authorJason M. Bills <jason.m.bills@linux.intel.com>2021-08-26 22:04:05 +0300
committerJason M. Bills <jason.m.bills@linux.intel.com>2021-08-26 22:04:05 +0300
commitae908254d22318b9e27acf6e5e28d1a4ab5e2195 (patch)
tree0d057ad30ca7f77c7c299762d60929e34ff51ab5 /meta-google/recipes-phosphor/flash
parent67327ddc580cb9a85219a534844832a1682780d4 (diff)
parent66d661a7f7784d58c8a437f1cdeb0c0ab03f0364 (diff)
Merge tag '0.70' of ssh://git-amr-1.devtools.intel.com:29418/openbmc-openbmc into update
Diffstat (limited to 'meta-google/recipes-phosphor/flash')
-rw-r--r--meta-google/recipes-phosphor/flash/dummy-gbmc-update.bb23
-rw-r--r--meta-google/recipes-phosphor/flash/dummy-gbmc-update/config-dummy.json19
-rw-r--r--meta-google/recipes-phosphor/flash/dummy-gbmc-update/dummy-verify.service6
-rw-r--r--meta-google/recipes-phosphor/flash/google-key.bb26
-rw-r--r--meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpgbin0 -> 552 bytes
-rw-r--r--meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpgbin0 -> 551 bytes
-rwxr-xr-xmeta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh63
-rw-r--r--meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb44
-rw-r--r--meta-google/recipes-phosphor/flash/inplace-gbmc-update/config-bmc.json33
-rw-r--r--meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.service6
-rw-r--r--meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.sh57
-rw-r--r--meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.service9
-rw-r--r--meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.sh16
13 files changed, 302 insertions, 0 deletions
diff --git a/meta-google/recipes-phosphor/flash/dummy-gbmc-update.bb b/meta-google/recipes-phosphor/flash/dummy-gbmc-update.bb
new file mode 100644
index 000000000..7eba3b0fc
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/dummy-gbmc-update.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Dummy image uploader for sending debug binaries"
+DESCRIPTION = "Dummy image uploader for sending debug binaries"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+inherit systemd
+
+SRC_URI += "file://config-dummy.json"
+SRC_URI += "file://dummy-verify.service"
+
+FILES_${PN} += "${datadir}/phosphor-ipmi-flash"
+
+SYSTEMD_SERVICE_${PN} += "dummy-verify.service"
+
+do_install() {
+ install -d ${D}${datadir}/phosphor-ipmi-flash
+ install -m 0644 ${WORKDIR}/config-dummy.json ${D}${datadir}/phosphor-ipmi-flash
+
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/dummy-verify.service ${D}${systemd_system_unitdir}
+}
diff --git a/meta-google/recipes-phosphor/flash/dummy-gbmc-update/config-dummy.json b/meta-google/recipes-phosphor/flash/dummy-gbmc-update/config-dummy.json
new file mode 100644
index 000000000..e68e9105b
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/dummy-gbmc-update/config-dummy.json
@@ -0,0 +1,19 @@
+[{
+ "blob": "/flash/dummy",
+ "handler": {
+ "type": "file",
+ "path": "/run/initramfs/bmc-image"
+ },
+ "actions": {
+ "preparation": {
+ "type": "skip"
+ },
+ "verification": {
+ "type": "systemd",
+ "unit": "dummy-verify.service"
+ },
+ "update": {
+ "type": "skip"
+ }
+ }
+}]
diff --git a/meta-google/recipes-phosphor/flash/dummy-gbmc-update/dummy-verify.service b/meta-google/recipes-phosphor/flash/dummy-gbmc-update/dummy-verify.service
new file mode 100644
index 000000000..ec320d551
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/dummy-gbmc-update/dummy-verify.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Dummy flash file verification
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mv /run/initramfs/bmc-image /run/initramfs/dummy
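Review bot: The unit is wired in as the `verification` action for `/flash/dummy`, but `ExecStart` only renames the staged file, so every upload reports a successful verification without any check, and nothing in the unit says this is deliberate. A comment above `ExecStart` such as `# Debug only: performs no signature check; must not ship in production images` would make the intent explicit. The staging path `/run/initramfs/bmc-image` is the same one config-bmc.json uses for `/flash/image`, so if both recipes end up in one image the two blobs would presumably share a staging file; it is worth confirming the recipes are mutually exclusive.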
diff --git a/meta-google/recipes-phosphor/flash/google-key.bb b/meta-google/recipes-phosphor/flash/google-key.bb
new file mode 100644
index 000000000..220211526
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key.bb
@@ -0,0 +1,26 @@
+SUMMARY = "Google Key installation Script"
+DESCRIPTION = "Google Key installation Script"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+RDEPENDS_${PN} += "bash"
+RDEPENDS_${PN} += "gnupg"
+
+SRC_URI += " \
+ file://platforms_gbmc_bringup.gpg \
+ file://platforms_gbmc_secure.gpg \
+ file://verify-bmc-image.sh \
+"
+
+do_install() {
+ # Install keys into image.
+ install -d -m 0755 ${D}${datadir}/google-key
+ install -m 0644 ${WORKDIR}/platforms_gbmc_secure.gpg ${D}${datadir}/google-key/prod.key
+ install -m 0644 ${WORKDIR}/platforms_gbmc_bringup.gpg ${D}${datadir}/google-key/dev.key
+
+ # Install the verification helper
+ install -d -m 0755 ${D}${bindir}
+ install -m 0755 ${WORKDIR}/verify-bmc-image.sh ${D}${bindir}
+}
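Review bot: `do_install` copies `platforms_gbmc_bringup.gpg` to `dev.key` in every build, so production images carry the bring-up key and the only thing keeping it out of the trust set is the absence of `--allow-dev` on the verify-bmc-image.sh command line. inplace-gbmc-update.bb already relies on a `dev` override, so the same override could restrict the key to development images by moving that one line into `do_install_append_dev()`, i.e. `install -m 0644 ${WORKDIR}/platforms_gbmc_bringup.gpg ${D}${datadir}/google-key/dev.key`. With the file absent, a stray `--allow-dev` on a production image would fail at the import step rather than widen the set of accepted signers. Whether the `dev` override is defined for every machine that pulls in this recipe is not visible here.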
diff --git a/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg
new file mode 100644
index 000000000..f347e224b
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg
Binary files differ
diff --git a/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg
new file mode 100644
index 000000000..9281f7790
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg
Binary files differ
diff --git a/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
new file mode 100755
index 000000000..cac229a94
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+help_out() {
+ echo "$ARG0 [--allow-dev] <image file> <sig file>" >&2
+ exit 2
+}
+
+opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
+dev=
+eval set -- "$opts"
+while true; do
+ case "$1" in
+ --allow-dev|-d)
+ dev=1
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Bad option: $1" >&2
+ help_out
+ ;;
+ esac
+done
+image_file="${1?Missing image file}" || help_out
+sig_file="${2?Missing sig file}" || help_out
+
+# gnupg needs a home directory even though we don't want to persist any
+# information. We always make a new temporary directory for this
+GNUPGHOME=
+cleanup() {
+ test -n "$GNUPGHOME" && rm -rf "$GNUPGHOME"
+}
+trap cleanup ERR EXIT INT
+export GNUPGHOME="$(mktemp -d)" || exit
+
+gpg() {
+ command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
+}
+import_key() {
+ gpg --import "/usr/share/google-key/$1.key"
+}
+
+import_key prod
+if [ -n "$dev" ]; then
+ import_key dev
+fi
+gpg --verify --ignore-time-conflict "$sig_file" "$image_file"
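Review bot: In `export GNUPGHOME="$(mktemp -d)" || exit` the `|| exit` tests the status of `export`, not of `mktemp`, so a failed `mktemp` leaves `GNUPGHOME` exported as an empty string and the script carries on; gpg would then be expected to fall back to its default home directory and whatever keyring already lives there, which means the signature is no longer checked against only the keys imported here. Splitting it into `GNUPGHOME="$(mktemp -d)" || exit` followed by `export GNUPGHOME` keeps the failure fatal. The `|| help_out` after `${1?Missing image file}` and `${2?Missing sig file}` is similarly unreachable, because a failed `${n?…}` expansion makes a non-interactive shell exit on its own, and `ARG0` is not assigned anywhere in the visible script, so the usage line would print an empty program name (`${0##*/}` would do). The result of `import_key` is also ignored; a failed import of the prod key still fails closed at `--verify`, but an explicit `import_key prod || exit` would make the cause obvious in the journal.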
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb b/meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb
new file mode 100644
index 000000000..c71a579e1
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb
@@ -0,0 +1,44 @@
+SUMMARY = "Google BMC Inplace Update Script"
+DESCRIPTION = "Google BMC Inplace Update Script"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+inherit obmc-phosphor-systemd
+
+PROVIDES += "virtual/bmc-update"
+RPROVIDES_${PN} += "virtual/bmc-update"
+
+RDEPENDS_${PN} += "google-key"
+RDEPENDS_${PN} += "bash"
+
+SRC_URI += " \
+ file://config-bmc.json \
+ file://inplace-gbmc-verify.service \
+ file://inplace-gbmc-verify.sh \
+ file://inplace-gbmc-version.service \
+ file://inplace-gbmc-version.sh \
+"
+
+SYSTEMD_SERVICE_${PN} += "inplace-gbmc-verify.service"
+SYSTEMD_SERVICE_${PN} += "inplace-gbmc-version.service"
+
+FILES_${PN} += "${datadir}/phosphor-ipmi-flash"
+
+do_install() {
+ sed -i 's,@ALLOW_DEV@,,' ${WORKDIR}/inplace-gbmc-verify.sh
+
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/*.sh ${D}${bindir}
+
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/*.service ${D}${systemd_system_unitdir}
+
+ install -d ${D}${datadir}/phosphor-ipmi-flash
+ install -m 0644 ${WORKDIR}/config-bmc.json ${D}${datadir}/phosphor-ipmi-flash
+}
+
+do_install_prepend_dev() {
+ sed -i 's,@ALLOW_DEV@,--allow-dev,' ${WORKDIR}/inplace-gbmc-verify.sh
+}
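Review bot: Both `sed -i` calls rewrite `${WORKDIR}/inplace-gbmc-verify.sh` in place, so the result depends on what an earlier run left there: once a `dev` build has turned `@ALLOW_DEV@` into `--allow-dev`, a later non-dev `do_install` that reuses the same unpacked WORKDIR finds no placeholder and would install the script with `--allow-dev` still in it (whether WORKDIR is reused depends on `do_unpack` re-running, which is not visible here). Substituting on the installed copy avoids that: set `ALLOW_DEV ?= ""` and `ALLOW_DEV_dev = "--allow-dev"`, drop `do_install_prepend_dev`, and after the install lines run `sed -i 's,@ALLOW_DEV@,${ALLOW_DEV},' ${D}${bindir}/inplace-gbmc-verify.sh`. The `${WORKDIR}/*.sh` and `${WORKDIR}/*.service` globs also install any other matching file that happens to be in WORKDIR; naming the files listed in `SRC_URI` would be tighter.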
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/config-bmc.json b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/config-bmc.json
new file mode 100644
index 000000000..8bd11f2e1
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/config-bmc.json
@@ -0,0 +1,33 @@
+[{
+ "blob": "/flash/image",
+ "version": {
+ "handler": {
+ "type": "file",
+ "path": "/run/inplace-gbmc-version"
+ },
+ "actions":{
+ "open": {
+ "type": "systemd",
+ "unit": "inplace-gbmc-version.service"
+ }
+ }
+ },
+ "handler": {
+ "type": "file",
+ "path": "/run/initramfs/bmc-image"
+ },
+ "actions": {
+ "preparation": {
+ "type": "skip"
+ },
+ "verification": {
+ "type": "systemd",
+ "unit": "inplace-gbmc-verify.service"
+ },
+ "update": {
+ "type": "systemd",
+ "unit": "reboot.target",
+ "mode": "replace-irreversibly"
+ }
+ }
+}]
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.service b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.service
new file mode 100644
index 000000000..4552780af
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Verify the Flash Image File
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/inplace-gbmc-verify.sh
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.sh b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.sh
new file mode 100644
index 000000000..d5307d3d1
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# This script will check the signature for the BMC image against
+# the baked in keyring available. If any aspect of this fails,
+# the scripts returns non-zero and this can be reported to the
+# host.
+#
+# 1. Verify the image
+# 2. Rename the image
+
+KEYRING=/etc/googlekeys/gbmc/gbmc.gpg
+SIGNATURE_FILE=/tmp/bmc.sig
+STATUS_FILE=/tmp/bmc.verify
+
+# Store in /run/initramfs because the behaviour of mv changes
+# depending on whether the file is moving within a tree or not.
+IMAGE_FILE=/run/initramfs/bmc-image
+VERIFIED_FILE=/run/initramfs/image-bmc
+
+# Make sure we run ERR traps when a function returns an error
+set -e
+
+# Write out the result of the script to a status file upon exiting
+# normally or due to an error
+exit_handler() {
+ local status="$?"
+ if (( status == 0 )); then
+ echo "success" >"${STATUS_FILE}"
+ else
+ echo "failed" >"${STATUS_FILE}"
+ fi
+ trap - EXIT ERR
+ exit "$status"
+}
+trap exit_handler EXIT ERR
+
+echo "running" > ${STATUS_FILE}
+
+# Verify the image.
+verify-bmc-image.sh @ALLOW_DEV@ "$IMAGE_FILE" "$SIGNATURE_FILE" || exit
+
+# Rename the staged file for initramfs updates.
+mv ${IMAGE_FILE} ${VERIFIED_FILE}#!/bin/bash
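Review bot: `SIGNATURE_FILE` and `STATUS_FILE` are fixed names under `/tmp`, and the status is written with a plain `>` redirect that follows a symlink if one already exists at that name; if any non-root account can write to `/tmp` on this platform, keeping both under a root-only directory such as `/run` would remove that exposure (the paths have to match whatever writes the signature and reads the status, which is outside this hunk). `KEYRING` is assigned but never used, and the comment above `set -e` describes ERR-trap inheritance, which is `set -E`; `set -eE` would match the comment. The image is verified and then renamed by path, so the check only holds if nothing can write `/run/initramfs/bmc-image` between the two steps; a short comment stating what guarantees that would help. As shown here the last line ends in `#!/bin/bash` fused onto `${VERIFIED_FILE}`, and the last line of inplace-gbmc-version.sh has the same tail after `'\n'`; if that text is really in the files rather than a rendering artefact, it becomes part of the `mv` destination and of the `tr -d` character set, so the lines should end at `${VERIFIED_FILE}` and `'\n'` respectively.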
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.service b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.service
new file mode 100644
index 000000000..3f6b67179
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Version string for inplace BMC
+
+[Service]
+Type=oneshot
+StandardOutput=file:/run/inplace-gbmc-version
+StandardError=journal
+ExecStartPre=/bin/rm -f /run/inplace-gbmc-version
+ExecStart=/usr/bin/inplace-gbmc-version.sh
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.sh b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.sh
new file mode 100644
index 000000000..0c5c4e787
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+grep '^VERSION_ID=' /etc/os-release | sed 's,.*-\([^-]*\),\1,g' | tr -d '\n'#!/bin/bash