FIPS Integrity Hash Tooling #2296
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smittals2
approved these changes
Mar 28, 2025
justsmth
approved these changes
Mar 31, 2025
skmcgrail
added a commit
to skmcgrail/aws-lc
that referenced
this pull request
Mar 31, 2025
### Description of changes: Renames the `compare_hash` tool to be `integrity_tool`. Now supports two optional flags `-verify` and `-extract` when passing in a single file path. Like before it will output the recorded FIPS module integrity hash. With `-verify` flag provided it will also compute the module hash based on the contents and validate that the recorded hash matches. `-extract` can also be specified which will dump the `.text` and `.rodata` subsection areas bounded by the BCM symbols. It will write these to temporary file paths in both binary and hex to aide in subsequent investigations. # Example Output ``` sh $ ./integrity_tool -verify -extract after/build/crypto/libcrypto.so 3ae14c6e301a93c4b98a4e1281e2919cacbedf35955733bdf261ab5b25ed3c6b Integrity Hash: VERIFIED Extracted BORINGSSL_bcm_text: /tmp/2817692511.BORINGSSL_bcm_text.bin Extracted BORINGSSL_bcm_text: /tmp/1854918462.BORINGSSL_bcm_text.hex Extracted BORINGSSL_bcm_rodata: /tmp/404959500.BORINGSSL_bcm_rodata.bin Extracted BORINGSSL_bcm_rodata: /tmp/176508435.BORINGSSL_bcm_rodata.hex ``` By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. (cherry picked from commit 92e1332)
Merged
smittals2
added a commit
that referenced
this pull request
Apr 1, 2025
## What's Changed * FIPS Integrity Hash Tooling by @skmcgrail in #2296 * Add more build options to match callback build by @andrewhop in #2279 * Add req to OpenSSL CLI tool by @smittals2 in #2284 * Turn on better logging for EC2 test framework by @andrewhop in #2298 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
Renames the
compare_hashtool to beintegrity_tool. Now supports two optional flags-verifyand-extractwhen passing in a single file path. Like before it will output the recorded FIPS module integrity hash. With-verifyflag provided it will also compute the module hash based on the contents and validate that the recorded hash matches.-extractcan also be specified which will dump the.textand.rodatasubsection areas bounded by the BCM symbols. It will write these to temporary file paths in both binary and hex to aide in subsequent investigations.Example Output
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.