[SmartSwitch] Add smartswitch bfb checksum file integrity validation #24757
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Creates a checksum of bfb contents and uses it for validation in the sonic-bfb-installer.sh script Signed-off-by: Connor Roos <[email protected]>
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
croos12
changed the title
oleksandrivantsiv
approved these changes
Dec 5, 2025
Signed-off-by: Connor Roos <[email protected]>
Collaborator
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Turns the sonic-nvidia-bluefield.bfb file into a tar archive with a bfb, sonic-nvidia-bluefield.bfb-intermediate and a sha256 checksum, sonic-nvidia-bluefield.bfb-intermediate.sha256 so that the contents of the bfb can be validated before shutting down an rshim when running sonic-bfb-installer.sh
Why I did it
There is currently a bug that any file can be used as the bfb input for sonic-bfb-installer.sh and the script does not validate if it is a proper bfb before shutting down rshims on smartswitch. This can be a problem for when trying to use the download functionality of the script since if the call to download the bfb fails the script will shutdown the rshims and attempt to install the html response page as a bfb.
How I did it
The bfb file is now an archive with the old bfb file, now names bfb-intermediate and a checksum using shasum256. The checksum is used to ensure that the file contents are the bfb that was intended to be installed for the sake of having a method of proving file integrity to the bfb, this is not intended to be a security feature.
How to verify it
Build the new bfb using the make file and attempt to install it using sonic-bfb-installer.sh.
Description for the changelog
Add smartswitch bfb checksum file integrity validation
A picture of a cute animal (not mandatory but encouraged)