From 56d38e112c6d4077ef2bac23a4b17b7549344462 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 15 Nov 2023 10:00:37 -0500 Subject: [PATCH] Talos-2 fixes to comply with hashing file standard. Bypass flash-gui.sh prompt when talos-2 ato validate hashes against hashes provided under tgz through flash.sh validation (still offer zip and tgz, which tgz might change to zip later but only tgz offered through builds) Attempt to address https://github.com/linuxboot/heads/pull/1526#issuecomment-1811185197 Signed-off-by: Thierry Laurion --- boards/talos-2/talos-2.config | 2 +- initrd/bin/flash-gui.sh | 13 ++++++++++++- initrd/bin/flash.sh | 2 +- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/boards/talos-2/talos-2.config b/boards/talos-2/talos-2.config index ad4347bc..7de53584 100644 --- a/boards/talos-2/talos-2.config +++ b/boards/talos-2/talos-2.config @@ -64,6 +64,6 @@ $(board_build)/$(OUTPUT_PREFIX).tgz: \ rm -rf $(board_build)/pkg # cleanup in case directory exists mkdir $(board_build)/pkg cp $^ $(board_build)/pkg - cd $(board_build)/pkg && sha256sum * > hashes.txt + cd $(board_build)/pkg && sha256sum * > sha256sum.txt cd $(board_build)/pkg && tar zcf $@ * rm -r $(board_build)/pkg diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 524f36b1..d1564aea 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
@@ -63,7 +63,11 @@ while true; do
 --yesno "You will need to insert a USB drive containing your BIOS image (*.$UPDATE_PKG_EXT or\n*.$UPDATE_PLAIN_EXT).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then
 mount_usb
 if grep -q /media /proc/mounts; then
- find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt
+ if [ "${CONFIG_BOARD%_*}" = talos-2 ]; then
+ find /media ! -path '*/\.*' -type f -name "*.$UPDATE_PLAIN_EXT" | sort >/tmp/filelist.txt
+ else
+ find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt
+ fi
 file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
 if [ "$FILE" == "" ]; then
 exit 1
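Review bot: On talos-2 the file list is now restricted to `*.$UPDATE_PLAIN_EXT`, but the `--yesno` prompt just above still tells the user to bring a `*.$UPDATE_PKG_EXT` or `*.$UPDATE_PLAIN_EXT` image, so a drive holding only the former produces an empty selector with no explanation. The reason for the restriction is not stated at this site (presumably only the tgz package carries the hash list that flash.sh checks); a comment above the new `if`, such as `# talos-2: list only *.$UPDATE_PLAIN_EXT (tgz); flash.sh verifies it against the sha256sum.txt inside the archive`, would record it. The same `"${CONFIG_BOARD%_*}"` test is repeated in the second hunk of this file, and `%_*` strips only the last `_suffix`, so a board name with two underscore-separated suffixes would not match; computing the result once into a variable would keep both sites in agreement. The enclosing `while true` loop starts and ends outside the hunk.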
@@ -109,12 +113,19 @@ while true; do # Continue on using the verified ROM ROM="$PACKAGE_ROM" else + # talos-2 uses a .tgz file for its "plain" update, contains other parts as well, validated against hashes under flash.sh + # Skip prompt for hash validation for talos-2. Only method is through tgz or through bmc with individual parts + if [ "${CONFIG_BOARD%_*}" != talos-2 ]; then # a rom file was provided. exit if we shall not proceed ROM="$PKG_FILE" ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file" if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \ --yesno "You have provided a *.$UPDATE_PLAIN_EXT file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.$UPDATE_PKG_EXT file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then exit 1 + fi + else + #We are on talos-2, so we have a tgz file. We will pass it directly to flash.sh which will take care of it + ROM="$PKG_FILE" fi fi diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index 2d983862..6ef16a52 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -180,7 +180,7 @@ if [ "$READ" -eq 0 ] && [ "${ROM##*.}" = tgz ]; then mkdir /tmp/verified_rom tar -C /tmp/verified_rom -xf $ROM || die "Rom archive $ROM could not be extracted" - if ! (cd /tmp/verified_rom/ && sha256sum -cs hashes.txt); then + if ! (cd /tmp/verified_rom/ && sha256sum -cs sha256sum.txt); then die "Provided tgz image did not pass hash verification" fi
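Review bot: The talos-2 branch added at the end of this hunk hands `$PKG_FILE` to flash.sh without the confirmation dialog, on the assumption that flash.sh will verify it, but flash.sh keys its verification on the file extension (`[ "${ROM##*.}" = tgz ]`) while this branch keys on the board name. Making the dependency explicit, e.g. `[ "${ROM##*.}" = tgz ] || die "talos-2 update must be a .tgz package"` right after `ROM="$PKG_FILE"`, ensures the skipped prompt cannot lead to an unverified flash if `UPDATE_PLAIN_EXT` ever changes. The hash list also lives inside the archive it covers, so it detects a damaged file but not a replaced one. The skipped dialog was the only place the user saw a SHA256 to compare against a published value, so the new comment should state that this path is a corruption check only. The surrounding `if`/`else` starts outside the hunk.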
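Review bot: A tgz built before this change still contains `hashes.txt`, so `sha256sum -cs sha256sum.txt` now fails on the missing list and the user is told the image "did not pass hash verification", which misreports the cause. Checking for the list first, `[ -f /tmp/verified_rom/sha256sum.txt ] || die "Rom archive $ROM contains no sha256sum.txt"`, separates a missing list from a real mismatch. `sha256sum -c` also checks only the files named in the list, so the code that later picks files from /tmp/verified_rom (outside this hunk) should use only names the list covers. The `if` block shown in the hunk header continues past the hunk.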