boot2

verify.sh (4117B)

---

 #!/bin/sh
 ## verify.sh — drive boot0..boot6 off the bundled inputs and compare
 ## the outputs against OUTPUT_MANIFEST.txt.
 ##
 ## This script ships inside a boot2-@ARCH@ release tarball. It
 ## stages the sealed src/ tree at build/@ARCH@/src/ (the layout every
 ## boot/bootN.sh expects), runs the chain end-to-end, then diffs each
 ## per-stage artifact's sha256 against the bundled manifest.
 ##
 ## Usage:
 ##   ./verify.sh                # build + verify (DRIVER=podman default)
 ##   DRIVER=seed ./verify.sh    # re-run inside the boot6-built kernel
 ##                              # (requires one prior DRIVER=podman pass)
 ##   ./verify.sh --check-only   # skip build; just diff existing outputs
 ##
 ## Env passthrough: BOOT3_TIMEOUT, BOOT4_TIMEOUT, BOOT5_TIMEOUT,
 ## BOOT6_TIMEOUT, QEMU_MEM — see boot/boot.sh --help.
 
 set -eu
 
 ARCH=@ARCH@
 KERNEL_NAME=@KERNEL_NAME@
 DRIVER=${DRIVER:-podman}
 
 CHECK_ONLY=0
 case "${1:-}" in
     --check-only) CHECK_ONLY=1 ;;
     -h|--help)
         sed -n '2,18p' "$0" | sed 's/^## \{0,1\}//'
         exit 0
         ;;
     '') ;;
     *) echo "verify.sh: unknown argument '$1' (try --help)" >&2; exit 2 ;;
 esac
 
 case "$DRIVER" in
     podman|seed) ;;
     *) echo "[verify] unknown DRIVER=$DRIVER (expected podman|seed)" >&2; exit 2 ;;
 esac
 
 ROOT=$(cd "$(dirname "$0")" && pwd)
 cd "$ROOT"
 
 # Portable sha256.
 if command -v sha256sum >/dev/null 2>&1; then
     sha256() { sha256sum "$1" | awk '{print $1}'; }
 else
     sha256() { shasum -a 256 "$1" | awk '{print $1}'; }
 fi
 
 # ── (0) macOS/podman preflight ────────────────────────────────────────
 # `podman machine` on macOS only shares /Users/ from the host. Extracting
 # the tarball under /tmp (= /private/tmp) or anywhere outside /Users/
 # makes the bind mounts invisible to the VM and boot0 fails with a
 # cryptic `Error: statfs ... no such file or directory`. Catch it here
 # with a clearer message.
 if [ "$CHECK_ONLY" = 0 ] && [ "$DRIVER" = podman ] && [ "$(uname -s)" = Darwin ]; then
     case "$ROOT" in
         /Users/*) ;;
         *) cat >&2 <<EOF
 [verify] this tarball was extracted to:
 [verify]   $ROOT
 [verify] on macOS, the podman VM only shares /Users/ from the host.
 [verify] Bind mounts under any other path (incl. /tmp, /private/tmp)
 [verify] will fail at runtime. Re-extract somewhere under \$HOME and
 [verify] run ./verify.sh from there.
 EOF
             exit 2 ;;
     esac
 fi
 
 # ── (1) stage sealed src tree into expected layout ────────────────────
 mkdir -p "build/$ARCH"
 if [ ! -d "build/$ARCH/src" ]; then
     echo "[verify] staging src/ -> build/$ARCH/src/"
     cp -R src "build/$ARCH/src"
 fi
 
 # ── (2) drive boot0..boot6 ────────────────────────────────────────────
 if [ "$CHECK_ONLY" = 0 ]; then
     export DRIVER
     for s in 0 1 2 3 4 5 6; do
         echo "[verify] boot$s"
         ./boot/boot$s.sh "$ARCH"
     done
 fi
 
 # ── (3) diff outputs vs OUTPUT_MANIFEST.txt ───────────────────────────
 BUILD_TREE=build/$ARCH/$DRIVER
 echo "[verify] diff $BUILD_TREE vs OUTPUT_MANIFEST.txt"
 fail=0
 ok=0
 miss=0
 while IFS= read -r line; do
     case "$line" in
         ''|\#*) continue ;;
     esac
     want=$(printf '%s' "$line" | awk '{print $1}')
     rel=$(printf '%s' "$line" | awk '{print $2}')
     f=$BUILD_TREE/$rel
     if [ ! -e "$f" ]; then
         printf 'MISSING  %s\n' "$rel"
         miss=$((miss + 1))
         fail=$((fail + 1))
         continue
     fi
     got=$(sha256 "$f")
     if [ "$got" = "$want" ]; then
         printf 'OK       %s\n' "$rel"
         ok=$((ok + 1))
     else
         printf 'DIFFER   %s\n' "$rel"
         printf '         want %s\n' "$want"
         printf '         got  %s\n' "$got"
         fail=$((fail + 1))
     fi
 done < OUTPUT_MANIFEST.txt
 
 echo "[verify] ok=$ok missing=$miss differ=$((fail - miss)) (driver=$DRIVER)"
 if [ "$fail" -gt 0 ]; then
     echo "[verify] FAIL" >&2
     exit 1
 fi
 echo "[verify] PASS"