From 6f568e6a94fb7029e110ae2da48816cc0c114cd0 Mon Sep 17 00:00:00 2001 From: Elly Jones Date: Fri, 2 Sep 2011 13:25:04 -0400 Subject: [PATCH] build_kernel_image: use a salt for verity. BUG=chromium-os:12138 TEST=Adhoc TESTED_ON=Kaen Build an image. Look for "Generating root fs hash tree (salt )." in the output. Boot the image, grep for 'salt=' in dmesg. All should be well. Change-Id: If9dbefbd8a875d06ff45cd54704f166c2511c3b7 Signed-off-by: Elly Jones Reviewed-on: http://gerrit.chromium.org/gerrit/7174 --- build_kernel_image.sh | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/build_kernel_image.sh b/build_kernel_image.sh index 6c5c72f7d3..370b0ef0e2 100755 --- a/build_kernel_image.sh +++ b/build_kernel_image.sh @@ -76,6 +76,14 @@ eval set -- "${FLAGS_ARGV}" # Die on error set -e +make_salt() { + # It is not important that the salt be cryptographically strong; it just needs + # to be different for each release. The purpose of the salt is just to ensure + # that if someone collides a block in one release, they can't reuse it in + # future releases. + xxd -l 32 -p -c 32 /dev/urandom +} + verity_args= # Even with a rootfs_image, root= is not changed unless specified. if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then @@ -100,14 +108,16 @@ if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then error "Root file system blocks are not 4k!" fi - info "Generating root fs hash tree." + salt=$(make_salt) + info "Generating root fs hash tree (salt $salt)." # Runs as sudo in case the image is a block device. # First argument to verity is reserved/unused and MUST be 0 table=$(sudo verity mode=create \ alg=${FLAGS_verity_hash_alg} \ payload=${FLAGS_rootfs_image} \ payload_blocks=${root_fs_blocks} \ - hashtree=${FLAGS_rootfs_hash}) + hashtree=${FLAGS_rootfs_hash} \ + salt=$salt) if [[ -f "${FLAGS_rootfs_hash}" ]]; then sudo chmod a+r "${FLAGS_rootfs_hash}" fi