Leah Rowe has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/51144 )
Change subject: util/chromeos: Use the same inventory each time and verify checksums ......................................................................
util/chromeos: Use the same inventory each time and verify checksums
Coreboot wasn't doing any integrity checks. Furthermore, the latest inventory file from Google was always being used, which meant that it was not certain which version would be used.
This commit uses a version of the inventory from archive.org, verifies its checksum and then, using sha1 checksums defined inside the inventory file, verifies the checksums of recovery images.
This pins the inventory to a known snapshot and lets the script reject any recovery image whose checksum is not listed there, which improves both the security and the reproducibility of the firmware extraction.
Change-Id: If0166518d252a36d8f9a9c17d375fbdd9e3116f6 --- M util/chromeos/crosfirmware.sh 1 file changed, 50 insertions(+), 22 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/44/51144/1
diff --git a/util/chromeos/crosfirmware.sh b/util/chromeos/crosfirmware.sh index 25c88fa..b1ce94d 100755 --- a/util/chromeos/crosfirmware.sh +++ b/util/chromeos/crosfirmware.sh @@ -31,7 +31,7 @@ get_inventory() { _conf=$1 - _url=https://dl.google.com/dl/edgedl/chromeos/recovery/recovery.conf + _url="http://web.archive.org/web/20210211071412/https://dl.google.com/dl/edgedl/ch..."
echo "Downloading recovery image inventory..."
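Review bot: The new `_url=` line fetches the inventory over plain http from web.archive.org; the hard-coded checksum further down catches tampering, but an on-path attacker can still make every run fail, and the archive serves the same snapshot over TLS, so `https://web.archive.org/...` costs nothing. If the intent is the original bytes of recovery.conf, it is worth confirming whether the Wayback raw-fetch form `/web/20210211071412id_/https://...` is needed, since a plain snapshot URL can redirect to a neighbouring capture or alter the body, which would then trip the checksum pin with a misleading "verification failed" message. The curl call in get_inventory is outside the hunk, so whether the download follows redirects or fails on HTTP errors cannot be checked here.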
@@ -42,12 +42,26 @@ { _url=$1 _file=$2 + _cfgfile=$3
echo "Downloading recovery image" curl "$_url" > "$_file.zip" - echo "Decompressing recovery image" - unzip -q "$_file.zip" - rm "$_file.zip" + + _file_sha1="$(sha1sum ${_file}.zip)" + sha1_list="$(grep sha1 ${_cfgfile} | sed 's/sha1=//g')" + + echo "Verifying sha1sum of recovery image from inventory..." + for _sha1 in ${sha1_list}; do + if [ "${_sha1} ${_file}.zip" = "${_file_sha1}" ]; then + unzip -q "${_file}.zip" + rm "${_file}.zip" + echo "...correct sha1sum found. File downloaded and extracted." + return 0 + fi + done + rm "${_file}.zip" + echo "...sha1sum not found in the inventory. Recovery image deleted." + return 1 }
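Review bot: The loop in download_image accepts a match against any `sha1=` line in the inventory rather than the one for the image just fetched, so a served image for a different board, or an older still-listed version of the same board, passes verification; the expected digest should be taken from the stanza that holds this `url=`. The comparison also string-matches sha1sum's whole output line against `"${_sha1} ${_file}.zip"`; if that really is a single space (this rendering may have collapsed whitespace) it can never match, because sha1sum separates digest and name with two spaces, so compare the digest field alone. download_image's name and opening brace sit above the hunk. The rewrite below keeps the `_cfgfile` argument so do_one_board does not change; the `-A11` window mirrors what the "all" loop already uses to read one stanza.

```shell
	_cfgfile=$3
	# … unchanged: "Downloading recovery image" echo and curl download …

	# Take the digest from the stanza that lists this url=, not from any
	# stanza: an image swapped for another board/version must not pass.
	_want_sha1="$(grep -F -A11 -- "url=${_url}" "${_cfgfile}" | grep '^sha1=' | head -n1 | sed 's/^sha1=//')"
	# Compare digests only; sha1sum prints "<digest>  <name>" (two spaces),
	# so matching its whole output line against a hand-built string is fragile.
	_got_sha1="$(sha1sum "${_file}.zip" | cut -d' ' -f1)"

	echo "Verifying sha1sum of recovery image from inventory..."
	if [ -n "${_want_sha1}" ] && [ "${_want_sha1}" = "${_got_sha1}" ]; then
		unzip -q "${_file}.zip"
		rm "${_file}.zip"
		echo "...correct sha1sum found. File downloaded and extracted."
		return 0
	fi
	rm "${_file}.zip"
	echo "...sha1sum does not match the inventory entry for this image. Recovery image deleted." >&2
	return 1
```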
extract_partition() @@ -98,14 +112,19 @@ _board=$1 _url=$2 _file=$3 + _cfgfile=$4 # for searching sha1sums when verifying images
- download_image $_url $_file + download_image $_url $_file $_cfgfile
- extract_partition ROOT-A $_file root-a.ext2 - extract_shellball root-a.ext2 chromeos-firmwareupdate-$_board - rm $_file root-a.ext2 + if [ -f "${_file}" ]; then + extract_partition ROOT-A $_file root-a.ext2 + extract_shellball root-a.ext2 chromeos-firmwareupdate-$_board + rm $_file root-a.ext2
- extract_coreboot chromeos-firmwareupdate-$_board + extract_coreboot chromeos-firmwareupdate-$_board + else + echo "${_file}.zip was not downloaded. Skipping extraction." + fi }
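Review bot: do_one_board ignores download_image's return status and tests `-f "${_file}"` instead, so a leftover `$_file` from an earlier run in the working directory is extracted even when the fresh download just failed verification and was deleted; use the status directly, `if download_image "$_url" "$_file" "$_cfgfile"; then`, quoting the arguments while at it. The else message `"${_file}.zip was not downloaded"` is also misleading, since the zip was downloaded and then removed for a checksum mismatch — `"${_file}.zip failed checksum verification. Skipping extraction."` says what actually happened, and belongs on stderr. do_one_board's signature and opening brace are above the hunk.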
# @@ -116,32 +135,41 @@
exit_if_dependencies_are_missing
-if [ "$BOARD" == "all" ]; then - CONF=$( mktemp ) - get_inventory $CONF +CONF="$( mktemp )" +CONF_SHA1_FILE="$( mktemp )"
+get_inventory "${CONF}" +echo "acaf7450481136e72a1ee6c4fe3a2dea992d028f ${CONF}" > "${CONF_SHA1_FILE}" + +echo "Verifying checksum of downloaded Inventory file" +if ! sha1sum -c "${CONF_SHA1_FILE}" >/dev/null 2>&1; then + echo "$(cat $CONF_SHA1_FILE)" + echo "$(sha1sum $CONF)" + echo "Checksum verification failed. Nothing will be downloaded" + rm -f "${CONF}" "${CONF_SHA1_FILE}" + exit 1 +fi +echo "Checksum verified. Further checks will be performed on recovery images." + +if [ "$BOARD" == "all" ]; then grep ^name= $CONF| while read _line; do name=$( echo $_line | cut -f2 -d= ) echo Processing board $name eval $( grep -v hwid= $CONF | grep -A11 "$_line" | \ grep '(url=|file=)' ) BOARD=$( echo $url | cut -f3 -d_ ) - do_one_board $BOARD $url $file + do_one_board $BOARD $url $file $CONF done - - rm "$CONF" elif [ "$BOARD" != "" ]; then - CONF=$( mktemp ) - get_inventory $CONF - echo Processing board $BOARD - eval $( grep $BOARD $CONF | grep '(url=|file=)' ) - do_one_board $BOARD $url $file - - rm "$CONF" + eval $( grep $BOARD ${CONF} | grep '(url=|file=)' ) + do_one_board $BOARD $url $file $CONF else echo "Usage: $0 <boardname>" echo " $0 all" echo + rm -f "${CONF}" "${CONF_SHA1_FILE}" exit 1 fi + +rm -f "${CONF}" "${CONF_SHA1_FILE}"
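Review bot: The inventory pin writes `"<digest> ${CONF}"` to `CONF_SHA1_FILE` and runs `sha1sum -c` on it; if the separator is really a single space (whitespace may be collapsed in this rendering), GNU coreutils may reject or misparse the line and every run would abort before downloading anything — either write two spaces, or drop the second temp file and compare `"$(sha1sum "${CONF}" | cut -d' ' -f1)"` against the constant. Since this digest is chosen by the script rather than dictated by Google's inventory format, it can be a SHA-256 (`sha256sum`) at no extra cost rather than extending the reliance on SHA-1. Minor: `echo "$(cat $CONF_SHA1_FILE)"` is just `cat "$CONF_SHA1_FILE"`, the failure diagnostics belong on stderr, and `grep $BOARD ${CONF}` still passes an unquoted user argument as a regex.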