diff --git a/doc/source/admin/drivers/ilo.rst b/doc/source/admin/drivers/ilo.rst index 34401db0fe..40f2dc77d3 100644 --- a/doc/source/admin/drivers/ilo.rst +++ b/doc/source/admin/drivers/ilo.rst @@ -1379,17 +1379,17 @@ step could be:: }, { "url": "http://my_address:port/firmwares/bios_vLatest.scexe", - "checksum": "", + "checksum": "", "component": "bios" }, { "url": "https://my_secure_address_url/firmwares/chassis_vLatest.scexe", - "checksum": "", + "checksum": "", "component": "chassis" }, { "url": "file:///home/ubuntu/firmware_images/power_pic/pmc_v3.0.bin", - "checksum": "", + "checksum": "", "component": "power_pic" } ] @@ -1412,7 +1412,7 @@ Each firmware image block is represented by a dictionary (JSON), in the form:: { "url": "", - "checksum": "", + "checksum": "", "component": "" } @@ -1459,11 +1459,11 @@ All the fields in the firmware image block are mandatory. things were left off or where things failed. You can then fix or work around and then try again. A common cause of update failure is HPE Secure Digital Signature check failure for the firmware image file. -* To compute ``md5`` checksum for your image file, you can use the following +* To compute ``sha256`` checksum for your image file, you can use the following command:: - $ md5sum image.rpm - 66cdb090c80b71daa21a67f06ecd3f33 image.rpm + $ sha256sum image.rpm + 24f6abba6fb6921b05afdb4f9a671aed72af3add90c912b5e3989f51f1b359e5 image.rpm Smart Update Manager (SUM) based firmware update ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/ironic/drivers/modules/ilo/common.py b/ironic/drivers/modules/ilo/common.py index 13f975c67c..012696c2a1 100644 --- a/ironic/drivers/modules/ilo/common.py +++ b/ironic/drivers/modules/ilo/common.py @@ -908,7 +908,7 @@ def remove_single_or_list_of_files(file_location): def verify_image_checksum(image_location, expected_checksum): - """Verifies checksum (md5) of image file against the expected one. + """Verifies checksum of image file against the expected one. This method generates the checksum of the image file on the fly and verifies it against the expected checksum provided as argument. @@ -919,8 +919,24 @@ def verify_image_checksum(image_location, expected_checksum): verification fails. """ try: - actual_checksum = fileutils.compute_file_checksum(image_location, - algorithm='md5') + if len(expected_checksum) <= 32: + actual_checksum = fileutils.compute_file_checksum(image_location, + algorithm='md5') + elif len(expected_checksum) <= 64: + actual_checksum = fileutils.compute_file_checksum( + image_location, + algorithm='sha256') + elif len(expected_checksum) <= 128: + actual_checksum = fileutils.compute_file_checksum( + image_location, + algorithm='sha512') + else: + raise exception.ImageRefValidationFailed( + image_href=image_location, + reason="Unable to identify checksum based upon length. " + "Please validate your checksum and ensure it is " + "MD5, SHA256, or SHA512") + except IOError as e: LOG.error("Error opening file: %(file)s", {'file': image_location}) raise exception.ImageRefValidationFailed(image_href=image_location, diff --git a/ironic/tests/unit/drivers/modules/ilo/test_common.py b/ironic/tests/unit/drivers/modules/ilo/test_common.py index c3e22453fe..6555f3396d 100644 --- a/ironic/tests/unit/drivers/modules/ilo/test_common.py +++ b/ironic/tests/unit/drivers/modules/ilo/test_common.py @@ -1170,6 +1170,30 @@ class IloCommonMethodsTestCase(BaseIloTest): # | THEN | # no any exception thrown + @mock.patch.object(builtins, 'open', autospec=True) + def test_verify_image_checksum_sha256(self, open_mock): + # | GIVEN | + data = b'Yankee Doodle went to town riding on a pony;' + file_like_object = io.BytesIO(data) + open_mock().__enter__.return_value = file_like_object + actual_hash = hashlib.sha256(data).hexdigest() + # | WHEN | + ilo_common.verify_image_checksum(file_like_object, actual_hash) + # | THEN | + # no any exception thrown + + @mock.patch.object(builtins, 'open', autospec=True) + def test_verify_image_checksum_sha512(self, open_mock): + # | GIVEN | + data = b'Yankee Doodle went to town riding on a pony;' + file_like_object = io.BytesIO(data) + open_mock().__enter__.return_value = file_like_object + actual_hash = hashlib.sha512(data).hexdigest() + # | WHEN | + ilo_common.verify_image_checksum(file_like_object, actual_hash) + # | THEN | + # no any exception thrown + def test_verify_image_checksum_throws_for_nonexistent_file(self): # | GIVEN | invalid_file_path = '/some/invalid/file/path' diff --git a/releasenotes/notes/ilo-driver-firmware-upgrade-supports-sha256-sha512-ae76569042750a07.yaml b/releasenotes/notes/ilo-driver-firmware-upgrade-supports-sha256-sha512-ae76569042750a07.yaml new file mode 100644 index 0000000000..1e588e5fe2 --- /dev/null +++ b/releasenotes/notes/ilo-driver-firmware-upgrade-supports-sha256-sha512-ae76569042750a07.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + The ``ilo`` hardware type firmware upgrade steps, now support checksum + determination by legnth in order to allow SHA256 and SHA512 checksums + to be supplied by the step caller.