-rwxr-xr-x | buildos | 9 |
-rw-r--r-- | doc/manual.cli | 14 |
2 files changed, 19 insertions, 4 deletions
@@ -101,6 +101,15 @@ else tc_root="/build/tftp" tc_path="$tc_root/$tc_file" tc_ver= + + # If buildos.toolchain_trust was not specified, set it to "no" so that + # we don't prompt if the repository happens to be signed. + # + if [ -n "$toolchain_trust" ]; then + tc_trust="$toolchain_trust" + else + tc_trust="no" + fi fi # Calculate the file checksum using the shaNNNsum utility. diff --git a/doc/manual.cli b/doc/manual.cli index e61caa2..b7aca34 100644 --- a/doc/manual.cli +++ b/doc/manual.cli @@ -126,13 +126,14 @@ label buildos menu label buildos kernel /buildos/buildos-image initrd /buildos/buildos-initrd - append buildos.smtp_relay=example.org buildos.admin_email=admin@example.org buildos.buildid_url=tftp://<os-host>/buildos/buildos-buildid buildos.toolchain_url=https://<toolchain-host>/toolchain.sha256 + append buildos.smtp_relay=example.org buildos.admin_email=admin@example.org buildos.buildid_url=tftp://<os-host>/buildos/buildos-buildid buildos.toolchain_url=https://<toolchain-host>/toolchain.sha256 buildos.toolchain_trust=<repo-fp> EOF \ Where \c{<os-host>} is the address of the TFTP server (the same address as -returned by the DHCP server to PXE clients) and \c{<toolchain-host>} is the -host that serves the toolchain archives. Note that all the parameters in +returned by the DHCP server to PXE clients), \c{<toolchain-host>} is the host +that serves the toolchain archives, and \c{<repo-fp>} is the toolchain +repository certificate fingerprint to trust. Note that all the parameters in \c{append} must be specified on a single line.| \li|You can test the setup using QEMU/KVM, for example: 
@@ -295,7 +296,12 @@ buildos.ssh_key=\"ssh-rsa AAA...OA0DB user@host\" The first step performed by the Build OS monitor is to bootstrap the \c{build2} toolchain. The location of the toolchain packages is specified with the \c{buildos.toolchain_url} kernel command line parameter. This URL should -point to the \i{toolchain checksums file}. +point to the \i{toolchain checksums file}. You will also normally need to pass +the \c{buildos.toolchain_trust} parameter which is the toolchain repository +certificate fingerprint that the monitor should trust. Note also that the +bootstrap process (both on the build host and inside build machines) uses the +default toolchain repository location embedded into the build scripts in the +\c{build2-toolchain} package. Each line in the checksums file is the output of the \c{shaNNNsum(1)} utility, that is, the SHANNN sum following by space, an asterisk (\c{*}) which signals |
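Review bot: In the buildos hunk (@@ -101,6 +101,15), the fallback tc_trust="no" is applied silently, and the comment only says it avoids a prompt; it does not say what then happens when the repository is signed. Please state in the comment whether the bootstrap fails or proceeds without authenticating the certificate in that case, and consider logging a line when buildos.toolchain_trust is absent so the operator can see from the boot log that no fingerprint was pinned. The assignment is also only visible in this else branch; if tc_trust is read after the closing fi, the other branch needs to set it as well. As a style point, the if/else can be shortened to tc_trust="${toolchain_trust:-no}".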
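Review bot: In the first doc/manual.cli hunk (@@ -126,13 +126,14), <repo-fp> is introduced as "the toolchain repository certificate fingerprint to trust" with no indication of its expected format or of how the administrator obtains it, which makes it easy to paste a wrong value. Please add a sentence covering both. Since the append line lives in the PXE configuration served from <os-host>, it is also worth noting in the text that the pinned fingerprint is only as trustworthy as that boot channel.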
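Review bot: In the second doc/manual.cli hunk (@@ -295,7 +296,12), "You will also normally need to pass" leaves the omitted case undocumented, while the buildos change in this same commit defaults the value to "no" in that case. Please document that default and its effect on a signed repository. The following sentence about the default toolchain repository location embedded into the build scripts should also say whether buildos.toolchain_trust applies to that location, since as written the reader cannot tell which repository the fingerprint is checked against.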