| Message ID | 20240602070634.597337-1-francois.perrad@gadz.org |
|---|---|
| State | Accepted |
| Headers | show |
| Series | configs/olimex_stmp157_olinuxino_lime: add hashes | expand |
Francois, All, On 2024-06-02 09:06 +0200, Francois Perrad spake thusly: > and enable BR2_DOWNLOAD_FORCE_CHECK_HASHES > > Signed-off-by: Francois Perrad <francois.perrad@gadz.org> Thank you for this patch. It uncovered a very nasty issue we have had since we introduce _DL_SUBDIR more than 6 years ago now, and for which I just sent a fix: https://lore.kernel.org/buildroot/20240602145542.2485828-1-yann.morin.1998@free.fr/T/#u Basically, Peter and I spent quite some time trying to udnerstand why we got a hash different from yours: $ make olimex_stmp157_olinuxino_lime_defconfig $ make source [...] ERROR: while checking hashes from board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash ERROR: linux-fc74113e14d76aea9482264ff42e07397b94553d-git4.tar.gz has wrong sha256 hash: ERROR: expected: 5d3ca43b81056305860d7407c871eac4f8eafa603029ee67816574a31444fd93 ERROR: got : ee94af461da08f406408c70094582232a348b14069bc4dcbe7ff97e16cfe0c70 ERROR: Incomplete download, or man-in-the-middle (MITM) attack However, what was even stranger to us, was that the download was OK when we actually tried to directly trigger the linux download (there is a hint in the trace above, but we did not see it immediately): $ make linux-source [...] linux-fc74113e14d76aea9482264ff42e07397b94553d-git4.tar.gz: OK (sha256: 5d3ca43b81056305860d7407c871eac4f8eafa603029ee67816574a31444fd93) So, sometimes the hash is OK, sometimes it is not? I seriously considered Gremlins at one point... ;-] Of course, when we identified the delta between the two archives, we eventually noticed the download was failing for linux-headers, not for linux... This is something that you too could have spotted on your side, if all you had done was to run the download from scratch to validate the change (I pretty much always do that to be sure): $ rm -rf $(pwd)/dl-empty $ make olimex_stmp157_olinuxino_lime_defconfig $ BR2_DL_DIR=$(pwd)/dl-empty make source Anyway, that was a really nasty issue, but we now have a fix. Could you please help test and review that patch, please? Regards, Yann E. MORIN. > --- > .checkpackageignore | 1 - > .../stmp1_olinuxino/patches/linux-headers/linux-headers.hash | 1 + > board/olimex/stmp1_olinuxino/patches/linux/linux.hash | 2 ++ > board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash | 2 ++ > configs/olimex_stmp157_olinuxino_lime_defconfig | 4 ++++ > 5 files changed, 9 insertions(+), 1 deletion(-) > create mode 120000 board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash > create mode 100644 board/olimex/stmp1_olinuxino/patches/linux/linux.hash > create mode 100644 board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash > > diff --git a/.checkpackageignore b/.checkpackageignore > index 8f5fc0a47..201ec2a85 100644 > --- a/.checkpackageignore > +++ b/.checkpackageignore > @@ -253,7 +253,6 @@ configs/olimex_a20_olinuxino_lime_defconfig lib_defconfig.ForceCheckHash > configs/olimex_a20_olinuxino_micro_defconfig lib_defconfig.ForceCheckHash > configs/olimex_a33_olinuxino_defconfig lib_defconfig.ForceCheckHash > configs/olimex_a64_olinuxino_defconfig lib_defconfig.ForceCheckHash > -configs/olimex_stmp157_olinuxino_lime_defconfig lib_defconfig.ForceCheckHash > configs/olpc_xo175_defconfig lib_defconfig.ForceCheckHash > configs/olpc_xo1_defconfig lib_defconfig.ForceCheckHash > configs/orangepi_lite2_defconfig lib_defconfig.ForceCheckHash > diff --git a/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash b/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash > new file mode 120000 > index 000000000..5808d92af > --- /dev/null > +++ b/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash > @@ -0,0 +1 @@ > +../linux/linux.hash > \ No newline at end of file > diff --git a/board/olimex/stmp1_olinuxino/patches/linux/linux.hash b/board/olimex/stmp1_olinuxino/patches/linux/linux.hash > new file mode 100644 > index 000000000..8691d5ffd > --- /dev/null > +++ b/board/olimex/stmp1_olinuxino/patches/linux/linux.hash > @@ -0,0 +1,2 @@ > +# Locally computed > +sha256 5d3ca43b81056305860d7407c871eac4f8eafa603029ee67816574a31444fd93 linux-fc74113e14d76aea9482264ff42e07397b94553d-git4.tar.gz > diff --git a/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash b/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash > new file mode 100644 > index 000000000..a991a1922 > --- /dev/null > +++ b/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash > @@ -0,0 +1,2 @@ > +# Locally computed > +sha256 6aaa18a9023db29ceaad5bca240605990b68a6bf348aaefad0bee8be8d37648e uboot-efadf793a0a5924e2c96362dc1df3e56622ebb97-git4.tar.gz > diff --git a/configs/olimex_stmp157_olinuxino_lime_defconfig b/configs/olimex_stmp157_olinuxino_lime_defconfig > index 8bd8e10ca..ecfa78135 100644 > --- a/configs/olimex_stmp157_olinuxino_lime_defconfig > +++ b/configs/olimex_stmp157_olinuxino_lime_defconfig > @@ -5,6 +5,10 @@ BR2_cortex_a7=y > # Linux headers same as kernel, a 5.10 series > BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y > > +# Build > +BR2_GLOBAL_PATCH_DIR="board/olimex/stmp1_olinuxino/patches" > +BR2_DOWNLOAD_FORCE_CHECK_HASHES=y > + > # System configuration > BR2_TARGET_GENERIC_HOSTNAME="stmp1-olinuxino" > BR2_TARGET_GENERIC_ISSUE="Welcome to OLinuXino!" > -- > 2.43.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Francois" == Francois Perrad <francois.perrad@gadz.org> writes: > and enable BR2_DOWNLOAD_FORCE_CHECK_HASHES > Signed-off-by: Francois Perrad <francois.perrad@gadz.org> Committed, thanks.
Le dim. 2 juin 2024 à 17:37, Yann E. MORIN <yann.morin.1998@free.fr> a écrit : > Francois, All, > > On 2024-06-02 09:06 +0200, Francois Perrad spake thusly: > > and enable BR2_DOWNLOAD_FORCE_CHECK_HASHES > > > > Signed-off-by: Francois Perrad <francois.perrad@gadz.org> > > Thank you for this patch. It uncovered a very nasty issue we have had > since we introduce _DL_SUBDIR more than 6 years ago now, and for which I > just sent a fix: > > > https://lore.kernel.org/buildroot/20240602145542.2485828-1-yann.morin.1998@free.fr/T/#u > > Basically, Peter and I spent quite some time trying to udnerstand why > we got a hash different from yours: > > $ make olimex_stmp157_olinuxino_lime_defconfig > $ make source > [...] > ERROR: while checking hashes from > board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash > ERROR: linux-fc74113e14d76aea9482264ff42e07397b94553d-git4.tar.gz has > wrong sha256 hash: > ERROR: expected: > 5d3ca43b81056305860d7407c871eac4f8eafa603029ee67816574a31444fd93 > ERROR: got : > ee94af461da08f406408c70094582232a348b14069bc4dcbe7ff97e16cfe0c70 > ERROR: Incomplete download, or man-in-the-middle (MITM) attack > > However, what was even stranger to us, was that the download was OK when > we actually tried to directly trigger the linux download (there is a hint > in the trace above, but we did not see it immediately): > > $ make linux-source > [...] > linux-fc74113e14d76aea9482264ff42e07397b94553d-git4.tar.gz: OK > (sha256: 5d3ca43b81056305860d7407c871eac4f8eafa603029ee67816574a31444fd93) > > So, sometimes the hash is OK, sometimes it is not? I seriously > considered Gremlins at one point... ;-] Of course, when we identified > the delta between the two archives, we eventually noticed the download > was failing for linux-headers, not for linux... > > This is something that you too could have spotted on your side, if all > you had done was to run the download from scratch to validate the change > (I pretty much always do that to be sure): > > $ rm -rf $(pwd)/dl-empty > $ make olimex_stmp157_olinuxino_lime_defconfig > $ BR2_DL_DIR=$(pwd)/dl-empty make source > > Anyway, that was a really nasty issue, but we now have a fix. Could you > please help test and review that patch, please? > > All sounds good. François > Regards, > Yann E. MORIN. > > > --- > > .checkpackageignore | 1 - > > .../stmp1_olinuxino/patches/linux-headers/linux-headers.hash | 1 + > > board/olimex/stmp1_olinuxino/patches/linux/linux.hash | 2 ++ > > board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash | 2 ++ > > configs/olimex_stmp157_olinuxino_lime_defconfig | 4 ++++ > > 5 files changed, 9 insertions(+), 1 deletion(-) > > create mode 120000 > board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash > > create mode 100644 board/olimex/stmp1_olinuxino/patches/linux/linux.hash > > create mode 100644 board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash > > > > diff --git a/.checkpackageignore b/.checkpackageignore > > index 8f5fc0a47..201ec2a85 100644 > > --- a/.checkpackageignore > > +++ b/.checkpackageignore > > @@ -253,7 +253,6 @@ configs/olimex_a20_olinuxino_lime_defconfig > lib_defconfig.ForceCheckHash > > configs/olimex_a20_olinuxino_micro_defconfig > lib_defconfig.ForceCheckHash > > configs/olimex_a33_olinuxino_defconfig lib_defconfig.ForceCheckHash > > configs/olimex_a64_olinuxino_defconfig lib_defconfig.ForceCheckHash > > -configs/olimex_stmp157_olinuxino_lime_defconfig > lib_defconfig.ForceCheckHash > > configs/olpc_xo175_defconfig lib_defconfig.ForceCheckHash > > configs/olpc_xo1_defconfig lib_defconfig.ForceCheckHash > > configs/orangepi_lite2_defconfig lib_defconfig.ForceCheckHash > > diff --git > a/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash > b/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash > > new file mode 120000 > > index 000000000..5808d92af > > --- /dev/null > > +++ > b/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash > > @@ -0,0 +1 @@ > > +../linux/linux.hash > > \ No newline at end of file > > diff --git a/board/olimex/stmp1_olinuxino/patches/linux/linux.hash > b/board/olimex/stmp1_olinuxino/patches/linux/linux.hash > > new file mode 100644 > > index 000000000..8691d5ffd > > --- /dev/null > > +++ b/board/olimex/stmp1_olinuxino/patches/linux/linux.hash > > @@ -0,0 +1,2 @@ > > +# Locally computed > > +sha256 > 5d3ca43b81056305860d7407c871eac4f8eafa603029ee67816574a31444fd93 > linux-fc74113e14d76aea9482264ff42e07397b94553d-git4.tar.gz > > diff --git a/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash > b/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash > > new file mode 100644 > > index 000000000..a991a1922 > > --- /dev/null > > +++ b/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash > > @@ -0,0 +1,2 @@ > > +# Locally computed > > +sha256 > 6aaa18a9023db29ceaad5bca240605990b68a6bf348aaefad0bee8be8d37648e > uboot-efadf793a0a5924e2c96362dc1df3e56622ebb97-git4.tar.gz > > diff --git a/configs/olimex_stmp157_olinuxino_lime_defconfig > b/configs/olimex_stmp157_olinuxino_lime_defconfig > > index 8bd8e10ca..ecfa78135 100644 > > --- a/configs/olimex_stmp157_olinuxino_lime_defconfig > > +++ b/configs/olimex_stmp157_olinuxino_lime_defconfig > > @@ -5,6 +5,10 @@ BR2_cortex_a7=y > > # Linux headers same as kernel, a 5.10 series > > BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y > > > > +# Build > > +BR2_GLOBAL_PATCH_DIR="board/olimex/stmp1_olinuxino/patches" > > +BR2_DOWNLOAD_FORCE_CHECK_HASHES=y > > + > > # System configuration > > BR2_TARGET_GENERIC_HOSTNAME="stmp1-olinuxino" > > BR2_TARGET_GENERIC_ISSUE="Welcome to OLinuXino!" > > -- > > 2.43.0 > > > > _______________________________________________ > > buildroot mailing list > > buildroot@buildroot.org > > https://lists.buildroot.org/mailman/listinfo/buildroot > > -- > > .-----------------.--------------------.------------------.--------------------. > | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' > conspiracy: | > | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ > | > | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is > no | > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v > conspiracy. | > > '------------------------------^-------^------------------^--------------------' >
diff --git a/.checkpackageignore b/.checkpackageignore index 8f5fc0a47..201ec2a85 100644 --- a/.checkpackageignore +++ b/.checkpackageignore @@ -253,7 +253,6 @@ configs/olimex_a20_olinuxino_lime_defconfig lib_defconfig.ForceCheckHash configs/olimex_a20_olinuxino_micro_defconfig lib_defconfig.ForceCheckHash configs/olimex_a33_olinuxino_defconfig lib_defconfig.ForceCheckHash configs/olimex_a64_olinuxino_defconfig lib_defconfig.ForceCheckHash -configs/olimex_stmp157_olinuxino_lime_defconfig lib_defconfig.ForceCheckHash configs/olpc_xo175_defconfig lib_defconfig.ForceCheckHash configs/olpc_xo1_defconfig lib_defconfig.ForceCheckHash configs/orangepi_lite2_defconfig lib_defconfig.ForceCheckHash diff --git a/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash b/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash new file mode 120000 index 000000000..5808d92af --- /dev/null +++ b/board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash @@ -0,0 +1 @@ +../linux/linux.hash \ No newline at end of file diff --git a/board/olimex/stmp1_olinuxino/patches/linux/linux.hash b/board/olimex/stmp1_olinuxino/patches/linux/linux.hash new file mode 100644 index 000000000..8691d5ffd --- /dev/null +++ b/board/olimex/stmp1_olinuxino/patches/linux/linux.hash @@ -0,0 +1,2 @@ +# Locally computed +sha256 5d3ca43b81056305860d7407c871eac4f8eafa603029ee67816574a31444fd93 linux-fc74113e14d76aea9482264ff42e07397b94553d-git4.tar.gz diff --git a/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash b/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash new file mode 100644 index 000000000..a991a1922 --- /dev/null +++ b/board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash @@ -0,0 +1,2 @@ +# Locally computed +sha256 6aaa18a9023db29ceaad5bca240605990b68a6bf348aaefad0bee8be8d37648e uboot-efadf793a0a5924e2c96362dc1df3e56622ebb97-git4.tar.gz diff --git a/configs/olimex_stmp157_olinuxino_lime_defconfig b/configs/olimex_stmp157_olinuxino_lime_defconfig index 8bd8e10ca..ecfa78135 100644 --- a/configs/olimex_stmp157_olinuxino_lime_defconfig +++ b/configs/olimex_stmp157_olinuxino_lime_defconfig @@ -5,6 +5,10 @@ BR2_cortex_a7=y # Linux headers same as kernel, a 5.10 series BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y +# Build +BR2_GLOBAL_PATCH_DIR="board/olimex/stmp1_olinuxino/patches" +BR2_DOWNLOAD_FORCE_CHECK_HASHES=y + # System configuration BR2_TARGET_GENERIC_HOSTNAME="stmp1-olinuxino" BR2_TARGET_GENERIC_ISSUE="Welcome to OLinuXino!"
and enable BR2_DOWNLOAD_FORCE_CHECK_HASHES Signed-off-by: Francois Perrad <francois.perrad@gadz.org> --- .checkpackageignore | 1 - .../stmp1_olinuxino/patches/linux-headers/linux-headers.hash | 1 + board/olimex/stmp1_olinuxino/patches/linux/linux.hash | 2 ++ board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash | 2 ++ configs/olimex_stmp157_olinuxino_lime_defconfig | 4 ++++ 5 files changed, 9 insertions(+), 1 deletion(-) create mode 120000 board/olimex/stmp1_olinuxino/patches/linux-headers/linux-headers.hash create mode 100644 board/olimex/stmp1_olinuxino/patches/linux/linux.hash create mode 100644 board/olimex/stmp1_olinuxino/patches/uboot/uboot.hash