OLD | NEW |
(Empty) | |
| 1 #!/bin/bash |
| 2 # |
| 3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. |
| 6 |
| 7 # Script to verify integrity of root file system for a GPT-based image |
| 8 |
| 9 # Load functions and constants |
| 10 . "$(dirname "$0")/common.sh" || exit 1 |
| 11 . "$(dirname "$0")/chromeos-common.sh" || exit 1 |
| 12 |
| 13 # Needed for partoffset and partsize calls |
| 14 locate_gpt |
| 15 |
| 16 # Script must be run inside the chroot. |
| 17 restart_in_chroot_if_needed $* |
| 18 |
| 19 DEFINE_string image "" "Device or an image path. Default: (empty)." |
| 20 |
| 21 # Parse command line. |
| 22 FLAGS "$@" || exit 1 |
| 23 eval set -- "${FLAGS_ARGV}" |
| 24 |
| 25 if [ -z $FLAGS_image ] ; then |
| 26 die "Use --from to specify a device or an image file." |
| 27 fi |
| 28 |
| 29 # Turn path into an absolute path. |
| 30 FLAGS_image=$(eval readlink -f ${FLAGS_image}) |
| 31 |
| 32 # Abort early if we can't find the image |
| 33 if [ ! -b ${FLAGS_image} ] && [ ! -f $FLAGS_image ] ; then |
| 34 die "No image found at $FLAGS_image" |
| 35 fi |
| 36 |
| 37 set -e |
| 38 |
| 39 function get_partitions() { |
| 40 if [ -b ${FLAGS_image} ] ; then |
| 41 KERNEL_IMG=$(make_partition_dev "${FLAGS_image}" 2) |
| 42 ROOTFS_IMG=$(make_partition_dev "${FLAGS_image}" 3) |
| 43 return |
| 44 fi |
| 45 |
| 46 KERNEL_IMG=$(mktemp) |
| 47 ROOTFS_IMG=$(mktemp) |
| 48 local kernel_offset=$(partoffset "${FLAGS_image}" 2) |
| 49 local kernel_count=$(partsize "${FLAGS_image}" 2) |
| 50 local rootfs_offset=$(partoffset "${FLAGS_image}" 3) |
| 51 local rootfs_count=$(partsize "${FLAGS_image}" 3) |
| 52 |
| 53 # TODO(tgao): use loop device to save 1GB in temp space |
| 54 dd if="${FLAGS_image}" of=${KERNEL_IMG} bs=512 skip=${kernel_offset} \ |
| 55 count=${kernel_count} &>/dev/null |
| 56 dd if="${FLAGS_image}" of=${ROOTFS_IMG} bs=512 skip=${rootfs_offset} \ |
| 57 count=${rootfs_count} &>/dev/null |
| 58 } |
| 59 |
| 60 function cleanup() { |
| 61 for i in ${KERNEL_IMG} ${ROOTFS_IMG} |
| 62 do |
| 63 if [ ! -b ${i} ]; then |
| 64 rm -f ${i} |
| 65 fi |
| 66 done |
| 67 } |
| 68 |
| 69 get_partitions |
| 70 |
| 71 # Logic below extracted from src/platform/installer/chromeos-setimage |
| 72 DUMP_KERNEL_CONFIG=/usr/bin/dump_kernel_config |
| 73 KERNEL_CONFIG=$(sudo "${DUMP_KERNEL_CONFIG}" "${KERNEL_IMG}") |
| 74 kernel_cfg="$(echo "${KERNEL_CONFIG}" | sed -e 's/.*dm="\([^"]*\)".*/\1/g' | |
| 75 cut -f2- -d,)" |
| 76 rootfs_sectors=$(echo ${kernel_cfg} | cut -f2 -d' ') |
| 77 verity_depth=$(echo ${kernel_cfg} | cut -f7 -d' ') |
| 78 verity_algorithm=$(echo ${kernel_cfg} | cut -f8 -d' ') |
| 79 |
| 80 # Compute the rootfs hash tree |
| 81 VERITY=/bin/verity |
| 82 table="vroot none ro,"$(sudo "${VERITY}" create \ |
| 83 ${verity_depth} \ |
| 84 "${verity_algorithm}" \ |
| 85 "${ROOTFS_IMG}" \ |
| 86 $((rootfs_sectors / 8)) \ |
| 87 /dev/null) |
| 88 |
| 89 expected_hash=$(echo ${kernel_cfg} | cut -f9 -d' ') |
| 90 generated_hash=$(echo ${table} | cut -f2- -d, | cut -f9 -d' ') |
| 91 |
| 92 cleanup |
| 93 |
| 94 if [ "${expected_hash}" != "${generated_hash}" ]; then |
| 95 warn "expected hash = ${expected_hash}" |
| 96 warn "actual hash = ${generated_hash}" |
| 97 die "Root filesystem has been modified unexpectedly!" |
| 98 else |
| 99 info "Root filesystem checksum match!" |
| 100 fi |
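Review bot: The fields cut out of the kernel command line on new lines 76–78 (`rootfs_sectors`, `verity_depth`, `verity_algorithm`) come from the image being verified, yet they reach `$((rootfs_sectors / 8))` and the `sudo "${VERITY}" create` call without validation, and `${verity_depth}` is unquoted. Bash arithmetic evaluates a non-numeric string as an expression rather than rejecting it, so both numeric fields should be checked first, for example `case "${rootfs_sectors}" in ''|*[!0-9]*) die "bad rootfs_sectors in kernel config" ;; esac`, with the same check for `verity_depth`. Separately, `eval readlink -f ${FLAGS_image}` on new line 30 re-parses the flag value as shell text; `FLAGS_image=$(readlink -f "${FLAGS_image}")` resolves the path without eval, at the cost of any `~` expansion the eval may have been there for. Because `set -e` is active, a failure in `dump_kernel_config` or `verity` exits before `cleanup` runs and leaves the extracted partition copies in the temp directory; a `trap cleanup EXIT` placed just before `get_partitions` would cover those paths.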