[isar-cip-core,2/2] reproducible.yml: Disable signed swupdate in reproducible tests

Message ID 20231006125845.2661-3-venkata.pyla@toshiba-tsip.com (mailing list archive)
State Changes Requested
Series Enable SWU file in reproducible test

Commit Message

Venkata Pyla Oct. 6, 2023, 12:58 p.m. UTC
From: venkata pyla <venkata.pyla@toshiba-tsip.com>

Signed artifacts are not reproducible due to the fact that the signature
can include some randomness for security reasons, so skip signature
verifications in reproducible tests.

Fixes #80

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 kas/opt/reproducible.yml | 1 +
 1 file changed, 1 insertion(+)

Comments

Jan Kiszka Oct. 6, 2023, 1:04 p.m. UTC | #1
On 06.10.23 14:58, venkata.pyla@toshiba-tsip.com wrote:
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> Signed artifacts are not reproducible due to the fact that the signature
> can include some randomness for security reasons, so skip signature
> verifications in reproducible tests.
> 
> Fixes #80
> 
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  kas/opt/reproducible.yml | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/kas/opt/reproducible.yml b/kas/opt/reproducible.yml
> index 5d6a896..73dd4d5 100644
> --- a/kas/opt/reproducible.yml
> +++ b/kas/opt/reproducible.yml
> @@ -15,3 +15,4 @@ local_conf_header:
>    reproducible-builds: |
>      SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}"
>      WIC_DEPLOY_PARTITIONS = "1"
> +    SWU_SIGNED = "0"
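Review bot: the added `SWU_SIGNED = "0"` line in the reproducible-builds header carries no comment saying why signing is switched off in this configuration, so a reader of reproducible.yml cannot tell it is a test-only workaround for a non-deterministic signature rather than a deliberate product setting; add a one-line comment above it, and have the commit message name which signing method was observed to be non-reproducible, since the reply that follows asks whether comparing everything except the .sig element would be the better check than dropping signing altogether.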

Shouldn't we rather or also check if everything except for the .sig
element in a signed SWU is identical?

Jan
Venkata Pyla Oct. 7, 2023, 4:06 p.m. UTC | #2
> 
> Shouldn't we rather or also check if everything except for the .sig element in a
> signed SWU is identical?

If we have to skip the "sw-description.sig" file then it will also skip the sw-description file from reproducible verification.

If I understand correctly, the difference between signed and unsigned swupdate is the sw-description file: it will be signed in case of SWU_SIGNED="1", otherwise it is an unsigned file.
So, if we disable SWU_SIGNED that will discard the signature.

Venkata Pyla Oct. 10, 2023, 4:59 a.m. UTC | #3
> 
> If we have to skip the "sw-description.sig" file then it will also skip the sw-description
> file from reproducible verification.
> 
> If I understand correctly, the difference between signed and unsigned swupdate is
> the sw-description file: it will be signed in case of SWU_SIGNED="1",
> otherwise it is an unsigned file.
> So, if we disable SWU_SIGNED that will discard the signature.
> 

(Sorry to jump in)
Any comments on this approach (disabling signed swupdate)?

Jan Kiszka Oct. 10, 2023, 7:01 a.m. UTC | #4
On 10.10.23 06:59, Venkata.Pyla@toshiba-tsip.com wrote:
>>
>> If we have to skip the "sw-description.sig" file then it will also skip the sw-description
>> file from reproducible verification.
>>
>> If I understand correctly, the difference between signed and unsigned swupdate is
>> the sw-description file: it will be signed in case of SWU_SIGNED="1",
>> otherwise it is an unsigned file.
>> So, if we disable SWU_SIGNED that will discard the signature.
>>
> 
> (Sorry to jump in)
> Any comments on this approach (disabling signed swupdate)?
> 

I would suggest discussing with the diffoscope people if there is a way
to configure the tool for this scenario. I'm still concerned that we are
not testing the right thing when we disable signing.

BTW, the same applies to other signed artifacts: It should be possible
to validate that you can rebuild things bit-identically, just minus any
included certificate or hash or you-name-it. We currently exploit that
we use a demo key, thus have access to its private part. But that should
not be a precondition to check reproducibility.

Jan
Venkata Pyla Oct. 24, 2023, 4:36 p.m. UTC | #5
> 
> I would suggest discussing with the diffoscope people if there is a way to
> configure the tool for this scenario. I'm still concerned that we are not testing the
> right thing when we disable signing.
> 
> BTW, the same applies to other signed artifacts: It should be possible to
> validate that you can rebuild things bit-identically, just minus any included
> certificate or hash or you-name-it. We currently exploit that we use a demo
> key, thus have access to its private part. But that should not be a precondition
> to check reproducibility.

I investigated a little more and found that the signature of the swupdate file is not deterministically created because in the "cms" method it adds the signing time in the attributes section of the signature data.
This can be avoided by passing "-noattr" to the openssl-cms command; then it creates the signatures deterministically.

Also, when the signing method is "rsa", the signed swupdate files are reproducible.

I will resend the patch with the "-noattr" option used in the openssl-cms command.

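A shell demonstration of the signingTime non-determinism and the `-noattr` fix described in the reply above. This is an added example, not code from the thread or from isar-cip-core; it assumes `openssl` in PATH, generates a throwaway self-signed key and certificate in place of the project's demo key, signs a constructed sw-description stand-in, and mirrors the SWUpdate-style `openssl cms` invocation (`-outform DER -nosmimecap -binary`) as an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or isar-cip-core): show that a default
# CMS signature embeds a signingTime signed attribute, while "-noattr"
# yields a signature that is byte-identical across runs.
# Assumptions: openssl in PATH; throwaway key/cert generated here (constructed,
# not the project's demo key); constructed sw-description stand-in.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway signing key and self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=repro-demo" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Constructed stand-in for the sw-description file that SWUpdate signs.
printf 'software = { version = "1.0.0"; }\n' > "$WORK/sw-description"

# sign_cms OUTPUT [extra openssl cms flags...]
# Mirrors the SWUpdate-style command (assumed): DER output, no S/MIME caps.
sign_cms() {
    out=$1; shift
    openssl cms -sign -in "$WORK/sw-description" -out "$out" \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -outform DER -nosmimecap -binary "$@"
}

# Exit 0 if the DER signature carries a signingTime signed attribute
# (OID 1.2.840.113549.1.9.5, printed by asn1parse as ":signingTime").
has_signing_time() {
    openssl asn1parse -inform DER -in "$1" | grep -q ':signingTime'
}

# Exit 0 if two signature files are byte-identical.
identical() { cmp -s "$1" "$2"; }

sign_cms "$WORK/default.sig"             # default: signed attributes present
sign_cms "$WORK/noattr-1.sig" -noattr    # no signed attributes, no timestamp
sign_cms "$WORK/noattr-2.sig" -noattr    # second run for the reproducibility check

if has_signing_time "$WORK/default.sig"; then
    echo "default CMS signature embeds signingTime (varies with build time)"
fi
if ! has_signing_time "$WORK/noattr-1.sig" \
   && identical "$WORK/noattr-1.sig" "$WORK/noattr-2.sig"; then
    echo "-noattr: no signingTime, two runs are byte-identical"
fi
```

Two default-mode signatures produced within the same second can still coincide, so the check that matters for the reproducibility test is the absence of signingTime, not a single differing pair.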
Jan Kiszka Oct. 25, 2023, 8:24 a.m. UTC | #6
On 24.10.23 18:36, Venkata.Pyla@toshiba-tsip.com wrote:
> 
> I investigated a little more and found that the signature of the swupdate file is not deterministically created because in the "cms" method it adds the signing time in the attributes section of the signature data.
> This can be avoided by passing "-noattr" to the openssl-cms command; then it creates the signatures deterministically.
> 
> Also, when the signing method is "rsa", the signed swupdate files are reproducible.
> 
> I will resend the patch with the "-noattr" option used in the openssl-cms command.
> 

While that is great news, we would still benefit from some "ignore the
signature" filter because you may not have the private key in hand in
other setups.

Jan

Patch

diff --git a/kas/opt/reproducible.yml b/kas/opt/reproducible.yml
index 5d6a896..73dd4d5 100644
--- a/kas/opt/reproducible.yml
+++ b/kas/opt/reproducible.yml
@@ -15,3 +15,4 @@  local_conf_header:
   reproducible-builds: |
     SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}"
     WIC_DEPLOY_PARTITIONS = "1"
+    SWU_SIGNED = "0"
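Review bot: setting `SWU_SIGNED = "0"` removes the signing step from the reproducible build, so the test no longer exercises the signed .swu that a real build produces and cannot catch non-determinism introduced by signing itself. The thread later traces the difference to the signingTime signed attribute that `openssl cms` adds by default and that `-noattr` drops; keeping SWU_SIGNED at its default and making the signature deterministic, or having the comparison skip sw-description.sig for setups that lack the private key, tests the shipped artifact, whereas this line tests a different one.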