From 23f4a7d993f11228baffb0b85c0db35e64ffba7d Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Wed, 3 May 2023 08:41:39 -0700 Subject: [PATCH] Support sha256/sha512 with the ilo firmware upgrade logic Adds support for SHA256 and SHA512 checksums to be passed to firmware upgrade steps for the ilo hardware type. Change-Id: I5455c4bfa4741a35b0ddada37298c897887e6cea --- doc/source/admin/drivers/ilo.rst | 14 +++++------ ironic/drivers/modules/ilo/common.py | 22 ++++++++++++++--- .../unit/drivers/modules/ilo/test_common.py | 24 +++++++++++++++++++ ...pports-sha256-sha512-ae76569042750a07.yaml | 6 +++++ 4 files changed, 56 insertions(+), 10 deletions(-) create mode 100644 releasenotes/notes/ilo-driver-firmware-upgrade-supports-sha256-sha512-ae76569042750a07.yaml diff --git a/doc/source/admin/drivers/ilo.rst b/doc/source/admin/drivers/ilo.rst index 34401db0fe..40f2dc77d3 100644 --- a/doc/source/admin/drivers/ilo.rst +++ b/doc/source/admin/drivers/ilo.rst @@ -1379,17 +1379,17 @@ step could be:: }, { "url": "http://my_address:port/firmwares/bios_vLatest.scexe", - "checksum": "", + "checksum": "", "component": "bios" }, { "url": "https://my_secure_address_url/firmwares/chassis_vLatest.scexe", - "checksum": "", + "checksum": "", "component": "chassis" }, { "url": "file:///home/ubuntu/firmware_images/power_pic/pmc_v3.0.bin", - "checksum": "", + "checksum": "", "component": "power_pic" } ] @@ -1412,7 +1412,7 @@ Each firmware image block is represented by a dictionary (JSON), in the form:: { "url": "", - "checksum": "", + "checksum": "", "component": "" } @@ -1459,11 +1459,11 @@ All the fields in the firmware image block are mandatory. things were left off or where things failed. You can then fix or work around and then try again. A common cause of update failure is HPE Secure Digital Signature check failure for the firmware image file. -* To compute ``md5`` checksum for your image file, you can use the following +* To compute ``sha256`` checksum for your image file, you can use the following command:: - $ md5sum image.rpm - 66cdb090c80b71daa21a67f06ecd3f33 image.rpm + $ sha256sum image.rpm + 24f6abba6fb6921b05afdb4f9a671aed72af3add90c912b5e3989f51f1b359e5 image.rpm Smart Update Manager (SUM) based firmware update ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/ironic/drivers/modules/ilo/common.py b/ironic/drivers/modules/ilo/common.py index 13f975c67c..012696c2a1 100644 --- a/ironic/drivers/modules/ilo/common.py +++ b/ironic/drivers/modules/ilo/common.py @@ -908,7 +908,7 @@ def remove_single_or_list_of_files(file_location): def verify_image_checksum(image_location, expected_checksum): - """Verifies checksum (md5) of image file against the expected one. + """Verifies checksum of image file against the expected one. This method generates the checksum of the image file on the fly and verifies it against the expected checksum provided as argument. @@ -919,8 +919,24 @@ def verify_image_checksum(image_location, expected_checksum): verification fails. """ try: - actual_checksum = fileutils.compute_file_checksum(image_location, - algorithm='md5') + if len(expected_checksum) <= 32: + actual_checksum = fileutils.compute_file_checksum(image_location, + algorithm='md5') + elif len(expected_checksum) <= 64: + actual_checksum = fileutils.compute_file_checksum( + image_location, + algorithm='sha256') + elif len(expected_checksum) <= 128: + actual_checksum = fileutils.compute_file_checksum( + image_location, + algorithm='sha512') + else: + raise exception.ImageRefValidationFailed( + image_href=image_location, + reason="Unable to identify checksum based upon length. " + "Please validate your checksum and ensure it is " + "MD5, SHA256, or SHA512") + except IOError as e: LOG.error("Error opening file: %(file)s", {'file': image_location}) raise exception.ImageRefValidationFailed(image_href=image_location, diff --git a/ironic/tests/unit/drivers/modules/ilo/test_common.py b/ironic/tests/unit/drivers/modules/ilo/test_common.py index c3e22453fe..6555f3396d 100644 --- a/ironic/tests/unit/drivers/modules/ilo/test_common.py +++ b/ironic/tests/unit/drivers/modules/ilo/test_common.py @@ -1170,6 +1170,30 @@ class IloCommonMethodsTestCase(BaseIloTest): # | THEN | # no any exception thrown + @mock.patch.object(builtins, 'open', autospec=True) + def test_verify_image_checksum_sha256(self, open_mock): + # | GIVEN | + data = b'Yankee Doodle went to town riding on a pony;' + file_like_object = io.BytesIO(data) + open_mock().__enter__.return_value = file_like_object + actual_hash = hashlib.sha256(data).hexdigest() + # | WHEN | + ilo_common.verify_image_checksum(file_like_object, actual_hash) + # | THEN | + # no any exception thrown + + @mock.patch.object(builtins, 'open', autospec=True) + def test_verify_image_checksum_sha512(self, open_mock): + # | GIVEN | + data = b'Yankee Doodle went to town riding on a pony;' + file_like_object = io.BytesIO(data) + open_mock().__enter__.return_value = file_like_object + actual_hash = hashlib.sha512(data).hexdigest() + # | WHEN | + ilo_common.verify_image_checksum(file_like_object, actual_hash) + # | THEN | + # no any exception thrown + def test_verify_image_checksum_throws_for_nonexistent_file(self): # | GIVEN | invalid_file_path = '/some/invalid/file/path' diff --git a/releasenotes/notes/ilo-driver-firmware-upgrade-supports-sha256-sha512-ae76569042750a07.yaml b/releasenotes/notes/ilo-driver-firmware-upgrade-supports-sha256-sha512-ae76569042750a07.yaml new file mode 100644 index 0000000000..1e588e5fe2 --- /dev/null +++ b/releasenotes/notes/ilo-driver-firmware-upgrade-supports-sha256-sha512-ae76569042750a07.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + The ``ilo`` hardware type firmware upgrade steps, now support checksum + determination by legnth in order to allow SHA256 and SHA512 checksums + to be supplied by the step caller.