hash: log version and sha256 of /proc/self/exe at boot #166
Open
zvonkok wants to merge 5 commits into
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Assisted-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Lets operators correlate dmesg output against the cosign/Rekor digest published in the release evidence bundle (ARCHITECTURE.md §"Provenance & Supply-Chain Security").

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Assisted-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CARGO_PKG_VERSION alone cannot tell a clean release apart from a local or CI build of uncommitted code. CI computes a short commit (plus -dirty for an unclean tree) and exports it as GIT_REV on the cargo build command; hash.rs reads it via option_env! and appends it as semver build metadata, e.g. "version=0.1.4+g3ccba213b033". Release builds leave GIT_REV unset and log the bare version.

NVRC is an init process: its mounts, module loads, daemon forks and the poweroff panic hook would wreck a normal host. init::as_pid1() now gates all of that on a raw SYS_getpid syscall (no /proc, which isn't mounted this early): as PID 1 it returns and boot continues; anywhere else (CI smoke test, dev shell) it prints the version+sha256 line to stdout and exits 0. That makes the binary safe to execute directly and usable as a CI smoke test of the build.

This stays a dev-convenience hint: a tampered binary can forge it, so authoritative release identity remains the sha256 correlated against Rekor.

CARGO_PKG_VERSION cannot be overridden from the environment (cargo sets it from Cargo.toml), hence a separate var rather than a build.rs, which would make the otherwise hermetic build depend on git state.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Assisted-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>

Make the workflow name more descriptive.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Contributor
Pull request overview
This PR adds a boot-time identity line for NVRC (version + SHA-256 of the running binary) so operators can correlate kernel logs with the release evidence bundle’s published digest, and CI can confirm it is exercising the newly built binary.
Changes:
- Add an early “must be PID 1” gate that prints NVRC identity and exits when run outside an init context.
- Add a `hash` module that computes SHA-256 of `/proc/self/exe` and logs `NVRC version=… sha256=…` during boot.
- Plumb a `GIT_REV` build stamp from CI into the binary for dev/dirty build identification.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/main.rs | Adds PID 1 gating and logs the self-binary hash during boot. |
| src/lib.rs | Exposes the new hash module via the library crate (testing/fuzzing interface). |
| src/init.rs | Implements PID 1 detection + non-PID-1 identity output/exit path. |
| src/hash.rs | Computes SHA-256 of /proc/self/exe and formats the boot identity line (version + optional git rev). |
| CLAUDE.md | Documents a “self-describing code” guideline (naming over “what” comments). |
| Cargo.toml | Adds the sha2 dependency used for hashing. |
| Cargo.lock | Locks new transitive dependencies pulled in by sha2. |
| .github/workflows/ci.yaml | Sets GIT_REV in CI before building NVRC (and renames the job). |
Comment on lines +36 to +39

```rust
pub fn version_line() -> String {
    let digest = sha256().or_panic(format_args!("hash {SELF_EXE}"));
    boot_line(&digest, GIT_REV)
}
```
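Review bot: the exact text of this line is the contract operators will grep dmesg for and that CI will match on, but nothing here pins it down; suggest documenting the `NVRC version=… sha256=…` format next to the Rekor digest guidance in ARCHITECTURE.md §"Provenance & Supply-Chain Security", so a later change to `boot_line` cannot silently break the correlation the PR is meant to enable.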
Collaborator
I don't think we need to address this one, as we'd rather panic.
Comment on lines +49 to +51

```rust
fn sha256() -> std::io::Result<String> {
    fs::read(SELF_EXE).map(|data| hex_encode(&Sha256::digest(&data)))
}
```
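Review bot: `fs::read(SELF_EXE)` pulls the whole binary into memory before hashing; streaming it, e.g. `io::copy(&mut File::open(SELF_EXE)?, &mut hasher)` (sha2's `Sha256` implements `io::Write` when its default `std` feature is on), keeps the early-boot footprint bounded. Separately, this read depends on /proc being mounted, and the commit message says /proc is not mounted at the point `as_pid1()` runs; a one-line comment at the call site stating that `sha256()` must run after the proc mount in the PID 1 path (the non-PID-1 path simply relies on the host's /proc) would make that ordering constraint explicit.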
Enables operators to correlate dmesg output against the cosign/Rekor digest published in the release evidence bundle (ARCHITECTURE.md §"Provenance & Supply-Chain Security").
Also, an indicator for CI runs to verify we're indeed running the new binary.