From 3db39f403b233773c8b6123b87597825feba7e6d Mon Sep 17 00:00:00 2001 From: nikstur Date: Sat, 14 Jan 2023 02:31:31 +0100 Subject: [PATCH] treewide: blake3 -> sha256 Using the sha2 crate instead of blake3 decreases the binary size of the stub by around 50%. --- rust/lanzaboote/Cargo.lock | 100 +++++++++++++++++++++++++----------- rust/lanzaboote/Cargo.toml | 4 +- rust/lanzaboote/src/main.rs | 8 +-- rust/lanzatool/Cargo.lock | 61 +++++++--------------- rust/lanzatool/Cargo.toml | 2 +- rust/lanzatool/src/pe.rs | 13 +++-- 6 files changed, 104 insertions(+), 84 deletions(-) diff --git a/rust/lanzaboote/Cargo.lock b/rust/lanzaboote/Cargo.lock index 5d8413c..8d0a54c 100644 --- a/rust/lanzaboote/Cargo.lock +++ b/rust/lanzaboote/Cargo.lock @@ -2,18 +2,6 @@ # It is not intended for manual editing. version = 3 -[[package]] -name = "arrayref" -version = "0.3.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544" - -[[package]] -name = "arrayvec" -version = "0.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8da52d66c7071e2e3fa2a1e5c6d088fec47b593032b254f5e980de8ea54454d6" - [[package]] name = "bit_field" version = "0.10.1" 
@@ -27,24 +15,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] -name = "blake3" -version = "1.3.3" +name = "block-buffer" +version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "42ae2468a89544a466886840aa467a25b766499f4f04bf7d9fcd10ecee9fccef" +checksum = "69cce20737498f97b993470a6e536b8523f0af7892a4f928cceb1ac5e52ebe7e" dependencies = [ - "arrayref", - "arrayvec", - "cc", - "cfg-if", - "constant_time_eq", + "generic-array", ] -[[package]] -name = "cc" -version = "1.0.77" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9f73505338f7d905b19d18738976aae232eb46b8efc15554ffc56deb5d9ebe4" - [[package]] name = "cfg-if" version = "1.0.0" @@ -52,10 +30,33 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] -name = "constant_time_eq" -version = "0.2.4" +name = "cpufeatures" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3ad85c1f65dc7b37604eb0e89748faf0b9653065f2a8ef69f96a687ec1e9279" +checksum = "28d997bd5e24a5928dd43e46dc529867e207907fe0b239c3477d924f7f2ca320" +dependencies = [ + "libc", +] + +[[package]] +name = "crypto-common" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" +dependencies = [ + "generic-array", + "typenum", +] + +[[package]] +name = "digest" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8168378f4e5023e7218c89c891c0fd8ecdb5e5e4f18cb78f38cf245dd021e76f" +dependencies = [ + "block-buffer", + "crypto-common", +] [[package]] name = "ed25519-compact" 
@@ -63,6 +64,16 @@ version = "2.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f2d21333b679bbbac680b3eb45c86937e42f69277028f4e97b599b80b86c253" +[[package]] +name = "generic-array" +version = "0.14.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bff49e947297f3312447abdca79f45f4738097cc82b06e72054d2223f601f1b9" +dependencies = [ + "typenum", + "version_check", +] + [[package]] name = "goblin" version = "0.6.0" @@ -78,14 +89,20 @@ dependencies = [ name = "lanzaboote" version = "0.1.0" dependencies = [ - "blake3", "ed25519-compact", "goblin", "log", + "sha2", "uefi", "uefi-services", ] +[[package]] +name = "libc" +version = "0.2.139" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "201de327520df007757c1f0adce6e827fe8562fbc28bfd9c15571c66ca1f5f79" + [[package]] name = "log" version = "0.4.17" @@ -139,6 +156,17 @@ dependencies = [ "syn", ] +[[package]] +name = "sha2" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82e6b795fe2e3b1e845bafcb27aa35405c4d47cdfc92af5fc8d3002f76cebdc0" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + [[package]] name = "syn" version = "1.0.103" @@ -150,6 +178,12 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "typenum" +version = "1.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba" + [[package]] name = "ucs2" version = "0.3.2" @@ -198,3 +232,9 @@ name = "unicode-ident" version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6ceab39d59e4c9499d4e5a8ee0e2735b891bb7308ac83dfb4e80cad195c9f6f3" + +[[package]] +name = "version_check" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" 
diff --git a/rust/lanzaboote/Cargo.toml b/rust/lanzaboote/Cargo.toml index 06f4aaf..e3fb344 100644 --- a/rust/lanzaboote/Cargo.toml +++ b/rust/lanzaboote/Cargo.toml @@ -11,8 +11,8 @@ log = "0.4.17" ed25519-compact = { version = "2.0.2", default-features = false, features = [] } goblin = { version = "0.6.0", default-features = false, features = [ "pe64", "alloc" ]} -# We don't want the assembly implementations for now. -blake3 = { version = "1.3.3", default-features = false, features = [ "pure" ]} +# Use software implementation because the UEFI target seems to need it. +sha2 = { version = "0.10.6", default-features = false, features = ["force-soft"] } [profile.release] opt-level = "s" diff --git a/rust/lanzaboote/src/main.rs b/rust/lanzaboote/src/main.rs index 15a1a06..7850482 100644 --- a/rust/lanzaboote/src/main.rs +++ b/rust/lanzaboote/src/main.rs @@ -9,8 +9,8 @@ mod linux_loader; mod pe_section; mod uefi_helpers; -use blake3::Hash; use pe_section::{pe_section, pe_section_as_string}; +use sha2::{Digest, Sha256}; use uefi::{ prelude::*, proto::{ @@ -26,6 +26,8 @@ use crate::{ uefi_helpers::{booted_image_cmdline, booted_image_file, read_all}, }; +type Hash = sha2::digest::Output; + /// Print the startup logo on boot. fn print_logo(output: &mut Output) -> Result<()> { output.clear()?; @@ -144,7 +146,7 @@ fn main(handle: Handle, mut system_table: SystemTable) -> Status { initrd_data = read_all(&mut initrd_file).expect("Failed to read kernel file into memory"); } - if blake3::hash(&kernel_data) != config.kernel_hash { + if Sha256::digest(&kernel_data) != config.kernel_hash { system_table .stdout() .output_string(cstr16!("Hash mismatch for kernel. Refusing to load!\r\n")) 
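Review bot: The new comment on the `sha2` dependency in rust/lanzaboote/Cargo.toml says the UEFI target "seems to need" `force-soft` but does not record what failed without it, so nobody can later tell whether the flag is still required. Because this digest backs the stub's kernel and initrd verification, I would state the observed symptom and the target, for example `# force-soft: without it the stub failed on the UEFI target with <symptom>; re-test before removing.` The symptom is a placeholder for the author to fill in, since the diff does not show what it was.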
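Review bot: The kernel check `Sha256::digest(&kernel_data) != config.kernel_hash` in `main` now uses the digest array's ordinary equality, whereas `blake3::Hash` compared in constant time as far as I know (the lockfile drops `constant_time_eq` in this commit). That looks acceptable here, because the expected digest is embedded in the image and is not a secret, but the change in comparison semantics is silent. A one-line comment above the check would stop it being copied into a context where the reference value is secret, e.g. `// Plain equality is fine: the expected digest is public, only integrity matters.` The same applies to the initrd check in the following hunk (`@@ -152,7 +154,7`); `main` begins and ends outside both hunks.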
@@ -152,7 +154,7 @@ fn main(handle: Handle, mut system_table: SystemTable) -> Status { return Status::SECURITY_VIOLATION; } - if blake3::hash(&initrd_data) != config.initrd_hash { + if Sha256::digest(&initrd_data) != config.initrd_hash { system_table .stdout() .output_string(cstr16!("Hash mismatch for initrd. Refusing to load!\r\n")) diff --git a/rust/lanzatool/Cargo.lock b/rust/lanzatool/Cargo.lock index 96cbb95..4dd43d1 100644 --- a/rust/lanzatool/Cargo.lock +++ b/rust/lanzatool/Cargo.lock @@ -8,18 +8,6 @@ version = "1.0.66" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "216261ddc8289130e551ddcd5ce8a064710c0d064a4d2895c67151c92b5443f6" -[[package]] -name = "arrayref" -version = "0.3.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544" - -[[package]] -name = "arrayvec" -version = "0.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8da52d66c7071e2e3fa2a1e5c6d088fec47b593032b254f5e980de8ea54454d6" - [[package]] name = "assert_cmd" version = "2.0.7" @@ -57,20 +45,6 @@ version = "1.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" -[[package]] -name = "blake3" -version = "1.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "42ae2468a89544a466886840aa467a25b766499f4f04bf7d9fcd10ecee9fccef" -dependencies = [ - "arrayref", - "arrayvec", - "cc", - "cfg-if", - "constant_time_eq", - "digest", -] - [[package]] name = "block-buffer" version = "0.10.3" @@ -101,12 +75,6 @@ dependencies = [ "serde", ] -[[package]] -name = "cc" -version = "1.0.77" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9f73505338f7d905b19d18738976aae232eb46b8efc15554ffc56deb5d9ebe4" - [[package]] name = "cfg-if" version = "1.0.0" 
@@ -151,10 +119,13 @@ dependencies = [ ] [[package]] -name = "constant_time_eq" -version = "0.2.4" +name = "cpufeatures" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3ad85c1f65dc7b37604eb0e89748faf0b9653065f2a8ef69f96a687ec1e9279" +checksum = "28d997bd5e24a5928dd43e46dc529867e207907fe0b239c3477d924f7f2ca320" +dependencies = [ + "libc", +] [[package]] name = "crypto-common" @@ -180,7 +151,6 @@ checksum = "8168378f4e5023e7218c89c891c0fd8ecdb5e5e4f18cb78f38cf245dd021e76f" dependencies = [ "block-buffer", "crypto-common", - "subtle", ] [[package]] @@ -309,7 +279,6 @@ version = "0.1.0" dependencies = [ "anyhow", "assert_cmd", - "blake3", "bootspec", "clap", "expect-test", @@ -319,6 +288,7 @@ dependencies = [ "rand", "serde", "serde_json", + "sha2", "tempfile", "time", "walkdir", @@ -570,18 +540,23 @@ dependencies = [ "serde", ] +[[package]] +name = "sha2" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82e6b795fe2e3b1e845bafcb27aa35405c4d47cdfc92af5fc8d3002f76cebdc0" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + [[package]] name = "strsim" version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" -[[package]] -name = "subtle" -version = "2.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" - [[package]] name = "syn" version = "1.0.105" diff --git a/rust/lanzatool/Cargo.toml b/rust/lanzatool/Cargo.toml index 8e37e04..a5a189e 100644 --- a/rust/lanzatool/Cargo.toml +++ b/rust/lanzatool/Cargo.toml 
@@ -13,11 +13,11 @@ nix = { version = "0.25.0", default-features = false, features = [ "fs" ] } serde = { version = "1.0.151", features = ["derive"] } serde_json = "1.0.89" tempfile = "3.3.0" -blake3 = "1.3.3" # TODO: wait for a upstream release and pin it. bootspec = { git = "https://github.com/DeterminateSystems/bootspec" } walkdir = "2.3.2" time = "0.3.17" +sha2 = "0.10.6" [dev-dependencies] assert_cmd = "2.0.7" diff --git a/rust/lanzatool/src/pe.rs b/rust/lanzatool/src/pe.rs index 166c3c0..520b82e 100644 --- a/rust/lanzatool/src/pe.rs +++ b/rust/lanzatool/src/pe.rs @@ -8,9 +8,12 @@ use std::process::Command; use anyhow::{Context, Result}; use goblin::pe::PE; +use sha2::{Digest, Sha256}; use tempfile::TempDir; +type Hash = sha2::digest::Output; + /// Attach all information that lanzaboote needs into the PE binary. /// /// When this function is called the referenced files already need to @@ -37,7 +40,7 @@ pub fn lanzaboote_image( let kernel_hash_file = write_to_tmp( target_dir, "kernel-hash", - file_hash(kernel_path)?.as_bytes(), + file_hash(kernel_path)?.as_slice(), )?; let initrd_path_file = write_to_tmp( @@ -48,7 +51,7 @@ pub fn lanzaboote_image( let initrd_hash_file = write_to_tmp( target_dir, "initrd-hash", - file_hash(initrd_path)?.as_bytes(), + file_hash(initrd_path)?.as_slice(), )?; let os_release_offs = stub_offset(lanzaboote_stub)?; @@ -70,9 +73,9 @@ pub fn lanzaboote_image( wrap_in_pe(target_dir, "lanzaboote-stub.efi", lanzaboote_stub, sections) } -/// Compute the blake3 hash of a file. -fn file_hash(file: &Path) -> Result { - Ok(blake3::hash(&fs::read(file)?)) +/// Compute the SHA 256 hash of a file. +fn file_hash(file: &Path) -> Result { + Ok(Sha256::digest(fs::read(file)?)) } /// Take a PE binary stub and attach sections to it.
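Review bot: The `kernel-hash` section in rust/lanzatool/src/pe.rs is written as bare digest bytes (`file_hash(kernel_path)?.as_slice()`) with nothing identifying the algorithm, and BLAKE3 and SHA-256 digests are both 32 bytes long. If the stub validates only the length (its parsing is not in this diff), an image assembled by a lanzatool from before this commit would be rejected only at the comparison and reported as "Hash mismatch", exactly like a tampered kernel. That fails closed, so this is a diagnosability and documentation point: I would note on `lanzaboote_image` that tool and stub must match, e.g. `/// The hash sections hold raw SHA-256 digests; the stub must be built from the same revision.` The initrd-hash call in the next hunk (`@@ -48,7 +51,7`) is the same; `lanzaboote_image` starts and ends outside these hunks.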
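Review bot: `file_hash` in rust/lanzatool/src/pe.rs propagates the `fs::read` error without naming the file, so a missing or unreadable kernel or initrd surfaces as a bare I/O error during image assembly. `Context` is already imported at the top of pe.rs, so the read can carry the path: `let data = fs::read(file).with_context(|| format!("Failed to read {:?} for hashing", file))?;` followed by `Ok(Sha256::digest(data))`. The doc comment would also read better as "SHA-256" rather than "SHA 256".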