Skip to content

Commit

Permalink
Update image-builder to output a hashes file.
Browse files Browse the repository at this point in the history
This can be useful for offline/external signing to extract the digests
for an image bundle to be passed to the signing interface.

The output is a JSON file with the vendor and owner hashes tagged with
their respective names.

This was tested by printing the hash from the ROM in the smoke tests to
ensure the calculated hash is the same for both the firmware and tool.
  • Loading branch information
zhalvorsen committed Jan 9, 2025
1 parent 8730762 commit e247ad3
Show file tree
Hide file tree
Showing 3 changed files with 36 additions and 1 deletion.
3 changes: 3 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions builder/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,11 @@ caliptra-image-types.workspace = true
clap.workspace = true
elf.workspace = true
hex.workspace = true
memoffset.workspace = true
nix.workspace = true
once_cell.workspace = true
serde_json.workspace = true
sha2.workspace = true
zerocopy.workspace = true

[features]
Expand Down
31 changes: 30 additions & 1 deletion builder/bin/image_gen.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,12 @@
use caliptra_builder::firmware;
use caliptra_builder::version;
use caliptra_builder::ImageOptions;
use caliptra_image_types::ImageHeader;
use caliptra_image_types::ImageManifest;
use clap::{arg, value_parser, Command};
use memoffset::{offset_of, span_of};
use serde_json::{json, to_string_pretty};
use sha2::{Digest, Sha384};
use std::collections::HashSet;
use std::path::PathBuf;

Expand All @@ -25,6 +30,10 @@ fn main() {
)
.arg(arg!(--"fake-rom" [FILE] "Fake ROM").value_parser(value_parser!(PathBuf)))
.arg(arg!(--"fake-fw" [FILE] "Fake FW bundle image").value_parser(value_parser!(PathBuf)))
.arg(
arg!(--"hashes" [FILE] "JSON file with image bundle header hashes for external signing tools")
.value_parser(value_parser!(PathBuf)),
)
.get_matches();

if let Some(path) = args.get_one::<PathBuf>("rom-no-log") {
Expand Down Expand Up @@ -53,7 +62,27 @@ fn main() {
},
)
.unwrap();
std::fs::write(path, image.to_bytes().unwrap()).unwrap();

let contents = image.to_bytes().unwrap();
std::fs::write(path, contents.clone()).unwrap();

if let Some(path) = args.get_one::<PathBuf>("hashes") {
let header_range = span_of!(ImageManifest, header);

// Get the vendor digest which is taken from a subset of the header
let vendor_header_len = offset_of!(ImageHeader, owner_data);
let vendor_range = header_range.start..header_range.start + vendor_header_len;
let vendor_digest = Sha384::digest(&contents[vendor_range]);

// Get the owner digest which is the full header
let owner_digest = Sha384::digest(&contents[header_range]);

let json = json!({
"vendor": vendor_digest.to_vec(),
"owner": owner_digest.to_vec(),
});
std::fs::write(path, to_string_pretty(&json).unwrap()).unwrap();
}
}

if let Some(path) = args.get_one::<PathBuf>("fake-fw") {
Expand Down

0 comments on commit e247ad3

Please sign in to comment.