On Mon, Aug 05, 2024 at 03:50:35PM +0000, Alejandro Zeise wrote: > The goal of this patch series is to fix accumulative hashing support in the > Aspeed HACE module. The issue that stemmed this patch was a failure to boot an > OpenBMC image using the "ast2600-evb" machine. The U-boot > 2019.04 loader failed to verify image hashes. > > These incorrect image hashes given by the HACE to the U-boot guest are due to > an oversight in the HACE module. Previously when operating in > scatter-gather accumulative mode, the HACE would cache the address provided > by > the guest which contained the source data. However, there was no deep copy, > so when HACE generated the digest upon the reception of the final > accumulative chunk > the digest was incorrect, as the addresses provided had their regions > overwritten > by that time. > > This fix consists of two main steps: > * Add an accumulative hashing function to the qcrypto library > * Modify the HACE module to use the accumulative hashing functions > > All the crypto library backends (nettle, gnutls, etc.) support accumulative > hashing, > so it was trivial to create wrappers for those functions. > > Changes in V3: > * Reworked crypto hash API with comments from Daniel > * Creation/Deletion of contexts, updating, and finalizing > * Modified existing API functions to use the new 4 main core functions > * Added test for accumulative hashing > * Added afalg driver implementation > * Fixed bug in HACE module where hash context fails to allocate, > causing the HACE internal state to be incorrect and segfault. > > Changes in V2: > * Fixed error checking bug in libgcrypt crypto backend of > accumulate_bytesv > > Alejandro Zeise (12): > crypto: accumulative hashing API > crypto/hash-glib: Remove old hash API implementation > crypto/hash-glib: Implement new hash API > crypto/hash-gcrypt: Remove old hash API implementation > crypto/hash-gcrypt: Implement new hash API > crypto/hash-gnutls: Remove old hash API > crypto/hash-gnutls: Implement new hash API > crypto/hash-nettle: Remove old hash API > crypto/hash-nettle: Implement new hash API > crypto/hash-afalg: Update to new API > tests/unit/test-crypto-hash: accumulative hashing > hw/misc/aspeed_hace: Fix SG Accumulative hashing
To allow 'make check' to succeed at every individual patch, you'll need to re-order these, and split a couple of patches, to be more or less like this: crypto: accumulative hashing API (only define new driver APIs & new public APIs here) crypto/hash-glib: Implement new hash API crypto/hash-gcrypt: Implement new hash API crypto/hash-gnutls: Implement new hash API crypto/hash-nettle: Implement new hash API crypto/hash-afalg: Update to new API (only add new APIs here ) < convert old public APIs to call the new driver APIs here> tests/unit/test-crypto-hash: accumulative hashing crypto/hash-glib: Remove old hash API implementation crypto/hash-gcrypt: Remove old hash API implementation crypto/hash-gnutls: Remove old hash API crypto/hash-nettle: Remove old hash API < remove old afalg support here > < remove old driver APIs here > hw/misc/aspeed_hace: Fix SG Accumulative hashing With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
