Add fips-hash-offline.sh#10749
Conversation
This script calculates the FIPS integrity hash for an already-linked binary offline at build time.
dfce905 to
83f46f8
Compare
There was a problem hiding this comment.
Pull request overview
Adds a new build-time utility script to compute and patch the wolfCrypt FIPS in-core integrity hash directly into an already-linked binary (intended for static/offline build flows), and documents how it differs from the existing source-patching workflow.
Changes:
- Added
fips-hash-offline.shto compute the in-core integrity HMAC over ELF ranges and patchverifyCore[]in-place in the binary. - Updated
fips-hash.shheader comments to clarify its runtime/scrape-and-patch-source behavior and reference the offline variant. - Listed the new script in
SCRIPTS-LIST.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| SCRIPTS-LIST | Adds an entry for the new offline FIPS hash patching script. |
| fips-hash.sh | Adds documentation explaining purpose and when to use the offline script instead. |
| fips-hash-offline.sh | New script implementing offline hash computation and in-place patching of verifyCore[] in a linked ELF binary. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
retest this please |
|
dgarske
left a comment
There was a problem hiding this comment.
Skoll Code Review
Scan type: reviewOverall recommendation: COMMENT
Findings: 5 total — 5 posted, 0 skipped
5 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [Medium] Hash pipeline can silently emit a wrong-but-correct-length hash (no pipefail, dd errors hidden) —
fips-hash-offline.sh:141-163 - [Medium] Offline hash is never validated against the module's own self-test —
fips-hash-offline.sh:41-46,161-170 - [Medium] New 170-line FIPS helper script has no automated test —
fips-hash-offline.sh:1-170 - [Low] Relies on GNU dd byte-granular flags; command -v check does not detect them —
fips-hash-offline.sh:58-62,88-90,158 - [Low] readelf re-invoked many times over the same binary —
fips-hash-offline.sh:67-84,93-100,125-157
Review generated by Skoll
Set pipefail option Check that the output binary file is writable Use POSIX-compatible dd flags
douzzer
left a comment
There was a problem hiding this comment.
This is great! Worked for me on src/.libs/libwolfssl.so.45.0.0 once I fixed sym_val() and sym_size().
Description
This script calculates the FIPS integrity hash for an already-linked binary offline at build time.
Tested with fips/optest-140-3/static-building/optest-run-static-test.sh
Testing
How did you test?
Checklist