| From aa8554610451cf297f3da99ac65e53439a2d6169 Mon Sep 17 00:00:00 2001 |
| From: Meena Shanmugam <meenashanmugam@google.com> |
| Date: Mon, 10 Oct 2022 00:32:50 +0000 |
| Subject: [PATCH] LAKITU:verity: Add support to print new and old dm-verity |
| format. |
| |
| Current verity tool returns old dm-verity format. COS plan to use the |
| new dm verity format in the upcoming release. Added a version option to |
| specify the dm verity format. If no option is given, it returns old |
| format by default. Once the patch is upstreamed and SDK tool is updated |
| with this option, this patch can be removed. |
| |
| Change-Id: If21c2d164c1cd0bede24d551e32ae71b8293eead |
| --- |
| verity/file_hasher.cc | 54 +++++++++++++++++++++++++++++++------------ |
| verity/file_hasher.h | 4 ++-- |
| verity/verity_main.cc | 16 ++++++++++--- |
| 3 files changed, 54 insertions(+), 20 deletions(-) |
| |
| diff --git a/file_hasher.cc b/file_hasher.cc |
| index f3624bf1ae..f5ec32a7f0 100644 |
| --- a/file_hasher.cc |
| +++ b/file_hasher.cc |
| @@ -146,7 +146,8 @@ const char* FileHasher::RandomSalt() { |
| return random_salt_; |
| } |
| |
| -std::string FileHasher::GetTable(bool colocated) { |
| +std::string FileHasher::GetTable(bool colocated, |
| + unsigned int version) { |
| // Grab the digest (up to 1kbit supported) |
| uint8_t digest[128]; |
| char hexsalt[DM_BHT_SALT_SIZE * 2 + 1]; |
| @@ -160,24 +161,47 @@ std::string FileHasher::GetTable(bool colocated) { |
| if (colocated) |
| hash_start = root_end; |
| |
| - std::vector<std::string> parts = { |
| - "0", |
| - base::NumberToString(root_end), |
| - "verity", |
| - "payload=ROOT_DEV", |
| - "hashtree=HASH_DEV", |
| - "hashstart=" + base::NumberToString(hash_start), |
| - "alg=" + std::string(alg_), |
| - "root_hexdigest=" + std::string(reinterpret_cast<char*>(digest)), |
| - }; |
| - if (have_salt) |
| - parts.push_back("salt=" + std::string(hexsalt)); |
| + std::vector<std::string> parts; |
| + if (version == 1) { |
| + parts = { |
| + "0", |
| + base::NumberToString(root_end), |
| + "verity", |
| + "0", |
| + "ROOT_DEV", |
| + "HASH_DEV", |
| + "4096", |
| + "4096", |
| + base::NumberToString(hash_start>>3), |
| + base::NumberToString(hash_start>>3), |
| + std::string(alg_), |
| + std::string(reinterpret_cast<char*>(digest)), |
| + }; |
| + if (have_salt) { |
| + parts.push_back(std::string(hexsalt)); |
| + } |
| + } else { |
| + parts = { |
| + "0", |
| + base::NumberToString(root_end), |
| + "verity", |
| + "payload=ROOT_DEV", |
| + "hashtree=HASH_DEV", |
| + "hashstart=" + base::NumberToString(hash_start), |
| + "alg=" + std::string(alg_), |
| + "root_hexdigest=" + std::string(reinterpret_cast<char*>(digest)), |
| + }; |
| + if (have_salt) { |
| + parts.push_back("salt=" + std::string(hexsalt)); |
| + } |
| + } |
| |
| return base::JoinString(parts, " "); |
| } |
| |
| -void FileHasher::PrintTable(bool colocated) { |
| - printf("%s\n", GetTable(colocated).c_str()); |
| +void FileHasher::PrintTable(bool colocated, |
| + unsigned int version) { |
| + printf("%s\n", GetTable(colocated, version).c_str()); |
| } |
| |
| } // namespace verity |
| diff --git a/file_hasher.h b/file_hasher.h |
| index 4db0233bf1..5c2e6b1683 100644 |
| --- a/file_hasher.h |
| +++ b/file_hasher.h |
| @@ -40,8 +40,8 @@ class BRILLO_EXPORT FileHasher { |
| virtual bool Hash(); |
| virtual bool Store(); |
| // Print a table to stdout which contains a dmsetup compatible format |
| - virtual void PrintTable(bool colocated); |
| - virtual std::string GetTable(bool colocated); |
| + virtual void PrintTable(bool colocated, unsigned int version); |
| + virtual std::string GetTable(bool colocated, unsigned int version); |
| |
| virtual const char* RandomSalt(); |
| virtual void set_salt(const char* salt); |
| diff --git a/verity_main.cc b/verity_main.cc |
| index 8fb8ed0e51..9d10366007 100644 |
| --- a/verity_main.cc |
| +++ b/verity_main.cc |
| @@ -33,6 +33,7 @@ void print_usage(const char* name) { |
| " hashtree Path to a hash tree to create or read from\n" |
| " root_hexdigest Digest of the root node (in hex) for verification\n" |
| " salt Salt (in hex)\n" |
| + " version one of 0 or 1\n" |
| "\n", |
| name); |
| } |
| @@ -43,7 +44,8 @@ int verity_create(const std::string& alg, |
| const std::string& image_path, |
| unsigned int image_blocks, |
| const std::string& hash_path, |
| - const std::string& salt) { |
| + const std::string& salt, |
| + unsigned int version) { |
| auto source = std::make_unique<base::File>( |
| base::FilePath(image_path), |
| base::File::FLAG_OPEN | base::File::FLAG_READ); |
| @@ -63,7 +65,7 @@ int verity_create(const std::string& alg, |
| hasher.set_salt(salt.c_str()); |
| LOG_IF(FATAL, !hasher.Hash()) << "Failed to hash hasher"; |
| LOG_IF(FATAL, !hasher.Store()) << "Failed to store hasher"; |
| - hasher.PrintTable(true); |
| + hasher.PrintTable(true, version); |
| return 0; |
| } |
| } // namespace |
| @@ -72,6 +74,7 @@ int main(int argc, char** argv) { |
| verity_mode_t mode = VERITY_CREATE; |
| std::string alg, payload, hashtree, salt; |
| unsigned int payload_blocks = 0; |
| + unsigned int version = 0; |
| |
| // TODO(b/269707854): Use flag arguments + update callers to verity tool. |
| for (int i = 1; i < argc; i++) { |
| @@ -100,6 +103,13 @@ int main(int argc, char** argv) { |
| // Silently drop the mode for now... |
| } else if (key == "salt") { |
| salt = val; |
| + } else if (key == "version") { |
| + CHECK(base::StringToUint(val, &version)); |
| + if (version > 1) { |
| + fprintf(stderr, "version should be either 0 or 1\n"); |
| + print_usage(argv[0]); |
| + return -1; |
| + } |
| } else { |
| fprintf(stderr, "bogus key: '%s'\n", key.c_str()); |
| print_usage(argv[0]); |
| @@ -116,7 +126,7 @@ int main(int argc, char** argv) { |
| } |
| |
| if (mode == VERITY_CREATE) { |
| - return verity_create(alg, payload, payload_blocks, hashtree, salt); |
| + return verity_create(alg, payload, payload_blocks, hashtree, salt, version); |
| } else { |
| LOG(FATAL) << "Verification not done yet"; |
| } |
| -- |
| 2.41.0.162.gfafddb0af9-goog |
| |