From 3587784bc4540d365eeb32e7e17c407debc33efb Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Sat, 15 Nov 2014 18:36:27 -0800 Subject: [PATCH] disk_util: Add support for computing verity hashes --- build_library/disk_layout.json | 4 +-- build_library/disk_util | 42 +++++++++++++++++++++++++++++--- build_library/prod_image_util.sh | 4 +-- 3 files changed, 42 insertions(+), 8 deletions(-) diff --git a/build_library/disk_layout.json b/build_library/disk_layout.json index 2b20e54677..c9ae7274d4 100644 --- a/build_library/disk_layout.json +++ b/build_library/disk_layout.json @@ -27,10 +27,10 @@ "uuid":"7130c94a-213a-4e5a-8e26-6cce9662f132", "type":"coreos-rootfs", "blocks":"2097152", - "fs_blocks":"262144", + "fs_blocks":"260094", "fs_type":"ext2", "mount":"/usr", - "features": ["prioritize"] + "features": ["prioritize", "verity"] }, "4":{ "label":"USR-B", diff --git a/build_library/disk_util b/build_library/disk_util index a561b604e6..36dfd6d4ba 100755 --- a/build_library/disk_util +++ b/build_library/disk_util @@ -623,7 +623,7 @@ def Umount(options): Sudo(['umount', '--recursive', '--detach-loop', options.mount_dir]) -def Tune2fsReadWrite(options, partition): +def Tune2fsReadWrite(options, partition, disable_rw): """Enable/Disable read-only hack. From common.sh: @@ -654,9 +654,10 @@ def Tune2fsReadWrite(options, partition): Args: options: Flags passed to the script partition: Config for partition to manipulate + disable_rw: Set to true to disable read-write access """ - if options.disable2fs_rw: + if disable_rw: print "Disabling read-write mounting of partition %s (%s)" % ( partition['num'], partition['label']) else: 
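Review bot: The new `"fs_blocks":"260094"` in disk_layout.json is an unexplained magic number, and the hash area depends on it being exactly right. It appears to leave 2050 blocks (262144 − 260094) after the filesystem, which matches a SHA-256 tree over 260094 data blocks of 4096 bytes (2032 + 16 + 1 hash blocks) plus one block for the verity superblock; the 4096-byte block size is inferred from the old blocks/fs_blocks ratio. JSON cannot hold a comment, so the derivation should go in the commit message or the `Verity` docstring, so that a later resize of the partition does not silently leave too little room for the tree. The following `USR-B` entry is only partly visible here; if it receives the same image, its size and features likely need the same change.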
@@ -665,7 +666,7 @@ def Tune2fsReadWrite(options, partition): # offset of ro_compat, highest order byte (le 32 bit field) flag_offset = 0x464 + 3 - flag_value = 0xff if options.disable2fs_rw else 0x00 + flag_value = 0xff if disable_rw else 0x00 with open(options.disk_image, 'r+') as image: image.seek(partition['first_byte'] + flag_offset) image.write(chr(flag_value)) @@ -705,11 +706,40 @@ def Tune(options): if options.disable2fs_rw is not None: if part.get('fs_type', None) not in ('ext2', 'ext4'): raise Exception("Partition %s is not a ext2 or ext4" % options.partition) - Tune2fsReadWrite(options, part) + Tune2fsReadWrite(options, part, options.disable2fs_rw) else: raise Exception("No options specified!") +def Verity(options): + """Hash verity protected filesystems. + + Args: + options: Flags passed to the script + """ + + config, partitions = LoadPartitionConfig(options) + GetPartitionTableFromImage(options, config, partitions) + + for part_num, part in partitions.iteritems(): + if 'verity' not in part.get('features', []): + continue + + if not part['image_compat']: + raise InvalidLayout("Disk layout is incompatible with existing image") + + if part.get('fs_type', None) in ('ext2', 'ext4'): + Tune2fsReadWrite(options, part, disable_rw=True) + + with PartitionLoop(options, part) as loop_dev: + Sudo(['veritysetup', 'format', '--hash=sha256', + '--data-block-size', part['fs_block_size'], + '--hash-block-size', part['fs_block_size'], + '--data-blocks', part['fs_blocks'], + '--hash-offset', part['fs_bytes'], + loop_dev, loop_dev]) + + def Extract(options): """Write a single partition out to its own image file. 
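Review bot: `Verity` runs `veritysetup format` through `Sudo([...])` and discards the result, so the root hash that the command prints is never captured, returned or written next to the image. The hash tree only protects the partition if that root hash reaches the verifier through a trusted path (for example a signed kernel command line), and as written it survives at best in the build log, assuming `Sudo` does not capture stdout. Capture the command output, extract the `Root hash:` line, and emit it as a build artifact. Without `--salt`, veritysetup also picks a random salt, so two builds of identical content produce different root hashes; pass a fixed or recorded salt if reproducible images matter. The docstring should also state that the read-only flag must be written before hashing, as the code already does, and that any later write to the partition invalidates the tree.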
@@ -979,6 +1009,10 @@ def main(argv): a.add_argument('partition', help='number or label of partition to edit') a.set_defaults(func=Tune) + a = actions.add_parser('verity', help='compute verity hashes') + a.add_argument('disk_image', help='path to disk image file') + a.set_defaults(func=Verity) + a = actions.add_parser('extract', help='extract a single partition') a.add_argument('disk_image', help='path to disk image file') a.add_argument('partition', help='number or label of partition to edit') diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh index 782700dd6f..e712665c8f 100755 --- a/build_library/prod_image_util.sh +++ b/build_library/prod_image_util.sh @@ -76,10 +76,10 @@ EOF finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" - # Make the filesystem un-mountable as read-write. + # Make the filesystem un-mountable as read-write and setup verity. if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ - tune --disable2fs_rw "${BUILD_DIR}/${image_name}" "USR-A" + verity "${BUILD_DIR}/${image_name}" fi upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \
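Review bot: In prod_image_util.sh the `verity` call still sits behind `if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]`, so a build with that flag off produces an image whose layout declares the `verity` feature but has no hash tree. The flag name no longer describes what it controls, which should be stated at the call site, e.g. `# NOTE: verity hashes are only generated when disable_read_write is set; images built without it must not be booted with verity enforced.` The output of `disk_util ... verity` is also not captured or saved here, so nothing carries the root hash forward to `upload_image` or the digests. The old call named `"USR-A"` explicitly, whereas the new one touches every partition with the `verity` feature, which is worth a word in the comment too. The enclosing function starts and ends outside this hunk.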