mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-08 13:36:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

disk_util: Add support for computing verity hashes

Browse Source
This commit is contained in:
Michael Marineau 2014-11-15 18:36:27 -08:00
parent 931610d5bb
commit 3587784bc4
3 changed files with 42 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
build_library/disk_layout.json
View File

@ -27,10 +27,10 @@
"uuid":"7130c94a-213a-4e5a-8e26-6cce9662f132", "uuid":"7130c94a-213a-4e5a-8e26-6cce9662f132",
"type":"coreos-rootfs", "type":"coreos-rootfs",
"blocks":"2097152", "blocks":"2097152",
"fs_blocks":"262144", "fs_blocks":"260094",
"fs_type":"ext2", "fs_type":"ext2",
"mount":"/usr", "mount":"/usr",
"features": ["prioritize"] "features": ["prioritize", "verity"]
}, },
"4":{ "4":{
"label":"USR-B", "label":"USR-B",

42
build_library/disk_util
View File

@ -623,7 +623,7 @@ def Umount(options):
Sudo(['umount', '--recursive', '--detach-loop', options.mount_dir]) Sudo(['umount', '--recursive', '--detach-loop', options.mount_dir])
def Tune2fsReadWrite(options, partition): def Tune2fsReadWrite(options, partition, disable_rw):
"""Enable/Disable read-only hack. """Enable/Disable read-only hack.
From common.sh: From common.sh:
@ -654,9 +654,10 @@ def Tune2fsReadWrite(options, partition):
Args: Args:
options: Flags passed to the script options: Flags passed to the script
partition: Config for partition to manipulate partition: Config for partition to manipulate
disable_rw: Set to true to disable read-write access
""" """
if options.disable2fs_rw: if disable_rw:
print "Disabling read-write mounting of partition %s (%s)" % ( print "Disabling read-write mounting of partition %s (%s)" % (
partition['num'], partition['label']) partition['num'], partition['label'])
else: else:
@ -665,7 +666,7 @@ def Tune2fsReadWrite(options, partition):
# offset of ro_compat, highest order byte (le 32 bit field) # offset of ro_compat, highest order byte (le 32 bit field)
flag_offset = 0x464 + 3 flag_offset = 0x464 + 3
flag_value = 0xff if options.disable2fs_rw else 0x00 flag_value = 0xff if disable_rw else 0x00
with open(options.disk_image, 'r+') as image: with open(options.disk_image, 'r+') as image:
image.seek(partition['first_byte'] + flag_offset) image.seek(partition['first_byte'] + flag_offset)
image.write(chr(flag_value)) image.write(chr(flag_value))
@ -705,11 +706,40 @@ def Tune(options):
if options.disable2fs_rw is not None: if options.disable2fs_rw is not None:
if part.get('fs_type', None) not in ('ext2', 'ext4'): if part.get('fs_type', None) not in ('ext2', 'ext4'):
raise Exception("Partition %s is not a ext2 or ext4" % options.partition) raise Exception("Partition %s is not a ext2 or ext4" % options.partition)
Tune2fsReadWrite(options, part) Tune2fsReadWrite(options, part, options.disable2fs_rw)
else: else:
raise Exception("No options specified!") raise Exception("No options specified!")
def Verity(options):
"""Hash verity protected filesystems.
Args:
options: Flags passed to the script
"""
config, partitions = LoadPartitionConfig(options)
GetPartitionTableFromImage(options, config, partitions)
for part_num, part in partitions.iteritems():
if 'verity' not in part.get('features', []):
continue
if not part['image_compat']:
raise InvalidLayout("Disk layout is incompatible with existing image")
if part.get('fs_type', None) in ('ext2', 'ext4'):
Tune2fsReadWrite(options, part, disable_rw=True)
with PartitionLoop(options, part) as loop_dev:
Sudo(['veritysetup', 'format', '--hash=sha256',
'--data-block-size', part['fs_block_size'],
'--hash-block-size', part['fs_block_size'],
'--data-blocks', part['fs_blocks'],
'--hash-offset', part['fs_bytes'],
loop_dev, loop_dev])
def Extract(options): def Extract(options):
"""Write a single partition out to its own image file. """Write a single partition out to its own image file.
@ -979,6 +1009,10 @@ def main(argv):
a.add_argument('partition', help='number or label of partition to edit') a.add_argument('partition', help='number or label of partition to edit')
a.set_defaults(func=Tune) a.set_defaults(func=Tune)
a = actions.add_parser('verity', help='compute verity hashes')
a.add_argument('disk_image', help='path to disk image file')
a.set_defaults(func=Verity)
a = actions.add_parser('extract', help='extract a single partition') a = actions.add_parser('extract', help='extract a single partition')
a.add_argument('disk_image', help='path to disk image file') a.add_argument('disk_image', help='path to disk image file')
a.add_argument('partition', help='number or label of partition to edit') a.add_argument('partition', help='number or label of partition to edit')

4
build_library/prod_image_util.sh
View File

@ -76,10 +76,10 @@ EOF
finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}"
# Make the filesystem un-mountable as read-write. # Make the filesystem un-mountable as read-write and setup verity.
if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
"${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
tune --disable2fs_rw "${BUILD_DIR}/${image_name}" "USR-A" verity "${BUILD_DIR}/${image_name}"
fi fi
upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \ upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \