From 236c94eb62df7d2694225996d83c51d45594004f Mon Sep 17 00:00:00 2001 From: Brandon Kim Date: Tue, 20 Jul 2021 15:48:31 -0700 Subject: meta-google: flash: Import dummy-gbmc-update Dummy image uploader for sending debug binaries. Google-Bug-Id: 179618162 Upstream: 22e2c3dd5f610777dee173a09d8e82dc2509a975 Signed-off-by: Brandon Kim Change-Id: I53c0defeefffa007d71d68ceeb2602d83c22f523
---
.../recipes-phosphor/flash/dummy-gbmc-update.bb | 23 ++++++++++++++++++++++ .../flash/dummy-gbmc-update/config-dummy.json | 19 ++++++++++++++++++ .../flash/dummy-gbmc-update/dummy-verify.service | 6 ++++++ 3 files changed, 48 insertions(+) create mode 100644 meta-google/recipes-phosphor/flash/dummy-gbmc-update.bb create mode 100644 meta-google/recipes-phosphor/flash/dummy-gbmc-update/config-dummy.json create mode 100644 meta-google/recipes-phosphor/flash/dummy-gbmc-update/dummy-verify.service (limited to 'meta-google/recipes-phosphor/flash')
diff --git a/meta-google/recipes-phosphor/flash/dummy-gbmc-update.bb b/meta-google/recipes-phosphor/flash/dummy-gbmc-update.bb
new file mode 100644
index 000000000..7eba3b0fc
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/dummy-gbmc-update.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Dummy image uploader for sending debug binaries"
+DESCRIPTION = "Dummy image uploader for sending debug binaries"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+inherit systemd
+
+SRC_URI += "file://config-dummy.json"
+SRC_URI += "file://dummy-verify.service"
+
+FILES_${PN} += "${datadir}/phosphor-ipmi-flash"
+
+SYSTEMD_SERVICE_${PN} += "dummy-verify.service"
+
+do_install() {
+ install -d ${D}${datadir}/phosphor-ipmi-flash
+ install -m 0644 ${WORKDIR}/config-dummy.json ${D}${datadir}/phosphor-ipmi-flash
+
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/dummy-verify.service ${D}${systemd_system_unitdir}
+}
diff --git a/meta-google/recipes-phosphor/flash/dummy-gbmc-update/config-dummy.json b/meta-google/recipes-phosphor/flash/dummy-gbmc-update/config-dummy.json
new file mode 100644
index 000000000..e68e9105b
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/dummy-gbmc-update/config-dummy.json
@@ -0,0 +1,19 @@
+[{
+ "blob": "/flash/dummy",
+ "handler": {
+ "type": "file",
+ "path": "/run/initramfs/bmc-image"
+ },
+ "actions": {
+ "preparation": {
+ "type": "skip"
+ },
+ "verification": {
+ "type": "systemd",
+ "unit": "dummy-verify.service"
+ },
+ "update": {
+ "type": "skip"
+ }
+ }
+}]
diff --git a/meta-google/recipes-phosphor/flash/dummy-gbmc-update/dummy-verify.service b/meta-google/recipes-phosphor/flash/dummy-gbmc-update/dummy-verify.service
new file mode 100644
index 000000000..ec320d551
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/dummy-gbmc-update/dummy-verify.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Dummy flash file verification
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mv /run/initramfs/bmc-image /run/initramfs/dummy
-- cgit v1.2.3
From 4e2735e0dc487c0cb3c3e38e10df7b728ff85cef Mon Sep 17 00:00:00 2001 From: Brandon Kim Date: Tue, 20 Jul 2021 15:41:04 -0700 Subject: meta-google: flash: Import google-key from gBMC Google key installation script and bitbake recipe. Google-Bug-Id: 179618162 Upstream: 22e2c3dd5f610777dee173a09d8e82dc2509a975
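Review bot: In dummy-verify.service the unit wired in as the `verification` action checks nothing: `ExecStart` only renames `/run/initramfs/bmc-image` to `/run/initramfs/dummy`, so whatever was written to the `/flash/dummy` blob is reported as verified. The unit text should say so, for example `Description=Dummy flash upload (no signature verification)`, so that unit status is not read as a real check. config-dummy.json also stages to the same `/run/initramfs/bmc-image` path that the signed `/flash/image` flow in inplace-gbmc-update uses, so a dummy upload and a signed image upload overwrite each other; a separate handler path for the dummy blob would keep the two flows apart. Nothing in dummy-gbmc-update.bb limits the package to development images, so whether it can reach a production image depends on image recipes not shown on this page.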
Signed-off-by: Brandon Kim Change-Id: I21c88b6c2810c4ab3f6089f79143e59b6ce935db
---
meta-google/recipes-phosphor/flash/google-key.bb | 26 +++++++++ .../flash/google-key/platforms_gbmc_bringup.gpg | Bin 0 -> 552 bytes .../flash/google-key/platforms_gbmc_secure.gpg | Bin 0 -> 551 bytes .../flash/google-key/verify-bmc-image.sh | 63 +++++++++++++++++++++ 4 files changed, 89 insertions(+) create mode 100644 meta-google/recipes-phosphor/flash/google-key.bb create mode 100644 meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg create mode 100644 meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg create mode 100755 meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh (limited to 'meta-google/recipes-phosphor/flash')
diff --git a/meta-google/recipes-phosphor/flash/google-key.bb b/meta-google/recipes-phosphor/flash/google-key.bb
new file mode 100644
index 000000000..220211526
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key.bb
@@ -0,0 +1,26 @@
+SUMMARY = "Google Key installation Script"
+DESCRIPTION = "Google Key installation Script"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+RDEPENDS_${PN} += "bash"
+RDEPENDS_${PN} += "gnupg"
+
+SRC_URI += " \
+ file://platforms_gbmc_bringup.gpg \
+ file://platforms_gbmc_secure.gpg \
+ file://verify-bmc-image.sh \
+"
+
+do_install() {
+ # Install keys into image.
+ install -d -m 0755 ${D}${datadir}/google-key
+ install -m 0644 ${WORKDIR}/platforms_gbmc_secure.gpg ${D}${datadir}/google-key/prod.key
+ install -m 0644 ${WORKDIR}/platforms_gbmc_bringup.gpg ${D}${datadir}/google-key/dev.key
+
+ # Install the verification helper
+ install -d -m 0755 ${D}${bindir}
+ install -m 0755 ${WORKDIR}/verify-bmc-image.sh ${D}${bindir}
+}
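Review bot: `do_install` in google-key.bb copies `platforms_gbmc_bringup.gpg` to `${datadir}/google-key/dev.key` in every build, so production images carry the bring-up key and the only thing keeping it out of verification is whether the caller passes `--allow-dev` to verify-bmc-image.sh. Installing it only under the `dev` override that inplace-gbmc-update.bb already relies on would remove that dependency: take the `dev.key` line out of `do_install` and add `do_install_append_dev() { install -m 0644 ${WORKDIR}/platforms_gbmc_bringup.gpg ${D}${datadir}/google-key/dev.key }`. How the `dev` override gets set is not visible on this page, so confirm it is never active for release builds.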
diff --git a/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg
new file mode 100644
index 000000000..f347e224b
Binary files /dev/null and b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg differ
diff --git a/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg
new file mode 100644
index 000000000..9281f7790
Binary files /dev/null and b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg differ
diff --git a/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
new file mode 100755
index 000000000..cac229a94
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+help_out() {
+ echo "$ARG0 [--allow-dev] " >&2
+ exit 2
+}
+
+opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
+dev=
+eval set -- "$opts"
+while true; do
+ case "$1" in
+ --allow-dev|-d)
+ dev=1
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Bad option: $1" >&2
+ help_out
+ ;;
+ esac
+done
+image_file="${1?Missing image file}" || help_out
+sig_file="${2?Missing sig file}" || help_out
+
+# gnupg needs a home directory even though we don't want to persist any
+# information. We always make a new temporary directory for this
+GNUPGHOME=
+cleanup() {
+ test -n "$GNUPGHOME" && rm -rf "$GNUPGHOME"
+}
+trap cleanup ERR EXIT INT
+export GNUPGHOME="$(mktemp -d)" || exit
+
+gpg() {
+ command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
+}
+import_key() {
+ gpg --import "/usr/share/google-key/$1.key"
+}
+
+import_key prod
+if [ -n "$dev" ]; then
+ import_key dev
+fi
+gpg --verify --ignore-time-conflict "$sig_file" "$image_file"
-- cgit v1.2.3
From 0547cc4c492e6a4c42b710b98dc6ab414bf46c5d Mon Sep 17 00:00:00 2001 From: Brandon Kim Date: Tue, 20 Jul 2021 15:59:47 -0700 Subject: meta-google: flash: Import inplace-gbmc-update Google BMC inplace update script and bitbake recipe. Google-Bug-Id: 179618162 Upstream: 22e2c3dd5f610777dee173a09d8e82dc2509a975
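Review bot: In verify-bmc-image.sh, `export GNUPGHOME="$(mktemp -d)" || exit` cannot catch a failed mktemp, because the status tested is that of `export`, which succeeds; the script then continues with an empty GNUPGHOME and gpg falls back to its default home directory, so the imports and the `--verify` run against a persistent keyring rather than a fresh one. Assign first and export afterwards: `GNUPGHOME="$(mktemp -d)" || exit` followed by `export GNUPGHOME`. Two smaller points in the same hunk: `help_out` prints `$ARG0`, which is never assigned, and the `|| help_out` after `${1?Missing image file}` is unreachable because a failed `?` expansion makes a non-interactive shell exit on its own. The result of `import_key` is not checked either; a failed import of prod.key still fails closed at `gpg --verify`, but an explicit `|| exit` would make that intent visible.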
Signed-off-by: Brandon Kim Change-Id: Ia1beded107382dacb9f2f7e3cb9bbd86ae99d8c1
---
.../recipes-phosphor/flash/inplace-gbmc-update.bb | 44 +++++++++++++++++ .../flash/inplace-gbmc-update/config-bmc.json | 33 +++++++++++++ .../inplace-gbmc-verify.service | 6 +++ .../inplace-gbmc-update/inplace-gbmc-verify.sh | 57 ++++++++++++++++++++++ .../inplace-gbmc-version.service | 9 ++++ .../inplace-gbmc-update/inplace-gbmc-version.sh | 16 ++++++ 6 files changed, 165 insertions(+) create mode 100644 meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb create mode 100644 meta-google/recipes-phosphor/flash/inplace-gbmc-update/config-bmc.json create mode 100644 meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.service create mode 100644 meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.sh create mode 100644 meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.service create mode 100644 meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.sh (limited to 'meta-google/recipes-phosphor/flash')
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb b/meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb
new file mode 100644
index 000000000..c71a579e1
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb
@@ -0,0 +1,44 @@
+SUMMARY = "Google BMC Inplace Update Script"
+DESCRIPTION = "Google BMC Inplace Update Script"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+inherit obmc-phosphor-systemd
+
+PROVIDES += "virtual/bmc-update"
+RPROVIDES_${PN} += "virtual/bmc-update"
+
+RDEPENDS_${PN} += "google-key"
+RDEPENDS_${PN} += "bash"
+
+SRC_URI += " \
+ file://config-bmc.json \
+ file://inplace-gbmc-verify.service \
+ file://inplace-gbmc-verify.sh \
+ file://inplace-gbmc-version.service \
+ file://inplace-gbmc-version.sh \
+"
+
+SYSTEMD_SERVICE_${PN} += "inplace-gbmc-verify.service"
+SYSTEMD_SERVICE_${PN} += "inplace-gbmc-version.service"
+
+FILES_${PN} += "${datadir}/phosphor-ipmi-flash"
+
+do_install() {
+ sed -i 's,@ALLOW_DEV@,,' ${WORKDIR}/inplace-gbmc-verify.sh
+
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/*.sh ${D}${bindir}
+
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/*.service ${D}${systemd_system_unitdir}
+
+ install -d ${D}${datadir}/phosphor-ipmi-flash
+ install -m 0644 ${WORKDIR}/config-bmc.json ${D}${datadir}/phosphor-ipmi-flash
+}
+
+do_install_prepend_dev() {
+ sed -i 's,@ALLOW_DEV@,--allow-dev,' ${WORKDIR}/inplace-gbmc-verify.sh
+}
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/config-bmc.json b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/config-bmc.json
new file mode 100644
index 000000000..8bd11f2e1
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/config-bmc.json
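Review bot: Both `sed -i` calls in inplace-gbmc-update.bb rewrite `${WORKDIR}/inplace-gbmc-verify.sh` in place, so what `do_install` ships depends on what an earlier run left behind: once `do_install_prepend_dev` has replaced `@ALLOW_DEV@` with `--allow-dev`, a later `do_install` without the `dev` override finds no placeholder and would install the dev-enabled script unless the source is unpacked again. Substituting in the installed copy from a variable avoids that: `ALLOW_DEV = ""`, `ALLOW_DEV_dev = "--allow-dev"`, and after the script is installed `sed -i 's,@ALLOW_DEV@,${ALLOW_DEV},' ${D}${bindir}/inplace-gbmc-verify.sh`. Whether the override can change for an existing work directory depends on build configuration not shown here. The `${WORKDIR}/*.sh` and `${WORKDIR}/*.service` globs also install any matching file that happens to be in the work directory; naming the files from SRC_URI would keep the package contents explicit.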
@@ -0,0 +1,33 @@
+[{
+ "blob": "/flash/image",
+ "version": {
+ "handler": {
+ "type": "file",
+ "path": "/run/inplace-gbmc-version"
+ },
+ "actions":{
+ "open": {
+ "type": "systemd",
+ "unit": "inplace-gbmc-version.service"
+ }
+ }
+ },
+ "handler": {
+ "type": "file",
+ "path": "/run/initramfs/bmc-image"
+ },
+ "actions": {
+ "preparation": {
+ "type": "skip"
+ },
+ "verification": {
+ "type": "systemd",
+ "unit": "inplace-gbmc-verify.service"
+ },
+ "update": {
+ "type": "systemd",
+ "unit": "reboot.target",
+ "mode": "replace-irreversibly"
+ }
+ }
+}]
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.service b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.service
new file mode 100644
index 000000000..4552780af
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Verify the Flash Image File
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/inplace-gbmc-verify.sh
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.sh b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.sh
new file mode 100644
index 000000000..d5307d3d1
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-verify.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# This script will check the signature for the BMC image against
+# the baked in keyring available. If any aspect of this fails,
+# the scripts returns non-zero and this can be reported to the
+# host.
+#
+# 1. Verify the image
+# 2. Rename the image
+
+KEYRING=/etc/googlekeys/gbmc/gbmc.gpg
+SIGNATURE_FILE=/tmp/bmc.sig
+STATUS_FILE=/tmp/bmc.verify
+
+# Store in /run/initramfs because the behaviour of mv changes
+# depending on whether the file is moving within a tree or not.
+IMAGE_FILE=/run/initramfs/bmc-image
+VERIFIED_FILE=/run/initramfs/image-bmc
+
+# Make sure we run ERR traps when a function returns an error
+set -e
+
+# Write out the result of the script to a status file upon exiting
+# normally or due to an error
+exit_handler() {
+ local status="$?"
+ if (( status == 0 )); then
+ echo "success" >"${STATUS_FILE}"
+ else
+ echo "failed" >"${STATUS_FILE}"
+ fi
+ trap - EXIT ERR
+ exit "$status"
+}
+trap exit_handler EXIT ERR
+
+echo "running" > ${STATUS_FILE}
+
+# Verify the image.
+verify-bmc-image.sh @ALLOW_DEV@ "$IMAGE_FILE" "$SIGNATURE_FILE" || exit
+
+# Rename the staged file for initramfs updates.
+mv ${IMAGE_FILE} ${VERIFIED_FILE}#!/bin/bash
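Review bot: In inplace-gbmc-verify.sh, `KEYRING=/etc/googlekeys/gbmc/gbmc.gpg` is assigned but never used; verification is delegated to `verify-bmc-image.sh`, which imports its keys from `/usr/share/google-key`, so the variable points a reader at a keyring that plays no part and should be removed. `STATUS_FILE` and `SIGNATURE_FILE` are fixed names under `/tmp`, and the status redirects write through whatever already exists at that path; if the flash tooling dictates these locations (not visible here), say so in a comment, otherwise prefer a directory under `/run`. The comment above `set -e` describes `set -E` (ERR trap inheritance in functions), while `-e` is exit-on-error, so either the comment or the option should change. The expansions in `echo "running" > ${STATUS_FILE}` and `mv ${IMAGE_FILE} ${VERIFIED_FILE}` should be quoted like the others in the script.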
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.service b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.service
new file mode 100644
index 000000000..3f6b67179
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Version string for inplace BMC
+
+[Service]
+Type=oneshot
+StandardOutput=file:/run/inplace-gbmc-version
+StandardError=journal
+ExecStartPre=/bin/rm -f /run/inplace-gbmc-version
+ExecStart=/usr/bin/inplace-gbmc-version.sh
diff --git a/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.sh b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.sh
new file mode 100644
index 000000000..0c5c4e787
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/inplace-gbmc-update/inplace-gbmc-version.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+grep '^VERSION_ID=' /etc/os-release | sed 's,.*-\([^-]*\),\1,g' | tr -d '\n'#!/bin/bash
-- cgit v1.2.3
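Review bot: In inplace-gbmc-version.sh the `sed` expression only matches when the line contains a `-`, so a `VERSION_ID` without a dash is written out whole, `VERSION_ID=` prefix included, and a quoted value keeps its closing quote. Strip the key and any surrounding quotes before taking the text after the last dash, and add a one-line comment giving an example input and the expected output. The pipeline's exit status is that of `tr`, so a missing or unmatched `/etc/os-release` entry produces an empty version file and a successful unit; `set -o pipefail` at the top would surface that to the caller.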