hardware-observer docs - Cryptography

Cryptography

Resource checksums

This charm can make use of for some additional vendor-specific binary tooling to enhance its functionality. Since those tools are available after agreeing to an EULA, they are not redistributed directly by the charm and must be sideloaded via juju resources.

In order to protect users from mistakenly deploying malicious variants of the expected tools, all resources are validated against a hardcoded list of known-good SHA256 checksums.

The checksums are maintained in file checksum.py

Sources verification

Whenever HPE hardware is detected, this charm deploys the ssacli binary. SSACLI is retrieved from the mcp repository, which is owned by HPE and is located at http://downloads.linux.hpe.com/SDR/repo/mcp.

Validation of this additional source follows the standard protocol used for all apt sources, using keys stored in file keys.py. These GPG keys were imported from https://downloads.linux.hpe.com/SDR/keys.html and are now held as static files in the hardware-exporter repository.

Use of TLS

This charm leverages TLS in one area:

  • the presence of Redfish support (used to determine whether to enable the relative collector) is detected by querying the Redfish API of the local BMC over https.

Both connections are performed via the requests library.

Passwords

This charm handles credentials for the Redfish collector included in hardware-exporter. The credentials are specified in the charm config and are rendered in an on-disk, plain-text configuration file only readable by the root user.