We recently decided to use Mender Professional for our RaspberryPi-based fleet updates and noticed that there is no check if the SD card is corrupted or something so we decided to implement this ourselves as Pi’s can suffer sometimes.
We want to read back from disk from the inactive partition once the download is completed and verify file integrity.
My questions specifically are:
Can we get the hash off the cloud server or the deployment?
Can we rerun the same hashing process from disk expected to produce the same hash?
Which script (location?) should we place this above code? Return values to allow/block the update?
Unfortunately there is no way to get the hash from the server. Here’s what I would recommend: Prepare an ArtifactInstall_Enter state script, and inside it, define two values:
ROOTFS_IMAGE_CHECKSUM=0
ROOTFS_IMAGE_SIZE=0
In your build process, obtain the sha256sum checksum of the image, and its size, and replace them in ArtifactInstall_Enter like this:
sed -i -e "s/ROOTFS_IMAGE_CHECKSUM=.*/ROOTFS_IMAGE_CHECKSUM=<actual-checksum>/"
sed -i -e "s/ROOTFS_IMAGE_SIZE=.*/ROOTFS_IMAGE_SIZE=<actual-size>/"
And add it to the Artifact using the mender-artifact -s argument. The rest of the ArtifactInstall_Enter script should be reading the checksum from the inactive partition and comparing it to the checksum. Make sure you do not read more than ROOTFS_IMAGE_SIZE bytes; it’s common that the partition is a little bit larger than the filesystem.
If you make the replacing step part of your build process, then it should be relatively automatic.