From: "'Arulpandiyan Vadivel' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, cedric.hombourger@siemens.com, Arulpandiyan Vadivel
Subject: [PATCH] meta-isar: add support to verify sha512 checksum for target image
Date: Thu, 9 Oct 2025 18:39:28 +0530
Message-ID: <20251009130928.84805-1-arulpandiyan.vadivel@siemens.com>

In the current approach, target images from the installer are installed without any verification or validation. Adding support for verifying the image with a sha512 checksum before installing the image.

Currently, during the image installation, .bmap files are also listed in the menu.
Update to show only image name instead of showing supported artifacts like .bmap and .sha512. Added a class to support generating sha512 checksum for the images. Signed-off-by: Arulpandiyan Vadivel --- .../classes/installer-add-rootfs.bbclass | 6 +- ...eploy-image_0.1.bb => deploy-image_0.2.bb} | 2 +- .../files/usr/bin/deploy-image-wic.sh | 56 ++++++++++++++++++- meta/classes/image-checksum.bbclass | 14 +++++ meta/classes/image.bbclass | 1 + 5 files changed, 76 insertions(+), 3 deletions(-) rename meta-isar/recipes-installer/deploy-image/{deploy-image_0.1.bb => deploy-image_0.2.bb} (96%) create mode 100644 meta/classes/image-checksum.bbclass diff --git a/meta-isar/classes/installer-add-rootfs.bbclass b/meta-isar/classes/installer-add-rootfs.bbclass index c738f690..185e4a3c 100644 --- a/meta-isar/classes/installer-add-rootfs.bbclass +++ b/meta-isar/classes/installer-add-rootfs.bbclass @@ -19,7 +19,7 @@ IMAGE_DATA_POSTFIX ??= "wic.zst" IMAGE_DATA_POSTFIX:buster ??= "wic.xz" IMAGE_DATA_POSTFIX:bullseye ??= "wic.xz" -ROOTFS_ADDITIONAL_FILES ??= "installer-target installer-target-bmap" +ROOTFS_ADDITIONAL_FILES ??= "installer-target installer-target-bmap installer-target-sha512" def get_installer_source(d, suffix): installer_target_image = d.getVar('INSTALLER_TARGET_IMAGE') or "" @@ -49,4 +49,8 @@ ROOTFS_ADDITIONAL_FILE_installer-target[destination] = "${@ get_installer_destin ROOTFS_ADDITIONAL_FILE_installer-target-bmap[source] = "${@ get_installer_source(d, "wic.bmap")}" ROOTFS_ADDITIONAL_FILE_installer-target-bmap[destination] = "${@ get_installer_destination(d, "wic.bmap")}" +# Add support for SHA512 checksum files +ROOTFS_ADDITIONAL_FILE_installer-target-sha512[source] = "${@ get_installer_source(d, d.getVar('IMAGE_DATA_POSTFIX') + '.sha512')}" +ROOTFS_ADDITIONAL_FILE_installer-target-sha512[destination] = "${@ get_installer_destination(d, d.getVar('IMAGE_DATA_POSTFIX') + '.sha512')}" + do_rootfs_install[mcdepends] += "${@ get_mc_depends(d, "do_image_wic")}" 
diff --git a/meta-isar/recipes-installer/deploy-image/deploy-image_0.1.bb b/meta-isar/recipes-installer/deploy-image/deploy-image_0.2.bb similarity index 96% rename from meta-isar/recipes-installer/deploy-image/deploy-image_0.1.bb rename to meta-isar/recipes-installer/deploy-image/deploy-image_0.2.bb index b287a8d1..0259a5af 100644 --- a/meta-isar/recipes-installer/deploy-image/deploy-image_0.1.bb +++ b/meta-isar/recipes-installer/deploy-image/deploy-image_0.2.bb @@ -1,5 +1,5 @@ # This software is a part of ISAR. -# Copyright (C) Siemens AG, 2024 +# Copyright (C) Siemens AG, 2025 # # SPDX-License-Identifier: MIT diff --git a/meta-isar/recipes-installer/deploy-image/files/usr/bin/deploy-image-wic.sh b/meta-isar/recipes-installer/deploy-image/files/usr/bin/deploy-image-wic.sh index 333762f1..963f5756 100755 --- a/meta-isar/recipes-installer/deploy-image/files/usr/bin/deploy-image-wic.sh +++ b/meta-isar/recipes-installer/deploy-image/files/usr/bin/deploy-image-wic.sh 
@@ -10,11 +10,65 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) . "${SCRIPT_DIR}/../lib/deploy-image-wic/handle-config.sh" +verify_checksum() { + checksum_file="$1" + hash_image_file="$2" + + # Get the extension from the checksum file + algorithm=$(echo "$checksum_file" | awk -F. '{print $NF}') + + #Read the expected checksum + expected_checksum=$(cut -d' ' -f1 "$checksum_file") + + # Check if the checksum file was empty + if [[ -z "$expected_checksum" ]]; then + dialog --msgbox "Error: Checksum file is empty or unreadable, Installation aborted." 6 60 + exit 1 + fi + + # Calculate the current checksum of the file + local current_checksum + case "$algorithm" in + sha512) + current_checksum=$("${algorithm}sum" "$hash_image_file" | awk '{print $1}') + ;; + *) + dialog --msgbox "Error: Unsupported algorithm($algorithm), Installation aborted." 6 60 + exit 1 + ;; + esac + + # Compare the checksums + if [[ "$current_checksum" == "$expected_checksum" ]]; then + echo "Checksum validation success for $checksum_file and $hash_image_file" + else + dialog --msgbox "Error: Checksum validation failure for $checksum_file and $hash_image_file, Installation aborted." 6 60 + exit 1 + fi +} + +hash_files_uri=$(find "$installdata" -type f -iname "*.sha512") +if [ -n "$hash_files_uri" ]; then + for hash_file in $hash_files_uri; do + # extract the checksum / bmap file from signed files name + hash_image_file="${hash_file%.*}" + if [ -f "$hash_image_file" ] && [ -f "$hash_file" ]; then + verify_checksum "$hash_file" "$hash_image_file" + else + dialog --msgbox "[ERROR] Checksum file or image file is missing! Installation aborted" 6 60 + exit 1 + fi + done +else + dialog --msgbox "Error: No checksum file(s) found for image artifacts, Installation aborted." 6 60 + exit 1 +fi + if ! $installer_unattended; then installer_image_uri=$(find "$installdata" -type f -iname "*.wic*" -a -not -iname "*.wic.bmap" -exec basename {} \;) if [ -z "$installer_image_uri" ] || [ ! 
-f "$installdata/$installer_image_uri" ]; then pushd "$installdata" - for f in $(find . -type f); do + for f in $(find . -type f -iname "*.wic.zst" -exec basename {} \;); do array+=("$f" "$f") done popd diff --git a/meta/classes/image-checksum.bbclass b/meta/classes/image-checksum.bbclass new file mode 100644 index 00000000..673235a0 --- /dev/null +++ b/meta/classes/image-checksum.bbclass @@ -0,0 +1,14 @@ +# This software is a part of ISAR. +# Copyright (C) 2025 Siemens AG +# +# SPDX-License-Identifier: MIT + +do_generate_checksum() { + cd ${DEPLOY_DIR_IMAGE} + for postfix in ${IMAGE_FSTYPES}; do + [ -f "${IMAGE_FULLNAME}.$postfix" ] || continue + sha512sum "${IMAGE_FULLNAME}.$postfix" > "${IMAGE_FULLNAME}.$postfix.sha512" + done +} + +do_image_wic[postfuncs] += "do_generate_checksum" diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index bd1b8552..57216014 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -141,6 +141,7 @@ IMAGE_CLASSES ??= "" IMGCLASSES = "imagetypes imagetypes_wic imagetypes_vm imagetypes_container squashfs" IMGCLASSES += "${IMAGE_CLASSES}" inherit ${IMGCLASSES} +inherit image-checksum # convenience variables to be used by CMDs IMAGE_FILE_HOST = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.${type}" -- 2.39.5
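Review bot: In installer-add-rootfs.bbclass, installer-target-sha512 is added only to the weak default of ROOTFS_ADDITIONAL_FILES (??=), while the installer script in this patch aborts when no .sha512 file is present, so a layer that sets its own ROOTFS_ADDITIONAL_FILES ends up with an installer that refuses to install. Either document the new mandatory entry next to the variable or make the check in deploy-image-wic.sh depend on a setting. The two new lines also build d.getVar('IMAGE_DATA_POSTFIX') + '.sha512' twice; a small helper or variable would keep source and destination in step.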
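Review bot: In deploy-image-wic.sh the verification loop is driven by the *.sha512 files found in $installdata, not by the image that is installed afterwards, so an image without a matching .sha512 file is never checked as long as one other checksum file exists. Call verify_checksum on the selected $installer_image_uri and abort when "$installdata/$installer_image_uri.sha512" is missing. Two further points in the same hunk: the unchanged find with -iname "*.wic*" -a -not -iname "*.wic.bmap" now also matches the new .sha512 file, so it needs an additional -not -iname "*.sha512"; and the menu filter hardcodes "*.wic.zst" although IMAGE_DATA_POSTFIX is wic.xz for buster and bullseye, which would leave the menu empty there. The unquoted "for hash_file in $hash_files_uri" also splits on whitespace in paths.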
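Review bot: In image-checksum.bbclass, do_generate_checksum writes a plain, unsigned sha512sum next to the image, and the installer reads it from the same directory as the image, so the check catches corruption but not a modified image whose .sha512 was regenerated; the commit message should say which of the two is intended, and the checksum should be signed if it is the latter. In the loop, '[ -f ... ] || continue' skips a missing artifact silently, which only shows up much later as an aborted installation; failing the build at that point would be easier to diagnose. The function is hooked only on do_image_wic although it iterates over every entry of IMAGE_FSTYPES, and 'cd ${DEPLOY_DIR_IMAGE}' has no error handling.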
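Review bot: In image.bbclass, 'inherit image-checksum' makes the class unconditional for every image and bypasses the IMAGE_CLASSES mechanism visible two lines above it. Adding image-checksum through IMAGE_CLASSES in the configurations that build installer targets, or at least appending it to IMGCLASSES, would keep it optional and consistent with how the other image classes are pulled in.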