Description
Binary blobs and their companion `west blobs` command are really handy. But running `west blobs fetch` will not verify the digests of downloaded files, which does not match the documented [1] behavior:
> A checksum for the blob, which `west blobs` checks after downloading. This is required for reproducibility and to allow bisecting issues as blobs change using Git and west
Problem description
The current behavior is:
- if the checksum of the previously downloaded file equals that in the blob metadata (status `BLOB_PRESENT`), do nothing
- if the checksum of the previously downloaded file differs from that in the blob metadata (status `BLOB_OUTDATED`), assume versions differ and download the up-to-date file
- if the blob has not yet been downloaded (status `BLOB_NOT_PRESENT`), download it
Neither the second (`BLOB_OUTDATED`) nor the third (`BLOB_NOT_PRESENT`) code path verifies that the checksum of the file just downloaded actually matches the digest in the blob's metadata.
Consequences:
- in the event that the metadata of a module is incorrect, then the user will not notice anything, and may rely on an unexpected binary, e.g. a static library for a different architecture
- this makes these SHA digests less reliable for "reproducibility and bisecting issues as blobs change using Git and west"
- this skips a (basic) mitigation against supply chain attacks
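To make the missing step concrete, here is a small added example (not west's own code) of the fetch logic with the post-download verification in place: the three states above are reproduced, the download goes to a temporary file, and the file is only moved into place when its SHA-256 digest matches the metadata. The state names, the `download` callback, the `.part` suffix and the blob contents are constructed for the example, not taken from west.

```python
import hashlib
import os
import tempfile
from typing import Callable

# Constructed state names, mirroring the three cases in the issue (not west's constants).
BLOB_PRESENT = "BLOB_PRESENT"
BLOB_OUTDATED = "BLOB_OUTDATED"
BLOB_NOT_PRESENT = "BLOB_NOT_PRESENT"


class ChecksumMismatch(Exception):
    """Raised when a downloaded file does not match the digest in the blob metadata."""


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large libraries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def blob_status(path: str, expected_sha256: str) -> str:
    """Classify the local copy exactly as the issue describes the current behavior."""
    if not os.path.exists(path):
        return BLOB_NOT_PRESENT
    return BLOB_PRESENT if sha256_of(path) == expected_sha256 else BLOB_OUTDATED


def fetch_blob(path: str, expected_sha256: str, download: Callable[[str], None]) -> str:
    """Fetch the blob if needed and verify it; returns the status seen before fetching.

    `download(dest)` is a hypothetical callback that writes the remote file to `dest`.
    The download lands in a temporary `.part` file, so a mismatched file never replaces
    a previously verified one and a half-written file never looks like a finished blob.
    """
    status = blob_status(path, expected_sha256)
    if status == BLOB_PRESENT:
        return status                      # nothing to do, as today
    partial = path + ".part"
    download(partial)
    actual = sha256_of(partial)
    if actual != expected_sha256:          # the check west currently skips
        os.remove(partial)
        raise ChecksumMismatch(
            f"checksum of downloaded file {path} does not match blob metadata: "
            f"expected {expected_sha256}, got {actual}"
        )
    os.replace(partial, path)              # atomic rename only after verification
    return status


def demo() -> dict:
    """Exercise all three states against a constructed blob in a temporary directory."""
    payload = b"constructed blob contents, not a real library\n"
    good_digest = hashlib.sha256(payload).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        dest = os.path.join(workdir, "libbtdm_app.a")   # file name only borrowed from the issue

        def download(tmp_path: str) -> None:
            with open(tmp_path, "wb") as f:
                f.write(payload)

        results["first"] = fetch_blob(dest, good_digest, download)    # not present -> fetched, verified
        results["second"] = fetch_blob(dest, good_digest, download)   # present -> untouched
        # Simulate incorrect metadata: a digest that cannot match the download.
        wrong_digest = "0" * 64
        try:
            fetch_blob(dest, wrong_digest, download)                  # outdated -> fetched -> mismatch
            results["mismatch"] = None
        except ChecksumMismatch as exc:
            results["mismatch"] = str(exc)
        results["kept_old"] = os.path.exists(dest) and sha256_of(dest) == good_digest
        results["no_partial"] = not os.path.exists(dest + ".part")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the incorrect-metadata case the call fails loudly instead of silently re-downloading on every run, and the previously verified copy is left in place.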
How to reproduce
- Change the SHA256 digest of some blob, e.g. blob `lib/esp32c3/libbtdm_app.a` in `modules/hal/espressif/zephyr/module.yml`
- Run `west blobs fetch hal_espressif`: this will download the file, without warning the user that its checksum does not match that in the blob metadata
- Users will only notice if they find it suspicious that the file is downloaded again and again
```
$ west blobs fetch hal_espressif
Fetching blob hal_espressif: path/to/zephyr/modules/hal/espressif/zephyr/blobs/lib/esp32c3/libbtdm_app.a
$ west blobs fetch hal_espressif
Fetching blob hal_espressif: path/to/zephyr/modules/hal/espressif/zephyr/blobs/lib/esp32c3/libbtdm_app.a
```
Expected behavior
Something like:
```
$ west blobs fetch hal_espressif
Fetching blob hal_espressif: path/to/zephyr/modules/hal/espressif/zephyr/blobs/lib/esp32c3/libbtdm_app.a
ERROR: The checksum of the downloaded file does not match that in the blob metadata:
  - if it is not certain that the download was successful,
    try running 'west blobs fetch hal_espressif'
    to re-download the file
  - if the error persists, please consider contacting
    the maintainers of the module so that they can check
    the corresponding blob metadata
Module: hal_espressif
Blob: lib/esp32c3/libbtdm_app.a
URL: https://github.com/espressif/esp32c3-bt-lib/raw/b438f60a295183e7c67eb42ae05f4580f4b1ced0/esp32c3/libbtdm_app.a
Info: Binary libraries supporting the ESP32 series RF subsystems
```
Thanks.
[1] Fetching blobs: https://docs.zephyrproject.org/3.6.0/contribute/bin_blobs.html#fetching-blobs