From 9ca3e4c0fe7d060cf73c720df04497ba995fc6d4 Mon Sep 17 00:00:00 2001
From: Elly Jones
Date: Mon, 26 Sep 2011 15:18:19 -0400
Subject: [PATCH] mod_image_for_recovery: reuse salt.

This will prevent the recovery kernel from having a different salt from the rootfs it corresponds to.

BUG=chromium-os:20766
TESTED_ON=kaen
TEST=Adhoc Build a recovery image and do recovery from it.

Change-Id: I96f735e527d807247e09e17aac1ed5b51367f0ef
Signed-off-by: Elly Jones
Reviewed-on: http://gerrit.chromium.org/gerrit/8288
---
bin/cros_make_image_bootable | 6 ++++++
build_image | 2 ++
build_kernel_image.sh | 15 ++++----------
build_library/build_image_util.sh | 10 ++++++++++
4 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/bin/cros_make_image_bootable b/bin/cros_make_image_bootable
index 66703311b5..720c22c5d0 100755
--- a/bin/cros_make_image_bootable
+++ b/bin/cros_make_image_bootable
@@ -34,6 +34,7 @@ assert_inside_chroot
 # Load functions and constants for chromeos-install
 . "/usr/lib/installer/chromeos-common.sh" || \
 die "Unable to load /usr/lib/installer/chromeos-common.sh"
+. "${SCRIPTS_DIR}/build_library/build_image_util.sh" || die "No build_image_util"
 
 set -e
 
@@ -101,6 +102,8 @@ DEFINE_integer verity_max_ios 1024 \
 "Number of outstanding I/O operations dm-verity caps at."
 DEFINE_string verity_algorithm "sha1" \
 "Cryptographic hash algorithm used for kernel vboot."
+DEFINE_string verity_salt "" \
+ "Salt for rootfs hash tree."
 DEFINE_string keys_dir "/usr/share/vboot/devkeys" \
 "Directory containing the signing keys."
 
@@ -137,6 +140,8 @@ DEFINE_string squash_sort_file "" \
 eval set -- "${BOOT_DESC} ${FLAG_OVERRIDES}"
 FLAGS "${@}" || exit 1
 
+[ -z "${FLAGS_verity_salt}" ] && FLAGS_verity_salt=$(make_salt)
+
 # Only now can we die on error. shflags functions leak non-zero error codes,
 # so will die prematurely if 'set -e' is specified before now.
 set -e -u
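Review bot: Nothing in the @@ -137 hunk checks the shape of a caller-supplied `--verity_salt` before it is handed on; the value `make_salt` produces is hex, but one arriving through `BOOT_DESC`/`FLAG_OVERRIDES` can be anything and is passed straight into the `verity` `salt=` parameter by build_kernel_image.sh, presumably failing only at image build or at boot. Right after the fallback line, `[[ "${FLAGS_verity_salt}" =~ ^[0-9a-fA-F]+$ ]] || die "--verity_salt must be a hex string"` would reject it early, and since this sits before `set -e -u` it does not interfere with the shflags status leakage the comment below describes. The @@ -34 hunk sources the whole of build_image_util.sh for this one helper and relies on `SCRIPTS_DIR` being set earlier in the script, which is not visible here.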
@@ -216,6 +221,7 @@ make_image_bootable() {
 --verity_hash_alg=${FLAGS_verity_algorithm} \
 --verity_max_ios=${FLAGS_verity_max_ios} \
 --verity_error_behavior=${FLAGS_verity_error_behavior} \
+--verity_salt=${FLAGS_verity_salt} \
 --root=${cros_root} \
 --keys_dir="${FLAGS_keys_dir}" \
 ${use_dev_keys}
diff --git a/build_image b/build_image
index 9647a4b2c9..ecddc804ac 100755
--- a/build_image
+++ b/build_image
@@ -62,6 +62,8 @@ DEFINE_integer verity_max_ios -1 \
 "Number of outstanding I/O operations dm-verity caps at. Default: -1"
 DEFINE_string verity_algorithm "sha1" \
 "Cryptographic hash algorithm used for kernel vboot. Default : sha1"
+DEFINE_string verity_salt "" \
+ "Root filesystem salt. Default: randomly generated."
 DEFINE_boolean standard_backdoor ${FLAGS_TRUE} \
 "Install standard backdoor credentials for testing"
 DEFINE_string symlink "latest" \
diff --git a/build_kernel_image.sh b/build_kernel_image.sh
index 370b0ef0e2..66f23b3a46 100755
--- a/build_kernel_image.sh
+++ b/build_kernel_image.sh
@@ -68,6 +68,8 @@ DEFINE_integer verity_max_ios -1 \
 "Optional number of outstanding I/O operations. (Default: -1)"
 DEFINE_string verity_hash_alg "sha1" \
 "Cryptographic hash algorithm used for dm-verity. (Default: sha1)"
+DEFINE_string verity_salt "" \
+ "Salt to use for rootfs hash (Default: \"\")"
 
 # Parse flags
 FLAGS "$@" || exit 1
@@ -76,14 +78,6 @@ eval set -- "${FLAGS_ARGV}"
 # Die on error
 set -e
 
-make_salt() {
- # It is not important that the salt be cryptographically strong; it just needs
- # to be different for each release. The purpose of the salt is just to ensure
- # that if someone collides a block in one release, they can't reuse it in
- # future releases.
- xxd -l 32 -p -c 32 /dev/urandom
-}
-
 verity_args=
 # Even with a rootfs_image, root= is not changed unless specified.
 if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
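Review bot: build_kernel_image.sh now accepts an empty salt without complaint: the new `verity_salt` flag in the @@ -68 hunk defaults to `""`, and in the @@ -108 and @@ -117 hunks of the same file that value is logged and passed as `salt=${FLAGS_verity_salt}` to `verity`, whereas the `make_salt` call removed in the @@ -76 hunk generated one unconditionally. A direct invocation without `--verity_salt` therefore presumably builds an unsalted hash tree (or fails inside `verity`, depending on how it treats an empty `salt=`), which is the cross-release block reuse the deleted comment was guarding against. Since `make_salt` no longer lives in this script, fail explicitly inside the `if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]` block before the `verity` call: `[[ -n "${FLAGS_verity_salt}" ]] || { error "--verity_salt is required with --rootfs_hash"; exit 1; }`. In the @@ -216 hunk of cros_make_image_bootable the new argument is passed unquoted as `--verity_salt=${FLAGS_verity_salt}`; the neighbouring `--keys_dir="${FLAGS_keys_dir}"` shows the quoted form, and that function continues outside the hunk.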
@@ -108,8 +102,7 @@ if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
 error "Root file system blocks are not 4k!"
 fi
 
- salt=$(make_salt)
- info "Generating root fs hash tree (salt $salt)."
+ info "Generating root fs hash tree (salt '${FLAGS_verity_salt}')."
 # Runs as sudo in case the image is a block device.
 # First argument to verity is reserved/unused and MUST be 0
 table=$(sudo verity mode=create \
@@ -117,7 +110,7 @@ if [[ -n "${FLAGS_rootfs_image}" && -n "${FLAGS_rootfs_hash}" ]]; then
 payload=${FLAGS_rootfs_image} \
 payload_blocks=${root_fs_blocks} \
 hashtree=${FLAGS_rootfs_hash} \
- salt=$salt)
+ salt=${FLAGS_verity_salt})
 if [[ -f "${FLAGS_rootfs_hash}" ]]; then
 sudo chmod a+r "${FLAGS_rootfs_hash}"
 fi
diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index 0deac8dd4b..ea6b70c084 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -34,6 +34,14 @@ check_blacklist() {
 info "No blacklisted packages found."
 }
 
+make_salt() {
+ # It is not important that the salt be cryptographically strong; it just needs
+ # to be different for each release. The purpose of the salt is just to ensure
+ # that if someone collides a block in one release, they can't reuse it in
+ # future releases.
+ xxd -l 32 -p -c 32 /dev/urandom
+}
+
 # Takes no arguments and populates the configuration for
 # cros_make_image_bootable.
 create_boot_desc() {
@@ -42,6 +50,7 @@ create_boot_desc() {
 enable_rootfs_verification_flag="--enable_rootfs_verification"
 fi
 
+ [ -z "${FLAGS_verity_salt}" ] && FLAGS_verity_salt=$(make_salt)
 cat < ${OUTPUT_DIR}/boot.desc
 --arch="${ARCH}"
 --boot_args="${FLAGS_boot_args}"
@@ -50,6 +59,7 @@ create_boot_desc() {
 --verity_error_behavior="${FLAGS_verity_error_behavior}"
 --verity_max_ios="${FLAGS_verity_max_ios}"
 --verity_algorithm="${FLAGS_verity_algorithm}"
+ --verity_salt="${FLAGS_verity_salt}"
 --keys_dir="${DEVKEYSDIR}"
 --usb_disk="${FLAGS_usb_disk}"
 --nocleanup_dirs
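Review bot: `make_salt` moves into a shared library in the @@ -34 hunk without a contract for its new callers, and the comment that travels with it says only what the salt is not. A header before the function such as `# Outputs: 32 bytes of /dev/urandom as 64 hex characters on stdout; requires xxd.` would tell callers what they get, and a sentence noting that the value is not a secret — create_boot_desc writes it into boot.desc in the @@ -50 hunk and build_kernel_image.sh prints it in the `info` line of its @@ -108 hunk — would stop a later reader from treating it as one. `xxd` is also the function's only external dependency and nothing checks for it; `command -v xxd >/dev/null || die "xxd not found"` (or whichever error helper this library uses) at the top of the function gives a readable failure instead of a bare command-not-found. In the @@ -42 hunk the fallback assigns the global `FLAGS_verity_salt` from inside `create_boot_desc`, whose body starts and ends outside the hunk.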