Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates RustCrypto-related dependencies (notably der, rsa, sha2) to address component governance warnings, and adapts OpenVMM/OpenHCL code to the updated APIs.
Changes:
- Bump workspace crypto crates (
der→ 0.8,sha2→ 0.11,rsa→ 0.10.0-rc.17) and refreshCargo.lock. - Update test IGVM agent crypto shims to match new
rand_core/digestAPIs andrsabig-int types. - Adjust OpenHCL boot hashing configuration to avoid
cpuidusage via cfg-based sha2 backend selection.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| vm/devices/get/test_igvm_agent_lib/src/test_crypto.rs | Updates digest/rand-core trait usage for the test-only crypto helpers. |
| vm/devices/get/test_igvm_agent_lib/src/lib.rs | Adapts RSA-OAEP usage and JWK→RSA conversion to updated rsa APIs. |
| vm/devices/get/test_igvm_agent_lib/Cargo.toml | Enables needed rsa features (std, encoding) for this test library. |
| vm/devices/firmware/firmware_uefi/src/service/nvram/spec_services/auth_var_crypto.rs | Updates der API usage for ASN.1 tag number construction. |
| openhcl/openhcl_boot/build.rs | Adds crate-local cfgs to force sha2 “soft” backend for x86_64 boot code. |
| openhcl/openhcl_boot/Cargo.toml | Removes sha2 force-soft feature usage (now handled via cfg). |
| Cargo.toml | Bumps workspace dependency versions for der, rsa, sha2. |
| Cargo.lock | Lockfile updates reflecting new RustCrypto dependency graph. |
The previous attempt emitted `cargo:rustc-cfg=sha2_backend="soft"` from `openhcl_boot`'s build.rs, but those cfgs only apply to the crate that emits them; they do not propagate to the `sha2` dependency and so did not force the soft backend. As a result the default backend with runtime cpuid-based feature detection was still compiled in. Move the cfgs into `openhcl/minimal_rt/x86_64-config.toml` as target rustflags, which are applied to every crate in the build (including sha2), so the software backend is actually selected. Also emit the matching `--check-cfg` declarations to avoid spurious `unexpected_cfgs` warnings.
smalis-msft
added
the
release-ci-required
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This resolves component governance warnings.