From 878550d51949cec38cc475c1ec87b968e8fbec6b Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Sat, 9 Sep 2023 16:39:26 +0100
Subject: use sha512sum to check downloads, not sha1sum

sha-1 has known collision issues, which may not be readily
exploitable yet (in our context), but we should ideally use
a more secure method for checking file integrity.

therefore, use sha-2 (sha512sum) for checking files. this is
slower than sha-1, but checksum verification is only a minor
part of what lbmk does, so the overall effect on build times
is quite negligible.

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 script/update/blobs/download |  2 +-
 script/update/blobs/inject   |  5 ++++-
 script/update/blobs/mrc      | 14 +++++++-------
 3 files changed, 12 insertions(+), 9 deletions(-)

(limited to 'script/update/blobs')

diff --git a/script/update/blobs/download b/script/update/blobs/download
index 2903c504..0364bfa5 100755
--- a/script/update/blobs/download
+++ b/script/update/blobs/download
@@ -455,7 +455,7 @@ vendor_checksum()
 		printf "Vendor update not found on disk for: %s\n" "${board}" \
 		    1>&2
 		return 1
-	elif [ "$(sha1sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
+	elif [ "$(sha512sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
 		printf "Bad checksum on vendor update for: %s\n" "${board}" 1>&2
 		return 1
 	fi
diff --git a/script/update/blobs/inject b/script/update/blobs/inject
index ab943a3c..10691658 100755
--- a/script/update/blobs/inject
+++ b/script/update/blobs/inject
@@ -127,7 +127,10 @@ patch_release_roms()
 
 	(
 	cd "${_tmpdir}"/bin/*
-	sha1sum --status -c blobhashes || \
+
+	# NOTE: For compatibility with older rom releases, defer to sha1
+	sha512sum --status -c blobhashes || \
+	    sha1sum --statuc -c blobhashes || \
 	    err "patch_release_roms: ROMs did not match expected hashes"
 	)
 
diff --git a/script/update/blobs/mrc b/script/update/blobs/mrc
index 59ed12f1..e4de2be4 100755
--- a/script/update/blobs/mrc
+++ b/script/update/blobs/mrc
@@ -39,8 +39,8 @@ _board="peppy"
 _file="chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin"
 _url="https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin.zip"
 _url2="https://web.archive.org/web/20200516070928/https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin.zip"
-_sha1sum="cd5917cbe7f821ad769bf0fd87046898f9e175c8"
-_mrc_complete_hash="d18de1e3d52c0815b82ea406ca07897c56c65696"
+_sha512sum="340a1cd41136a3ba0de9d306db0e65f51640a2efe63aee9934f326b276adc1af0a2df80c0731c5a749161ec32546909eedfa8ba95801faeb5dcfe1aa4e0840c7"
+_mrc_complete_hash="e5b6d510a5fdb6a7ba0027588dbceef363a2bf30255e9222020abbe71468822f49962d423d872cc05b37098682281c016445f6aa20f88351a134facfe5f70d5b"
 _mrc_complete="mrc/haswell/mrc.bin"
 
 cbdir="coreboot/default"
@@ -63,7 +63,7 @@ check_existing()
 	[ -f "${_mrc_complete}" ] || \
 		return 0
 	printf 'found existing mrc.bin\n'
-	[ "$(sha1sum "${_mrc_complete}" | awk '{print $1}')" \
+	[ "$(sha512sum "${_mrc_complete}" | awk '{print $1}')" \
 	    = "${_mrc_complete_hash}" ] && \
 		return 1
 	printf 'hashes did not match, starting over\n'
@@ -84,9 +84,9 @@ fetch_mrc()
 	(
 	cd mrc/haswell/ || err "fetch_mrc: !cd mrc/haswell"
 
-	download_image "${_url}" "${_file}" "${_sha1sum}"
+	download_image "${_url}" "${_file}" "${_sha512sum}"
 	[ -f ${_file} ] || \
-		download_image "${_url2}" "${_file}" "${_sha1sum}"
+		download_image "${_url2}" "${_file}" "${_sha512sum}"
 	[ -f $_file ] || \
 		err "fetch_mrc: ${_file} not downloaded / verification failed."
 
@@ -108,12 +108,12 @@ download_image()
 {
 	url=${1}
 	_file=${2}
-	_sha1sum=${3}
+	_sha512sum=${3}
 
 	printf "Downloading recovery image\n"
 	curl --retry 3 "$url" > "$_file.zip" || err "download_image: curl failed"
 	printf "Verifying recovery image checksum\n"
-	if [ "$(sha1sum "${_file}.zip" | awk '{print $1}')" = "${_sha1sum}" ]
+	if [ "$(sha512sum "${_file}.zip" | awk '{print $1}')" = "${_sha512sum}" ]
 	then
 		unzip -q "${_file}.zip" || err "download_image: cannot unzip"
 		rm -f "${_file}.zip" || err "download_image: can't rm zip {1}"
-- 
cgit v1.2.1