asserts/snap_asserts*: add support for separate block sizes for data/…

…hash dm-verity devices
canonical · Dec 17, 2024 · 5be00ff · 5be00ff
1 parent 23941f7
commit 5be00ff
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 19 deletions.
diff --git a/asserts/snap_asserts.go b/asserts/snap_asserts.go
@@ -553,12 +553,13 @@ func toHash(s string) crypto.Hash {
 // A single snap revision can have multiple variants of integrity data which are represented as an array in the
 // snap revision assertion.
 type SnapIntegrityData struct {
-	Type      string
-	Version   uint
-	HashAlg   string
-	BlockSize uint
-	Digest    string
-	Salt      string
+	Type          string
+	Version       uint
+	HashAlg       string
+	DataBlockSize uint
+	HashBlockSize uint
+	Digest        string
+	Salt          string
 }
 
 // SnapFileSHA3_384 computes the SHA3-384 digest of the given snap file.
@@ -827,7 +828,13 @@ func checkSnapIntegrity(headers map[string]interface{}) ([]SnapIntegrityData, er
 		}
 
 		what = fmt.Sprintf("for integrity data with index %d of type %q", i, typ)
-		blockSize, err := checkUintWhat(id, "block-size", 64, what)
+		dataBlockSize, err := checkUintWhat(id, "data-block-size", 64, what)
+		if err != nil {
+			return nil, err
+		}
+
+		what = fmt.Sprintf("for integrity data with index %d of type %q", i, typ)
+		hashBlockSize, err := checkUintWhat(id, "hash-block-size", 64, what)
 		if err != nil {
 			return nil, err
 		}
@@ -847,12 +854,13 @@ func checkSnapIntegrity(headers map[string]interface{}) ([]SnapIntegrityData, er
 		}
 
 		snapIntegrityData := SnapIntegrityData{
-			Type:      typ,
-			Version:   uint(version),
-			HashAlg:   alg,
-			BlockSize: uint(blockSize),
-			Digest:    hex.EncodeToString(digest),
-			Salt:      hex.EncodeToString(salt),
+			Type:          typ,
+			Version:       uint(version),
+			HashAlg:       alg,
+			DataBlockSize: uint(dataBlockSize),
+			HashBlockSize: uint(hashBlockSize),
+			Digest:        hex.EncodeToString(digest),
+			Salt:          hex.EncodeToString(salt),
 		}
 
 		snapIntegrityDataList = append(snapIntegrityDataList, snapIntegrityData)

diff --git a/asserts/snap_asserts_test.go b/asserts/snap_asserts_test.go
@@ -1031,7 +1031,8 @@ func (srs *snapRevSuite) makeValidEncodedWithIntegrity() string {
 		"    digest: " + hexSHA256 + "\n" +
 		"    version: 1\n" +
 		"    hash-alg: sha256\n" +
-		"    block-size: 4096\n" +
+		"    data-block-size: 4096\n" +
+		"    hash-block-size: 4096\n" +
 		"    salt: " + hexSHA256 + "\n"
 
 	return "type: snap-revision\n" +
@@ -1124,7 +1125,8 @@ func (srs *snapRevSuite) TestDecodeOKWithIntegrity(c *C) {
 	c.Check(snapRev.SnapIntegrityData()[0].Type, Equals, "dm-verity")
 	c.Check(snapRev.SnapIntegrityData()[0].Version, Equals, uint(1))
 	c.Check(snapRev.SnapIntegrityData()[0].HashAlg, Equals, "sha256")
-	c.Check(snapRev.SnapIntegrityData()[0].BlockSize, Equals, uint(4096))
+	c.Check(snapRev.SnapIntegrityData()[0].DataBlockSize, Equals, uint(4096))
+	c.Check(snapRev.SnapIntegrityData()[0].HashBlockSize, Equals, uint(4096))
 	c.Check(snapRev.SnapIntegrityData()[0].Digest, Equals, hexSHA256)
 	c.Check(snapRev.SnapIntegrityData()[0].Salt, Equals, hexSHA256)
 }
@@ -1178,13 +1180,15 @@ func (srs *snapRevSuite) TestDecodeInvalidWithIntegrity(c *C) {
 		"    digest: " + hexSHA256 + "\n" +
 		"    version: 1\n" +
 		"    hash-alg: sha256\n" +
-		"    block-size: 4096\n" +
+		"    data-block-size: 4096\n" +
+		"    hash-block-size: 4096\n" +
 		"    salt: " + hexSHA256 + "\n"
 
 	integrityTypeHdr := "    type: dm-verity\n"
 	integrityVersionHdr := "    version: 1\n"
 	integrityHashAlgHdr := "    hash-alg: sha256\n"
-	integrityBlockSizeHdr := "    block-size: 4096\n"
+	integrityDataBlockSizeHdr := "    data-block-size: 4096\n"
+	integrityHashBlockSizeHdr := "    hash-block-size: 4096\n"
 	integrityDigestHdr := "    digest: " + hexSHA256 + "\n"
 	integritySaltHdr := "    salt: " + hexSHA256 + "\n"
 
@@ -1204,8 +1208,10 @@ func (srs *snapRevSuite) TestDecodeInvalidWithIntegrity(c *C) {
 		{integrityHashAlgHdr, "    hash-alg: a\n", `hash algorithm for integrity data with index 0 of type "dm-verity" must be one of .*`},
 		{integrityHashAlgHdr, "    hash-alg: sha123\n", `hash algorithm for integrity data with index 0 of type "dm-verity" must be one of .*`},
 		{integrityHashAlgHdr, "    hash-alg: sm3\n", `hash algorithm for integrity data with index 0 of type "dm-verity" must be one of .*`},
-		{integrityBlockSizeHdr, "", `"block-size" for integrity data with index 0 of type "dm-verity" is mandatory`},
-		{integrityBlockSizeHdr, "    block-size: a\n", `"block-size" for integrity data with index 0 of type "dm-verity" is not an unsigned integer: a`},
+		{integrityDataBlockSizeHdr, "", `"data-block-size" for integrity data with index 0 of type "dm-verity" is mandatory`},
+		{integrityDataBlockSizeHdr, "    data-block-size: a\n", `"data-block-size" for integrity data with index 0 of type "dm-verity" is not an unsigned integer: a`},
+		{integrityHashBlockSizeHdr, "", `"hash-block-size" for integrity data with index 0 of type "dm-verity" is mandatory`},
+		{integrityHashBlockSizeHdr, "    hash-block-size: a\n", `"hash-block-size" for integrity data with index 0 of type "dm-verity" is not an unsigned integer: a`},
 		{integrityDigestHdr, "", `"digest" for integrity data with index 0 of type "dm-verity" is mandatory`},
 		{integrityDigestHdr, "    digest: a\n", `"digest" for integrity data with index 0 of type "dm-verity" cannot be decoded: encoding/hex: odd length hex string`},
 		{integrityDigestHdr, "    digest: ab\n", `"digest" for integrity data with index 0 of type "dm-verity" does not have the expected bit length: 8`},