Google Git
Sign in
cos / third_party / overlays / chromiumos-overlay / f35bcfec90d3e6dbee5410f9ee4de6b5e31c88d2 / . / chromeos-base / verity / files / support-new-dm-verity-format.patch
blob: 7ca01982fb018e6b310cae8976a5046e5a1e0e54 [file] [log] [blame]
From aa8554610451cf297f3da99ac65e53439a2d6169 Mon Sep 17 00:00:00 2001
From: Meena Shanmugam <meenashanmugam@google.com>
Date: Mon, 10 Oct 2022 00:32:50 +0000
Subject: [PATCH] LAKITU:verity: Add support to print new and old dm-verity
format.
Current verity tool returns old dm-verity format. COS plan to use the
new dm verity format in the upcoming release. Added a version option to
specify the dm verity format. If no option is given, it returns old
format by default. Once the patch is upstreamed and SDK tool is updated
with this option, this patch can be removed.
Change-Id: If21c2d164c1cd0bede24d551e32ae71b8293eead
---
verity/file_hasher.cc | 54 +++++++++++++++++++++++++++++++------------
verity/file_hasher.h | 4 ++--
verity/verity_main.cc | 16 ++++++++++---
3 files changed, 54 insertions(+), 20 deletions(-)
diff --git a/file_hasher.cc b/file_hasher.cc
index f3624bf1ae..f5ec32a7f0 100644
--- a/file_hasher.cc
+++ b/file_hasher.cc
@@ -146,7 +146,8 @@ const char* FileHasher::RandomSalt() {
return random_salt_;
}
-std::string FileHasher::GetTable(bool colocated) {
+std::string FileHasher::GetTable(bool colocated,
+ unsigned int version) {
// Grab the digest (up to 1kbit supported)
uint8_t digest[128];
char hexsalt[DM_BHT_SALT_SIZE * 2 + 1];
@@ -160,24 +161,47 @@ std::string FileHasher::GetTable(bool colocated) {
if (colocated)
hash_start = root_end;
- std::vector<std::string> parts = {
- "0",
- base::NumberToString(root_end),
- "verity",
- "payload=ROOT_DEV",
- "hashtree=HASH_DEV",
- "hashstart=" + base::NumberToString(hash_start),
- "alg=" + std::string(alg_),
- "root_hexdigest=" + std::string(reinterpret_cast<char*>(digest)),
- };
- if (have_salt)
- parts.push_back("salt=" + std::string(hexsalt));
+ std::vector<std::string> parts;
+ if (version == 1) {
+ parts = {
+ "0",
+ base::NumberToString(root_end),
+ "verity",
+ "0",
+ "ROOT_DEV",
+ "HASH_DEV",
+ "4096",
+ "4096",
+ base::NumberToString(hash_start>>3),
+ base::NumberToString(hash_start>>3),
+ std::string(alg_),
+ std::string(reinterpret_cast<char*>(digest)),
+ };
+ if (have_salt) {
+ parts.push_back(std::string(hexsalt));
+ }
+ } else {
+ parts = {
+ "0",
+ base::NumberToString(root_end),
+ "verity",
+ "payload=ROOT_DEV",
+ "hashtree=HASH_DEV",
+ "hashstart=" + base::NumberToString(hash_start),
+ "alg=" + std::string(alg_),
+ "root_hexdigest=" + std::string(reinterpret_cast<char*>(digest)),
+ };
+ if (have_salt) {
+ parts.push_back("salt=" + std::string(hexsalt));
+ }
+ }
return base::JoinString(parts, " ");
}
-void FileHasher::PrintTable(bool colocated) {
- printf("%s\n", GetTable(colocated).c_str());
+void FileHasher::PrintTable(bool colocated,
+ unsigned int version) {
+ printf("%s\n", GetTable(colocated, version).c_str());
}
} // namespace verity
diff --git a/file_hasher.h b/file_hasher.h
index 4db0233bf1..5c2e6b1683 100644
--- a/file_hasher.h
+++ b/file_hasher.h
@@ -40,8 +40,8 @@ class BRILLO_EXPORT FileHasher {
virtual bool Hash();
virtual bool Store();
// Print a table to stdout which contains a dmsetup compatible format
- virtual void PrintTable(bool colocated);
- virtual std::string GetTable(bool colocated);
+ virtual void PrintTable(bool colocated, unsigned int version);
+ virtual std::string GetTable(bool colocated, unsigned int version);
virtual const char* RandomSalt();
virtual void set_salt(const char* salt);
diff --git a/verity_main.cc b/verity_main.cc
index 8fb8ed0e51..9d10366007 100644
--- a/verity_main.cc
+++ b/verity_main.cc
@@ -33,6 +33,7 @@ void print_usage(const char* name) {
" hashtree Path to a hash tree to create or read from\n"
" root_hexdigest Digest of the root node (in hex) for verification\n"
" salt Salt (in hex)\n"
+ " version one of 0 or 1\n"
"\n",
name);
}
@@ -43,7 +44,8 @@ int verity_create(const std::string& alg,
const std::string& image_path,
unsigned int image_blocks,
const std::string& hash_path,
- const std::string& salt) {
+ const std::string& salt,
+ unsigned int version) {
auto source = std::make_unique<base::File>(
base::FilePath(image_path),
base::File::FLAG_OPEN | base::File::FLAG_READ);
@@ -63,7 +65,7 @@ int verity_create(const std::string& alg,
hasher.set_salt(salt.c_str());
LOG_IF(FATAL, !hasher.Hash()) << "Failed to hash hasher";
LOG_IF(FATAL, !hasher.Store()) << "Failed to store hasher";
- hasher.PrintTable(true);
+ hasher.PrintTable(true, version);
return 0;
}
} // namespace
@@ -72,6 +74,7 @@ int main(int argc, char** argv) {
verity_mode_t mode = VERITY_CREATE;
std::string alg, payload, hashtree, salt;
unsigned int payload_blocks = 0;
+ unsigned int version = 0;
// TODO(b/269707854): Use flag arguments + update callers to verity tool.
for (int i = 1; i < argc; i++) {
@@ -100,6 +103,13 @@ int main(int argc, char** argv) {
// Silently drop the mode for now...
} else if (key == "salt") {
salt = val;
+ } else if (key == "version") {
+ CHECK(base::StringToUint(val, &version));
+ if (version > 1) {
+ fprintf(stderr, "version should be either 0 or 1\n");
+ print_usage(argv[0]);
+ return -1;
+ }
} else {
fprintf(stderr, "bogus key: '%s'\n", key.c_str());
print_usage(argv[0]);
@@ -116,7 +126,7 @@ int main(int argc, char** argv) {
}
if (mode == VERITY_CREATE) {
- return verity_create(alg, payload, payload_blocks, hashtree, salt);
+ return verity_create(alg, payload, payload_blocks, hashtree, salt, version);
} else {
LOG(FATAL) << "Verification not done yet";
}
--
2.41.0.162.gfafddb0af9-goog