From 878550d51949cec38cc475c1ec87b968e8fbec6b Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sat, 9 Sep 2023 16:39:26 +0100 Subject: use sha512sum to check downloads, not sha1sum sha-1 has known collision issues, which may not be readily exploitable yet (in our context), but we should ideally use a more secure method for checking file integrity. therefore, use sha-2 (sha512sum) for checking files. this is slower than sha-1, but checksum verification is only a minor part of what lbmk does, so the overall effect on build times is quite negligible. Signed-off-by: Leah Rowe
---
 script/build/release/roms | 4 ++--
 script/update/blobs/download | 2 +-
 script/update/blobs/inject | 5 ++++-
 script/update/blobs/mrc | 14 +++++++-------
 4 files changed, 14 insertions(+), 11 deletions(-)
(limited to 'script')
diff --git a/script/build/release/roms
index a56c43f5..53c75c63 100755
--- a/script/build/release/roms
+++ b/script/build/release/roms
@@ -171,8 +171,8 @@ strip_archive()
 (
 cd "${romdir}" || err "strip_archive: !cd ${romdir}"
- sha1sum *.rom >> blobhashes || \
- err "strip_archive: ${romdir}: !sha1sum *.rom >> blobhashes"
+ sha512sum *.rom >> blobhashes || \
+ err "strip_archive: ${romdir}: !sha512sum *.rom >> blobhashes"
 )
 for romfile in "${romdir}"/*.rom; do
diff --git a/script/update/blobs/download
index 2903c504..0364bfa5 100755
--- a/script/update/blobs/download
+++ b/script/update/blobs/download
@@ -455,7 +455,7 @@ vendor_checksum()
 printf "Vendor update not found on disk for: %s\n" "${board}" \
 1>&2
 return 1
- elif [ "$(sha1sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
+ elif [ "$(sha512sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
 printf "Bad checksum on vendor update for: %s\n" "${board}" 1>&2
 return 1
 fi
diff --git a/script/update/blobs/inject
index ab943a3c..10691658 100755
--- a/script/update/blobs/inject
+++ b/script/update/blobs/inject
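Review bot: The file produced by the new `sha512sum *.rom >> blobhashes` line carries no indication of which algorithm generated it, so any consumer has to probe the format to tell a new release from an old one (the inject script in this same commit relies on `sha512sum -c` rejecting sha1-format lines with a non-zero exit). A comment at this line would make that cross-script contract explicit, e.g. `# consumed by script/update/blobs/inject via sha512sum -c; releases older than this commit carry sha1sum lines`. Note also that `>>` appends rather than overwrites, so a stale blobhashes already present in ${romdir} would keep its old entries; I cannot tell from the hunk whether that directory is always fresh here. strip_archive begins before the hunk and continues after it.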
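Review bot: `${dl_path}` is unquoted in the new `sha512sum ${dl_path}` command, so a path containing whitespace or glob characters is word-split or expanded before hashing; the line should read `elif [ "$(sha512sum "${dl_path}" | awk '{print $1}')" != "${1}" ]; then`. Since `!=` is a byte comparison, the expected digest in `${1}` must be lowercase hex exactly as sha512sum prints it, or a correct file is rejected. If sha512sum itself fails (unreadable file, tool missing) the substitution is empty and the function reports "Bad checksum", which fails safe but hides the real cause. vendor_checksum starts before the hunk and ends after it.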
@@ -127,7 +127,10 @@ patch_release_roms()
 (
 cd "${_tmpdir}"/bin/*
- sha1sum --status -c blobhashes || \
+
+ # NOTE: For compatibility with older rom releases, defer to sha1
+ sha512sum --status -c blobhashes || \
+ sha1sum --statuc -c blobhashes || \
 err "patch_release_roms: ROMs did not match expected hashes"
 )
diff --git a/script/update/blobs/mrc
index 59ed12f1..e4de2be4 100755
--- a/script/update/blobs/mrc
+++ b/script/update/blobs/mrc
@@ -39,8 +39,8 @@ _board="peppy"
 _file="chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin"
 _url="https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin.zip"
 _url2="https://web.archive.org/web/20200516070928/https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin.zip"
-_sha1sum="cd5917cbe7f821ad769bf0fd87046898f9e175c8"
-_mrc_complete_hash="d18de1e3d52c0815b82ea406ca07897c56c65696"
+_sha512sum="340a1cd41136a3ba0de9d306db0e65f51640a2efe63aee9934f326b276adc1af0a2df80c0731c5a749161ec32546909eedfa8ba95801faeb5dcfe1aa4e0840c7"
+_mrc_complete_hash="e5b6d510a5fdb6a7ba0027588dbceef363a2bf30255e9222020abbe71468822f49962d423d872cc05b37098682281c016445f6aa20f88351a134facfe5f70d5b"
 _mrc_complete="mrc/haswell/mrc.bin"
 cbdir="coreboot/default"
@@ -63,7 +63,7 @@ check_existing()
 [ -f "${_mrc_complete}" ] || \
 return 0
 printf 'found existing mrc.bin\n'
- [ "$(sha1sum "${_mrc_complete}" | awk '{print $1}')" \
+ [ "$(sha512sum "${_mrc_complete}" | awk '{print $1}')" \
 = "${_mrc_complete_hash}" ] && \
 return 1
 printf 'hashes did not match, starting over\n'
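Review bot: The sha1 fallback on the new line `sha1sum --statuc -c blobhashes` is misspelled, so for an older release the second command fails on option parsing and patch_release_roms always reaches err, the opposite of what the NOTE above it intends; the fix is `sha1sum --status -c blobhashes || \`. Even once corrected, the fallback is silent, so sha1-format hash files stay accepted for every release and the change only strengthens verification for releases whose blobhashes is sha512-formatted; printing a warning to stderr when the sha1 path is taken would at least make the downgrade visible, and the comment reads better as `fall back to sha1` than `defer to sha1`. patch_release_roms begins before the hunk and continues after it.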
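Review bot: The new `_sha512sum` and `_mrc_complete_hash` values are pinned without any record of how they were derived; the removed sha1 digests (`cd5917cb…`, `d18de1e3…`) are the only link to the artifact this script previously trusted, and the commit message does not state that the sha512 values were computed from a download that still matched them. Before merging, confirm that cross-check and record it next to the constants, e.g. `# sha512 of the recovery zip at _url (the same file that matched the former sha1 cd5917cb…) and of the extracted mrc.bin`. These are top-level assignments, so there is no enclosing function to cut.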
@@ -84,9 +84,9 @@ fetch_mrc()
 (
 cd mrc/haswell/ || err "fetch_mrc: !cd mrc/haswell"
- download_image "${_url}" "${_file}" "${_sha1sum}"
+ download_image "${_url}" "${_file}" "${_sha512sum}"
 [ -f ${_file} ] || \
- download_image "${_url2}" "${_file}" "${_sha1sum}"
+ download_image "${_url2}" "${_file}" "${_sha512sum}"
 [ -f $_file ] || \
 err "fetch_mrc: ${_file} not downloaded / verification failed."
@@ -108,12 +108,12 @@ download_image()
 {
 url=${1}
 _file=${2}
- _sha1sum=${3}
+ _sha512sum=${3}
 printf "Downloading recovery image\n"
 curl --retry 3 "$url" > "$_file.zip" || err "download_image: curl failed"
 printf "Verifying recovery image checksum\n"
- if [ "$(sha1sum "${_file}.zip" | awk '{print $1}')" = "${_sha1sum}" ]
+ if [ "$(sha512sum "${_file}.zip" | awk '{print $1}')" = "${_sha512sum}" ]
 then
 unzip -q "${_file}.zip" || err "download_image: cannot unzip"
 rm -f "${_file}.zip" || err "download_image: can't rm zip {1}"
-- cgit v1.2.1
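Review bot: The new `_sha512sum=${3}` assigns the script-level variable of the same name that fetch_mrc passes in, so download_image overwrites the expected-hash constant with its own argument (as `_file=${2}` already does for `_file`); it is harmless today only because the caller passes that very value, and a future caller with a different digest would silently change the script's reference hash. Giving the parameter its own name, `_dl_hash=${3}` on the assignment and `= "${_dl_hash}" ]` in the comparison, removes the aliasing. Separately, if sha512sum is absent or fails, the substitution is empty and the condition is simply false, so the user sees a checksum mismatch instead of a tooling error. download_image's if/else continues past the end of the hunk.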