[Buildroot] [EXTERNAL] Re: Verifying linux 5.4.x hashes

Ian Merin Ian.Merin at entrust.com
Wed Jun 9 14:28:36 UTC 2021


Why wouldn't you be able to set a custom hash in a BR2-External directory?  

Isn't the issue of multiple kernel versions solvable in the same way it already works?

If you have say 5.4.123 and 5.10.25 why couldn't you have a file that looks like this:

Sha256 abc123 linux-5.4.123.tar.xz
Sha256 123abc linux-5.10.25.tar.xz

-----Original Message-----
From: Yann E. MORIN <yann.morin.1998 at free.fr> 
Sent: Friday, May 28, 2021 4:17 PM
To: Arnout Vandecappelle <arnout at mind.be>
Cc: Ian Merin <Ian.Merin at entrust.com>; buildroot at busybox.net
Subject: [EXTERNAL] Re: [Buildroot] Verifying linux 5.4.x hashes

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

Arnout, All,

On 2021-05-28 22:03 +0200, Arnout Vandecappelle spake thusly:
> On 28/05/2021 21:55, Yann E. MORIN wrote:
> > On 2021-05-28 17:15 +0000, Ian Merin via buildroot spake thusly:
> >> What would be the method to have buildroot download the ???latest???
> >> 5.4.x kernel and also verify its hash against linux.hash?
> > And now a quick summary for that part;
> > 
> >  1. expand the hash-checking infra to accept custom hashes; that would
> >     impact:
> >         package/pkg-generic
> >         package/pkg-download
> >         support/download/dl-wrapper
> >         support/download/check-hash
> > 
> >  2. in linux/Config.in add a new entry for custom version:
> >         BR2_LINUX_KERNEL_CUSTOM_VERSION_HASHES="sha256:1234abcd sha512:abcd1234"
> > 
> > Note that I am not vey fond of the hash being set in the menuconfig, 
> > but I don't have a definitive better idea.
>  Why not? The kernel version itself is specified in the config file, 
> so it makes sense that the hash is there to. Compare to a normal 
> package, where the version and the hash are both specified in the package itself.
> > One thing to consider, though: people that want to check custom 
> > versions are probably already using a br2-external tree, so they 
> > could very well set such hashes in their tree, e.g;
>  That doesn't work at all! You can have two different configs (with 
> two different kernel versions) in the same external, so you need to 
> make the hash specific for the config. An easy way to do that: make 
> the hash part of the config :-)

That is why a email client is not meant to write code: you can't test it. ;-)

But more seriously, that is still doable with some hackery (which means:
don't do it):

    LINUX_CUSTOM_HASH_5.4.123 = sha256:1234abcd
    LINUX_CUSTOM_HASH_5.10.25 = sha256:1234abcd

and so on... Of course, that is still limiting to a set of know versions.
But in a project, the set of kernel versions to ever use is more often than not very small, i.e. probably a single one, or just one per suported board...

But OK, the hash in Config.in is more flexible, so yes, Ian: go with that initial idea of yours.

Yann E. MORIN.

|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' 
| conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| https://urldefense.com/v3/__http://ymorin.is-a-geek.org/__;!!FJ-Y8qCqXTj2!OUuT-bsJ5X27mcQXNyq0D_2DViN3j2LNd6MuYUs2xLcgV6-WYtDstIbF2PqUkAI$  | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |

More information about the buildroot mailing list