From 5bd50652a09ee7129f130318016a59397c76ee07 Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Mon, 13 Nov 2023 16:42:05 -0500 Subject: [PATCH 1/8] flash-gui.sh: Extend NPF archive format to ZIP, improve workflow Allow configuring the ZIP-format update file extension with CONFIG_BRAND_UPDATE_PKG_EXT in board config. Default is 'zip'. Create update package in the default Makefile target. Delete create_npf.sh. Do not require /tmp/verified_rom in the update file package's sha256sum.txt (but allow it for backward compatibility). Show the integrity error if unzip fails instead of dying (which returns to main menu with no explanation, error is left on recovery console). This is the most likely way corruption would be detected as ZIP has CRCs. The sha256sum is still present for more robust detection. Don't require the ROM to be the first file in sha256sum.txt since it raises complexity of adding more files to the update archive in the future. Instead require that the package contains exactly one file matching '*.rom'. Restore confirmation prompt for the update-package flow, at some point this was lost. Signed-off-by: Jonathon Hall --- Makefile | 18 +++++++++- create-npf.sh | 8 ----- initrd/bin/flash-gui.sh | 79 +++++++++++++++++++++++++++++++---------- 3 files changed, 78 insertions(+), 27 deletions(-) delete mode 100755 create-npf.sh diff --git a/Makefile b/Makefile index 539554e1..a6d31b21 100644 --- a/Makefile +++ b/Makefile @@ -52,6 +52,11 @@ CONFIG_TARGET_ARCH := x86 include $(CONFIG) +# Default update package extension is 'zip' unless a brand wants a branded +# extension +CONFIG_BRAND_UPDATE_PKG_EXT ?= zip +CB_UPDATE_PKG_FILE := $(CB_OUTPUT_BASENAME).$(CONFIG_BRAND_UPDATE_PKG_EXT) + # Unless otherwise specified, we are building for heads CONFIG_HEADS ?= y 
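Review bot: The `CONFIG_BRAND_UPDATE_PKG_EXT ?= zip` default added after `include $(CONFIG)` is a plain make variable, while flash-gui.sh in this same patch falls back to its own `${CONFIG_BRAND_UPDATE_PKG_EXT:-zip}`, so build and runtime agree only when the board config exports the value. Board configs later on this page use `export CONFIG_…` for values the initrd reads and a bare assignment for build-only ones, so a brand that sets the extension without `export` would presumably build one extension while the flashing menu looks for another. A comment above the default, such as `# Must be set with 'export' in the board config so flash-gui.sh sees the same value`, would make the requirement explicit.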
@@ -159,7 +164,18 @@ payload: $(build)/$(BOARD)/bzImage $(build)/$(initrd_dir)/initrd.cpio.xz ifeq ($(CONFIG_COREBOOT), y) -all: $(board_build)/$(CB_OUTPUT_FILE) +# Coreboot targets create an update package that can be applied with integrity +# verification before flashing (see flash-gui.sh). The ZIP package format +# allows other metadata that might be needed to added in the future without +# breaking backward compatibility. +$(board_build)/$(CB_UPDATE_PKG_FILE): $(board_build)/$(CB_OUTPUT_FILE) + rm -rf "$(board_build)/update_pkg" + mkdir -p "$(board_build)/update_pkg" + cp "$<" "$(board_build)/update_pkg/" + cd "$(board_build)/update_pkg" && sha256sum "$(CB_OUTPUT_FILE)" >sha256sum.txt + cd "$(board_build)/update_pkg" && zip -9 "$@" "$(CB_OUTPUT_FILE)" sha256sum.txt + +all: $(board_build)/$(CB_OUTPUT_FILE) $(board_build)/$(CB_UPDATE_PKG_FILE) ifneq ($(CONFIG_COREBOOT_BOOTBLOCK),) all: $(board_build)/$(CB_BOOTBLOCK_FILE) endif diff --git a/create-npf.sh b/create-npf.sh deleted file mode 100755 index 2c64fede..00000000 --- a/create-npf.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -set -exuo pipefail -HEADS_GIT_VERSION=$(git describe --tags) -BOARD=$1 -cd ./build/x86/${BOARD}/ -sha256sum heads-${BOARD}-${HEADS_GIT_VERSION}.rom > sha256sum.txt -sed -ie 's@ @ /tmp/verified_rom/@g' sha256sum.txt -zip heads-${BOARD}-${HEADS_GIT_VERSION}.npf heads-${BOARD}-${HEADS_GIT_VERSION}.rom sha256sum.txt diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 4b66d5c0..ff58c901 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
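Review bot: The comment above the `$(board_build)/$(CB_UPDATE_PKG_FILE)` rule promises "integrity verification", but the `sha256sum.txt` it generates travels inside the same archive as the ROM, so it can only reveal accidental corruption and says nothing about who produced the image. I would state that in the comment, e.g. `# sha256sum.txt detects corruption in transit only; it does not authenticate the ROM`, so a passing check is not read as a trust decision. Separately, `zip` updates an existing archive in place, so a leftover or truncated `$@` from an interrupted build is merged into (or may make the step fail) rather than being replaced; a `rm -f "$@"` line before the `zip` command avoids that. The recipe also relies on `$(board_build)` being an absolute path, because `$@` is used after `cd`; that definition is outside this hunk.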
@@ -13,6 +13,26 @@ if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then exit 1 fi +# A brand can override the extension used for update packages if desired +UPDATE_PKG_EXT="${CONFIG_BRAND_UPDATE_PKG_EXT:-zip}" + +# Check that a glob matches exactly one thing. If so, echoes the single value. +# Otherwise, fails. As always, do not quote the glob. +# +# E.g, locate a ROM with unknown version when only one should be present: +# if ROM_FILE="$(single_glob /media/heads-*.rom)"; then +# echo "ROM is $ROM_FILE" +# else +# echo "Failed to find a ROM" >&2 +# fi +single_glob() { + if [ "$#" -eq 1 ] && [ -f "$1" ]; then + echo "$1" + else + return 1 + fi +} + while true; do unset menu_choice whiptail $BG_COLOR_MAIN_MENU --title "Firmware Management Menu" \ 
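Review bot: `single_glob` accepts its match with `[ -f "$1" ]`, which follows symbolic links, and later in this patch it is applied to the directory an update archive from removable media was extracted into. If the `unzip` shipped in the initrd restores symlinks (not visible here), the selected `*.rom` could resolve to a file outside the extraction directory; adding `&& [ ! -L "$1" ]` to the condition keeps the result to a regular file. The header comment could also say that a pattern with no match reaches the function as a literal string and is rejected by the `-f` test, since that is what makes the zero-match case fail.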
@@ -30,38 +50,61 @@ while true; do ;; f | c) if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \ - --yesno "You will need to insert a USB drive containing your BIOS image (*.rom, *.npf or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then + --yesno "You will need to insert a USB drive containing your BIOS image (*.$UPDATE_PKG_EXT, *.rom, or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then mount_usb if grep -q /media /proc/mounts; then - find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' -o -type f -name '*.npf' \) | sort >/tmp/filelist.txt + find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt file_selector "/tmp/filelist.txt" "Choose the ROM to flash" if [ "$FILE" == "" ]; then exit 1 else - ROM=$FILE + PKG_FILE=$FILE fi - # is a .npf provided? - if [ -z "${ROM##*.npf}" ]; then - #preventive cleanup - rm -rf /tmp/verified_rom >/dev/null 2>&1 || true - # unzip to /tmp/verified_rom - mkdir -p /tmp/verified_rom >/dev/null 2>&1 || true - unzip $ROM -d /tmp/verified_rom || die "Failed to unzip ROM file" + # is an update package provided? + if [ -z "${PKG_FILE##*.$UPDATE_PKG_EXT}" ]; then + # Unzip the package + PKG_EXTRACT="/tmp/flash_gui/update_package" + rm -rf "$PKG_EXTRACT" + mkdir -p "$PKG_EXTRACT" + # If extraction fails, delete everything and fall through to the + # integrity failure prompt. This is the most likely path if the ROM + # was actually corrupted in transit. Corrupting the ZIP in a way that + # still extracts is possible (the sha256sum detects this) but less + # likely. + unzip "$PKG_FILE" -d "$PKG_EXTRACT" || rm -rf "$PKG_EXTRACT" + # Older packages had /tmp/verified_rom hard-coded in the sha256sum.txt + # Remove that so it's a relative path to the ROM in the package. 
+ # Ignore failure, if there is no sha256sum.txt the sha256sum will fail + sed -i -e 's| /tmp/verified_rom/\+| |g' "$PKG_EXTRACT/sha256sum.txt" || true # check file integrity - if (cd /tmp/verified_rom/ && sha256sum -cs /tmp/verified_rom/sha256sum.txt); then - ROM="$(head -n1 /tmp/verified_rom/sha256sum.txt | cut -d ' ' -f 3)" - else + if ! (cd "$PKG_EXTRACT" && sha256sum -cs sha256sum.txt); then whiptail --title 'ROM Integrity Check Failed! ' \ - --msgbox "$ROM integrity check failed. Did not flash.\n\nPlease check your file (e.g. re-download).\n" 16 60 - exit + --msgbox "Integrity check failed in\n$PKG_FILE.\nDid not flash.\n\nPlease check your file (e.g. re-download).\n" 16 60 + exit 1 fi + + # The package must contain exactly one *.rom file, flash that. + if ! PACKAGE_ROM="$(single_glob "$PKG_EXTRACT/"*.rom)"; then + whiptail --title 'BIOS Image Not Found! ' \ + --msgbox "A BIOS image was not found in\n$PKG_FILE.\n\nPlease check your file (e.g. re-download).\n" 16 60 + exit 1 + fi + + if ! whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \ + --yesno "This will replace your current ROM with:\n\n${PKG_FILE#"/media/"}\n\nDo you want to proceed?" 0 80; then + exit 1 + fi + + # Continue on using the verified ROM + ROM="$PACKAGE_ROM" else # a rom file was provided. exit if we shall not proceed + ROM="$PKG_FILE" ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file" if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \ - --yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.npf file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then - exit + --yesno "You have provided a *.rom file. 
The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.$UPDATE_PKG_EXT file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then + exit 1 fi fi @@ -79,7 +122,7 @@ while true; do /bin/flash.sh "$ROM" fi whiptail --title 'ROM Flashed Successfully' \ - --msgbox "${ROM#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 0 80 + --msgbox "${PKG_FILE#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 0 80 umount /media /bin/reboot fi From 7b2b95cb94c2de6e69845b0210e31e914cfb5599 Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Mon, 13 Nov 2023 17:17:07 -0500 Subject: [PATCH 2/8] flash-gui.sh: Show .rom or .tgz in UI, not both talos-2 (only) uses .tgz instead of .rom for updates. Currently, both are treated as alternatives to a ZIP-format update archive with SHA-256 integrity check, extend that to the prompts to reduce clutter. Reflow the "You will need ... your BIOS image" prompt to fit on fbwhiptail. The .tgz format could be better integrated with the ZIP updates, but this needs more work specific to talos-2. Signed-off-by: Jonathon Hall --- initrd/bin/flash-gui.sh | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index ff58c901..524f36b1 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
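Review bot: The ROM that gets flashed is no longer tied to the checksum list: `sha256sum -cs sha256sum.txt` verifies only the files named in `sha256sum.txt`, and `PACKAGE_ROM` is then picked by the `*.rom` glob, so a package whose list omits the ROM (truncated, or naming a different file) passes the check and is flashed unverified. The removed code took the ROM name from the list itself, which kept the two connected. I would hash the selected ROM and require that hash to appear in `sha256sum.txt` before the confirmation prompt, reusing the existing integrity-failure dialog, as in the excerpt below. The enclosing `f | c` case branch and the `while` loop start and end outside this hunk.

```shell
# … unchanged: single_glob lookup that sets PACKAGE_ROM …

# The checksum list must cover the ROM that will actually be flashed
PACKAGE_ROM_HASH="$(sha256sum "$PACKAGE_ROM" | cut -d ' ' -f 1)" || die "Failed to hash ROM file"
if ! grep -q "^$PACKAGE_ROM_HASH " "$PKG_EXTRACT/sha256sum.txt"; then
  whiptail --title 'ROM Integrity Check Failed! ' \
    --msgbox "Integrity check failed in\n$PKG_FILE.\nDid not flash.\n\nPlease check your file (e.g. re-download).\n" 16 60
  exit 1
fi

# … unchanged: 'Flash ROM?' confirmation and ROM="$PACKAGE_ROM" …
```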
@@ -16,6 +16,16 @@ fi # A brand can override the extension used for update packages if desired UPDATE_PKG_EXT="${CONFIG_BRAND_UPDATE_PKG_EXT:-zip}" +# Most boards use a .rom file as a "plain" update, contents of the BIOS flash +UPDATE_PLAIN_EXT=rom +# talos-2 uses a .tgz file for its "plain" update, contains other parts as well +# as its own integrity check. This isn't integrated with the "update package" +# workflow (as-is, a .tgz could be inside that package in theory) but more work +# would be needed to properly integrate it. +if [ "${CONFIG_BOARD%_*}" = talos-2 ]; then + UPDATE_PLAIN_EXT=tgz +fi + # Check that a glob matches exactly one thing. If so, echoes the single value. # Otherwise, fails. As always, do not quote the glob. # @@ -50,10 +60,10 @@ while true; do ;; f | c) if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \ - --yesno "You will need to insert a USB drive containing your BIOS image (*.$UPDATE_PKG_EXT, *.rom, or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then + --yesno "You will need to insert a USB drive containing your BIOS image (*.$UPDATE_PKG_EXT or\n*.$UPDATE_PLAIN_EXT).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then mount_usb if grep -q /media /proc/mounts; then - find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt + find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt file_selector "/tmp/filelist.txt" "Choose the ROM to flash" if [ "$FILE" == "" ]; then exit 1 
@@ -85,7 +95,7 @@ while true; do fi # The package must contain exactly one *.rom file, flash that. - if ! PACKAGE_ROM="$(single_glob "$PKG_EXTRACT/"*.rom)"; then + if ! PACKAGE_ROM="$(single_glob "$PKG_EXTRACT/"*."$UPDATE_PLAIN_EXT")"; then whiptail --title 'BIOS Image Not Found! ' \ --msgbox "A BIOS image was not found in\n$PKG_FILE.\n\nPlease check your file (e.g. re-download).\n" 16 60 exit 1 @@ -103,7 +113,7 @@ while true; do ROM="$PKG_FILE" ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file" if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \ - --yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.$UPDATE_PKG_EXT file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then + --yesno "You have provided a *.$UPDATE_PLAIN_EXT file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.$UPDATE_PKG_EXT file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then exit 1 fi fi From 6ca1d670f4f173098c6ea745e28d41c1e077e45b Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Tue, 14 Nov 2023 08:21:13 -0500 Subject: [PATCH 3/8] CircleCI: Install 'zip' dependency Signed-off-by: Jonathon Hall --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index cd6487f7..ae77cce8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
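Review bot: The comment `# The package must contain exactly one *.rom file, flash that.` above the changed `single_glob` call is stale after this patch, because the glob now uses `$UPDATE_PLAIN_EXT` and matches `*.tgz` on talos-2. Suggest `# The package must contain exactly one *.$UPDATE_PLAIN_EXT file, flash that.` so the comment and the check stay in step. The 'BIOS Image Not Found!' message below it is already extension-neutral and needs no change.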
@@ -15,7 +15,7 @@ commands: command: | ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime apt update - apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo libssl-dev device-tree-compiler u-boot-tools sharutils e2fsprogs parted curl unzip imagemagick libncurses5-dev + apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo libssl-dev device-tree-compiler u-boot-tools sharutils e2fsprogs parted curl unzip imagemagick libncurses5-dev zip - run: name: Make Board (FULL ORDERED BUILD LOGS HERE UNTIL JOB FAILED) command: | From bb7294476d7d62e6a2d8c2f2e4b05aee2048fc99 Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Tue, 14 Nov 2023 12:14:18 -0500 Subject: [PATCH 4/8] Makefile: Don't generate update package for legacy flash boards The only purpose of legacy flash boards is to be flashed over vendor firmware using an exploit, to then flash non-maximized Heads firmware. They are never upgraded to another legacy flash build, and they move the coreboot ROM from the build directory, so don't build an update package for those boards. Signed-off-by: Jonathon Hall --- Makefile | 10 ++++++++++ .../UNTESTED_t430-legacy-flash.config | 2 ++ boards/x230-legacy-flash/x230-legacy-flash.config | 2 ++ 3 files changed, 14 insertions(+) diff --git a/Makefile b/Makefile index a6d31b21..591d3b31 100644 --- a/Makefile +++ b/Makefile 
@@ -50,6 +50,12 @@ endif # By default, we are building for x86, up to a board to change this variable CONFIG_TARGET_ARCH := x86 +# Legacy flash boards have to be handled specifically for some functionality +# (e.g. they don't generate upgrade packages, lack bash, etc.) Use this to +# guard behavior that is specific to legacy flash boards only. Don't use it for +# behavior that might be needed for other boards, use specific configs instead. +CONFIG_LEGACY_FLASH := n + include $(CONFIG) # Default update package extension is 'zip' unless a brand wants a branded @@ -164,6 +170,9 @@ payload: $(build)/$(BOARD)/bzImage $(build)/$(initrd_dir)/initrd.cpio.xz ifeq ($(CONFIG_COREBOOT), y) +# Legacy flash boards don't generate an update package, the only purpose of +# those boards is to be flashed over vendor firmware via an exploit. +ifneq ($(CONFIG_LEGACY_FLASH), y) # Coreboot targets create an update package that can be applied with integrity # verification before flashing (see flash-gui.sh). The ZIP package format # allows other metadata that might be needed to added in the future without @@ -174,6 +183,7 @@ $(board_build)/$(CB_UPDATE_PKG_FILE): $(board_build)/$(CB_OUTPUT_FILE) cp "$<" "$(board_build)/update_pkg/" cd "$(board_build)/update_pkg" && sha256sum "$(CB_OUTPUT_FILE)" >sha256sum.txt cd "$(board_build)/update_pkg" && zip -9 "$@" "$(CB_OUTPUT_FILE)" sha256sum.txt +endif all: $(board_build)/$(CB_OUTPUT_FILE) $(board_build)/$(CB_UPDATE_PKG_FILE) ifneq ($(CONFIG_COREBOOT_BOOTBLOCK),) diff --git a/boards/UNTESTED_t430-legacy-flash/UNTESTED_t430-legacy-flash.config b/boards/UNTESTED_t430-legacy-flash/UNTESTED_t430-legacy-flash.config index 3d8cdadb..b09fd7ef 100644 --- a/boards/UNTESTED_t430-legacy-flash/UNTESTED_t430-legacy-flash.config +++ b/boards/UNTESTED_t430-legacy-flash/UNTESTED_t430-legacy-flash.config 
@@ -30,6 +30,8 @@ export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init export CONFIG_BOARD_NAME="ThinkPad T430-legacy-flash" export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" +CONFIG_LEGACY_FLASH=y + # This board is "special" in that we need a 4MB top SPI flashable ROM. # This is enough to allow the board to boot into a minimal Heads and read the full Legacy # ROM from an external USB media. diff --git a/boards/x230-legacy-flash/x230-legacy-flash.config b/boards/x230-legacy-flash/x230-legacy-flash.config index 1ad51a0f..533b5912 100644 --- a/boards/x230-legacy-flash/x230-legacy-flash.config +++ b/boards/x230-legacy-flash/x230-legacy-flash.config @@ -31,6 +31,8 @@ export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash" export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" +CONFIG_LEGACY_FLASH=y + # This board is "special" in that we need a 4MB top SPI flashable ROM. # This is enough to allow the board to boot into a minimal Heads and read the full Legacy # ROM from an external USB media. From 51e2d789b4040c40fc1b27fecc78965672320aff Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Tue, 14 Nov 2023 13:26:18 -0500 Subject: [PATCH 5/8] Makefile: Only add update package to all if it's actually built Only add the update package to all if it is actually being built, fixes default target with CONFIG_LEGACY_FLASH=y. Signed-off-by: Jonathon Hall --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 591d3b31..2f3a32f4 100644 --- a/Makefile +++ b/Makefile 
@@ -183,9 +183,10 @@ $(board_build)/$(CB_UPDATE_PKG_FILE): $(board_build)/$(CB_OUTPUT_FILE) cp "$<" "$(board_build)/update_pkg/" cd "$(board_build)/update_pkg" && sha256sum "$(CB_OUTPUT_FILE)" >sha256sum.txt cd "$(board_build)/update_pkg" && zip -9 "$@" "$(CB_OUTPUT_FILE)" sha256sum.txt -endif all: $(board_build)/$(CB_OUTPUT_FILE) $(board_build)/$(CB_UPDATE_PKG_FILE) +endif + ifneq ($(CONFIG_COREBOOT_BOOTBLOCK),) all: $(board_build)/$(CB_BOOTBLOCK_FILE) endif From 6ef5298d20b824e5178ca6b9401c4936394c5a97 Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Tue, 14 Nov 2023 14:44:36 -0500 Subject: [PATCH 6/8] Makefile: Don't build ZIP update package for talos-2 talos-2 builds its own tgz update package that is not currently integrated with the zip method. While the zip method right now would theoretically if the tgz was inside it, this would have to be hooked up for talos-2 specifically. Signed-off-by: Jonathon Hall --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index 2f3a32f4..f44652b5 100644 --- a/Makefile +++ b/Makefile @@ -173,6 +173,9 @@ ifeq ($(CONFIG_COREBOOT), y) # Legacy flash boards don't generate an update package, the only purpose of # those boards is to be flashed over vendor firmware via an exploit. ifneq ($(CONFIG_LEGACY_FLASH), y) +# talos-2 builds its own update package, which is not integrated with the ZIP +# method currently +ifneq ($(BOARD), talos-2) # Coreboot targets create an update package that can be applied with integrity # verification before flashing (see flash-gui.sh). The ZIP package format # allows other metadata that might be needed to added in the future without @@ -186,6 +189,7 @@ $(board_build)/$(CB_UPDATE_PKG_FILE): $(board_build)/$(CB_OUTPUT_FILE) all: $(board_build)/$(CB_OUTPUT_FILE) $(board_build)/$(CB_UPDATE_PKG_FILE) endif +endif ifneq ($(CONFIG_COREBOOT_BOOTBLOCK),) all: $(board_build)/$(CB_BOOTBLOCK_FILE) From 56d38e112c6d4077ef2bac23a4b17b7549344462 Mon Sep 17 00:00:00 2001 
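Review bot: The `ifneq ($(BOARD), talos-2)` guard added in [PATCH 6/8] hard-codes a board name in the top-level Makefile, whereas the legacy-flash exclusion in [PATCH 4/8] introduced a config switch and its comment asks for "specific configs" for behaviour other boards may need. It also matches differently from flash-gui.sh, which tests `${CONFIG_BOARD%_*}`, so a board whose name carries a suffix would be treated as talos-2 at runtime yet still get a ZIP built here (an inference; no such board is visible on this page). A switch set in the talos-2 board config, for example `ifneq ($(CONFIG_PLACEHOLDER_NO_UPDATE_PKG), y)` (placeholder name), would keep the build and the runtime check aligned.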
From: Thierry Laurion Date: Wed, 15 Nov 2023 10:00:37 -0500 Subject: [PATCH 7/8] Talos-2 fixes to comply with hashing file standard. Bypass flash-gui.sh prompt when talos-2 ato validate hashes against hashes provided under tgz through flash.sh validation (still offer zip and tgz, which tgz might change to zip later but only tgz offered through builds) Attempt to address https://github.com/linuxboot/heads/pull/1526#issuecomment-1811185197 Signed-off-by: Thierry Laurion --- boards/talos-2/talos-2.config | 2 +- initrd/bin/flash-gui.sh | 13 ++++++++++++- initrd/bin/flash.sh | 2 +- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/boards/talos-2/talos-2.config b/boards/talos-2/talos-2.config index ad4347bc..7de53584 100644 --- a/boards/talos-2/talos-2.config +++ b/boards/talos-2/talos-2.config @@ -64,6 +64,6 @@ $(board_build)/$(OUTPUT_PREFIX).tgz: \ rm -rf $(board_build)/pkg # cleanup in case directory exists mkdir $(board_build)/pkg cp $^ $(board_build)/pkg - cd $(board_build)/pkg && sha256sum * > hashes.txt + cd $(board_build)/pkg && sha256sum * > sha256sum.txt cd $(board_build)/pkg && tar zcf $@ * rm -r $(board_build)/pkg diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 524f36b1..d1564aea 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
@@ -63,7 +63,11 @@ while true; do --yesno "You will need to insert a USB drive containing your BIOS image (*.$UPDATE_PKG_EXT or\n*.$UPDATE_PLAIN_EXT).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then mount_usb if grep -q /media /proc/mounts; then - find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt + if [ "${CONFIG_BOARD%_*}" = talos-2 ]; then + find /media ! -path '*/\.*' -type f -name "*.$UPDATE_PLAIN_EXT" | sort >/tmp/filelist.txt + else + find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt + fi file_selector "/tmp/filelist.txt" "Choose the ROM to flash" if [ "$FILE" == "" ]; then exit 1 
@@ -109,12 +113,19 @@ while true; do # Continue on using the verified ROM ROM="$PACKAGE_ROM" else + # talos-2 uses a .tgz file for its "plain" update, contains other parts as well, validated against hashes under flash.sh + # Skip prompt for hash validation for talos-2. Only method is through tgz or through bmc with individual parts + if [ "${CONFIG_BOARD%_*}" != talos-2 ]; then # a rom file was provided. exit if we shall not proceed ROM="$PKG_FILE" ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file" if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \ --yesno "You have provided a *.$UPDATE_PLAIN_EXT file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.$UPDATE_PKG_EXT file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then exit 1 + fi + else + #We are on talos-2, so we have a tgz file. We will pass it directly to flash.sh which will take care of it + ROM="$PKG_FILE" fi fi diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index 2d983862..6ef16a52 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -180,7 +180,7 @@ if [ "$READ" -eq 0 ] && [ "${ROM##*.}" = tgz ]; then mkdir /tmp/verified_rom tar -C /tmp/verified_rom -xf $ROM || die "Rom archive $ROM could not be extracted" - if ! (cd /tmp/verified_rom/ && sha256sum -cs hashes.txt); then + if ! (cd /tmp/verified_rom/ && sha256sum -cs sha256sum.txt); then die "Provided tgz image did not pass hash verification" fi From 6873df60c1c965ac812a49d9d245f338d8a3b128 Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Thu, 16 Nov 2023 08:58:38 -0500 Subject: [PATCH 8/8] Remove CONFIG_BRAND_UPDATE_PKG_EXT, use zip everywhere Nitrokey is going to switch from npf to zip per discussion. Remove this config. 
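Review bot: The new talos-2 branch assigns `ROM="$PKG_FILE"` and continues without any dialog naming the selected file, while the ZIP path regained its 'Flash ROM?' confirmation in [PATCH 1/8] and the plain `.rom` path still shows the hash prompt. Unless something after this hunk asks again (the rest of the `f | c` branch is outside it), a mis-selected `.tgz` goes straight to `flash.sh`. I would reuse the existing confirmation in the talos-2 branch, e.g. `whiptail $BG_COLOR_WARNING --title 'Flash ROM?' --yesno "This will replace your current ROM with:\n\n${PKG_FILE#"/media/"}\n\nDo you want to proceed?" 0 80 || exit 1`. The body of the added `if` is also left at its old indentation, which hides the new nesting.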
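Review bot: Switching the `sha256sum -cs` call in flash.sh to `sha256sum.txt` makes every `.tgz` built before this patch, which carries `hashes.txt`, fail with "Provided tgz image did not pass hash verification" even when it is intact. The failure is closed, which is the safe direction, but [PATCH 1/8] kept old `/tmp/verified_rom` packages working, so a fallback would be consistent: `HASH_LIST=sha256sum.txt; [ -f "/tmp/verified_rom/$HASH_LIST" ] || HASH_LIST=hashes.txt` followed by `sha256sum -cs "$HASH_LIST"`. The unquoted `$ROM` on the `tar` context line is outside the change but worth quoting when this block is next touched. The enclosing `if` starts and ends outside the hunk.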
Signed-off-by: Jonathon Hall --- Makefile | 6 +----- initrd/bin/flash-gui.sh | 11 ++++------- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index f44652b5..258911f3 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,7 @@ CB_OUTPUT_BASENAME := $(shell echo $(BRAND_NAME) | tr A-Z a-z)-$(BOARD)-$(HEADS_ CB_OUTPUT_FILE := $(CB_OUTPUT_BASENAME).rom CB_OUTPUT_FILE_GPG_INJ := $(CB_OUTPUT_BASENAME)-gpg-injected.rom CB_BOOTBLOCK_FILE := $(CB_OUTPUT_BASENAME).bootblock +CB_UPDATE_PKG_FILE := $(CB_OUTPUT_BASENAME).zip LB_OUTPUT_FILE := linuxboot-$(BOARD)-$(HEADS_GIT_VERSION).rom all: @@ -58,11 +59,6 @@ CONFIG_LEGACY_FLASH := n include $(CONFIG) -# Default update package extension is 'zip' unless a brand wants a branded -# extension -CONFIG_BRAND_UPDATE_PKG_EXT ?= zip -CB_UPDATE_PKG_FILE := $(CB_OUTPUT_BASENAME).$(CONFIG_BRAND_UPDATE_PKG_EXT) - # Unless otherwise specified, we are building for heads CONFIG_HEADS ?= y diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index d1564aea..4f1bb537 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -13,9 +13,6 @@ if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then exit 1 fi -# A brand can override the extension used for update packages if desired -UPDATE_PKG_EXT="${CONFIG_BRAND_UPDATE_PKG_EXT:-zip}" - # Most boards use a .rom file as a "plain" update, contents of the BIOS flash UPDATE_PLAIN_EXT=rom # talos-2 uses a .tgz file for its "plain" update, contains other parts as well 
@@ -60,13 +57,13 @@ while true; do ;; f | c) if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \ - --yesno "You will need to insert a USB drive containing your BIOS image (*.$UPDATE_PKG_EXT or\n*.$UPDATE_PLAIN_EXT).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then + --yesno "You will need to insert a USB drive containing your BIOS image (*.zip or\n*.$UPDATE_PLAIN_EXT).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then mount_usb if grep -q /media /proc/mounts; then if [ "${CONFIG_BOARD%_*}" = talos-2 ]; then find /media ! -path '*/\.*' -type f -name "*.$UPDATE_PLAIN_EXT" | sort >/tmp/filelist.txt else - find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.$UPDATE_PKG_EXT" \) | sort >/tmp/filelist.txt + find /media ! -path '*/\.*' -type f \( -name "*.$UPDATE_PLAIN_EXT" -o -type f -name "*.zip" \) | sort >/tmp/filelist.txt fi file_selector "/tmp/filelist.txt" "Choose the ROM to flash" if [ "$FILE" == "" ]; then @@ -76,7 +73,7 @@ while true; do fi # is an update package provided? - if [ -z "${PKG_FILE##*.$UPDATE_PKG_EXT}" ]; then + if [ -z "${PKG_FILE##*.zip}" ]; then # Unzip the package PKG_EXTRACT="/tmp/flash_gui/update_package" rm -rf "$PKG_EXTRACT" 
@@ -120,7 +117,7 @@ while true; do ROM="$PKG_FILE" ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file" if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \ - --yesno "You have provided a *.$UPDATE_PLAIN_EXT file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.$UPDATE_PKG_EXT file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then + --yesno "You have provided a *.$UPDATE_PLAIN_EXT file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.zip file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then exit 1 fi else