[PATCH] meta-isar: add support to verify sha512 checksum for target image

["'Arulpandiyan Vadivel' via isar-users" <isar-users@googlegroups.com>]

In current approach, target images from installer is installed without any
verifications and validations.
Adding support of verifying image with sha512 checksum before installing image
Currently during the image installation .bmap files also listed in the menu.
Update to show only image name instead of showing supported artifacts
like .bmap and .sha512.
Added a class to support generating sha512 checksum for the images.

Signed-off-by: Arulpandiyan Vadivel <arulpandiyan.vadivel@siemens.com>
---
 .../classes/installer-add-rootfs.bbclass      |  6 +-
 ...eploy-image_0.1.bb => deploy-image_0.2.bb} |  2 +-
 .../files/usr/bin/deploy-image-wic.sh         | 56 ++++++++++++++++++-
 meta/classes/image-checksum.bbclass           | 14 +++++
 meta/classes/image.bbclass                    |  1 +
 5 files changed, 76 insertions(+), 3 deletions(-)
 rename meta-isar/recipes-installer/deploy-image/{deploy-image_0.1.bb => deploy-image_0.2.bb} (96%)
 create mode 100644 meta/classes/image-checksum.bbclass

diff --git a/meta-isar/classes/installer-add-rootfs.bbclass b/meta-isar/classes/installer-add-rootfs.bbclass
index c738f690..185e4a3c 100644
--- a/meta-isar/classes/installer-add-rootfs.bbclass
+++ b/meta-isar/classes/installer-add-rootfs.bbclass
@@ -19,7 +19,7 @@ IMAGE_DATA_POSTFIX ??= "wic.zst"
 IMAGE_DATA_POSTFIX:buster ??= "wic.xz"
 IMAGE_DATA_POSTFIX:bullseye ??= "wic.xz"
 
-ROOTFS_ADDITIONAL_FILES ??= "installer-target installer-target-bmap"
+ROOTFS_ADDITIONAL_FILES ??= "installer-target installer-target-bmap installer-target-sha512"
 
 def get_installer_source(d, suffix):
     installer_target_image = d.getVar('INSTALLER_TARGET_IMAGE') or ""
@@ -49,4 +49,8 @@ ROOTFS_ADDITIONAL_FILE_installer-target[destination] = "${@ get_installer_destin
 ROOTFS_ADDITIONAL_FILE_installer-target-bmap[source] = "${@ get_installer_source(d, "wic.bmap")}"
 ROOTFS_ADDITIONAL_FILE_installer-target-bmap[destination] = "${@ get_installer_destination(d, "wic.bmap")}"
 
+# Add support for SHA512 checksum files
+ROOTFS_ADDITIONAL_FILE_installer-target-sha512[source] = "${@ get_installer_source(d, d.getVar('IMAGE_DATA_POSTFIX') + '.sha512')}"
+ROOTFS_ADDITIONAL_FILE_installer-target-sha512[destination] = "${@ get_installer_destination(d, d.getVar('IMAGE_DATA_POSTFIX') + '.sha512')}"
+
 do_rootfs_install[mcdepends] += "${@ get_mc_depends(d, "do_image_wic")}"
diff --git a/meta-isar/recipes-installer/deploy-image/deploy-image_0.1.bb b/meta-isar/recipes-installer/deploy-image/deploy-image_0.2.bb
similarity index 96%
rename from meta-isar/recipes-installer/deploy-image/deploy-image_0.1.bb
rename to meta-isar/recipes-installer/deploy-image/deploy-image_0.2.bb
index b287a8d1..0259a5af 100644
--- a/meta-isar/recipes-installer/deploy-image/deploy-image_0.1.bb
+++ b/meta-isar/recipes-installer/deploy-image/deploy-image_0.2.bb
@@ -1,5 +1,5 @@
 # This software is a part of ISAR.
-# Copyright (C) Siemens AG, 2024
+# Copyright (C) Siemens AG, 2025
 #
 # SPDX-License-Identifier: MIT
 
diff --git a/meta-isar/recipes-installer/deploy-image/files/usr/bin/deploy-image-wic.sh b/meta-isar/recipes-installer/deploy-image/files/usr/bin/deploy-image-wic.sh
index 333762f1..963f5756 100755
--- a/meta-isar/recipes-installer/deploy-image/files/usr/bin/deploy-image-wic.sh
+++ b/meta-isar/recipes-installer/deploy-image/files/usr/bin/deploy-image-wic.sh
@@ -10,11 +10,65 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 
 . "${SCRIPT_DIR}/../lib/deploy-image-wic/handle-config.sh"
 
+verify_checksum() {
+    checksum_file="$1"
+    hash_image_file="$2"
+
+    # Get the extension from the checksum file
+    algorithm=$(echo "$checksum_file" | awk -F. '{print $NF}')
+
+    #Read the expected checksum
+    expected_checksum=$(cut -d' ' -f1 "$checksum_file")
+
+    # Check if the checksum file was empty
+    if [[ -z "$expected_checksum" ]]; then
+        dialog --msgbox "Error: Checksum file is empty or unreadable, Installation aborted." 6 60
+        exit 1
+    fi
+
+    # Calculate the current checksum of the file
+    local current_checksum
+    case "$algorithm" in
+        sha512)
+            current_checksum=$("${algorithm}sum" "$hash_image_file" | awk '{print $1}')
+            ;;
+        *)
+            dialog --msgbox "Error: Unsupported algorithm($algorithm), Installation aborted." 6 60
+            exit 1
+            ;;
+    esac
+
+    # Compare the checksums
+    if [[ "$current_checksum" == "$expected_checksum" ]]; then
+        echo "Checksum validation success for $checksum_file and $hash_image_file"
+    else
+        dialog --msgbox "Error: Checksum validation failure for $checksum_file and $hash_image_file, Installation aborted." 6 60
+        exit 1
+    fi
+}
+
+hash_files_uri=$(find "$installdata" -type f -iname "*.sha512")
+if [ -n "$hash_files_uri" ]; then
+    for hash_file in $hash_files_uri; do
+        # extract the checksum / bmap file from signed files name
+        hash_image_file="${hash_file%.*}"
+        if [ -f "$hash_image_file" ] && [ -f "$hash_file" ]; then
+            verify_checksum "$hash_file" "$hash_image_file"
+        else
+            dialog --msgbox "[ERROR] Checksum file or image file is missing! Installation aborted" 6 60
+            exit 1
+        fi
+    done
+else
+    dialog --msgbox "Error: No checksum file(s) found for image artifacts, Installation aborted." 6 60
+    exit 1
+fi
+
 if ! $installer_unattended; then
     installer_image_uri=$(find "$installdata" -type f -iname "*.wic*" -a -not -iname "*.wic.bmap" -exec basename {} \;)
     if [ -z "$installer_image_uri" ] || [ ! -f "$installdata/$installer_image_uri" ]; then
         pushd "$installdata"
-        for f in $(find . -type f); do
+        for f in $(find . -type f -iname "*.wic.zst" -exec basename {} \;); do
             array+=("$f" "$f")
         done
         popd
diff --git a/meta/classes/image-checksum.bbclass b/meta/classes/image-checksum.bbclass
new file mode 100644
index 00000000..673235a0
--- /dev/null
+++ b/meta/classes/image-checksum.bbclass
@@ -0,0 +1,14 @@
+# This software is a part of ISAR.
+# Copyright (C) 2025 Siemens AG
+#
+# SPDX-License-Identifier: MIT
+
+do_generate_checksum() {
+    cd ${DEPLOY_DIR_IMAGE}
+    for postfix in ${IMAGE_FSTYPES}; do
+        [ -f "${IMAGE_FULLNAME}.$postfix" ] || continue
+        sha512sum "${IMAGE_FULLNAME}.$postfix" > "${IMAGE_FULLNAME}.$postfix.sha512"
+    done
+}
+
+do_image_wic[postfuncs] += "do_generate_checksum"
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index bd1b8552..57216014 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -141,6 +141,7 @@ IMAGE_CLASSES ??= ""
 IMGCLASSES = "imagetypes imagetypes_wic imagetypes_vm imagetypes_container squashfs"
 IMGCLASSES += "${IMAGE_CLASSES}"
 inherit ${IMGCLASSES}
+inherit image-checksum
 
 # convenience variables to be used by CMDs
 IMAGE_FILE_HOST = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.${type}"
-- 
2.39.5

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251009130928.84805-1-arulpandiyan.vadivel%40siemens.com.