Leah Rowe has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/51168 )
Change subject: util/chromeos: Verify sha1sums of downloaded recovery images ......................................................................
util/chromeos: Verify sha1sums of downloaded recovery images
coreboot wasn't doing any integrity checks. This change adds sha1sum checking on all downloaded recovery images, using sha1sums defined inside Google's own inventory file.
When downloading multiple recovery images, a single verification failure does not stop the process: if one file fails verification, the script still downloads and processes the other files, provided *those* pass verification.
Change-Id: I2b21c89f2d2d89f4a161a0aa5eea904ca547cb80 Signed-off-by: Leah Rowe leah@retroboot.org --- M util/chromeos/crosfirmware.sh 1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/util/chromeos/crosfirmware.sh b/util/chromeos/crosfirmware.sh
index 25c88fa..bf16af8 100755
--- a/util/chromeos/crosfirmware.sh
+++ b/util/chromeos/crosfirmware.sh
@@ -42,12 +42,26 @@
 {
 _url=$1
 _file=$2
+ _cfgfile=$3
 echo "Downloading recovery image"
 curl "$_url" > "$_file.zip"
- echo "Decompressing recovery image"
- unzip -q "$_file.zip"
- rm "$_file.zip"
+
+ _file_sha1="$(sha1sum ${_file}.zip)"
+ sha1_list="$(grep sha1 ${_cfgfile} | sed 's/sha1=//g')"
+
+ echo "Verifying sha1sum of recovery image from inventory..."
+ for _sha1 in ${sha1_list}; do
+ if [ "${_sha1} ${_file}.zip" = "${_file_sha1}" ]; then
+ unzip -q "${_file}.zip"
+ rm "${_file}.zip"
+ echo "...correct sha1sum found. File downloaded and extracted."
+ return 0
+ fi
+ done
+ rm "${_file}.zip"
+ echo "...sha1sum not found in the inventory. Recovery image deleted."
+ return 1
 }
 extract_partition()
@@ -98,14 +112,19 @@
 _board=$1
 _url=$2
 _file=$3
+ _cfgfile=$4 # for searching sha1sums when verifying images
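Review bot: The `if` in the verification loop compares against sha1sum's whole output line, which GNU coreutils prints as `<hash>  <file>` with two spaces (or ` *` in binary mode); the literal here shows a single space, which may be a rendering artefact, but if it is real no image ever verifies and every download is deleted. Comparing the hash field alone removes the dependence on that format: `_file_sha1="$(sha1sum "${_file}.zip" | cut -d' ' -f1)"` and `if [ "${_sha1}" = "${_file_sha1}" ]; then`. A weaker point: `sha1_list` collects every sha1 in the inventory, so a download passes if it matches any listed image rather than the one expected for `${_file}`; narrowing the grep to the inventory record whose `file=` names `${_file}`, or passing the expected sha1 in from the caller, would check what the commit message promises. `${_file}.zip` and `${_cfgfile}` are also unquoted on the `sha1sum` and `grep` lines, unlike the `curl` line just above them. The `download_image()` name line is above the hunk start.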
- download_image $_url $_file
+ download_image $_url $_file $_cfgfile
- extract_partition ROOT-A $_file root-a.ext2
- extract_shellball root-a.ext2 chromeos-firmwareupdate-$_board
- rm $_file root-a.ext2
+ if [ -f "${_file}" ]; then
+ extract_partition ROOT-A $_file root-a.ext2
+ extract_shellball root-a.ext2 chromeos-firmwareupdate-$_board
+ rm $_file root-a.ext2
- extract_coreboot chromeos-firmwareupdate-$_board
+ extract_coreboot chromeos-firmwareupdate-$_board
+ else
+ echo "${_file}.zip was not downloaded. Skipping extraction."
+ fi
 }
 #
@@ -116,6 +135,7 @@
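Review bot: The `-f "${_file}"` test in do_one_board stands in for download_image's return value, and the else message then says the zip "was not downloaded", which is wrong in exactly the case this commit adds: download_image does download the zip, finds no matching sha1, deletes it and returns 1. The existence test can also be satisfied by a stale `${_file}` left behind by an earlier aborted run, which would then be extracted without ever having passed verification. Using the status directly avoids both: `if download_image $_url $_file $_cfgfile; then` in place of the separate call plus `-f` test, and `echo "${_file}: download or sha1sum verification failed. Skipping extraction."` in the else branch. The `do_one_board()` line and its opening brace are above the hunk start.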
 exit_if_dependencies_are_missing
+
 if [ "$BOARD" == "all" ]; then
 CONF=$( mktemp )
 get_inventory $CONF
@@ -126,7 +146,7 @@
 eval $( grep -v hwid= $CONF | grep -A11 "$_line" | \
 grep '(url=|file=)' )
 BOARD=$( echo $url | cut -f3 -d_ )
- do_one_board $BOARD $url $file
+ do_one_board $BOARD $url $file $CONF
 done
 rm "$CONF"
@@ -136,7 +156,7 @@
 echo Processing board $BOARD
 eval $( grep $BOARD $CONF | grep '(url=|file=)' )
- do_one_board $BOARD $url $file
+ do_one_board $BOARD $url $file $CONF
 rm "$CONF"
 else
@@ -145,3 +165,4 @@
 echo
 exit 1
 fi
+