Skip to content

Update Go dependencies in hook-bootkit; add resilience to kernel download and verify: #281

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 17, 2025
Merged

Update Go dependencies in hook-bootkit; add resilience to kernel download and verify: #281

merged 3 commits into from
Jul 17, 2025

Conversation

@jacobweinstock
Copy link
Member

@jacobweinstock jacobweinstock commented Jul 17, 2025
edited
Loading

Description

The hook-bootkit dependency updates resolve some security issues.

Use backup locations for kernel downloads. It happened that today the latest point releases for the 5.x and 6.x kernels were in the https://www.kernel.org/releases.json but not in corresponding sha256sum.asc file, https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc for example. Interestingly enough, the kernels were in https://cdn.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc. The difference being https://www.kernel.org vs https://cdn.kernel.org. This new script will try against www.kernel.org and fall back to cdn.kernel.org.

Why is this needed

Fixes: #

How Has This Been Tested?

How are existing users impacted? What migration steps/scripts do we need?

Checklist:

I have:

  • updated the documentation and/or roadmap (if required)
  • added unit or e2e tests
  • provided instructions on how to upgrade

@jacobweinstock
[hook-bootkit] Update Go dependencies:
59694e8 
This resolves some security issues.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock
Exit on signals:
6bf10e5 
This makes the binary respect signals and shutdown
properly.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock
Use backup locations for kernel downloads:
77fd5a0 
It happened that today the latest point releases
for the 5.x and 6.x kernels were in the https://www.kernel.org/releases.json
but not in corresponding sha256sum.asc file,
https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc for example.
Interestingly enough, the kernels were in
https://cdn.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc.
The difference being https://www.kernel.org vs https://cdn.kernel.org.
This new script will try against www.kernel.org and fall back
to cdn.kernel.org.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock jacobweinstock changed the title [hook-bootkit] Update Go dependencies: Update Go dependencies in hook-bootkit; add resilience to kernel download and verify: Jul 17, 2025
@jacobweinstock jacobweinstock added linux kernel ready-to-merge Signal to Mergify to merge the PR. labels Jul 17, 2025
@jacobweinstock jacobweinstock merged commit 6dba03f into tinkerbell:main Jul 17, 2025
29 checks passed
@jacobweinstock jacobweinstock deleted the update-hook-bootkit branch July 17, 2025 23:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

images/hook-bootkit linux kernel ready-to-merge Signal to Mergify to merge the PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jacobweinstock