From 73dfb006998bfca6410411c698ac52595264bb9c Mon Sep 17 00:00:00 2001 From: Boris Kolpackov Date: Wed, 29 Mar 2017 15:06:55 +0200 Subject: Add buildos.toolchain_trust= parameter --- buildos | 9 +++++++++ doc/manual.cli | 14 ++++++++++---- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/buildos b/buildos index c91c554..872a5a0 100755 --- a/buildos +++ b/buildos @@ -101,6 +101,15 @@ else tc_root="/build/tftp" tc_path="$tc_root/$tc_file" tc_ver= + + # If buildos.toolchain_trust was not specified, set it to "no" so that + # we don't prompt if the repository happens to be signed. + # + if [ -n "$toolchain_trust" ]; then + tc_trust="$toolchain_trust" + else + tc_trust="no" + fi fi # Calculate the file checksum using the shaNNNsum utility. diff --git a/doc/manual.cli b/doc/manual.cli index e61caa2..b7aca34 100644 --- a/doc/manual.cli +++ b/doc/manual.cli @@ -126,13 +126,14 @@ label buildos menu label buildos kernel /buildos/buildos-image initrd /buildos/buildos-initrd - append buildos.smtp_relay=example.org buildos.admin_email=admin@example.org buildos.buildid_url=tftp:///buildos/buildos-buildid buildos.toolchain_url=https:///toolchain.sha256 + append buildos.smtp_relay=example.org buildos.admin_email=admin@example.org buildos.buildid_url=tftp:///buildos/buildos-buildid buildos.toolchain_url=https:///toolchain.sha256 buildos.toolchain_trust= EOF \ Where \c{} is the address of the TFTP server (the same address as -returned by the DHCP server to PXE clients) and \c{} is the -host that serves the toolchain archives. Note that all the parameters in +returned by the DHCP server to PXE clients), \c{} is the host +that serves the toolchain archives, and \c{} is the toolchain +repository certificate fingerprint to trust. Note that all the parameters in \c{append} must be specified on a single line.| \li|You can test the setup using QEMU/KVM, for example: 
@@ -295,7 +296,12 @@ buildos.ssh_key=\"ssh-rsa AAA...OA0DB user@host\" The first step performed by the Build OS monitor is to bootstrap the \c{build2} toolchain. The location of the toolchain packages is specified with the \c{buildos.toolchain_url} kernel command line parameter. This URL should -point to the \i{toolchain checksums file}. +point to the \i{toolchain checksums file}. You will also normally need to pass +the \c{buildos.toolchain_trust} parameter which is the toolchain repository +certificate fingerprint that the monitor should trust. Note also that the +bootstrap process (both on the build host and inside build machines) uses the +default toolchain repository location embedded into the build scripts in the +\c{build2-toolchain} package. Each line in the checksums file is the output of the \c{shaNNNsum(1)} utility, that is, the SHANNN sum following by space, an asterisk (\c{*}) which signals -- cgit v1.1
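Review bot: In the buildos hunk (@@ -101,6 +101,15), `tc_trust="$toolchain_trust"` copies any non-empty string from the kernel command line without checking that it has the form of a certificate fingerprint, which is what the manual says the parameter holds. Consider validating the value before it is used and logging when the fallback `tc_trust="no"` is taken, so an operator can see from the monitor output that the parameter was missing rather than discover it from a later failure. The assignment also appears to sit inside the else branch closed by the trailing `fi`; if tc_trust is read after that point, confirm it is set on the other branch as well.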
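Review bot: In the first doc/manual.cli hunk (@@ -126,13 +126,14), the added description "the toolchain repository certificate fingerprint to trust" does not say how the administrator obtains the fingerprint or what form the value takes. Because the value is placed on the `append` line of the PXE boot entry, next to the TFTP-served build id, the pin is only as trustworthy as the boot configuration that delivers it. Suggest adding a sentence that the fingerprint should be obtained out of band from the repository operator, and stating the expected format.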
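Review bot: In the second doc/manual.cli hunk (@@ -295,7 +296,12), "You will also normally need to pass" leaves the omitted case undocumented, although the buildos change in this same patch defines it: tc_trust is set to "no" so that there is no prompt if the repository happens to be signed. Suggest stating that default here, together with what it means for bootstrapping from a signed repository. The following sentence about the default toolchain repository location embedded in the `build2-toolchain` build scripts also leaves open whether the fingerprint applies to that default repository or to the host named in `buildos.toolchain_url`; the text should say which.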