Planner to verify the RoT artifacts and choose correct one for environment #8630

@karencfv

As part of the work to get MGS driven updates incorporated into the planner, we came across a roadbump. Previously, wicket created a RawHubrisArchive from each artifact to verify the CMPA and CFPA pages against. In the planner, this step isn't as straightforward because we don't have access to the artifacts, but rather just the metadata. The TUF metadata does not contain any of this information from the RoT artifacts.

To get to a point where we have the information available to the planner we'll need the following work:

  • Retrieve the Root Key Table Hash (RKTH) from the RoT artifacts before Nexus re-packages the TUF repo's RoT artifacts. Should be done as a new lpc55_sign routine.
  • Then we can store those hashes somewhere, perhaps the artifact metadata (TufArtifactMeta)? Will need input from @iliana on such kind-specific metadata.
  • Have the planner verify the RKTH against the CMPA/CFPA found in inventory as part of [reconfigurator] RoT planner support #8421.
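An added example, not part of the original issue or the project's code: the comparison the last bullet describes, selecting the RoT artifact whose stored RKTH equals the RKTH in the CMPA page reported in inventory. `RotArtifactMeta`, `SelectError`, `cmpa_rkth` and `select_artifact` are hypothetical names, the RKTH position (32 bytes at offset 0x50 of a 512-byte CMPA page) is an assumption about the LPC55 layout, and the CFPA check and signature verification are not covered.

```rust
// Added example; every type and function name here is hypothetical.
const CMPA_SIZE: usize = 512;
// Assumption: the RKTH occupies 32 bytes at offset 0x50 of the CMPA page.
const CMPA_RKTH_OFFSET: usize = 0x50;
const RKTH_LEN: usize = 32;

#[derive(Debug, Clone, PartialEq)]
pub struct RotArtifactMeta { pub name: String, pub rkth: [u8; RKTH_LEN] }

#[derive(Debug, PartialEq)]
pub enum SelectError { BadCmpaLength(usize), CmpaUnprogrammed, NoMatch, Ambiguous(Vec<String>) }

/// Extract the RKTH from a raw CMPA page as reported in inventory.
pub fn cmpa_rkth(cmpa: &[u8]) -> Result<[u8; RKTH_LEN], SelectError> {
    if cmpa.len() != CMPA_SIZE {
        return Err(SelectError::BadCmpaLength(cmpa.len()));
    }
    let mut rkth = [0u8; RKTH_LEN];
    rkth.copy_from_slice(&cmpa[CMPA_RKTH_OFFSET..CMPA_RKTH_OFFSET + RKTH_LEN]);
    // Assumption: an all-zero field means no key table was provisioned; fail closed.
    if rkth.iter().all(|b| *b == 0) {
        return Err(SelectError::CmpaUnprogrammed);
    }
    Ok(rkth)
}

/// Pick the single candidate whose stored RKTH matches the device's CMPA.
pub fn select_artifact<'a>(
    cmpa: &[u8],
    candidates: &'a [RotArtifactMeta],
) -> Result<&'a RotArtifactMeta, SelectError> {
    let want = cmpa_rkth(cmpa)?;
    let hits: Vec<&RotArtifactMeta> = candidates.iter().filter(|a| a.rkth == want).collect();
    match hits.as_slice() {
        [] => Err(SelectError::NoMatch),
        [one] => Ok(*one),
        many => Err(SelectError::Ambiguous(many.iter().map(|a| a.name.clone()).collect())),
    }
}

fn main() {
    // Constructed sample: a CMPA page with RKTH bytes 0xA5 and two candidate artifacts.
    let mut cmpa = [0u8; CMPA_SIZE];
    cmpa[CMPA_RKTH_OFFSET..CMPA_RKTH_OFFSET + RKTH_LEN].fill(0xA5);
    let a = RotArtifactMeta { name: "rot-key-a".into(), rkth: [0xA5; RKTH_LEN] };
    let b = RotArtifactMeta { name: "rot-key-b".into(), rkth: [0x5A; RKTH_LEN] };
    println!("{:?}", select_artifact(&cmpa, &[a, b]).map(|m| m.name.clone()));
}
```

Returning an error when zero or several candidates match keeps the selection from falling back to an arbitrary image.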
