author | Andrey V.Kosteltsev <AKosteltsev@IBS.RU> | 2022-08-07 00:08:22 +0300 |
---|---|---|
committer | Andrey V.Kosteltsev <AKosteltsev@IBS.RU> | 2022-08-07 00:14:02 +0300 |
commit | 725866d0198ca0885f4ad03e0e1e4170bdd1079d (patch) | |
tree | 47f0c3883efa23b98e914d62a465cfd5ab611211 | |
parent | eb2bbf48eeeda99282c211a38016327ee31283d7 (diff) | |
download | openbmc-725866d0198ca0885f4ad03e0e1e4170bdd1079d.tar.xz |
Do not sort signature files for image-full.sig
-rw-r--r-- | meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch | 26 | ||||
-rw-r--r-- | meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch (renamed from meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch) | 0 | ||||
-rw-r--r-- | meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball | 71 | ||||
-rw-r--r-- | meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend | 4 |
4 files changed, 38 insertions, 63 deletions
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch deleted file mode 100644 index 257a604d74..0000000000 --- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch +++ /dev/null @@ -1,26 +0,0 @@ -From d7aeac195462d075e3d598010394e19945284ec8 Mon Sep 17 00:00:00 2001 -From: "Andrey V.Kosteltsev" <AKosteltsev@IBS.RU> -Date: Fri, 5 Aug 2022 02:56:05 +0300 -Subject: [PATCH] IBS: Sort images list to verify full image correctly - ---- - image_verify.cpp | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/image_verify.cpp b/image_verify.cpp -index 098ad9d..e8ca62d 100644 ---- a/image_verify.cpp -+++ b/image_verify.cpp -@@ -102,6 +102,9 @@ bool Signature::verifyFullImage() - fs::path(imageDirPath) / "MANIFEST.sig", - fs::path(imageDirPath) / "publickey.sig"}; - -+ // Sort items like make_signatures() in image_types_phosphor.bbclass -+ sort(fullImages.begin(), fullImages.end()); -+ - // Merge files - std::string tmpFullFile = "/tmp/image-full"; - utils::mergeFiles(fullImages, tmpFullFile); --- -2.35.1 - diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch index 4cd9c434d5..4cd9c434d5 100644 --- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch +++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch 
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball index 46a62effe7..aeb0cb20cd 100644 --- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball +++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball @@ -48,18 +48,34 @@ cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE 6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m F0nIdUAhR0yTfKM= -----END PRIVATE KEY----- - ' do_sign=true PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-} -private_key_path="${PRIVATE_KEY_PATH}" +SIGNING_KEY="${PRIVATE_KEY_PATH}" outfile="" machine="" version="" extended_version="" image_name="image-hostfw" +make_signatures() { + signature_files="" + for file in "$@"; do + openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file + signature_files="${signature_files} ${file}.sig" + done + + if [ -n "$signature_files" ]; then + # DO NOT SORT: sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '` + sort_signature_files="$signature_files" + cat $sort_signature_files > image-full + openssl dgst -sha256 -sign ${SIGNING_KEY} -out image-full.sig image-full + signature_files="${signature_files} image-full.sig" + fi +} + + while [[ $# -gt 0 ]]; do key="$1" case $key in @@ -70,7 +86,7 @@ while [[ $# -gt 0 ]]; do -s|--sign) do_sign=true if [[ -n "${2}" && "${2}" != -* ]]; then - private_key_path="$2" + SIGNING_KEY="$2" shift 2 else shift 1 
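Review bot: The new `make_signatures` drops the quoting the removed loop had — `-sign ${SIGNING_KEY}` and the trailing `$file` are unquoted, so a key path or file name containing whitespace is word-split, and a failing `openssl dgst -sign` is never checked, so a tarball with a missing or empty `.sig` can still be produced unless the script enables `set -e` above this hunk (not visible here). I would write `openssl dgst -sha256 -sign "${SIGNING_KEY}" -out "${file}.sig" "${file}" || { echo "Signing ${file} failed" >&2; exit 1; }` and guard the `image-full.sig` line the same way. The `# DO NOT SORT` comment should also say why, e.g. `# image-full must be the .sig files concatenated in exactly the order the caller passes; the BMC's verifyFullImage() rebuilds it from a fixed list, so any reordering makes image-full.sig fail to verify` — and with sorting gone, `sort_signature_files` is a misleading name; `signature_files` can be used directly. `signature_files` is also deliberately left non-`local` because the later `tar` line reads it; a one-line comment stating that would keep someone from "fixing" it.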
@@ -134,64 +150,49 @@ scratch_dir=$(mktemp -d) trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT if [[ "${do_sign}" == true ]]; then - if [[ -z "${private_key_path}" ]]; then - private_key_path=${scratch_dir}/OpenBMC.priv - echo "${private_key}" > "${private_key_path}" + if [[ -z "${SIGNING_KEY}" ]]; then + SIGNING_KEY=${scratch_dir}/OpenBMC.priv + echo "${private_key}" > "${SIGNING_KEY}" echo "Image is NOT secure!! Signing with the open private key!" else - if [[ ! -f "${private_key_path}" ]]; then - echo "Couldn't find private key ${private_key_path}." + if [[ ! -f "${SIGNING_KEY}" ]]; then + echo "Couldn't find private key ${SIGNING_KEY}." exit 1 fi - echo "Signing with ${private_key_path}." + echo "Signing with ${SIGNING_KEY}." fi public_key_file=publickey public_key_path=${scratch_dir}/$public_key_file - openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}" + openssl pkey -in "${SIGNING_KEY}" -pubout -out "${public_key_path}" fi manifest_location="MANIFEST" -files_to_sign="$manifest_location $public_key_file" # Go to scratch_dir cp "${file}" "${scratch_dir}/${image_name}" cd "${scratch_dir}" -files_to_sign+=" ${image_name}" echo "Creating MANIFEST for the image" echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\ -version=$version" > $manifest_location +version=${version}" > ${manifest_location} -echo "ExtendedVersion=${extended_version}" >> $manifest_location -echo "CompatibleName=${image_name}" >> $manifest_location +echo "ExtendedVersion=${extended_version}" >> ${manifest_location} +echo "CompatibleName=${image_name}" >> ${manifest_location} if [[ -n "${machine}" ]]; then - echo -e "MachineName=${machine}" >> $manifest_location + echo -e "MachineName=${machine}" >> ${manifest_location} fi if [[ "${do_sign}" == true ]]; then - signature_files= - private_key_name=$(basename "${private_key_path}") + private_key_name=$(basename "${SIGNING_KEY}") key_type="${private_key_name%.*}" - echo KeyType="${key_type}" >> 
$manifest_location - echo HashType="RSA-SHA256" >> $manifest_location - - for file in $files_to_sign; do - openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file" - signature_files="${signature_files} ${file}.sig" - done - - if [ -n "$signature_files" ]; then - sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '` - cat $sort_signature_files > image-full - openssl dgst -sha256 -sign ${private_key_path} -out image-full.sig image-full - signature_files="${signature_files} image-full.sig" - fi + echo KeyType="${key_type}" >> ${manifest_location} + echo HashType="RSA-SHA256" >> ${manifest_location} - additional_files="${signature_files}" + make_signatures ${image_name} ${manifest_location} ${public_key_file} fi -tar -czvf $outfile $files_to_sign $additional_files -echo "Bios image tarball is at $outfile" +tar -czvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files} +echo "Bios image tarball is at ${outfile}" diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend index ae6d2a0140..aedba88044 100644 --- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend +++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend @@ -4,11 +4,11 @@ PACKAGECONFIG:append = " verify_signature flash_bios" SRC_URI:append = " \ file://gen-bios-tarball \ - file://0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch \ - file://0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch \ + file://0001-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch \ " EXTRA_OEMESON += "\ + -Dverify-full-signature=enabled \ -Doptional-images=image-hostfw \ " |
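Review bot: The argument order of `make_signatures ${image_name} ${manifest_location} ${public_key_file}` is now the only thing that keeps `image-full.sig` verifiable, since this commit removes the sort on both the script side and (via the dropped patch) the BMC side, yet nothing at the call site says so. I would add above the call: `# Order matters: image-full is these .sig files concatenated in this order and must match the list verifyFullImage() uses on the BMC; do not sort.` In `tar -czvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files}` the user-supplied `${outfile}` should be `"${outfile}"`, while the trailing list variables stay unquoted on purpose so they word-split and vanish when signing is off — worth a comment, because `public_key_file` is only assigned inside the `do_sign` branch. The fallback `echo "${private_key}" > "${SIGNING_KEY}"` still writes the published demo key to disk and signs with it; the warning is good, but since `do_sign=true` is the default, a caller who forgets `PRIVATE_KEY_PATH` silently gets an image the BMC will accept only with the demo public key — presumably intended for development, so the message could say so explicitly.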
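Review bot: Enabling `-Dverify-full-signature=enabled` makes the BMC check `image-full.sig` over the per-file `.sig` files concatenated in the fixed order of `verifyFullImage()`, so the order in which `gen-bios-tarball` concatenates them becomes a hard contract with phosphor-software-manager, and this bbappend is the only place that ties the two together. A comment above the option would stop the next maintainer from re-adding the sort this commit removes: `# verify-full-signature needs gen-bios-tarball to concatenate .sig files in the order image_verify.cpp expects (image, MANIFEST, publickey); do not sort them.` Whether the BMC's list actually has `image-hostfw.sig` first cannot be confirmed from this page — the deleted patch only shows `MANIFEST.sig` and `publickey.sig` as the last two entries — so that should be checked against the phosphor-software-manager version pinned by this layer.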