Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(662)

Side by Side Diff: utility/dev_debug_vboot

Issue 6824018: Address symlink attack on dev_debug_vboot. (Closed) Base URL: ssh://gitrw.chromium.org:9222/vboot_reference.git@master
Patch Set: Created 9 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/sh 1 #!/bin/sh -u
2 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. 2 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
3 # Use of this source code is governed by a BSD-style license that can be 3 # Use of this source code is governed by a BSD-style license that can be
4 # found in the LICENSE file. 4 # found in the LICENSE file.
5 # 5 #
6 # Usage: dev_debug_vboot [ --cleanup | DIRECTORY ] 6 # Usage: dev_debug_vboot [ --cleanup | DIRECTORY ]
7 # 7 #
8 # This extracts some useful debugging information about verified boot. A short 8 # This extracts some useful debugging information about verified boot. A short
9 # summary is printed on stdout, more detailed information and working files are 9 # summary is printed on stdout, more detailed information and working files are
10 # left in a log directory. 10 # left in a log directory.
11 # 11 #
12 12
13 TMPDIR=/tmp/debug_vboot 13 PATH=/bin:/sbin:/usr/bin:/usr/sbin
14
15 TMPDIR=$(mktemp -d /tmp/debug_vboot_XXXXXXXXX)
14 LOGFILE=noisy.log 16 LOGFILE=noisy.log
17 # The public file must live directly in /tmp, not in a subdirectory.
18 # See http://crosbug.com/8947
19 PUBLOGFILE=/tmp/debug_vboot_noisy.log
15 20
16 # TODO(wfrichar): Need to support ARM. The hard disk path is likely different. 21 # TODO(wfrichar): Need to support ARM. The hard disk path is likely different.
Randall Spangler 2011/04/08 21:31:13 For a future CL: can use `crossystem arch` to find
17 HD=/dev/sda 22 HD=/dev/sda
18 ACPI=/sys/devices/platform/chromeos_acpi
19 23
20 cleanup() { 24 cleanup() {
21 if [ -n "${CLEANUP}" ]; then 25 if [ -z "${USE_EXISTING:-}" ]; then
22 find "${TMPDIR}" -type f -not -name "${LOGFILE}" -exec rm {} ";" 26 # See http://crosbug.com/8947
27 cp --no-target-directory --remove-destination "${LOGFILE}" "${PUBLOGFILE}"
28 info "exporting log file as ${PUBLOGFILE}"
29 fi
30 if [ -n "${CLEANUP:-}" ]; then
31 cd /
32 rm -rf "${TMPDIR}"
23 fi 33 fi
24 } 34 }
25 35
26 die() { 36 die() {
27 echo "$*" 1>&2 37 echo "$*" 1>&2
28 exit 1 38 exit 1
29 } 39 }
30 40
31 info() { 41 info() {
32 echo "$@" 42 echo "$@"
(...skipping 24 matching lines...) Expand all
57 if [ "$?" = "0" ]; then 67 if [ "$?" = "0" ]; then
58 info "OK" 68 info "OK"
59 else 69 else
60 info "FAILED" 70 info "FAILED"
61 fi 71 fi
62 } 72 }
63 73
64 require_chromeos_bios() { 74 require_chromeos_bios() {
65 log cgpt show "${HD}" 75 log cgpt show "${HD}"
66 log rootdev -s 76 log rootdev -s
67 if [ ! -e "${ACPI}/HWID" ]; then 77 log crossystem
Randall Spangler 2011/04/08 21:31:13 log crossystem --all (so that you get vdat_lfdebug
68 info "Not running Chrome OS BIOS, no further information available" 78 log ls -aCF /root
69 exit 0 79 log ls -aCF /mnt/stateful_partition
70 fi
71 # including /dev/null just to get final "\n"
72 log head "${ACPI}"/*ID "${ACPI}"/BINF* "${ACPI}"/CHSW /dev/null
73 log reboot_mode
74 log ls -la /mnt/stateful_partition/.need_firmware_update
75 log ls -la /root/.force_update_firmware
76 } 80 }
77 81
78 # Search for files from the FMAP, in the order listed. Return the first one 82 # Search for files from the FMAP, in the order listed. Return the first one
79 # found or die if none are there. 83 # found or die if none are there.
80 find_name() { 84 find_name() {
81 for fn in "$@"; do 85 for fn in "$@"; do
82 if [ -e "$fn" ]; then 86 if [ -e "$fn" ]; then
83 echo "$fn" 87 echo "$fn"
84 return 88 return
85 fi 89 fi
86 done 90 done
87 echo "+ no files named $@" >> "$LOGFILE" 91 echo "+ no files named $@" >> "$LOGFILE"
88 exit 1 92 exit 1
89 } 93 }
90 94
91 # Here we go... 95 # Here we go...
92 umask 022 96 umask 022
93 trap cleanup EXIT 97 trap cleanup EXIT
94 98
95 # Parse args 99 # Parse args
96 if [ -n "$1" ]; then 100 if [ -n "${1:-}" ]; then
97 if [ "$1" = "--cleanup" ]; then 101 if [ "$1" = "--cleanup" ]; then
98 CLEANUP=1 102 CLEANUP=1
99 else 103 else
100 TMPDIR="$1" 104 TMPDIR="$1"
101 [ -d ${TMPDIR} ] || die "${TMPDIR} doesn't exist" 105 [ -d ${TMPDIR} ] || die "${TMPDIR} doesn't exist"
102 USE_EXISTING=yes 106 USE_EXISTING=yes
103 fi 107 fi
104 fi 108 fi
105 109
106 [ -d ${TMPDIR} ] || mkdir -p ${TMPDIR} || exit 1 110 [ -d ${TMPDIR} ] || mkdir -p ${TMPDIR} || exit 1
107 cd ${TMPDIR} 111 cd ${TMPDIR}
108 echo "$0 $*" > "$LOGFILE" 112 echo "$0 $*" > "$LOGFILE"
109 log date 113 log date
110 echo "Saving verbose log as $(pwd)/$LOGFILE" 114 echo "Saving verbose log as $(pwd)/$LOGFILE"
111 115
112 BIOS=bios.rom 116 BIOS=bios.rom
113 117
114 # Find BIOS and kernel images 118 # Find BIOS and kernel images
115 if [ -n "$USE_EXISTING" ]; then 119 if [ -n "${USE_EXISTING:-}" ]; then
116 info "Using images in $(pwd)/" 120 info "Using images in $(pwd)/"
117 else 121 else
118 require_chromeos_bios 122 require_chromeos_bios
119 info "Extracting BIOS image from flash..." 123 info "Extracting BIOS image from flash..."
120 log flashrom -p internal:bus=spi --wp-status 124 log flashrom -p internal:bus=spi --wp-status
121 log flashrom -p internal:bus=spi -r ${BIOS} 125 log flashrom -p internal:bus=spi -r ${BIOS}
122 126
123 HD_KERN_A="${HD}2" 127 HD_KERN_A="${HD}2"
124 HD_KERN_B="${HD}4" 128 HD_KERN_B="${HD}4"
125 tmp=$(rootdev -s -d)2 129 tmp=$(rootdev -s -d)2
126 if [ "$tmp" != "$HD_KERN_A" ]; then 130 if [ "$tmp" != "$HD_KERN_A" ]; then
127 USB_KERN_A="$tmp" 131 USB_KERN_A="$tmp"
128 fi 132 fi
129 133
130 info "Extracting kernel images from drives..." 134 info "Extracting kernel images from drives..."
131 log dd if=${HD_KERN_A} of=hd_kern_a.blob 135 log dd if=${HD_KERN_A} of=hd_kern_a.blob
132 log dd if=${HD_KERN_B} of=hd_kern_b.blob 136 log dd if=${HD_KERN_B} of=hd_kern_b.blob
133 if [ -n "$USB_KERN_A" ]; then 137 if [ -n "${USB_KERN_A:-}" ]; then
134 log dd if=${USB_KERN_A} of=usb_kern_a.blob 138 log dd if=${USB_KERN_A} of=usb_kern_a.blob
135 fi 139 fi
136 fi 140 fi
137 141
138 # Make sure we have something to work on 142 # Make sure we have something to work on
139 [ -f "$BIOS" ] || logdie "no BIOS image found" 143 [ -f "$BIOS" ] || logdie "no BIOS image found"
140 ls *kern*.blob >/dev/null 2>&1 || logdie "no kernel images found" 144 ls *kern*.blob >/dev/null 2>&1 || logdie "no kernel images found"
141 145
142 info "Extracting BIOS components..." 146 info "Extracting BIOS components..."
143 log dump_fmap -x ${BIOS} || logdie "Unable to extract BIOS components" 147 log dump_fmap -x ${BIOS} || logdie "Unable to extract BIOS components"
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after
179 loghead od -Ax -tx1 $keyblock 183 loghead od -Ax -tx1 $keyblock
180 done 184 done
181 185
182 # Test each kernel with each key 186 # Test each kernel with each key
183 for key in kernel_subkey_a.vbpubk kernel_subkey_b.vbpubk recoverykey.vbpubk; do 187 for key in kernel_subkey_a.vbpubk kernel_subkey_b.vbpubk recoverykey.vbpubk; do
184 for kern in *kern*.blob; do 188 for kern in *kern*.blob; do
185 infon "Verify $kern with $key... " 189 infon "Verify $kern with $key... "
186 log vbutil_kernel --verify $kern --signpubkey $key ; result 190 log vbutil_kernel --verify $kern --signpubkey $key ; result
187 done 191 done
188 done 192 done
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698