From 7e66297fc54237b1867e448c1992c837f036a275 Mon Sep 17 00:00:00 2001
From: Vadim Bendebury
Date: Wed, 6 Oct 2021 18:48:21 -0700
Subject: fips: silence fips section filler

Script inserting FIPS checksum into the image uses the dd utility which generates stderr output even when there is no errors. This patch adds code which captures the dd stderr output and prints it out only if there is an actual error. stdout output of the script is suppressed unless make was invoked with V=1.

Also made a few modifications as requested by shellcheck.

BUG=none
TEST=make output does not have extra lines. built and ran a Cr50 image, it reports successful FIPS integrity self check.

Signed-off-by: Vadim Bendebury
Change-Id: I9121bc5a9a40633b9a3d18ea5766bc1ed274a9c2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3210946
Reviewed-by: Vadim Sukhomlinov
---
 Makefile.rules | 3 ++-
 util/inject_fips_fingerprint.sh | 20 +++++++++++++-------
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/Makefile.rules b/Makefile.rules
index abb1cf289d..9ce35db8c6 100644
--- a/Makefile.rules
+++ b/Makefile.rules
@@ -69,7 +69,8 @@ cmd_ec_elf_to_flat_dram ?= $(OBJCOPY) -j .dram* -O binary $< $@
 cmd_elf_to_signed ?= $(SIGNER) --key=util/signer/$(3) \
 	--b --input=$< --format=bin --output=$@.signed $(SIGNER_EXTRAS) \
 	&& sudo chown $(shell whoami) $@.signed && mv $@.signed $@
-cmd_elf_to_elf_fips = ./util/inject_fips_fingerprint.sh $(OBJCOPY) $(OBJDUMP) $^
+cmd_elf_to_elf_fips = ./util/inject_fips_fingerprint.sh $(OBJCOPY) $(OBJDUMP) \
+	$^ $(silent)
 cmd_elf_to_dis = $(OBJDUMP) -D $< > $@
 cmd_elf_to_bin = $(OBJCOPY) -O binary $< $@
 cmd_elf_to_hex = $(OBJCOPY) -O ihex $< $@
diff --git a/util/inject_fips_fingerprint.sh b/util/inject_fips_fingerprint.sh
index 830310af3e..a079c44401 100755
--- a/util/inject_fips_fingerprint.sh
+++ b/util/inject_fips_fingerprint.sh
@@ -6,6 +6,8 @@
 #
 # Calculate hash of fips module and inject it into the .elf file.
 
+SCRIPT="$(basename "$0")"
+
 main() {
   local objcopy="${1}"
   local objdump="${2}"
@@ -13,8 +15,9 @@ main() {
   local base="${rw_elf_in%.elf}"
   local rw_elf_out="${rw_elf_in}.fips"
   local checksum_section=".text.fips_checksum"
-  local fips_checksum="${base}.fips.checksum"
-  local fips_checksum_dump="${fips_checksum}.dump"
+  local fips_body="${base}.fips.body"
+  local fips_checksum_dump="${base}.fips.checksum_dump"
+  local fips_error="${base}.fips.error"
   local size
   local sections
   local fips_start
@@ -22,7 +25,6 @@ main() {
   local fips_offset
   local file_offset
   local base_addr
-  local result
 
   if [ ! -f "${rw_elf_in}" ] ; then
     echo " ${rw_elf_in} doesn't exist"
@@ -32,6 +34,8 @@ main() {
   echo "${rw_elf_in} ${rw_elf_out}"
 
   sections=$( objdump -t "${rw_elf_in}" )
+  # Never mind the shellcheck suggestion to remove the quotes,
+  # literal match is required in this case.
   if [[ "${sections}" =~ "${checksum_section}" ]] ; then
     echo " get fips checksum"
   else
@@ -57,11 +61,13 @@ main() {
   size=$((fips_end - fips_start))
   fips_offset=$((file_offset + fips_start - base_addr))
 
-  result=$(dd if="${rw_elf_in}" skip="${fips_offset}" count="${size}" bs=1 | \
-    sha256sum)
+  if ! dd if="${rw_elf_in}" skip="${fips_offset}" count="${size}" bs=1 \
+    >"${fips_body}" 2>"${fips_error}"; then
+    printf "%s: error:\n$(cat "${fips_error}")" "${SCRIPT}" >&2
+    exit 1
+  fi
 
-  echo "${result%% *}" > "${fips_checksum}"
-  echo "${result%% *}" | xxd -r -p > "${fips_checksum_dump}"
+  sha256sum "${fips_body}" | xxd -r -p -l 32 > "${fips_checksum_dump}"
 
   cp "${rw_elf_in}" "${rw_elf_out}"
   ${objcopy} --update-section "${checksum_section}"="${fips_checksum_dump}" \
-- 
cgit v1.2.1
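Review bot: The two added comment lines above the quoted `=~` test in the `@@ -32,6 +34,8 @@` hunk explain the intent but do not actually suppress the warning, so shellcheck will keep flagging the `if [[ "${sections}" =~ "${checksum_section}" ]]` line. A directive does both jobs: keep the prose and add `# shellcheck disable=SC2076` as the line immediately above the `if`. Worth noting in that comment as well that the literal match still succeeds on the section name appearing anywhere in the objdump output, including as a substring of a longer symbol; that behaviour predates this change. main() starts and ends outside the hunk.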
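Review bot: In the `@@ -57,11 +61,13 @@` hunk the captured dd diagnostics are spliced into the printf format string on the `printf "%s: error:\n$(cat "${fips_error}")" "${SCRIPT}" >&2` line, so any `%` or backslash sequence in that text is interpreted as a directive instead of printed, and the message ends without a newline. Pass the captured text as an argument instead: `printf '%s: error:\n%s\n' "${SCRIPT}" "$(cat "${fips_error}")" >&2`. Separately, dd with `count="${size}" bs=1` exits 0 on a short read, so a truncated `${fips_body}` would still be hashed and injected; a size check before the sha256sum line, e.g. `[[ $(wc -c < "${fips_body}") -eq ${size} ]] || exit 1`, catches that at build time rather than leaving it to the firmware's integrity self-check. main() continues outside the hunk.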