flash.sh x200: board addition.

Generic flash.sh to use cbfs extraction to replace flashrom whole flash extraction (KGPE-D16 is 16MB. Useless to read it all. Plus, s3nv changes each boot so it's impossible to read the whole flash and compare for integrity attestation.) unseal-hotp: use cbfs file extraction loop to measure modules.
tlaurion · Dec 27, 2018 · 0690df4 · 0690df4
1 parent 60101c7
commit 0690df4
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh
@@ -16,6 +16,9 @@ case "$CONFIG_BOARD" in
   "kgpe-d16" )
     FLASHROM_OPTIONS='--force --noverify --programmer internal'
   ;;
+  "x200" )
+    FLASHROM_OPTIONS='--force --noverify --programmer internal'
+  ;;
   * )
     die "ERROR: No board has been configured!\n\nEach board requires specific flashrom options and it's unsafe to flash without them.\n\nAborting."
   ;;
@@ -37,9 +40,10 @@ flash_rom() {
       die "$ROM: Read inconsistent"
     fi
   elif [ "$SHA" -eq 1 ]; then
-    flashrom $FLASHROM_OPTIONS -r "${ROM}" 1&>2 >/dev/null \
-    || die "$ROM: Read failed"
-    sha256sum ${ROM} | cut -f1 -d ' '
+    #flashrom $FLASHROM_OPTIONS -r "${ROM}" 1&>2 >/dev/null \
+    #|| die "$ROM: Read failed"
+    #sha256sum ${ROM} | cut -f1 -d ' '
+    cbfs --list | grep -E 'fallback|heads|microcode|bootblock' | while read CBFS_FILES; do cbfs -r $CBFS_FILES; done | sha256sum | cut -f1 -d ' '
   else
     cp "$ROM" /tmp/${CONFIG_BOARD}.rom
     sha256sum /tmp/${CONFIG_BOARD}.rom

diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp
@@ -35,11 +35,12 @@ else
 # without a TPM, use the first 20 characters of the ROM SHA256sum 
   echo "TPM not configured, measuring ROM directly" 1>&2
   # use a previously-copied image if it exists
-  if [ -f ${ROM_IMAGE} ]; then
-    sha256sum ${ROM_IMAGE} | cut -f1 -d ' ' | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET
-  else
-    flash.sh -s ${ROM_IMAGE} | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET
-  fi
+  #if [ -f ${ROM_IMAGE} ]; then
+  #  sha256sum ${ROM_IMAGE} | cut -f1 -d ' ' | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET
+  #else
+    #flash.sh -s ${ROM_IMAGE} | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET
+  cbfs --list | grep -E 'fallback|heads|microcode|bootblock' | while read CBFS_FILES; do cbfs -r $CBFS_FILES; done | sha256sum | cut -f1 -d ' ' | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET 
+  #fi
 fi
 
 # Store counter in file instead of TPM for now, as it conflicts with Heads