[tuf] Store rkth/sign hashes in TUF repo description (#8729)

karencfv · web-flow · commit e15b5d9335b6 · 2025-08-07T00:51:39.000Z
This commit introduces a new field in `TufArtifactMeta` that maps an RoT/RoT bootloader artifact with its associated sign. This will be necessary for the planner to support [RoT](#8421) and [RoT bootloader](#8664) updates.
diff --git a/common/src/api/external/mod.rs b/common/src/api/external/mod.rs
@@ -3408,6 +3408,12 @@ pub struct TufArtifactMeta {
 
     /// The size of the artifact in bytes.
     pub size: u64,
+
+    /// Contents of the `SIGN` field of a Hubris archive caboose, i.e.,
+    /// an identifier for the set of valid signing keys. Currently only
+    /// applicable to RoT image and bootloader artifacts, where it will
+    /// be an LPC55 Root Key Table Hash (RKTH).
+    pub sign: Option<Vec<u8>>,
 }
 
 /// Data about a successful TUF repo import into Nexus.
diff --git a/nexus/db-model/src/schema_versions.rs b/nexus/db-model/src/schema_versions.rs
@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(173, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(174, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(174, "add-tuf-rot-by-sign"),
         KnownVersion::new(173, "inv-internal-dns"),
         KnownVersion::new(172, "add-zones-with-mupdate-override"),
         KnownVersion::new(171, "inv-clear-mupdate-override"),
diff --git a/nexus/db-model/src/tuf_repo.rs b/nexus/db-model/src/tuf_repo.rs
@@ -165,6 +165,7 @@ pub struct TufArtifact {
     pub sha256: ArtifactHash,
     artifact_size: i64,
     pub generation_added: Generation,
+    pub sign: Option<Vec<u8>>,
 }
 
 impl TufArtifact {
@@ -174,6 +175,7 @@ impl TufArtifact {
         sha256: ArtifactHash,
         artifact_size: u64,
         generation_added: external::Generation,
+        sign: Option<Vec<u8>>,
     ) -> Self {
         Self {
             id: TypedUuid::new_v4().into(),
@@ -184,6 +186,7 @@ impl TufArtifact {
             sha256,
             artifact_size: artifact_size as i64,
             generation_added: generation_added.into(),
+            sign,
         }
     }
 
@@ -202,6 +205,7 @@ impl TufArtifact {
             artifact.hash.into(),
             artifact.size,
             generation_added,
+            artifact.sign,
         )
     }
 
@@ -215,6 +219,7 @@ impl TufArtifact {
             },
             hash: self.sha256.into(),
             size: self.artifact_size as u64,
+            sign: self.sign,
         }
     }
 
diff --git a/nexus/db-queries/src/db/datastore/deployment.rs b/nexus/db-queries/src/db/datastore/deployment.rs
@@ -3197,6 +3197,7 @@ mod tests {
                                 },
                                 hash: ZONE_ARTIFACT_HASH_1,
                                 size: 0,
+                                sign: None,
                             },
                             TufArtifactMeta {
                                 id: ArtifactId {
@@ -3206,6 +3207,7 @@ mod tests {
                                 },
                                 hash: HOST_ARTIFACT_HASH_1,
                                 size: 0,
+                                sign: None,
                             },
                             TufArtifactMeta {
                                 id: ArtifactId {
@@ -3215,6 +3217,7 @@ mod tests {
                                 },
                                 hash: HOST_ARTIFACT_HASH_2,
                                 size: 0,
+                                sign: None,
                             },
                         ],
                     },
diff --git a/nexus/db-queries/src/db/datastore/target_release.rs b/nexus/db-queries/src/db/datastore/target_release.rs
@@ -228,6 +228,7 @@ mod test {
                         },
                         hash,
                         size: 0,
+                        sign: None,
                     }],
                 },
             )
diff --git a/nexus/db-schema/src/schema.rs b/nexus/db-schema/src/schema.rs
@@ -1415,6 +1415,7 @@ table! {
         sha256 -> Text,
         artifact_size -> Int8,
         generation_added -> Int8,
+        sign -> Nullable<Binary>,
     }
 }
 
diff --git a/nexus/reconfigurator/planning/src/mgs_updates/mod.rs b/nexus/reconfigurator/planning/src/mgs_updates/mod.rs
@@ -693,7 +693,8 @@ mod test {
                 kind: kind.into(),
             },
             hash,
-            size: 0, // unused here
+            size: 0,    // unused here
+            sign: None, // unused here
         }
     }
 
diff --git a/nexus/reconfigurator/planning/src/planner.rs b/nexus/reconfigurator/planning/src/planner.rs
@@ -5531,6 +5531,7 @@ pub(crate) mod test {
                 },
                 hash: ArtifactHash([0; 32]),
                 size: 0,
+                sign: None,
             }
         };
     }
diff --git a/openapi/nexus.json b/openapi/nexus.json
@@ -25384,6 +25384,16 @@
               }
             ]
           },
+          "sign": {
+            "nullable": true,
+            "description": "Contents of the `SIGN` field of a Hubris archive caboose, i.e., an identifier for the set of valid signing keys. Currently only applicable to RoT image and bootloader artifacts, where it will be an LPC55 Root Key Table Hash (RKTH).",
+            "type": "array",
+            "items": {
+              "type": "integer",
+              "format": "uint8",
+              "minimum": 0
+            }
+          },
           "size": {
             "description": "The size of the artifact in bytes.",
             "type": "integer",
diff --git a/schema/crdb/add-tuf-rot-by-sign/up1.sql b/schema/crdb/add-tuf-rot-by-sign/up1.sql
@@ -0,0 +1 @@
+ALTER TABLE omicron.public.tuf_artifact ADD COLUMN IF NOT EXISTS sign BYTES;
diff --git a/schema/crdb/dbinit.sql b/schema/crdb/dbinit.sql
@@ -2513,6 +2513,9 @@ CREATE TABLE IF NOT EXISTS omicron.public.tuf_artifact (
     -- The generation number this artifact was added for.
     generation_added INT8 NOT NULL,
 
+    -- Sign (root key hash table) hash of a signed RoT or RoT bootloader image.
+    sign BYTES, -- nullable
+
     CONSTRAINT unique_name_version_kind UNIQUE (name, version, kind)
 );
 
@@ -6347,7 +6350,7 @@ INSERT INTO omicron.public.db_metadata (
     version,
     target_version
 ) VALUES
-    (TRUE, NOW(), NOW(), '173.0.0', NULL)
+    (TRUE, NOW(), NOW(), '174.0.0', NULL)
 ON CONFLICT DO NOTHING;
 
 COMMIT;
diff --git a/update-common/src/artifacts/update_plan.rs b/update-common/src/artifacts/update_plan.rs
@@ -364,6 +364,7 @@ impl<'a> UpdatePlanBuilder<'a> {
             artifact_id,
             data,
             artifact_kind.into(),
+            None,
             self.log,
         )?;
 
@@ -419,11 +420,20 @@ impl<'a> UpdatePlanBuilder<'a> {
         let (artifact_id, bootloader_caboose) =
             read_hubris_caboose_from_archive(artifact_id, data.clone())?;
 
+        let sign = match bootloader_caboose.sign {
+            Some(sign) => sign,
+            None => {
+                return Err(RepositoryError::MissingHubrisCabooseSign(
+                    artifact_id,
+                ));
+            }
+        };
+
         // We restrict the bootloader to exactly one entry per (kind, signature)
-        match self.rot_by_sign.entry(RotSignData {
-            kind: artifact_kind,
-            sign: bootloader_caboose.sign.expect("required SIGN in caboose"),
-        }) {
+        match self
+            .rot_by_sign
+            .entry(RotSignData { kind: artifact_kind, sign: sign.clone() })
+        {
             hash_map::Entry::Occupied(_) => {
                 return Err(RepositoryError::DuplicateBoardEntry {
                     board: bootloader_caboose.board,
@@ -454,6 +464,7 @@ impl<'a> UpdatePlanBuilder<'a> {
             artifact_id,
             data,
             bootloader_kind,
+            Some(sign),
             self.log,
         )?;
 
@@ -555,11 +566,17 @@ impl<'a> UpdatePlanBuilder<'a> {
             });
         }
 
-        let entry_a = RotSignData {
-            kind: artifact_kind,
-            sign: image_a_caboose.sign.expect("required SIGN in caboose"),
+        let sign_a = match image_a_caboose.sign {
+            Some(sign) => sign,
+            None => {
+                return Err(RepositoryError::MissingHubrisCabooseSign(
+                    artifact_id,
+                ));
+            }
         };
 
+        let entry_a = RotSignData { kind: artifact_kind, sign: sign_a.clone() };
+
         let target_a = RotSignTarget {
             id: artifact_id.clone(),
             bord: image_a_caboose.board,
@@ -583,11 +600,17 @@ impl<'a> UpdatePlanBuilder<'a> {
             }
         };
 
-        let entry_b = RotSignData {
-            kind: artifact_kind,
-            sign: image_b_caboose.sign.expect("required SIGN in caboose"),
+        let sign_b = match image_b_caboose.sign {
+            Some(sign) => sign,
+            None => {
+                return Err(RepositoryError::MissingHubrisCabooseSign(
+                    artifact_id,
+                ));
+            }
         };
 
+        let entry_b = RotSignData { kind: artifact_kind, sign: sign_b.clone() };
+
         let target_b = RotSignTarget {
             id: artifact_id.clone(),
             bord: image_b_caboose.board,
@@ -620,12 +643,14 @@ impl<'a> UpdatePlanBuilder<'a> {
             artifact_id.clone(),
             rot_a_data,
             rot_a_kind,
+            Some(sign_a),
             self.log,
         )?;
         self.record_extracted_artifact(
             artifact_id,
             rot_b_data,
             rot_b_kind,
+            Some(sign_b),
             self.log,
         )?;
 
@@ -668,12 +693,14 @@ impl<'a> UpdatePlanBuilder<'a> {
             artifact_id.clone(),
             phase_1_data,
             ArtifactKind::HOST_PHASE_1,
+            None,
             self.log,
         )?;
         self.record_extracted_artifact(
             artifact_id,
             phase_2_data,
             ArtifactKind::HOST_PHASE_2,
+            None,
             self.log,
         )?;
 
@@ -725,12 +752,14 @@ impl<'a> UpdatePlanBuilder<'a> {
             artifact_id.clone(),
             phase_1_data,
             ArtifactKind::TRAMPOLINE_PHASE_1,
+            None,
             self.log,
         )?;
         self.record_extracted_artifact(
             artifact_id,
             phase_2_data,
             ArtifactKind::TRAMPOLINE_PHASE_2,
+            None,
             self.log,
         )?;
 
@@ -761,6 +790,7 @@ impl<'a> UpdatePlanBuilder<'a> {
             artifact_id,
             data,
             artifact_kind,
+            None,
             self.log,
         )?;
 
@@ -796,6 +826,7 @@ impl<'a> UpdatePlanBuilder<'a> {
                     artifact_id,
                     data,
                     KnownArtifactKind::ControlPlane.into(),
+                    None,
                     self.log,
                 )?;
             }
@@ -830,6 +861,7 @@ impl<'a> UpdatePlanBuilder<'a> {
             artifact_id,
             data,
             artifact_kind,
+            None,
             self.log,
         )?;
 
@@ -994,6 +1026,7 @@ impl<'a> UpdatePlanBuilder<'a> {
                 artifact_id,
                 data,
                 KnownArtifactKind::Zone.into(),
+                None,
                 self.log,
             )?;
             Ok(())
@@ -1017,6 +1050,7 @@ impl<'a> UpdatePlanBuilder<'a> {
         tuf_repo_artifact_id: ArtifactId,
         data: ExtractedArtifactDataHandle,
         data_kind: ArtifactKind,
+        sign: Option<Vec<u8>>,
         log: &Logger,
     ) -> Result<(), RepositoryError> {
         use std::collections::hash_map::Entry;
@@ -1059,6 +1093,7 @@ impl<'a> UpdatePlanBuilder<'a> {
             id: artifacts_meta_id,
             hash: data.hash(),
             size: data.file_size() as u64,
+            sign,
         });
         by_hash_slot.insert(data);
 
diff --git a/update-common/src/errors.rs b/update-common/src/errors.rs
@@ -140,6 +140,9 @@ pub enum RepositoryError {
     #[error("error reading name from hubris caboose of {0:?}: non-utf8 value")]
     ReadHubrisCabooseNameUtf8(ArtifactId),
 
+    #[error("missing sign from hubris caboose of {0:?}")]
+    MissingHubrisCabooseSign(ArtifactId),
+
     #[error("missing artifact of kind `{0:?}`")]
     MissingArtifactKind(KnownArtifactKind),
 
@@ -203,6 +206,7 @@ impl RepositoryError {
             | RepositoryError::LocateTarget { .. }
             | RepositoryError::TargetHashLength(_)
             | RepositoryError::MissingArtifactKind(_)
+            | RepositoryError::MissingHubrisCabooseSign(_)
             | RepositoryError::MissingTarget(_)
             | RepositoryError::DuplicateHashEntry(_)
             | RepositoryError::DuplicateBoardEntry { .. }

Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,7 @@ pub struct TufArtifact {`
`165`	`165`	`pub sha256: ArtifactHash,`
`166`	`166`	`artifact_size: i64,`
`167`	`167`	`pub generation_added: Generation,`
	`168`	`+ pub sign: Option<Vec<u8>>,`
`168`	`169`	`}`
`169`	`170`
`170`	`171`	`impl TufArtifact {`
`@@ -174,6 +175,7 @@ impl TufArtifact {`
`174`	`175`	`sha256: ArtifactHash,`
`175`	`176`	`artifact_size: u64,`
`176`	`177`	`generation_added: external::Generation,`
	`178`	`+ sign: Option<Vec<u8>>,`
`177`	`179`	`) -> Self {`
`178`	`180`	`Self {`
`179`	`181`	`id: TypedUuid::new_v4().into(),`
`@@ -184,6 +186,7 @@ impl TufArtifact {`
`184`	`186`	`sha256,`
`185`	`187`	`artifact_size: artifact_size as i64,`
`186`	`188`	`generation_added: generation_added.into(),`
	`189`	`+ sign,`
`187`	`190`	`}`
`188`	`191`	`}`
`189`	`192`
`@@ -202,6 +205,7 @@ impl TufArtifact {`
`202`	`205`	`artifact.hash.into(),`
`203`	`206`	`artifact.size,`
`204`	`207`	`generation_added,`
	`208`	`+ artifact.sign,`
`205`	`209`	`)`
`206`	`210`	`}`
`207`	`211`
`@@ -215,6 +219,7 @@ impl TufArtifact {`
`215`	`219`	`},`
`216`	`220`	`hash: self.sha256.into(),`
`217`	`221`	`size: self.artifact_size as u64,`
	`222`	`+ sign: self.sign,`
`218`	`223`	`}`
`219`	`224`	`}`
`220`	`225`
Original file line number	Diff line number	Diff line change
`@@ -228,6 +228,7 @@ mod test {`
`228`	`228`	`},`
`229`	`229`	`hash,`
`230`	`230`	`size: 0,`
	`231`	`+ sign: None,`
`231`	`232`	`}],`
`232`	`233`	`},`
`233`	`234`	`)`
Original file line number	Diff line number	Diff line change
`@@ -1415,6 +1415,7 @@ table! {`
`1415`	`1415`	`sha256 -> Text,`
`1416`	`1416`	`artifact_size -> Int8,`
`1417`	`1417`	`generation_added -> Int8,`
	`1418`	`+ sign -> Nullable<Binary>,`
`1418`	`1419`	`}`
`1419`	`1420`	`}`
`1420`	`1421`
Original file line number	Diff line number	Diff line change
`@@ -693,7 +693,8 @@ mod test {`
`693`	`693`	`kind: kind.into(),`
`694`	`694`	`},`
`695`	`695`	`hash,`
`696`		`- size: 0, // unused here`
	`696`	`+ size: 0, // unused here`
	`697`	`+ sign: None, // unused here`
`697`	`698`	`}`
`698`	`699`	`}`
`699`	`700`
Original file line number	Diff line number	Diff line change
`@@ -5531,6 +5531,7 @@ pub(crate) mod test {`
`5531`	`5531`	`},`
`5532`	`5532`	`hash: ArtifactHash([0; 32]),`
`5533`	`5533`	`size: 0,`
	`5534`	`+ sign: None,`
`5534`	`5535`	`}`
`5535`	`5536`	`};`
`5536`	`5537`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE omicron.public.tuf_artifact ADD COLUMN IF NOT EXISTS sign BYTES;`