openstack/ironic
Code Issues Proposed changes

Merge "Support sha256/sha512 with the ilo firmware upgrade logic"

Browse Source
This commit is contained in:
Zuul 2023-08-14 16:36:21 +00:00 committed by Gerrit Code Review
commit 9b181b83a8
4 changed files with 56 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
doc/source/admin/drivers/ilo.rst
View File

@ -1379,17 +1379,17 @@ step could be::
}, },
{ {
"url": "http://my_address:port/firmwares/bios_vLatest.scexe", "url": "http://my_address:port/firmwares/bios_vLatest.scexe",
"checksum": "<md5-checksum-of-this-file>", "checksum": "<sha256-checksum-of-this-file>",
"component": "bios" "component": "bios"
}, },
{ {
"url": "https://my_secure_address_url/firmwares/chassis_vLatest.scexe", "url": "https://my_secure_address_url/firmwares/chassis_vLatest.scexe",
"checksum": "<md5-checksum-of-this-file>", "checksum": "<sha512-checksum-of-this-file>",
"component": "chassis" "component": "chassis"
}, },
{ {
"url": "file:///home/ubuntu/firmware_images/power_pic/pmc_v3.0.bin", "url": "file:///home/ubuntu/firmware_images/power_pic/pmc_v3.0.bin",
"checksum": "<md5-checksum-of-this-file>", "checksum": "<sha256-checksum-of-this-file>",
"component": "power_pic" "component": "power_pic"
} }
] ]
@ -1412,7 +1412,7 @@ Each firmware image block is represented by a dictionary (JSON), in the form::
{ {
"url": "<url of firmware image file>", "url": "<url of firmware image file>",
"checksum": "<md5 checksum of firmware image file to verify the image>", "checksum": "<SHA256, SHA512, or MD5 checksum of firmware image file to verify the image>",
"component": "<device on which firmware image will be flashed>" "component": "<device on which firmware image will be flashed>"
} }
@ -1459,11 +1459,11 @@ All the fields in the firmware image block are mandatory.
things were left off or where things failed. You can then fix or work around things were left off or where things failed. You can then fix or work around
and then try again. A common cause of update failure is HPE Secure Digital and then try again. A common cause of update failure is HPE Secure Digital
Signature check failure for the firmware image file. Signature check failure for the firmware image file.
* To compute ``md5`` checksum for your image file, you can use the following * To compute ``sha256`` checksum for your image file, you can use the following
command:: command::
$ md5sum image.rpm $ sha256sum image.rpm
66cdb090c80b71daa21a67f06ecd3f33 image.rpm 24f6abba6fb6921b05afdb4f9a671aed72af3add90c912b5e3989f51f1b359e5 image.rpm
Smart Update Manager (SUM) based firmware update Smart Update Manager (SUM) based firmware update
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

22
ironic/drivers/modules/ilo/common.py
View File

@ -908,7 +908,7 @@ def remove_single_or_list_of_files(file_location):
def verify_image_checksum(image_location, expected_checksum): def verify_image_checksum(image_location, expected_checksum):
"""Verifies checksum (md5) of image file against the expected one. """Verifies checksum of image file against the expected one.
This method generates the checksum of the image file on the fly and This method generates the checksum of the image file on the fly and
verifies it against the expected checksum provided as argument. verifies it against the expected checksum provided as argument.
@ -919,8 +919,24 @@ def verify_image_checksum(image_location, expected_checksum):
verification fails. verification fails.
""" """
try: try:
actual_checksum = fileutils.compute_file_checksum(image_location, if len(expected_checksum) <= 32:
algorithm='md5') actual_checksum = fileutils.compute_file_checksum(image_location,
algorithm='md5')
elif len(expected_checksum) <= 64:
actual_checksum = fileutils.compute_file_checksum(
image_location,
algorithm='sha256')
elif len(expected_checksum) <= 128:
actual_checksum = fileutils.compute_file_checksum(
image_location,
algorithm='sha512')
else:
raise exception.ImageRefValidationFailed(
image_href=image_location,
reason="Unable to identify checksum based upon length. "
"Please validate your checksum and ensure it is "
"MD5, SHA256, or SHA512")
except IOError as e: except IOError as e:
LOG.error("Error opening file: %(file)s", {'file': image_location}) LOG.error("Error opening file: %(file)s", {'file': image_location})
raise exception.ImageRefValidationFailed(image_href=image_location, raise exception.ImageRefValidationFailed(image_href=image_location,

24
ironic/tests/unit/drivers/modules/ilo/test_common.py
View File

@ -1170,6 +1170,30 @@ class IloCommonMethodsTestCase(BaseIloTest):
# | THEN | # | THEN |
# no any exception thrown # no any exception thrown
@mock.patch.object(builtins, 'open', autospec=True)
def test_verify_image_checksum_sha256(self, open_mock):
# | GIVEN |
data = b'Yankee Doodle went to town riding on a pony;'
file_like_object = io.BytesIO(data)
open_mock().__enter__.return_value = file_like_object
actual_hash = hashlib.sha256(data).hexdigest()
# | WHEN |
ilo_common.verify_image_checksum(file_like_object, actual_hash)
# | THEN |
# no any exception thrown
@mock.patch.object(builtins, 'open', autospec=True)
def test_verify_image_checksum_sha512(self, open_mock):
# | GIVEN |
data = b'Yankee Doodle went to town riding on a pony;'
file_like_object = io.BytesIO(data)
open_mock().__enter__.return_value = file_like_object
actual_hash = hashlib.sha512(data).hexdigest()
# | WHEN |
ilo_common.verify_image_checksum(file_like_object, actual_hash)
# | THEN |
# no any exception thrown
def test_verify_image_checksum_throws_for_nonexistent_file(self): def test_verify_image_checksum_throws_for_nonexistent_file(self):
# | GIVEN | # | GIVEN |
invalid_file_path = '/some/invalid/file/path' invalid_file_path = '/some/invalid/file/path'

6
releasenotes/notes/ilo-driver-firmware-upgrade-supports-sha256-sha512-ae76569042750a07.yaml Normal file
View File

@ -0,0 +1,6 @@
---
features:
- |
The ``ilo`` hardware type firmware upgrade steps, now support checksum
determination by legnth in order to allow SHA256 and SHA512 checksums
to be supplied by the step caller.