From 523cca014976bce4015b55c391d340761b28676b Mon Sep 17 00:00:00 2001 From: cybersnakeh Date: Thu, 4 Jun 2026 20:30:56 +0200 Subject: [PATCH] docs: update driver changelog for 2.0.2 --- README.md | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/README.md b/README.md index fd7045d..46f9b2d 100755 --- a/README.md +++ b/README.md 
@@ -177,6 +177,84 @@ sign-module.sh Secure Boot module signing (MOK) ## Changelog +### 2.0.2 (2026-06-04) + +**Driver update and source-install pipeline:** +- Added a production source-release flow for `snakedrv-updater`: GitHub + tags now publish `snakeengine-driver-X.Y.Z.tar.gz` plus a matching + `.sigstore` bundle, checksum files, and a standalone `sigstore-verify` + binary. +- Switched release signing to cosign's protobuf bundle format + (`--new-bundle-format`) so the bundled `sigstore-verify` can parse and + verify release signatures. +- Hardened `snakedrv-updater` into a fail-closed updater: + network timeouts, bounded Sigstore verification, fatal `modprobe` + failures, loaded-module verification, ABI verification, `/dev/snakedrv` + verification, and clear error messages. +- Fixed update ordering: the kernel module is now built, installed, + loaded, and validated before replacing `libsnakedrv.so` and headers, + preventing mixed `libsnakedrv`/`snakedrv.ko` ABI states. +- DKMS updates now remove stale `snakedrv` versions and `/usr/src` + trees before registering the new version, avoiding stale source trees + breaking later updates. +- Added the source-install templates required by updater/deploy installs: + `packaging/dkms/dkms.conf.in`, `packaging/pkgconfig/snakedrv.pc.in`, + and `packaging/cmake/SnakeDrvConfigVersion.cmake.in`. +- Added a package-free release workflow: no `nfpm`, no `.deb`, no `.rpm`; + releases publish only the signed source tarball and verifier assets. + +**Install and deployment tooling:** +- `deploy.sh install` now installs the updater and verifier under + `/usr/lib/snakeengine/`. +- `deploy.sh status` reports update-tool installation state, loaded + driver version/ABI, DKMS state, device state, and recent kernel logs. +- `deploy.sh load` now treats an already-loaded module as a state to + validate instead of blindly running `insmod` and failing with + `File exists`. 
+- `deploy.sh build/install` no longer requires the local `tests/` or + `tests/payload_imgui/` directories. They are optional developer + assets; production source installs build the driver, userland library, + and verifier without them. +- Fixed the advertised `deploy.sh build-kernel` command so it is accepted + by the command parser and can be used for VM/kernel-only validation. +- `deploy.sh` now builds `tools/sigstore-verify` with + `-buildvcs=false`, making Go builds deterministic in source archives + and temporary worktrees without reliable Git metadata. +- The udev rule is now installed as a minimal root-owned `0644` rule for + `/dev/snakedrv` with group `snakeengine`. + +**Kernel driver ABI and runtime validation:** +- Introduced `SNAKEDRV_ABI_VERSION` and exposed the loaded ABI through + driver info/module parameters so userland can reject unsupported + kernels instead of failing later with mismatched IOCTL layouts. +- Added runtime scanner ABI coverage for backend selection, scan options, + first scan, next scan, result-set info, result retrieval, perf stats, + reset, free, and detach paths. +- Fixed the scanner IOCTL header duplication issue by consolidating + `SNAKEDRV_IOCTL_MAGIC` usage between core and scanner headers. +- Added safer kernel scanner/result-set plumbing and ABI checks for the + process backend. + +**Kernel safety fixes:** +- Fixed the `injector_shadow_alloc` error path so partially created + shadow mappings are unmapped if later allocation steps fail. +- Added validation for breakpoint target addresses before programming + hardware breakpoints, avoiding arbitrary kernel-address breakpoints. +- Kept VMA stealth explicit and bounded; deferred VMA hiding remains + disabled unless the target mapping can be handled safely. + +**Userland library and manual mapping:** +- Hardened ELF symbol and relocation parsing in + `userland/src/snakedrv_injector.cpp` with stricter bounds checks. 
+- Added local selftests for IOCTL ABI validation and manual-map ELF entry + discovery. +- `manualMapLibrary()` now has a concrete test path using a payload that + exports `ManualMapEntry`. +- Added installable pkg-config and CMake metadata for downstream driver + consumers, with ABI checks in the generated CMake config. +- Installed headers now live under `include/snakedrv/`, matching the + installed library and generated metadata. + ### 2.0.1 (2026-04-10) **Cross-distro kernel build fixes (tested on Ubuntu 24.04 / kernel
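Review bot: In the "Driver update and source-install pipeline" bullets of the 2.0.2 entry, the changelog says each release publishes the tarball, a matching `.sigstore` bundle, checksum files and a standalone `sigstore-verify` binary, but it never states which signing identity and OIDC issuer the updater pins, or how the verifier binary itself is trusted when it ships in the same release as the artifact it checks. A Sigstore bundle verified without a pinned certificate identity only shows that someone signed the file, so please add a line naming the expected identity and issuer, and say whether `snakedrv-updater` relies on the verifier already installed under `/usr/lib/snakeengine/` rather than one downloaded next to the tarball. Under "Kernel safety fixes", the breakpoint target-address validation and the `injector_shadow_alloc` unmap fix read as security-relevant; consider marking them as such and stating which earlier versions are affected, so users can judge upgrade urgency. Separately, the file header shows `README.md` at mode `100755`; a documentation file does not need the executable bit, so a follow-up change to `100644` would be cleaner.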