Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / update_engine / 74475bfd0ed945d9035c1760c6ccf938f4f0cdff^! / . / update_metadata.proto
commit74475bfd0ed945d9035c1760c6ccf938f4f0cdff[log] [tgz]
authorJay Srinivasan <jaysri@chromium.org>Thu Sep 13 19:26:26 2012 -0700
committerGerrit <chrome-bot@google.com>Thu Sep 13 22:28:35 2012 -0700
treee0eda8b3e59246d36fcf901058d15d8d431b5f17
parent51dcf260754837962dd22db3b7babee181471e7d [diff] [blame]
Update manifest protobuf to include optional hash for operation blobs.

In order to support downloads over http for a number of reasons, we need
to secure http downloads. Among other things, we reduce the attack surface
by adding an extra hash for each operation that uses a blob. This CL
adds this extra field in the update_engine metadata protobuf. Checking this
first so that subsequent CLs that populate/consume this field in
delta diff generator and update_engine can be developed independently.

BUG=chromium-os:33602
TEST=Tested on ZGB to make sure existing functionality works fine.

Change-Id: I2aba79242aa515f1f288c93e9e778f4eb51ba962
Reviewed-on: https://gerrit.chromium.org/gerrit/33264
Reviewed-by: Jay Srinivasan <jaysri@chromium.org>
Tested-by: Jay Srinivasan <jaysri@chromium.org>
Commit-Ready: Jay Srinivasan <jaysri@chromium.org>

diff --git a/update_metadata.proto b/update_metadata.proto
index 40ba24f..b9c061b 100644
--- a/update_metadata.proto
+++ b/update_metadata.proto

@@ -62,7 +62,7 @@
 
 // Signatures: Updates may be signed by the OS vendor. The client verifies
 // an update's signature by hashing the entire download. The section of the
-// download the contains the signature is at the end of the file, so when
+// download that contains the signature is at the end of the file, so when
 // signing a file, only the part up to the signature part is signed.
 // Then, the client looks inside the download's Signatures message for a
 // Signature message that it knows how to handle. Generally, a client will
@@ -117,6 +117,13 @@
     // BSDIFF, because we need to fill in the rest of the last block
     // that bsdiff writes with '\0' bytes.
     optional uint64 dst_length = 7;
+
+    // Optional SHA 256 hash of the blob associated with this operation.
+    // This is used as a primary validation for http-based downloads and
+    // as a defense-in-depth validation for https-based downloads. If
+    // the operation doesn't refer to any blob, this field will have
+    // zero bytes.
+    optional bytes data_sha256_hash = 8;
   }
   repeated InstallOperation install_operations = 1;
   repeated InstallOperation kernel_install_operations = 2;