mod_image_for_recovery: reuse salt.

This will prevent the recovery kernel from having a different salt from the rootfs it corresponds to. BUG=chromium-os:20766 TESTED_ON=kaen TEST=Adhoc Build a recovery image and do recovery from it. Change-Id: I96f735e527d807247e09e17aac1ed5b51367f0ef Signed-off-by: Elly Jones <ellyjones@chromium.org> Reviewed-on: http://gerrit.chromium.org/gerrit/8288
2025-08-10 06:26:57 +02:00 · 2011-09-26 15:18:19 -04:00 · 2011-09-26 15:18:19 -04:00 · 9ca3e4c0fe
commit 9ca3e4c0fe
parent 53eb7a03b8
4 changed files with 22 additions and 11 deletions
--- a/bin/cros_make_image_bootable
+++ b/bin/cros_make_image_bootable
@ -34,6 +34,7 @@ assert_inside_chroot
 # Load functions and constants for chromeos-install
 . "/usr/lib/installer/chromeos-common.sh" || \
  die "Unable to load /usr/lib/installer/chromeos-common.sh"
+. "${SCRIPTS_DIR}/build_library/build_image_util.sh" || die "No build_image_util"

 set -e

@ -101,6 +102,8 @@ DEFINE_integer verity_max_ios 1024 \
  "Number of outstanding I/O operations dm-verity caps at."
 DEFINE_string verity_algorithm "sha1" \
  "Cryptographic hash algorithm used for kernel vboot."
+DEFINE_string verity_salt "" \
+  "Salt for rootfs hash tree."

 DEFINE_string keys_dir "/usr/share/vboot/devkeys" \
  "Directory containing the signing keys."
@ -137,6 +140,8 @@ DEFINE_string squash_sort_file "" \
 eval set -- "${BOOT_DESC} ${FLAG_OVERRIDES}"
 FLAGS "${@}" || exit 1

+[ -z "${FLAGS_verity_salt}" ] && FLAGS_verity_salt=$(make_salt)
+
 # Only now can we die on error.  shflags functions leak non-zero error codes,
 # so will die prematurely if 'set -e' is specified before now.
 set -e -u
@ -216,6 +221,7 @@ make_image_bootable() {
    --verity_hash_alg=${FLAGS_verity_algorithm} \
    --verity_max_ios=${FLAGS_verity_max_ios} \
    --verity_error_behavior=${FLAGS_verity_error_behavior} \
+    --verity_salt=${FLAGS_verity_salt} \
    --root=${cros_root} \
    --keys_dir="${FLAGS_keys_dir}" \
    ${use_dev_keys}
--- a/2
+++ b/2
@ -62,6 +62,8 @@ DEFINE_integer verity_max_ios -1 \
  "Number of outstanding I/O operations dm-verity caps at. Default: -1"
 DEFINE_string verity_algorithm "sha1" \
  "Cryptographic hash algorithm used for kernel vboot. Default : sha1"
+DEFINE_string verity_salt "" \
+  "Root filesystem salt. Default: randomly generated."
 DEFINE_boolean standard_backdoor ${FLAGS_TRUE} \
  "Install standard backdoor credentials for testing"
 DEFINE_string symlink "latest" \
--- a/build_kernel_image.sh
+++ b/build_kernel_image.sh
@ -68,6 +68,8 @@ DEFINE_integer verity_max_ios -1 \
  "Optional number of outstanding I/O operations. (Default: -1)"
 DEFINE_string verity_hash_alg "sha1" \
  "Cryptographic hash algorithm used for dm-verity. (Default: sha1)"
+DEFINE_string verity_salt "" \
+  "Salt to use for rootfs hash (Default: \"\")"

 # Parse flags
 FLAGS "$@" || exit 1
@ -76,14 +78,6 @@ eval set -- "${FLAGS_ARGV}"
 # Die on error
 set -e

-make_salt() {
-  # It is not important that the salt be cryptographically strong; it just needs
-  # to be different for each release. The purpose of the salt is just to ensure
-  # that if someone collides a block in one release, they can't reuse it in
-  # future releases.
-  xxd -l 32 -p -c 32 /dev/urandom
-}
-
 verity_args=
 # Even with a rootfs_image, root= is not changed unless specified.
 if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
@ -108,8 +102,7 @@ if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
    error "Root file system blocks are not 4k!"
  fi

-  salt=$(make_salt)
-  info "Generating root fs hash tree (salt $salt)."
+  info "Generating root fs hash tree (salt '${FLAGS_verity_salt}')."
  # Runs as sudo in case the image is a block device.
  # First argument to verity is reserved/unused and MUST be 0
  table=$(sudo verity mode=create \
@ -117,7 +110,7 @@ if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
                      payload=${FLAGS_rootfs_image} \
                      payload_blocks=${root_fs_blocks} \
                      hashtree=${FLAGS_rootfs_hash} \
-                      salt=$salt)
+                      salt=${FLAGS_verity_salt})
  if [[ -f "${FLAGS_rootfs_hash}" ]]; then
    sudo chmod a+r "${FLAGS_rootfs_hash}"
  fi
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@ -34,6 +34,14 @@ check_blacklist() {
  info "No blacklisted packages found."
 }

+make_salt() {
+  # It is not important that the salt be cryptographically strong; it just needs
+  # to be different for each release. The purpose of the salt is just to ensure
+  # that if someone collides a block in one release, they can't reuse it in
+  # future releases.
+  xxd -l 32 -p -c 32 /dev/urandom
+}
+
 # Takes no arguments and populates the configuration for
 # cros_make_image_bootable.
 create_boot_desc() {
@ -42,6 +50,7 @@ create_boot_desc() {
    enable_rootfs_verification_flag="--enable_rootfs_verification"
  fi

+  [ -z "${FLAGS_verity_salt}" ] && FLAGS_verity_salt=$(make_salt)
  cat <<EOF > ${OUTPUT_DIR}/boot.desc
  --arch="${ARCH}"
  --boot_args="${FLAGS_boot_args}"
@ -50,6 +59,7 @@ create_boot_desc() {
  --verity_error_behavior="${FLAGS_verity_error_behavior}"
  --verity_max_ios="${FLAGS_verity_max_ios}"
  --verity_algorithm="${FLAGS_verity_algorithm}"
+  --verity_salt="${FLAGS_verity_salt}"
  --keys_dir="${DEVKEYSDIR}"
  --usb_disk="${FLAGS_usb_disk}"
  --nocleanup_dirs