Skip to content

Verification

Zack Didcott edited this page Apr 7, 2025 · 1 revision

Summary

The integrity of a section is confirmed by the CRC32 checksum in the section header and the hash block (if present).

When setting these values, it must be calculated in the following order: hash, signature (depends on hash), CRC32 (influenced by previous values).

Checksum

The CRC32 checksum is calculated from all of the bytes in a section, starting at CRC_OFFSET, which excludes the checksum value itself from the input.

Hash

The hash values are calculated using the BLAKE2b algorithm with a digest size specified in hash_bytes, from all sections in a partition, excluding the indicies specified by the ranges in the hash excludes. The start, end and size are based on absolute addresses not relative to section or partition headers. Excluded bytes are replaced with null bytes (\x00).

Please see the docstring below from igelfs.models.hash.HashExclude for more information:

The following bytes are normally excluded for each section (inclusive):

  • 0-3 => SectionHeader.crc
  • 16-17 => SectionHeader.generation
  • 22-25 => SectionHeader.next_section

The following bytes are normally excluded for section zero (inclusive, shifted by partition extents):

  • 164-675 => HashHeader.signature
  • 836-836 + (HashHeader.hash_bytes * HashHeader.count_hash) => Section.hash_value

Similarly to the CRC_OFFSET, the hash excludes serve to remove dynamic values from the hash input; only the payload and metadata of the section is verified.

Signature

The hash block also contains a signature of all hash values and excludes, using SHA-256. The public keys to verify these signatures can be found in igelfs.keys.

This confirms the authenticity of the data, and prevents modifying the hash values.

Clone this wiki locally