base.txz.sig"
return 1
fi
fi
for kernel in ${KERNELS}; do
@@ -522,9 +560,11 @@ sanity_check_archive() {
return 1
fi
if [ ! -f ${STAGEDIR}/kernel-${kernel}.txz.sig ]; then
debug_print "[-] Could not find ${STAGEDIR}/kernel-${kernel}.txz.sig"
return 1
if [ ${UNSIGNED} -eq 0 ]; then
if [ ! -f ${STAGEDIR}/kernel-${kernel}.txz.sig ]; then
debug_print "[-] Could not find ${STAGEDIR}/kernel-${kernel}.txz.sig"
return 1
fi
fi
done
@@ -533,19 +573,23 @@ sanity_check_archive() {
return 1
fi
if [ ! -f ${STAGEDIR}/etcupdate.tbz.sig ]; then
debug_print "[-] Could not find ${STAGEDIR}/etcupdate.tbz.sig"
return 1
if [ ${UNSIGNED} -eq 0 ]; then
if [ ! -f ${STAGEDIR}/etcupdate.tbz.sig ]; then
debug_print "[-] Could not find ${STAGEDIR}/etcupdate.tbz.sig"
return 1
fi
fi
if [ ! -f ${STAGEDIR}/skip.txt ]; then
debug_print "[-] Could not find ${STAGEDIR}/skip.txt"
return 1
fi
if [ ! -f ${STAGEDIR}/skip.txt.sig ]; then
debug_print "[-] Could not find ${STAGEDIR}/skip.txt.sig"
return 1
if [ ${UNSIGNED} -eq 0 ]; then
if [ ! -f ${STAGEDIR}/skip.txt.sig ]; then
debug_print "[-] Could not find ${STAGEDIR}/skip.txt.sig"
return 1
fi
fi
return 0
@@ -595,8 +639,15 @@ main() {
if [ ${USE_EXISTING} -eq 0 ]; then
cleanup_chroot || exit 1
setup_chroot || exit 1
if [ ! $(uname -m) = "${TARGET}" ]; then
install_binutils || exit 1
fi
clone_source || exit 1
create_src_conf || exit 1
export TARGET
export TARGET_ARCH
build_source || exit 1
prep_release || exit 1
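Review bot: The four new `if [ ${UNSIGNED} -eq 0 ]` guards in sanity_check_archive fail open: with the variable unquoted, an empty or non-numeric UNSIGNED makes `[` exit with an error status, so the `.sig` presence check is skipped exactly as if an unsigned build had been requested. Where UNSIGNED is initialised is not visible in these hunks, so this may be unreachable today, but a guard on signature artefacts should default to enforcing; `if [ "${UNSIGNED:-0}" -eq 0 ]; then` treats unset or empty as a signed build, and a non-numeric value is best rejected where the option is parsed. The same guard is repeated for base.txz, each kernel, etcupdate.tbz and skip.txt, so a small helper taking the file name would keep the four copies from drifting apart. sanity_check_archive begins before the first of these hunks. Separately, install_binutils fetches a toolchain package over the network into the build chroot with `${CHROOTDIR}` and `${TARGET_ARCH}` unquoted; quoting both, and adding a comment that names the pkg repository the chroot is expected to trust, would make that build-time dependency explicit.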
