author | Vadim Bendebury <vbendeb@chromium.org> | 2021-10-06 18:48:21 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-10-11 23:41:56 +0000 |
commit | 7e66297fc54237b1867e448c1992c837f036a275 (patch) | |
tree | d397730059d4a8dd0bb0961d0aca682006894a0b | |
parent | 289dfac48450fe2707b0ca381c399ecaabc9b949 (diff) | |
fips: silence fips section filler
The script inserting the FIPS checksum into the image uses the dd utility,
which generates stderr output even when there are no errors.
This patch adds code which captures the dd stderr output and prints it
out only if there is an actual error. stdout output of the script is
suppressed unless make was invoked with V=1.
Also made a few modifications as requested by shellcheck.
BUG=none
TEST=make output does not have extra lines.
built and ran a Cr50 image, it reports successful FIPS integrity
self check.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I9121bc5a9a40633b9a3d18ea5766bc1ed274a9c2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210946
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r-- | Makefile.rules | 3 | ||||
-rwxr-xr-x | util/inject_fips_fingerprint.sh | 20 |
2 files changed, 15 insertions, 8 deletions
diff --git a/Makefile.rules b/Makefile.rules
index abb1cf289d..9ce35db8c6 100644
--- a/Makefile.rules
+++ b/Makefile.rules
@@ -69,7 +69,8 @@ cmd_ec_elf_to_flat_dram ?= $(OBJCOPY) -j .dram* -O binary $< $@
 cmd_elf_to_signed ?= $(SIGNER) --key=util/signer/$(3) \
 --b --input=$< --format=bin --output=$@.signed $(SIGNER_EXTRAS) \
 && sudo chown $(shell whoami) $@.signed && mv $@.signed $@
-cmd_elf_to_elf_fips = ./util/inject_fips_fingerprint.sh $(OBJCOPY) $(OBJDUMP) $^
+cmd_elf_to_elf_fips = ./util/inject_fips_fingerprint.sh $(OBJCOPY) $(OBJDUMP) \
+ $^ $(silent)
 cmd_elf_to_dis = $(OBJDUMP) -D $< > $@
 cmd_elf_to_bin = $(OBJCOPY) -O binary $< $@
 cmd_elf_to_hex = $(OBJCOPY) -O ihex $< $@
diff --git a/util/inject_fips_fingerprint.sh b/util/inject_fips_fingerprint.sh
index 830310af3e..a079c44401 100755
--- a/util/inject_fips_fingerprint.sh
+++ b/util/inject_fips_fingerprint.sh
@@ -6,6 +6,8 @@
 #
 # Calculate hash of fips module and inject it into the .elf file.
+SCRIPT="$(basename "$0")"
+
 main() {
 local objcopy="${1}"
 local objdump="${2}"
@@ -13,8 +15,9 @@ main() {
 local base="${rw_elf_in%.elf}"
 local rw_elf_out="${rw_elf_in}.fips"
 local checksum_section=".text.fips_checksum"
- local fips_checksum="${base}.fips.checksum"
- local fips_checksum_dump="${fips_checksum}.dump"
+ local fips_body="${base}.fips.body"
+ local fips_checksum_dump="${base}.fips.checksum_dump"
+ local fips_error="${base}.fips.error"
 local size
 local sections
 local fips_start
@@ -22,7 +25,6 @@ main() {
 local fips_offset
 local file_offset
 local base_addr
- local result
 if [ ! -f "${rw_elf_in}" ] ; then
 echo " ${rw_elf_in} doesn't exist"
@@ -32,6 +34,8 @@ main() {
 echo "${rw_elf_in} ${rw_elf_out}"
 sections=$( objdump -t "${rw_elf_in}" )
+ # Never mind the shellcheck suggestion to remove the quotes,
+ # literal match is required in this case.
 if [[ "${sections}" =~ "${checksum_section}" ]] ; then
 echo " get fips checksum"
 else
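Review bot: The two comment lines added above the `if [[ "${sections}" =~ "${checksum_section}" ]]` test explain why the quotes stay, but shellcheck will keep reporting the line on every run. Adding the directive `# shellcheck disable=SC2076` directly above the `if`, next to the existing explanation, records the decision where the tool can see it. In the same hunk, the context line `sections=$( objdump -t "${rw_elf_in}" )` calls a bare `objdump` although main() receives the toolchain's objdump as `${2}`; if that is not intentional, it is worth fixing in the same cleanup. main() starts and ends outside this hunk.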
@@ -57,11 +61,13 @@ main() {
 size=$((fips_end - fips_start))
 fips_offset=$((file_offset + fips_start - base_addr))
- result=$(dd if="${rw_elf_in}" skip="${fips_offset}" count="${size}" bs=1 | \
- sha256sum)
+ if ! dd if="${rw_elf_in}" skip="${fips_offset}" count="${size}" bs=1 \
+ >"${fips_body}" 2>"${fips_error}"; then
+ printf "%s: error:\n$(cat "${fips_error}")" "${SCRIPT}" >&2
+ exit 1
+ fi
- echo "${result%% *}" > "${fips_checksum}"
- echo "${result%% *}" | xxd -r -p > "${fips_checksum_dump}"
+ sha256sum "${fips_body}" | xxd -r -p -l 32 > "${fips_checksum_dump}"
 cp "${rw_elf_in}" "${rw_elf_out}"
 ${objcopy} --update-section "${checksum_section}"="${fips_checksum_dump}" \ |
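Review bot: On the new `sha256sum "${fips_body}" | xxd -r -p -l 32` line, nothing confirms that exactly 32 digest bytes reach `${fips_checksum_dump}` before objcopy injects it. The pipeline's status is xxd's alone (no `pipefail` is set in the lines shown), and sha256sum's trailing file-name field is now fed to xxd, where the removed code stripped it with `${result%% *}`. Whether `-l 32` bounds the output in xxd's revert mode should be confirmed; passing only the digest field and checking its form first turns a bad fingerprint into a build error instead of a failed self-check on the device. Separately, the `printf` in the dd error branch expands `$(cat "${fips_error}")` inside the format string, so any `%` or backslash in dd's message is interpreted; it should be passed as an argument. main() starts and ends outside this hunk, so the `local digest` declaration would go with the other locals.

```shell
  # … unchanged: dd extraction into ${fips_body}, stderr captured in ${fips_error} …
    printf '%s: error:\n%s\n' "${SCRIPT}" "$(cat "${fips_error}")" >&2
  # … unchanged: exit 1 / fi …

  digest="$(sha256sum < "${fips_body}")" || exit 1
  digest="${digest%% *}"
  if [[ ! "${digest}" =~ ^[0-9a-f]{64}$ ]]; then
    printf '%s: error: unexpected sha256sum output\n' "${SCRIPT}" >&2
    exit 1
  fi
  printf '%s' "${digest}" | xxd -r -p > "${fips_checksum_dump}"
```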