Skip to content

Commit e15b5d9

Browse files
authored
[tuf] Store rkth/sign hashes in TUF repo description (#8729)
This commit introduces a new field in `TufArtifactMeta` that maps an RoT/RoT bootloader artifact with its associated sign. This will be necessary for the planner to support [RoT](#8421) and [RoT bootloader](#8664) updates.
1 parent 444761e commit e15b5d9

File tree

13 files changed

+85
-13
lines changed

13 files changed

+85
-13
lines changed

common/src/api/external/mod.rs

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3408,6 +3408,12 @@ pub struct TufArtifactMeta {
34083408

34093409
/// The size of the artifact in bytes.
34103410
pub size: u64,
3411+
3412+
/// Contents of the `SIGN` field of a Hubris archive caboose, i.e.,
3413+
/// an identifier for the set of valid signing keys. Currently only
3414+
/// applicable to RoT image and bootloader artifacts, where it will
3415+
/// be an LPC55 Root Key Table Hash (RKTH).
3416+
pub sign: Option<Vec<u8>>,
34113417
}
34123418

34133419
/// Data about a successful TUF repo import into Nexus.

nexus/db-model/src/schema_versions.rs

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
1616
///
1717
/// This must be updated when you change the database schema. Refer to
1818
/// schema/crdb/README.adoc in the root of this repository for details.
19-
pub const SCHEMA_VERSION: Version = Version::new(173, 0, 0);
19+
pub const SCHEMA_VERSION: Version = Version::new(174, 0, 0);
2020

2121
/// List of all past database schema versions, in *reverse* order
2222
///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
2828
// | leaving the first copy as an example for the next person.
2929
// v
3030
// KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
31+
KnownVersion::new(174, "add-tuf-rot-by-sign"),
3132
KnownVersion::new(173, "inv-internal-dns"),
3233
KnownVersion::new(172, "add-zones-with-mupdate-override"),
3334
KnownVersion::new(171, "inv-clear-mupdate-override"),

nexus/db-model/src/tuf_repo.rs

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -165,6 +165,7 @@ pub struct TufArtifact {
165165
pub sha256: ArtifactHash,
166166
artifact_size: i64,
167167
pub generation_added: Generation,
168+
pub sign: Option<Vec<u8>>,
168169
}
169170

170171
impl TufArtifact {
@@ -174,6 +175,7 @@ impl TufArtifact {
174175
sha256: ArtifactHash,
175176
artifact_size: u64,
176177
generation_added: external::Generation,
178+
sign: Option<Vec<u8>>,
177179
) -> Self {
178180
Self {
179181
id: TypedUuid::new_v4().into(),
@@ -184,6 +186,7 @@ impl TufArtifact {
184186
sha256,
185187
artifact_size: artifact_size as i64,
186188
generation_added: generation_added.into(),
189+
sign,
187190
}
188191
}
189192

@@ -202,6 +205,7 @@ impl TufArtifact {
202205
artifact.hash.into(),
203206
artifact.size,
204207
generation_added,
208+
artifact.sign,
205209
)
206210
}
207211

@@ -215,6 +219,7 @@ impl TufArtifact {
215219
},
216220
hash: self.sha256.into(),
217221
size: self.artifact_size as u64,
222+
sign: self.sign,
218223
}
219224
}
220225

nexus/db-queries/src/db/datastore/deployment.rs

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3197,6 +3197,7 @@ mod tests {
31973197
},
31983198
hash: ZONE_ARTIFACT_HASH_1,
31993199
size: 0,
3200+
sign: None,
32003201
},
32013202
TufArtifactMeta {
32023203
id: ArtifactId {
@@ -3206,6 +3207,7 @@ mod tests {
32063207
},
32073208
hash: HOST_ARTIFACT_HASH_1,
32083209
size: 0,
3210+
sign: None,
32093211
},
32103212
TufArtifactMeta {
32113213
id: ArtifactId {
@@ -3215,6 +3217,7 @@ mod tests {
32153217
},
32163218
hash: HOST_ARTIFACT_HASH_2,
32173219
size: 0,
3220+
sign: None,
32183221
},
32193222
],
32203223
},

nexus/db-queries/src/db/datastore/target_release.rs

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -228,6 +228,7 @@ mod test {
228228
},
229229
hash,
230230
size: 0,
231+
sign: None,
231232
}],
232233
},
233234
)

nexus/db-schema/src/schema.rs

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1415,6 +1415,7 @@ table! {
14151415
sha256 -> Text,
14161416
artifact_size -> Int8,
14171417
generation_added -> Int8,
1418+
sign -> Nullable<Binary>,
14181419
}
14191420
}
14201421

nexus/reconfigurator/planning/src/mgs_updates/mod.rs

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -693,7 +693,8 @@ mod test {
693693
kind: kind.into(),
694694
},
695695
hash,
696-
size: 0, // unused here
696+
size: 0, // unused here
697+
sign: None, // unused here
697698
}
698699
}
699700

nexus/reconfigurator/planning/src/planner.rs

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5531,6 +5531,7 @@ pub(crate) mod test {
55315531
},
55325532
hash: ArtifactHash([0; 32]),
55335533
size: 0,
5534+
sign: None,
55345535
}
55355536
};
55365537
}

openapi/nexus.json

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25384,6 +25384,16 @@
2538425384
}
2538525385
]
2538625386
},
25387+
"sign": {
25388+
"nullable": true,
25389+
"description": "Contents of the `SIGN` field of a Hubris archive caboose, i.e., an identifier for the set of valid signing keys. Currently only applicable to RoT image and bootloader artifacts, where it will be an LPC55 Root Key Table Hash (RKTH).",
25390+
"type": "array",
25391+
"items": {
25392+
"type": "integer",
25393+
"format": "uint8",
25394+
"minimum": 0
25395+
}
25396+
},
2538725397
"size": {
2538825398
"description": "The size of the artifact in bytes.",
2538925399
"type": "integer",
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
ALTER TABLE omicron.public.tuf_artifact ADD COLUMN IF NOT EXISTS sign BYTES;

0 commit comments

Comments
 (0)