Merge pull request #63 from nix-community/sha256-insteadof-blake3

blake3 -> sha256
This commit is contained in:
nikstur 2023-01-17 20:57:02 +01:00 committed by GitHub
commit 76d9cb9bf9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 104 additions and 84 deletions

View File

@ -2,18 +2,6 @@
# It is not intended for manual editing.
version = 3
[[package]]
name = "arrayref"
version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544"
[[package]]
name = "arrayvec"
version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8da52d66c7071e2e3fa2a1e5c6d088fec47b593032b254f5e980de8ea54454d6"
[[package]]
name = "bit_field"
version = "0.10.1"
@ -27,24 +15,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
[[package]]
name = "blake3"
version = "1.3.3"
name = "block-buffer"
version = "0.10.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42ae2468a89544a466886840aa467a25b766499f4f04bf7d9fcd10ecee9fccef"
checksum = "69cce20737498f97b993470a6e536b8523f0af7892a4f928cceb1ac5e52ebe7e"
dependencies = [
"arrayref",
"arrayvec",
"cc",
"cfg-if",
"constant_time_eq",
"generic-array",
]
[[package]]
name = "cc"
version = "1.0.77"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e9f73505338f7d905b19d18738976aae232eb46b8efc15554ffc56deb5d9ebe4"
[[package]]
name = "cfg-if"
version = "1.0.0"
@ -52,10 +30,33 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "constant_time_eq"
version = "0.2.4"
name = "cpufeatures"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f3ad85c1f65dc7b37604eb0e89748faf0b9653065f2a8ef69f96a687ec1e9279"
checksum = "28d997bd5e24a5928dd43e46dc529867e207907fe0b239c3477d924f7f2ca320"
dependencies = [
"libc",
]
[[package]]
name = "crypto-common"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
dependencies = [
"generic-array",
"typenum",
]
[[package]]
name = "digest"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8168378f4e5023e7218c89c891c0fd8ecdb5e5e4f18cb78f38cf245dd021e76f"
dependencies = [
"block-buffer",
"crypto-common",
]
[[package]]
name = "ed25519-compact"
@ -63,6 +64,16 @@ version = "2.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1f2d21333b679bbbac680b3eb45c86937e42f69277028f4e97b599b80b86c253"
[[package]]
name = "generic-array"
version = "0.14.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bff49e947297f3312447abdca79f45f4738097cc82b06e72054d2223f601f1b9"
dependencies = [
"typenum",
"version_check",
]
[[package]]
name = "goblin"
version = "0.6.0"
@ -78,14 +89,20 @@ dependencies = [
name = "lanzaboote"
version = "0.1.0"
dependencies = [
"blake3",
"ed25519-compact",
"goblin",
"log",
"sha2",
"uefi",
"uefi-services",
]
[[package]]
name = "libc"
version = "0.2.139"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "201de327520df007757c1f0adce6e827fe8562fbc28bfd9c15571c66ca1f5f79"
[[package]]
name = "log"
version = "0.4.17"
@ -139,6 +156,17 @@ dependencies = [
"syn",
]
[[package]]
name = "sha2"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "82e6b795fe2e3b1e845bafcb27aa35405c4d47cdfc92af5fc8d3002f76cebdc0"
dependencies = [
"cfg-if",
"cpufeatures",
"digest",
]
[[package]]
name = "syn"
version = "1.0.103"
@ -150,6 +178,12 @@ dependencies = [
"unicode-ident",
]
[[package]]
name = "typenum"
version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
[[package]]
name = "ucs2"
version = "0.3.2"
@ -198,3 +232,9 @@ name = "unicode-ident"
version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6ceab39d59e4c9499d4e5a8ee0e2735b891bb7308ac83dfb4e80cad195c9f6f3"
[[package]]
name = "version_check"
version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"

View File

@ -11,8 +11,8 @@ log = "0.4.17"
ed25519-compact = { version = "2.0.2", default-features = false, features = [] }
goblin = { version = "0.6.0", default-features = false, features = [ "pe64", "alloc" ]}
# We don't want the assembly implementations for now.
blake3 = { version = "1.3.3", default-features = false, features = [ "pure" ]}
# Use software implementation because the UEFI target seems to need it.
sha2 = { version = "0.10.6", default-features = false, features = ["force-soft"] }
[profile.release]
opt-level = "s"

View File

@ -9,8 +9,8 @@ mod linux_loader;
mod pe_section;
mod uefi_helpers;
use blake3::Hash;
use pe_section::{pe_section, pe_section_as_string};
use sha2::{Digest, Sha256};
use uefi::{
prelude::*,
proto::{
@ -26,6 +26,8 @@ use crate::{
uefi_helpers::{booted_image_cmdline, booted_image_file, read_all},
};
type Hash = sha2::digest::Output<Sha256>;
/// Print the startup logo on boot.
fn print_logo(output: &mut Output) -> Result<()> {
output.clear()?;
@ -144,7 +146,7 @@ fn main(handle: Handle, mut system_table: SystemTable<Boot>) -> Status {
initrd_data = read_all(&mut initrd_file).expect("Failed to read kernel file into memory");
}
if blake3::hash(&kernel_data) != config.kernel_hash {
if Sha256::digest(&kernel_data) != config.kernel_hash {
system_table
.stdout()
.output_string(cstr16!("Hash mismatch for kernel. Refusing to load!\r\n"))
@ -152,7 +154,7 @@ fn main(handle: Handle, mut system_table: SystemTable<Boot>) -> Status {
return Status::SECURITY_VIOLATION;
}
if blake3::hash(&initrd_data) != config.initrd_hash {
if Sha256::digest(&initrd_data) != config.initrd_hash {
system_table
.stdout()
.output_string(cstr16!("Hash mismatch for initrd. Refusing to load!\r\n"))

View File

@ -8,18 +8,6 @@ version = "1.0.66"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "216261ddc8289130e551ddcd5ce8a064710c0d064a4d2895c67151c92b5443f6"
[[package]]
name = "arrayref"
version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544"
[[package]]
name = "arrayvec"
version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8da52d66c7071e2e3fa2a1e5c6d088fec47b593032b254f5e980de8ea54454d6"
[[package]]
name = "assert_cmd"
version = "2.0.7"
@ -57,20 +45,6 @@ version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
[[package]]
name = "blake3"
version = "1.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42ae2468a89544a466886840aa467a25b766499f4f04bf7d9fcd10ecee9fccef"
dependencies = [
"arrayref",
"arrayvec",
"cc",
"cfg-if",
"constant_time_eq",
"digest",
]
[[package]]
name = "block-buffer"
version = "0.10.3"
@ -101,12 +75,6 @@ dependencies = [
"serde",
]
[[package]]
name = "cc"
version = "1.0.77"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e9f73505338f7d905b19d18738976aae232eb46b8efc15554ffc56deb5d9ebe4"
[[package]]
name = "cfg-if"
version = "1.0.0"
@ -151,10 +119,13 @@ dependencies = [
]
[[package]]
name = "constant_time_eq"
version = "0.2.4"
name = "cpufeatures"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f3ad85c1f65dc7b37604eb0e89748faf0b9653065f2a8ef69f96a687ec1e9279"
checksum = "28d997bd5e24a5928dd43e46dc529867e207907fe0b239c3477d924f7f2ca320"
dependencies = [
"libc",
]
[[package]]
name = "crypto-common"
@ -180,7 +151,6 @@ checksum = "8168378f4e5023e7218c89c891c0fd8ecdb5e5e4f18cb78f38cf245dd021e76f"
dependencies = [
"block-buffer",
"crypto-common",
"subtle",
]
[[package]]
@ -309,7 +279,6 @@ version = "0.1.0"
dependencies = [
"anyhow",
"assert_cmd",
"blake3",
"bootspec",
"clap",
"expect-test",
@ -319,6 +288,7 @@ dependencies = [
"rand",
"serde",
"serde_json",
"sha2",
"tempfile",
"time",
"walkdir",
@ -570,18 +540,23 @@ dependencies = [
"serde",
]
[[package]]
name = "sha2"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "82e6b795fe2e3b1e845bafcb27aa35405c4d47cdfc92af5fc8d3002f76cebdc0"
dependencies = [
"cfg-if",
"cpufeatures",
"digest",
]
[[package]]
name = "strsim"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
[[package]]
name = "subtle"
version = "2.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
[[package]]
name = "syn"
version = "1.0.105"

View File

@ -13,11 +13,11 @@ nix = { version = "0.25.0", default-features = false, features = [ "fs" ] }
serde = { version = "1.0.151", features = ["derive"] }
serde_json = "1.0.89"
tempfile = "3.3.0"
blake3 = "1.3.3"
# TODO: wait for a upstream release and pin it.
bootspec = { git = "https://github.com/DeterminateSystems/bootspec" }
walkdir = "2.3.2"
time = "0.3.17"
sha2 = "0.10.6"
[dev-dependencies]
assert_cmd = "2.0.7"

View File

@ -8,9 +8,12 @@ use std::process::Command;
use anyhow::{Context, Result};
use goblin::pe::PE;
use sha2::{Digest, Sha256};
use tempfile::TempDir;
type Hash = sha2::digest::Output<Sha256>;
/// Attach all information that lanzaboote needs into the PE binary.
///
/// When this function is called the referenced files already need to
@ -37,7 +40,7 @@ pub fn lanzaboote_image(
let kernel_hash_file = write_to_tmp(
target_dir,
"kernel-hash",
file_hash(kernel_path)?.as_bytes(),
file_hash(kernel_path)?.as_slice(),
)?;
let initrd_path_file = write_to_tmp(
@ -48,7 +51,7 @@ pub fn lanzaboote_image(
let initrd_hash_file = write_to_tmp(
target_dir,
"initrd-hash",
file_hash(initrd_path)?.as_bytes(),
file_hash(initrd_path)?.as_slice(),
)?;
let os_release_offs = stub_offset(lanzaboote_stub)?;
@ -70,9 +73,9 @@ pub fn lanzaboote_image(
wrap_in_pe(target_dir, "lanzaboote-stub.efi", lanzaboote_stub, sections)
}
/// Compute the blake3 hash of a file.
fn file_hash(file: &Path) -> Result<blake3::Hash> {
Ok(blake3::hash(&fs::read(file)?))
/// Compute the SHA 256 hash of a file.
fn file_hash(file: &Path) -> Result<Hash> {
Ok(Sha256::digest(fs::read(file)?))
}
/// Take a PE binary stub and attach sections to it.