|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +set -e |
| 4 | + |
| 5 | +data=$1 |
| 6 | + |
| 7 | +verity_hdr=$(veritysetup format $data ${data}.verity) |
| 8 | +root_hash=$(echo $(awk -F: '/Root hash:/ { print $2 }' <<<$verity_hdr)) |
| 9 | + |
| 10 | +data_size=$(stat -c %s $data) |
| 11 | +hash_size=$(stat -c %s ${data}.verity) |
| 12 | +root_hash_front=${root_hash:0:32} |
| 13 | +root_hash_back=${root_hash:32:32} |
| 14 | + |
| 15 | +# 512-byte sectors |
| 16 | +data_sectors=$(( $data_size >> 9 )) |
| 17 | +hash_sectors=$(( $hash_size >> 9 )) |
| 18 | +data_type=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 |
| 19 | +hash_type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5 |
| 20 | + |
| 21 | +openssl req -batch -new -x509 -sha256 -newkey rsa:2048 -nodes -out root_key.crt -keyout root_key.pem -days 3650 |
| 22 | +echo -n "$root_hash" >${data}.roothash |
| 23 | +openssl smime -sign -nocerts -noattr -binary -in "${data}.roothash" -inkey "root_key.pem" -signer "root_key.crt" -outform der -out "${data}.roothash.p7s" |
| 24 | + |
| 25 | +cat <<EOF | tr -d '\n' >${data}.verity.sig |
| 26 | +{"rootHash":"$root_hash","signature":"$(base64 -w 0 <${data}.roothash.p7s)"} |
| 27 | +EOF |
| 28 | +sig_size=$(stat -c %s ${data}.verity.sig) |
| 29 | +# rounded up to 4096 bytes |
| 30 | +sig_size=$(( ( $sig_size + 4095 ) / 4096 * 4096 )) |
| 31 | +sig_sectors=$(( $sig_size >> 9 )) |
| 32 | +sig_type=41092b05-9fc8-4523-994f-2def0408b176 |
| 33 | + |
| 34 | +# signature + GPT header + PMBR (?) |
| 35 | +disk_size=$(( $data_size + $hash_size + 4096 + 2048 * 512 + 33 * 512)) |
| 36 | +rm -f disk.img |
| 37 | +fallocate -l $disk_size disk.img |
| 38 | + |
| 39 | +as_hex() { |
| 40 | + str=$1 |
| 41 | + printf "%.8s-%.4s-%.4s-%.4s-%.12s" \ |
| 42 | + "${str:0:8}" "${str:8:4}" "${str:12:4}" \ |
| 43 | + "${str:16:4}" "${str:20:12}" |
| 44 | +} |
| 45 | +data_uuid=$(as_hex $root_hash_front) |
| 46 | +hash_uuid=$(as_hex $root_hash_back) |
| 47 | + |
| 48 | +cat <<EOF >sda.sfdisk |
| 49 | +label: gpt |
| 50 | +unit: sectors |
| 51 | +sector-size: 512 |
| 52 | +
|
| 53 | +/dev/sda1 : start=2048, size= ${data_sectors}, type=${data_type}, uuid=${data_uuid} |
| 54 | +/dev/sda2 : start=$(( $data_sectors + 2048 )), size= ${hash_sectors}, type=${hash_type}, uuid=${hash_uuid} |
| 55 | +/dev/sda3 : start=$(( ${hash_sectors} + $data_sectors + 2048 )), size= ${sig_sectors}, type=${sig_type} |
| 56 | +EOF |
| 57 | + |
| 58 | +sfdisk disk.img <sda.sfdisk |
| 59 | + |
| 60 | +loop=$(sudo losetup --find --show disk.img) |
| 61 | +sudo partx -u $loop |
| 62 | +sudo dd bs=512 if=$data of=${loop}p1 |
| 63 | +sudo dd bs=512 if=${data}.verity of=${loop}p2 |
| 64 | +sudo dd bs=512 if=${data}.verity.sig of=${loop}p3 |
| 65 | +sudo losetup -d $loop |
| 66 | + |
| 67 | +echo |
| 68 | +echo "Finished!" |
| 69 | +echo "Copy disk.img to /etc/extensions/$(basename $data)" |
| 70 | +echo "Copy root_key.crt to /etc/verity.d/root_key.crt" |
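Review bot: `root_hash` (line 8) is never checked before it is signed and split into partition UUIDs, so if `veritysetup format` drops or renames its `Root hash:` line the script signs an empty `${data}.roothash` and derives broken UUIDs from `${root_hash:0:32}`/`${root_hash:32:32}`, all without tripping `set -e`. Add after line 8: `[[ $root_hash =~ ^[0-9a-f]{64}$ ]] || { echo "unexpected root hash: '$root_hash'" >&2; exit 1; }` — 64 hex characters is exactly what the 32/32 split on lines 12–13 and the `as_hex` slicing on lines 41–43 already assume. Separately, line 21 generates a fresh, unencrypted `root_key.pem`/`root_key.crt` on every run, so a second invocation silently replaces the key that signed the previous image; guarding it with `[[ -f root_key.pem && -f root_key.crt ]] ||` would reuse an existing key pair instead. Minor: `disk_size` on line 35 hardcodes `4096` for the signature partition rather than using the `$sig_size` computed on line 30, and the unquoted `$data` expansions (lines 7, 10, 22, 62–64) break on paths containing whitespace.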