[Buildroot] [git commit branch/2023.11.x] configs/rock5b: add hash for custom kernel

Peter Korsgaard peter at korsgaard.com
Mon Jan 8 11:03:55 UTC 2024 

commit: https://git.buildroot.net/buildroot/commit/?id=9519bde956934fcafdc0835a4ad9a05258149060
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2023.11.x

Commit d344ffe6245b (configs/rock5b: add hash for custom uboot)
explicitly noted that the kernel was retrieved from a git-clone, so the
sha1 of the commit was enough to get what we expect.

However, that does not account for the fact that the upstream repository
can disapear or be temporarily unavailable (maliciously or not). In that
case, the kernel archive will be looked up on the backup mirror.

In that case, the download is via wget over https, which protects the
transport, but does not guarantee that the remote server serves the
expected archive.

The hash file was dropped when d344ffe6245b was applied; restore it.

Since the defconfig now has hashes for all its downloads, enforce
checking hashes.

Signed-off-by: Kilian Zinnecker <kilian.zinnecker at mail.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
(cherry picked from commit 9ebbfeff38770876e48a4d38741dd9fffc001a42)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 board/radxa/rock5b/patches/linux/linux.hash | 2 ++
 configs/rock5b_defconfig                    | 1 +
 2 files changed, 3 insertions(+)

diff --git a/board/radxa/rock5b/patches/linux/linux.hash b/board/radxa/rock5b/patches/linux/linux.hash
new file mode 100644
index 0000000000..95ad749554
--- /dev/null
+++ b/board/radxa/rock5b/patches/linux/linux.hash
@@ -0,0 +1,2 @@
+# Locally calculated
+sha256  a5eca7b8f929a1918125e2e4fbd7ab4ea5b3910b5ae4547e81c794b47373ffb5  linux-52f51a2b5ba178f331af62260d2da86d7472c14b-br1.tar.gz
diff --git a/configs/rock5b_defconfig b/configs/rock5b_defconfig
index eed656ef5f..2e72b386b1 100644
--- a/configs/rock5b_defconfig
+++ b/configs/rock5b_defconfig
@@ -6,6 +6,7 @@ BR2_ROOTFS_POST_SCRIPT_ARGS=""
 BR2_TARGET_GENERIC_HOSTNAME="rock5b"
 BR2_TARGET_GENERIC_ISSUE="Welcome to the rock5b board"
 BR2_GLOBAL_PATCH_DIR="board/radxa/rock5b/patches"
+BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
 BR2_SYSTEM_DHCP="eth0"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_GIT=y

More information about the buildroot mailing list