hash: log version and sha256 of /proc/self/exe at boot #161
Open
zvonkok wants to merge 4 commits into
Pull request overview
Adds a small module that hashes /proc/self/exe with SHA-256 at boot and logs version=… sha256=…, so operators / CI can correlate the running NVRC against the Rekor-published digest in the release evidence bundle.
Changes:
- New hash module that reads /proc/self/exe, computes SHA-256, and logs it together with CARGO_PKG_VERSION.
- Wires hash::exe() into main after kernlog/syslog setup; exposes module via lib.rs.
- Adds sha2 (no_std, default-features off) as a dependency and updates Cargo.lock; documents a "self-describing code" guideline in CLAUDE.md.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/hash.rs | New module: sha256() reads /proc/self/exe and exe() logs version + digest; includes hex-encode + sha256 tests. |
| src/main.rs | Registers hash module and calls hash::exe() early in boot. |
| src/lib.rs | Exposes pub mod hash for library/test consumers. |
| Cargo.toml | Adds sha2 = "0.10" with default-features = false. |
| Cargo.lock | Pulls in sha2 and transitive deps (digest, block-buffer, cpufeatures, etc.). |
| CLAUDE.md | Adds guideline #7 on self-describing code vs. comments. |
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com> Assisted-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Lets operators correlate dmesg output against the cosign/Rekor digest published in the release evidence bundle (ARCHITECTURE.md §"Provenance & Supply-Chain Security"). Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com> Assisted-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CARGO_PKG_VERSION alone cannot tell a clean release apart from a local or CI build of uncommitted code. CI computes a short commit (plus -dirty for an unclean tree) and exports it as GIT_REV on the cargo build command; hash.rs reads it via option_env! and appends it as semver build metadata, e.g. "version=0.1.4+g3ccba213b033". Release builds leave GIT_REV unset and log the bare version.

NVRC is an init process: its mounts, module loads, daemon forks and the poweroff panic hook would wreck a normal host. init::as_pid1() now gates all of that on a raw SYS_getpid syscall (no /proc, which isn't mounted this early): as PID 1 it returns and boot continues; anywhere else (CI smoke test, dev shell) it prints the version+sha256 line to stdout and exits 0. That makes the binary safe to execute directly and usable as a CI smoke test of the build.

This stays a dev-convenience hint: a tampered binary can forge it, so authoritative release identity remains the sha256 correlated against Rekor. CARGO_PKG_VERSION cannot be overridden from the environment (cargo sets it from Cargo.toml), hence a separate var rather than a build.rs, which would make the otherwise hermetic build depend on git state.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Assisted-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Enables operators to correlate dmesg output against the cosign/Rekor digest published in the release evidence bundle (ARCHITECTURE.md §"Provenance & Supply-Chain Security").
Also, an indicator for CI runs to verify we're indeed running the new binary.
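
An added example, not part of this PR or of NVRC's code: the operator/CI side of the correlation described above, parsing the logged line and comparing its digest against an expected one. The exact line layout, the `Verdict` type and the `field` and `check` helpers are assumptions made for illustration, and the digests are constructed sample values.

```rust
// Added example (not NVRC code): operator/CI-side check of the logged line.
// Assumed shape: "... version=<semver>[+g<rev>[-dirty]] sha256=<64 hex>".

#[derive(Debug, PartialEq)]
enum Verdict {
    Release,                  // expected digest, bare version
    DevBuild { dirty: bool }, // expected digest, version carries +g<rev>
    DigestMismatch,           // running binary is not the expected artifact
    Malformed,                // version= or sha256= missing or ill-formed
}

/// Value of `key` (e.g. "sha256=") in a whitespace-separated log line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    line.split_whitespace().find_map(|tok| tok.strip_prefix(key))
}

/// `expected_sha256` comes from the release evidence bundle or, in CI,
/// from hashing the artifact that was just built.
fn check(line: &str, expected_sha256: &str) -> Verdict {
    let (version, digest) = match (field(line, "version="), field(line, "sha256=")) {
        (Some(v), Some(d)) if !v.is_empty() => (v, d),
        _ => return Verdict::Malformed,
    };
    // A SHA-256 digest is exactly 64 hex characters; reject anything else.
    if digest.len() != 64 || !digest.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Verdict::Malformed;
    }
    // The digest decides identity; the version string is only a hint.
    if !digest.eq_ignore_ascii_case(expected_sha256) {
        return Verdict::DigestMismatch;
    }
    match version.split_once('+') {
        None => Verdict::Release,
        Some((_, build)) => Verdict::DevBuild { dirty: build.ends_with("-dirty") },
    }
}

fn main() {
    // Constructed sample values, not real NVRC digests or log output.
    let expected = "ab".repeat(32);
    let line = format!("[    0.512] nvrc: version=0.1.4+g3ccba213b033 sha256={}", expected);
    println!("{:?}", check(&line, &expected));
}
```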