use sha512sum to check downloads, not sha1sum

sha-1 has known collision issues, which may not be readily
exploitable yet (in our context), but we should ideally use
a more secure method for checking file integrity.

therefore, use sha-2 (sha512sum) for checking files. this is
slower than sha-1, but checksum verification is only a minor
part of what lbmk does, so the overall effect on build times
is quite negligible.

Signed-off-by: Leah Rowe <leah@libreboot.org>
Leah Rowe 2023-09-09 16:39:26 +01:00
parent 022e0200df
commit 878550d519
5 changed files with 37 additions and 30 deletions


@ -5,92 +5,96 @@
# If you want to make additions, try to add a backup url for download links and
# list hashes as sha1 sums.
# NOTE: this file now defines checksums as sha512 (of the sha-2 family),
# where previously we used 160-bit SHA-1 algorithm; SHA-1 is not secure,
# having demonstrated collisions, so we have switched to using sha512sum
{x230 x230t x230i x230edp t430 t530 w530}{
DL_hash 039c89c6d44ae11ae2510cbd5fed756e97ed9a31
DL_hash 4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c
DL_url https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
DL_url_bkup https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
}
{x220 x220t t420 t520 t420s}{
DL_hash fa0f96c8f36646492fb8c57ad3296bf5f647d9c5
DL_hash 81c9917938c4a2a4f128c976250451931efd0f25b51ff34f058ddacb8eec27272691371864a683ec7abcb924fea32592d061584c7b2571a5d3e84eb870281cc3
DL_url https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe
DL_url_bkup https://web.archive.org/web/20220202201637/https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe
}
{t440pmrc w541mrc t440plibremrc w541}{
DL_hash b2f2a1baa1f0c8139e46b0d3e206386ff197bed5
DL_hash f3d79aec805c8b0094a4081be76b3a22d329c479ad18210449b7acc3236ccfc4a2103eaa7c5b79a4872bfd699eede047efd46dfb06dc8f47e3216fc254612998
DL_url https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe
DL_url_bkup https://web.archive.org/web/20211120031520/https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe
}
{hp8200sff}{
DL_hash c59e693effc1862c38cc4caa15be0a6a92557e0b
DL_hash 8fcb691bf84dc1feefc3c84f7cc59eadaabb200477bb3ecba1b050f23f133b0a8c2539015a523f676544c2dff64599bcba7e844e8c31757b90d70bb4485b5664
DL_url https://ftp.ext.hp.com/pub/softpaq/sp96001-96500/sp96026.exe
DL_url_bkup https://web.archive.org/web/20220708171920/https://ftp.ext.hp.com/pub/softpaq/sp96001-96500/sp96026.exe
}
{hp8300usdt}{
DL_hash 039c89c6d44ae11ae2510cbd5fed756e97ed9a31
DL_hash 4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c
DL_url https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
DL_url_bkup https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
}
{hp2560p}{
DL_hash fa0f96c8f36646492fb8c57ad3296bf5f647d9c5
DL_hash 81c9917938c4a2a4f128c976250451931efd0f25b51ff34f058ddacb8eec27272691371864a683ec7abcb924fea32592d061584c7b2571a5d3e84eb870281cc3
DL_url https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe
DL_url_bkup https://web.archive.org/web/20220202201637/https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe
EC_hash c1b1fb0a525cf90459bf024f407e302314bd981b
EC_hash a602cc7627c569bc423a5857cf506fbc3bcd68cb6b43a7c1b99d12a569b4107c412748cf49605ef4d5b930eb14b6815c4d1b1dc20145fe9d707e445fc201cea2
EC_url https://ftp.hp.com/pub/softpaq/sp85501-86000/sp85526.exe
EC_url_bkup https://web.archive.org/web/20230416125725/https://ftp.hp.com/pub/softpaq/sp85501-86000/sp85526.exe
}
{hp2570p}{
DL_hash 039c89c6d44ae11ae2510cbd5fed756e97ed9a31
DL_hash 4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c
DL_url https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
DL_url_bkup https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
EC_hash a896ef72799e8abd4d0601ec415a2113b2a7f240
EC_hash 61ed284bdf938c5f36ad3267263fb3963a6608339425bc41aaef3ab0cd98f07c998d816b0233735ca35dc6cb771257da3f09a40d5cfc96bb6388b4366348275e
EC_url https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96085.exe
EC_url_bkup https://web.archive.org/web/20230610174558/https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96085.exe
}
{hp9470m}{
DL_hash 039c89c6d44ae11ae2510cbd5fed756e97ed9a31
DL_hash 4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c
DL_url https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
DL_url_bkup https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
EC_hash 1a03e985552060a9dfe7c40b5ea97ecfb2794583
EC_hash 563422bf5420da18b89439f28a38ea28a175f0ad3588f0f5ea39b08dfdd14c8d513cbf11c2125ec3869fc3b7222c7dc3d111415185ea9b73f41410b1b57f13bd
EC_url https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96090.exe
EC_url_bkup http://web.archive.org/web/20220504072602/https://ftp.ext.hp.com/pub/softpaq/sp96001-96500/sp96090.exe
}
{hp2170p}{
DL_hash 039c89c6d44ae11ae2510cbd5fed756e97ed9a31
DL_hash 4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c
DL_url https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
DL_url_bkup https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
EC_hash 201f7f40c02df42188f4ee3073f8df7f21ab6fa1
EC_hash 940e533b6a276c13a6e46a93795ca84b19877b05e82c0c1795b7fea9cbea63c28e606ef994352fc77c4fdfb2e0c31c5edeefa98b989e1990364dfc6417b25460
EC_url https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96088.exe
EC_url_bkup https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96088.exe
}
{t1650}{
DL_hash 039c89c6d44ae11ae2510cbd5fed756e97ed9a31
DL_hash 4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c
DL_url https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
DL_url_bkup https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
SCH5545EC_DL_url https://dl.dell.com/FOLDER05065992M/1/T1650A28.exe
SCH5545EC_DL_url_bkup https://web.archive.org/web/20230811151654/https://dl.dell.com/FOLDER05065992M/1/T1650A28.exe
SCH5545EC_DL_hash 9651bab78b8a0063997f568f7698590c7deb7925
SCH5545EC_DL_hash 18261d0f7f27e9de3b0b5a25019b9a934ef1a61cd3f0140e34f38553695e91e671e227a8fa962774edceab5c7804d13ed9fe1c518c5643c7c8f15632f903a6c4
}
{hp8470pintel}{
DL_hash 039c89c6d44ae11ae2510cbd5fed756e97ed9a31
DL_hash 4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c
DL_url https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
DL_url_bkup https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
EC_hash 20e49c92f610e0bba4b67faac7ae2bc78f421cb7
EC_hash b95c9cf909ed537fb448e2be69eddcb57459efbaf0a979a73cd2bce90a7014b110f4dbbeecfd596c072636396b8f20c229c59ffe34e45500ce9edb000c6ccaf9
EC_url https://ftp.hp.com/pub/softpaq/sp77501-78000/sp77818.exe
EC_url_bkup https://ftp.hp.com/pub/softpaq/sp77501-78000/sp77818.exe
}
@ -98,7 +102,7 @@
# nvidia vga option rom for dgpu models of Dell Latitude E6400
# for downloading the nvidia rom to pciroms/pci10de,06eb.rom
{e6400}{
E6400_VGA_DL_hash a24ed919e80287b281e407d525af31f307746250
E6400_VGA_DL_hash 6217d5fce2291d15bb0649fd2faaeb78e4c48962b07a2bea6af60466bfdc5f233af0d077c2c6e71dd96047bdbb1f612324cef0a5e728ba9a9ec5c69a4022cd8d
E6400_VGA_DL_url https://dl.dell.com/FOLDER01530530M/1/E6400A34.exe
E6400_VGA_DL_url_bkup https://web.archive.org/web/20230506014903/https://dl.dell.com/FOLDER01530530M/1/E6400A34.exe
E6400_VGA_offset 274451
@ -106,7 +110,7 @@
}
{e6430}{
DL_hash 039c89c6d44ae11ae2510cbd5fed756e97ed9a31
DL_hash 4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c
DL_url https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
DL_url_bkup https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
}
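Review bot: The context comment at the top of this hunk still tells contributors to `list hashes as sha1 sums`, directly above the new NOTE saying the file now uses sha512. Anyone following the older line would add a 40-character digest, which presumably can never match the sha512sum comparison in vendor_checksum, so the download would be rejected with a bad-checksum message that does not point at the cause. I would change that line to `# list hashes as sha512 sums.` so the two comments agree. Separately, the commit message does not say how the new digests were produced; it would help to record that each was computed from a file that still verified against the SHA-1 value it replaces.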


@ -171,8 +171,8 @@ strip_archive()
(
cd "${romdir}" || err "strip_archive: !cd ${romdir}"
sha1sum *.rom >> blobhashes || \
err "strip_archive: ${romdir}: !sha1sum *.rom >> blobhashes"
sha512sum *.rom >> blobhashes || \
err "strip_archive: ${romdir}: !sha512sum *.rom >> blobhashes"
)
for romfile in "${romdir}"/*.rom; do
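Review bot: `blobhashes` is appended to with `>>`, and nothing in the file records which algorithm produced its lines. If a `blobhashes` from an earlier SHA-1 run can already exist in `${romdir}` when this runs (the rest of strip_archive is outside the hunk), the file ends up mixing 40- and 128-character digests. GNU `sha512sum -c` without `--strict` skips lines it cannot parse, so ROMs listed only on the SHA-1 lines would go unverified. If no earlier step is meant to contribute entries, truncating is safer: `sha512sum ./*.rom > blobhashes || \`. The `./` prefix also keeps a file name beginning with `-` from being read as an option.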


@ -455,7 +455,7 @@ vendor_checksum()
printf "Vendor update not found on disk for: %s\n" "${board}" \
1>&2
return 1
elif [ "$(sha1sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
elif [ "$(sha512sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
printf "Bad checksum on vendor update for: %s\n" "${board}" 1>&2
return 1
fi
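Review bot: `${dl_path}` is unquoted inside the command substitution, so a path containing whitespace or glob characters is split before sha512sum sees it and the digest of the intended file is never computed. Quote it: `elif [ "$(sha512sum "${dl_path}" | awk '{print $1}')" != "${1}" ]; then`. It is also worth rejecting an empty `${1}` before this comparison, because a failed sha512sum yields an empty string and `"" != ""` is false, which would let the check pass for a board entry with no hash. Whether callers can pass an empty value is not visible here, since vendor_checksum starts outside the hunk.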


@ -127,7 +127,10 @@ patch_release_roms()
(
cd "${_tmpdir}"/bin/*
sha1sum --status -c blobhashes || \
# NOTE: For compatibility with older rom releases, defer to sha1
sha512sum --status -c blobhashes || \
sha1sum --statuc -c blobhashes || \
err "patch_release_roms: ROMs did not match expected hashes"
)
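Review bot: The SHA-1 fallback is spelled `sha1sum --statuc -c blobhashes`; `--statuc` is not an option sha1sum accepts, so the command exits non-zero before reading the file, and every older release whose `blobhashes` holds SHA-1 lines ends in the `err` call. It should read `sha1sum --status -c blobhashes || \`. Keeping the fallback also means a release archive carrying only a SHA-1 list is still accepted, so the collision concern in the commit message continues to apply on this path; if that is intended only for old releases, the NOTE comment should say so explicitly. The `cd "${_tmpdir}"/bin/*` above it is unchecked, unlike the `cd ... || err` form used in strip_archive.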


@ -39,8 +39,8 @@ _board="peppy"
_file="chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin"
_url="https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin.zip"
_url2="https://web.archive.org/web/20200516070928/https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin.zip"
_sha1sum="cd5917cbe7f821ad769bf0fd87046898f9e175c8"
_mrc_complete_hash="d18de1e3d52c0815b82ea406ca07897c56c65696"
_sha512sum="340a1cd41136a3ba0de9d306db0e65f51640a2efe63aee9934f326b276adc1af0a2df80c0731c5a749161ec32546909eedfa8ba95801faeb5dcfe1aa4e0840c7"
_mrc_complete_hash="e5b6d510a5fdb6a7ba0027588dbceef363a2bf30255e9222020abbe71468822f49962d423d872cc05b37098682281c016445f6aa20f88351a134facfe5f70d5b"
_mrc_complete="mrc/haswell/mrc.bin"
cbdir="coreboot/default"
@ -63,7 +63,7 @@ check_existing()
[ -f "${_mrc_complete}" ] || \
return 0
printf 'found existing mrc.bin\n'
[ "$(sha1sum "${_mrc_complete}" | awk '{print $1}')" \
[ "$(sha512sum "${_mrc_complete}" | awk '{print $1}')" \
= "${_mrc_complete_hash}" ] && \
return 1
printf 'hashes did not match, starting over\n'
@ -84,9 +84,9 @@ fetch_mrc()
(
cd mrc/haswell/ || err "fetch_mrc: !cd mrc/haswell"
download_image "${_url}" "${_file}" "${_sha1sum}"
download_image "${_url}" "${_file}" "${_sha512sum}"
[ -f ${_file} ] || \
download_image "${_url2}" "${_file}" "${_sha1sum}"
download_image "${_url2}" "${_file}" "${_sha512sum}"
[ -f $_file ] || \
err "fetch_mrc: ${_file} not downloaded / verification failed."
@ -108,12 +108,12 @@ download_image()
{
url=${1}
_file=${2}
_sha1sum=${3}
_sha512sum=${3}
printf "Downloading recovery image\n"
curl --retry 3 "$url" > "$_file.zip" || err "download_image: curl failed"
printf "Verifying recovery image checksum\n"
if [ "$(sha1sum "${_file}.zip" | awk '{print $1}')" = "${_sha1sum}" ]
if [ "$(sha512sum "${_file}.zip" | awk '{print $1}')" = "${_sha512sum}" ]
then
unzip -q "${_file}.zip" || err "download_image: cannot unzip"
rm -f "${_file}.zip" || err "download_image: can't rm zip {1}"
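Review bot: download_image stores its third argument with `_sha512sum=${3}`, the same name as the script-level pin set near the top of the file; the assignment is not declared local, so each call overwrites that global. Both calls in fetch_mrc pass the global itself, so nothing changes today, but a later call with a different digest would silently replace the pin used by subsequent checks. A distinct name avoids that: `_expected_hash=${3}` and `if [ "$(sha512sum "${_file}.zip" | awk '{print $1}')" = "${_expected_hash}" ]`. The same applies to `_file=${2}`. The function body continues past the end of the hunk, so the mismatch branch is not visible.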