On Mon, Aug 05, 2024 at 03:50:35PM +0000, Alejandro Zeise wrote:
> The goal of this patch series is to fix accumulative hashing support in the
> Aspeed HACE module. The issue that stemmed this patch was a failure to boot an
> OpenBMC image using the "ast2600-evb" machine. The U-boot
> 2019.04 loader failed to verify image hashes.
>
> These incorrect image hashes given by the HACE to the U-boot guest are due to
> an oversight in the HACE module. Previously when operating in
> scatter-gather accumulative mode, the HACE would cache the address provided by
> the guest which contained the source data. However, there was no deep copy,
> so when HACE generated the digest upon the reception of the final accumulative chunk
> the digest was incorrect, as the addresses provided had their regions overwritten
> by that time.
>
> This fix consists of two main steps:
> * Add an accumulative hashing function to the qcrypto library
> * Modify the HACE module to use the accumulative hashing functions
>
> All the crypto library backends (nettle, gnutls, etc.) support accumulative hashing,
> so it was trivial to create wrappers for those functions.
>
> Changes in V3:
> * Reworked crypto hash API with comments from Daniel
> * Creation/Deletion of contexts, updating, and finalizing
> * Modified existing API functions to use the new 4 main core functions
> * Added test for accumulative hashing
> * Added afalg driver implementation
> * Fixed bug in HACE module where hash context fails to allocate,
> causing the HACE internal state to be incorrect and segfault.
>
> Changes in V2:
> * Fixed error checking bug in libgcrypt crypto backend of
> accumulate_bytesv
>
> Alejandro Zeise (12):
> crypto: accumulative hashing API
> crypto/hash-glib: Remove old hash API implementation
> crypto/hash-glib: Implement new hash API
> crypto/hash-gcrypt: Remove old hash API implementation
> crypto/hash-gcrypt: Implement new hash API
> crypto/hash-gnutls: Remove old hash API
> crypto/hash-gnutls: Implement new hash API
> crypto/hash-nettle: Remove old hash API
> crypto/hash-nettle: Implement new hash API
> crypto/hash-afalg: Update to new API
> tests/unit/test-crypto-hash: accumulative hashing
> hw/misc/aspeed_hace: Fix SG Accumulative hashing
To allow 'make check' to succeed at every individual patch, you'll need to
re-order these, and split a couple of patches, to be more or less like this:
crypto: accumulative hashing API (only define new driver APIs & new public APIs here)
crypto/hash-glib: Implement new hash API
crypto/hash-gcrypt: Implement new hash API
crypto/hash-gnutls: Implement new hash API
crypto/hash-nettle: Implement new hash API
crypto/hash-afalg: Update to new API (only add new APIs here )
< convert old public APIs to call the new driver APIs here>
tests/unit/test-crypto-hash: accumulative hashing
crypto/hash-glib: Remove old hash API implementation
crypto/hash-gcrypt: Remove old hash API implementation
crypto/hash-gnutls: Remove old hash API
crypto/hash-nettle: Remove old hash API
< remove old afalg support here >
< remove old driver APIs here >
hw/misc/aspeed_hace: Fix SG Accumulative hashing
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|