authorAndrey V.Kosteltsev <AKosteltsev@IBS.RU>2022-08-07 00:08:22 +0300
committerAndrey V.Kosteltsev <AKosteltsev@IBS.RU>2022-08-07 00:14:02 +0300
commit725866d0198ca0885f4ad03e0e1e4170bdd1079d (patch)
tree47f0c3883efa23b98e914d62a465cfd5ab611211
parenteb2bbf48eeeda99282c211a38016327ee31283d7 (diff)
downloadopenbmc-725866d0198ca0885f4ad03e0e1e4170bdd1079d.tar.xz
Do not sort signature files for image-full.sig
-rw-r--r--meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch26
-rw-r--r--meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch (renamed from meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch)0
-rw-r--r--meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball71
-rw-r--r--meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend4
4 files changed, 38 insertions, 63 deletions
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch
deleted file mode 100644
index 257a604d74..0000000000
--- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d7aeac195462d075e3d598010394e19945284ec8 Mon Sep 17 00:00:00 2001
-From: "Andrey V.Kosteltsev" <AKosteltsev@IBS.RU>
-Date: Fri, 5 Aug 2022 02:56:05 +0300
-Subject: [PATCH] IBS: Sort images list to verify full image correctly
-
----
- image_verify.cpp | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/image_verify.cpp b/image_verify.cpp
-index 098ad9d..e8ca62d 100644
---- a/image_verify.cpp
-+++ b/image_verify.cpp
-@@ -102,6 +102,9 @@ bool Signature::verifyFullImage()
- fs::path(imageDirPath) / "MANIFEST.sig",
- fs::path(imageDirPath) / "publickey.sig"};
-
-+ // Sort items like make_signatures() in image_types_phosphor.bbclass
-+ sort(fullImages.begin(), fullImages.end());
-+
- // Merge files
- std::string tmpFullFile = "/tmp/image-full";
- utils::mergeFiles(fullImages, tmpFullFile);
---
-2.35.1
-
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch
index 4cd9c434d5..4cd9c434d5 100644
--- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch
+++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball
index 46a62effe7..aeb0cb20cd 100644
--- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball
+++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball
@@ -48,18 +48,34 @@ cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
F0nIdUAhR0yTfKM=
-----END PRIVATE KEY-----
-
'
do_sign=true
PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
-private_key_path="${PRIVATE_KEY_PATH}"
+SIGNING_KEY="${PRIVATE_KEY_PATH}"
outfile=""
machine=""
version=""
extended_version=""
image_name="image-hostfw"
+make_signatures() {
+ signature_files=""
+ for file in "$@"; do
+ openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file
+ signature_files="${signature_files} ${file}.sig"
+ done
+
+ if [ -n "$signature_files" ]; then
+ # DO NOT SORT: sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
+ sort_signature_files="$signature_files"
+ cat $sort_signature_files > image-full
+ openssl dgst -sha256 -sign ${SIGNING_KEY} -out image-full.sig image-full
+ signature_files="${signature_files} image-full.sig"
+ fi
+}
+
+
while [[ $# -gt 0 ]]; do
key="$1"
case $key in
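Review bot: The signing call inside the new make_signatures() drops the quoting the old loop had (`-sign "${private_key_path}" ... "$file"` in the removed lines), so a key path or file name containing whitespace or glob characters would be word-split before reaching openssl; the line should read `openssl dgst -sha256 -sign "${SIGNING_KEY}" -out "${file}.sig" "${file}"`, and the same applies to the image-full signing line and to `cat $sort_signature_files`. The loop also reuses the global `file`, which elsewhere in the script holds the input image path, so add `local file` at the top of the function (signature_files must stay global because the final tar line reads it). The "DO NOT SORT" comment states the rule but not the reason; since this commit deletes the patch that sorted fullImages on the verifier side, the concatenation order of image-full is now the script's contract with verifyFullImage() in image_verify.cpp, and a comment such as `# DO NOT SORT: image-full must be built in argument order, matching the fullImages list in verifyFullImage() (image_verify.cpp)` would make that explicit here, at the make_signatures call site in the later hunk, and next to the new -Dverify-full-signature option in the bbappend. The function is complete within the hunk; the `while` loop at the end of the hunk continues outside it.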
@@ -70,7 +86,7 @@ while [[ $# -gt 0 ]]; do
-s|--sign)
do_sign=true
if [[ -n "${2}" && "${2}" != -* ]]; then
- private_key_path="$2"
+ SIGNING_KEY="$2"
shift 2
else
shift 1
@@ -134,64 +150,49 @@ scratch_dir=$(mktemp -d)
trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
if [[ "${do_sign}" == true ]]; then
- if [[ -z "${private_key_path}" ]]; then
- private_key_path=${scratch_dir}/OpenBMC.priv
- echo "${private_key}" > "${private_key_path}"
+ if [[ -z "${SIGNING_KEY}" ]]; then
+ SIGNING_KEY=${scratch_dir}/OpenBMC.priv
+ echo "${private_key}" > "${SIGNING_KEY}"
echo "Image is NOT secure!! Signing with the open private key!"
else
- if [[ ! -f "${private_key_path}" ]]; then
- echo "Couldn't find private key ${private_key_path}."
+ if [[ ! -f "${SIGNING_KEY}" ]]; then
+ echo "Couldn't find private key ${SIGNING_KEY}."
exit 1
fi
- echo "Signing with ${private_key_path}."
+ echo "Signing with ${SIGNING_KEY}."
fi
public_key_file=publickey
public_key_path=${scratch_dir}/$public_key_file
- openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+ openssl pkey -in "${SIGNING_KEY}" -pubout -out "${public_key_path}"
fi
manifest_location="MANIFEST"
-files_to_sign="$manifest_location $public_key_file"
# Go to scratch_dir
cp "${file}" "${scratch_dir}/${image_name}"
cd "${scratch_dir}"
-files_to_sign+=" ${image_name}"
echo "Creating MANIFEST for the image"
echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\
-version=$version" > $manifest_location
+version=${version}" > ${manifest_location}
-echo "ExtendedVersion=${extended_version}" >> $manifest_location
-echo "CompatibleName=${image_name}" >> $manifest_location
+echo "ExtendedVersion=${extended_version}" >> ${manifest_location}
+echo "CompatibleName=${image_name}" >> ${manifest_location}
if [[ -n "${machine}" ]]; then
- echo -e "MachineName=${machine}" >> $manifest_location
+ echo -e "MachineName=${machine}" >> ${manifest_location}
fi
if [[ "${do_sign}" == true ]]; then
- signature_files=
- private_key_name=$(basename "${private_key_path}")
+ private_key_name=$(basename "${SIGNING_KEY}")
key_type="${private_key_name%.*}"
- echo KeyType="${key_type}" >> $manifest_location
- echo HashType="RSA-SHA256" >> $manifest_location
-
- for file in $files_to_sign; do
- openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
- signature_files="${signature_files} ${file}.sig"
- done
-
- if [ -n "$signature_files" ]; then
- sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
- cat $sort_signature_files > image-full
- openssl dgst -sha256 -sign ${private_key_path} -out image-full.sig image-full
- signature_files="${signature_files} image-full.sig"
- fi
+ echo KeyType="${key_type}" >> ${manifest_location}
+ echo HashType="RSA-SHA256" >> ${manifest_location}
- additional_files="${signature_files}"
+ make_signatures ${image_name} ${manifest_location} ${public_key_file}
fi
-tar -czvf $outfile $files_to_sign $additional_files
-echo "Bios image tarball is at $outfile"
+tar -czvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files}
+echo "Bios image tarball is at ${outfile}"
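Review bot: The file list is now written twice, once as the arguments of `make_signatures ${image_name} ${manifest_location} ${public_key_file}` and again on the `tar -czvf` line, and the two must stay in the same order for image-full to verify; a single variable removes that drift risk, e.g. `bios_files="${image_name} ${manifest_location} ${public_key_file}"`, then `make_signatures ${bios_files}` and `tar -czvf "${outfile}" ${bios_files} ${signature_files}`. The `openssl pkey -pubout` call and the signing calls are not checked for failure, so unless `set -e` is enabled earlier in the script (not visible in this hunk) a bad key would still yield a tarball that is merely missing publickey or the .sig files; `|| exit 1` on those lines, or `set -e` at the top, would fail the build instead. `${outfile}` is also unquoted on the new tar line while the rest of the hunk quotes paths consistently.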
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend
index ae6d2a0140..aedba88044 100644
--- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend
+++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend
@@ -4,11 +4,11 @@ PACKAGECONFIG:append = " verify_signature flash_bios"
SRC_URI:append = " \
file://gen-bios-tarball \
- file://0001-IBS-Sort-images-list-to-verify-full-image-correctly.patch \
- file://0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch \
+ file://0001-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch \
"
EXTRA_OEMESON += "\
+ -Dverify-full-signature=enabled \
-Doptional-images=image-hostfw \
"