Talos-2 fixes to comply with hashing file standard. Bypass the flash-gui.sh prompt on talos-2, so that hashes are validated against the hashes provided inside the tgz through flash.sh validation (still offer zip and tgz; tgz might change to zip later, but only tgz is offered through builds)

Attempt to address https://github.com/linuxboot/heads/pull/1526#issuecomment-1811185197

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2023-11-15 10:00:37 -05:00 committed by Jonathon Hall
parent 6ef5298d20
commit 56d38e112c
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
3 changed files with 14 additions and 3 deletions


@ -64,6 +64,6 @@ $(board_build)/$(OUTPUT_PREFIX).tgz: \
rm -rf $(board_build)/pkg # cleanup in case directory exists rm -rf $(board_build)/pkg # cleanup in case directory exists
mkdir $(board_build)/pkg mkdir $(board_build)/pkg
cp $^ $(board_build)/pkg cp $^ $(board_build)/pkg
cd $(board_build)/pkg && sha256sum * > hashes.txt cd $(board_build)/pkg && sha256sum * > sha256sum.txt
cd $(board_build)/pkg && tar zcf $@ * cd $(board_build)/pkg && tar zcf $@ *
rm -r $(board_build)/pkg rm -r $(board_build)/pkg


@ -63,7 +63,11 @@ while true; do
--yesno "You will need to insert a USB drive containing your BIOS image (*.$UPDATE_PKG_EXT or\n*.$UPDATE_PLAIN_EXT).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then --yesno "You will need to insert a USB drive containing your BIOS image (*.$UPDATE_PKG_EXT or\n*.$UPDATE_PLAIN_EXT).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then
mount_usb mount_usb
if grep -q /media /proc/mounts; then if grep -q /media /proc/mounts; then
find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt if [ "${CONFIG_BOARD%_*}" = talos-2 ]; then
find /media ! -path '*/\.*' -type f -name "*.$UPDATE_PLAIN_EXT" | sort >/tmp/filelist.txt
else
find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt
fi
file_selector "/tmp/filelist.txt" "Choose the ROM to flash" file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
if [ "$FILE" == "" ]; then if [ "$FILE" == "" ]; then
exit 1 exit 1
@ -109,12 +113,19 @@ while true; do
# Continue on using the verified ROM # Continue on using the verified ROM
ROM="$PACKAGE_ROM" ROM="$PACKAGE_ROM"
else else
# talos-2 uses a .tgz file for its "plain" update, contains other parts as well, validated against hashes under flash.sh
# Skip prompt for hash validation for talos-2. Only method is through tgz or through bmc with individual parts
if [ "${CONFIG_BOARD%_*}" != talos-2 ]; then
# a rom file was provided. exit if we shall not proceed # a rom file was provided. exit if we shall not proceed
ROM="$PKG_FILE" ROM="$PKG_FILE"
ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file" ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file"
if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \ if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \
--yesno "You have provided a *.$UPDATE_PLAIN_EXT file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.$UPDATE_PKG_EXT file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then --yesno "You have provided a *.$UPDATE_PLAIN_EXT file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.$UPDATE_PKG_EXT file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then
exit 1 exit 1
fi
else
#We are on talos-2, so we have a tgz file. We will pass it directly to flash.sh which will take care of it
ROM="$PKG_FILE"
fi fi
fi fi
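Review bot: The new talos-2 `else` branch at the end of the second hunk sets `ROM="$PKG_FILE"` and skips the integrity prompt on the board name alone, while the check that is meant to replace the prompt lives in flash.sh and, per the added comment, applies to a tgz. Nothing visible in this hunk confirms the selected file is a tgz before the prompt is bypassed (the value of `UPDATE_PLAIN_EXT` for talos-2 is not shown here), so I would guard the branch with `[ "${PKG_FILE##*.}" = tgz ] || die "talos-2 update must be a .tgz package"` to make sure no file can reach flashing with neither check applied. The skipped prompt was also the only place the user saw the file's SHA256, so consider still displaying `sha256sum "$PKG_FILE"` for talos-2 so it can be compared against a published value. The enclosing `while true` loop starts and ends outside the hunks.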


@ -180,7 +180,7 @@ if [ "$READ" -eq 0 ] && [ "${ROM##*.}" = tgz ]; then
mkdir /tmp/verified_rom mkdir /tmp/verified_rom
tar -C /tmp/verified_rom -xf $ROM || die "Rom archive $ROM could not be extracted" tar -C /tmp/verified_rom -xf $ROM || die "Rom archive $ROM could not be extracted"
if ! (cd /tmp/verified_rom/ && sha256sum -cs hashes.txt); then if ! (cd /tmp/verified_rom/ && sha256sum -cs sha256sum.txt); then
die "Provided tgz image did not pass hash verification" die "Provided tgz image did not pass hash verification"
fi fi
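Review bot: `sha256sum -cs sha256sum.txt` compares the extracted files against a list shipped inside the same archive, so it catches a corrupted download but not a replaced or modified package, and with the flash-gui.sh change in this commit it becomes the only check a talos-2 update goes through. A comment above the check such as `# integrity only: sha256sum.txt comes from the archive itself; authenticity must be verified separately` would keep the next reader from treating it as a trust decision. Packages built before the rename still carry hashes.txt and will now fail with the generic "did not pass hash verification" message, so a preceding `[ -f /tmp/verified_rom/sha256sum.txt ] || die "sha256sum.txt missing from $ROM"` would give a clearer error. `$ROM` is also unquoted in the `tar` call, which breaks on paths containing spaces; `-xf "$ROM"` fixes that. The enclosing `if` block starts and ends outside the hunk.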