blob: 056c98b68203a70d4ae10a9e5697e153339c1831 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
#!/bin/bash
#
# Copyright 2021 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Calculate hash of fips module and inject it into the .elf file.
SCRIPT="$(basename "$0")"
main() {
local objcopy="${1}"
local objdump="${2}"
local rw_elf_in="${3}"
local base="${rw_elf_in%.elf}"
local rw_elf_out="${rw_elf_in}.fips"
local checksum_section=".text.fips_checksum"
local fips_body="${base}.fips.body"
local fips_checksum_dump="${base}.fips.checksum_dump"
local fips_error="${base}.fips.error"
local size
local sections
local fips_start
local fips_end
local fips_offset
local file_offset
local base_addr
if [ ! -f "${rw_elf_in}" ] ; then
echo " ${rw_elf_in} doesn't exist"
return 1
fi
echo "${rw_elf_in} ${rw_elf_out}"
sections=$( objdump -t "${rw_elf_in}" )
# Never mind the shellcheck suggestion to remove the quotes,
# literal match is required in this case.
if [[ "${sections}" =~ "${checksum_section}" ]] ; then
echo " get fips checksum"
else
echo " no fips checksum"
return 1
fi
vals=( $(${objdump} -x -j .text "${rw_elf_in}" | awk '
{
if ($2 == ".text" ) {
file_offs = $6
base_addr = $5
}
if ($5 == "__fips_module_start") {fips_start = $1 }
if ($5 == "__fips_module_end") {fips_end = $1 }
}
END { printf "0x%s 0x%s 0x%s 0x%s\n", file_offs, base_addr, fips_start,
fips_end }') )
file_offset=${vals[0]}
base_addr=${vals[1]}
fips_start=${vals[2]}
fips_end=${vals[3]}
size=$((fips_end - fips_start))
fips_offset=$((file_offset + fips_start - base_addr))
if ! dd if="${rw_elf_in}" skip="${fips_offset}" count="${size}" bs=1 \
>"${fips_body}" 2>"${fips_error}"; then
printf "%s: error:\n$(cat "${fips_error}")" "${SCRIPT}" >&2
exit 1
fi
sha256sum "${fips_body}" | xxd -r -p -l 32 > "${fips_checksum_dump}"
cp "${rw_elf_in}" "${rw_elf_out}"
# don't update digest if run with FIPS_BREAK=1
[ -v FIPS_BREAK ] && return 0
${objcopy} --update-section "${checksum_section}"="${fips_checksum_dump}" \
"${rw_elf_out}"
}
main "$@"
|