diff options
author | Mary Ruthven <mruthven@chromium.org> | 2021-08-06 19:21:01 -0500 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-09-07 17:52:51 +0000 |
commit | 1c3b00c3f7c0c819c330ddd98812d9085c578230 (patch) | |
tree | 8fe3a82953dffe2b178a738e3e123be7d02071b5 /Makefile.rules | |
parent | 519a3cf7cdef12437ae27a58d0dd70e12ca07278 (diff) | |
download | chrome-ec-1c3b00c3f7c0c819c330ddd98812d9085c578230.tar.gz |
add script to inject the fips fingerprint
Inject the fips fingerprint into the cr50 image, so it can verify the
fips module before starting to execute it. This change adds a script to
calculate the checksum and inject it into a elf file before signing.
If CONFIG_FIPS_CHECKSUM is defined, generate an elf file with the fips
checksum and use that to create signed images and hex files.
The build process doesn't change for RO artifacts. Nothing changes if
CONFIG_FIPS_CHECKSUM isn't defined.
The new chain for RW is
ec.RW.elf -> ec.RW.elf.fips -> ec.RW.flat
ec.RW.elf.fips is generated with util/inject_fips_fingerprint.sh.
util/inject_fips_fingerprint.sh calculates the fips module fingerprint,
copies ec.RW.elf to ec.RW.elf.fips, and then injects the fingerprint
into ec.RW.elf.fips.
util/signer/bs will be modified to use ec.RW.elf.fips if it exists in a
followup CL.
BUG=none
TEST=manual
# Verify cr50 is the only board that creates the fips artifacts
make buildall -j
objdump the text.fips_checksum section of ec.RW.elf and
ec.RW_B.elf. Make sure they match ec.RW.fips.checksum and
ec.RW_B.fips.checksum
# Verify cr50 can update to image signed with devid and that
# image shows Stored hash that matches the computed one.
H1_DEVIDS="${DEVID}" make -j BOARD=cr50 CR50_DEV=1
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Change-Id: Iab857ec1b7e3ae0d23681a25467e26286bd68210
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3078053
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'Makefile.rules')
-rw-r--r-- | Makefile.rules | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/Makefile.rules b/Makefile.rules index 41de0b7495..976e0a92e2 100644 --- a/Makefile.rules +++ b/Makefile.rules @@ -69,6 +69,7 @@ cmd_ec_elf_to_flat_dram ?= $(OBJCOPY) -j .dram* -O binary $< $@ cmd_elf_to_signed ?= $(SIGNER) --key=util/signer/$(3) \ --b --input=$< --format=bin --output=$@.signed $(SIGNER_EXTRAS) \ && sudo chown $(shell whoami) $@.signed && mv $@.signed $@ +cmd_elf_to_elf_fips = ./util/inject_fips_fingerprint.sh $(OBJCOPY) $(OBJDUMP) $^ cmd_elf_to_dis = $(OBJDUMP) -D $< > $@ cmd_elf_to_bin = $(OBJCOPY) -O binary $< $@ cmd_elf_to_hex = $(OBJCOPY) -O ihex $< $@ @@ -419,7 +420,16 @@ $(out)/$(PROJECT).obj: common/firmware_image.S $(out)/firmware_image.lds \ $(out)/%.dis: $(out)/%.elf $(call quiet,elf_to_dis,OBJDUMP) -$(out)/RW/%.hex: $(out)/RW/%.elf $(out)/RW/%.smap +ifeq ($(CONFIG_FIPS_CHECKSUM),) +rw_elf_ext= +else +rw_elf_ext=.fips + +$(out)/RW/%.elf.fips: $(out)/RW/%.elf + $(call quiet,elf_to_elf_fips,ELF_FIPS) +endif + +$(out)/RW/%.hex: $(out)/RW/%.elf$(rw_elf_ext) $(out)/RW/%.smap $(call quiet,elf_to_hex,OBJCOPY) ifeq ($(SIGNED_IMAGES),) @@ -435,7 +445,7 @@ else $(out)/RO/%.flat: $(out)/RO/%.elf $(out)/RO/%.smap $(call quiet,elf_to_signed,RO_SIGN,$(CR50_RO_KEY)) -$(out)/RW/%.flat: $(out)/RW/%.elf $(out)/RW/%.smap +$(out)/RW/%.flat: $(out)/RW/%.elf$(rw_elf_ext) $(out)/RW/%.smap $(call quiet,elf_to_signed,RW_SIGN,$(CR50_RW_KEY)) $(out)/RO/%.hex: $(out)/RO/%.flat |