meta-google: Add glome-login and glome-config

We have to use glome-config since the sample config is removed in
glome recipe. As a result, now glome depends on glome-config.

The platform also needs to overwrite these variables in their
bbappend files:
- glome-login.bb
  * GLOME_FALLBACK_SERV
  * GLOME_FALLBACK_OBJ
  * GLOME_HOSTNAME_SUFFIX
  * GLOME_BOARDSN_KEY
- glome-config.bb
  * GLOME_PUBLIC_KEY
  * GLOME_KEY_VERSION
  * GLOME_URL_PREFIX

Tested:
1) `bitbake obmc-phosphor-image` build passes
2) inplace update the image on a real machine
3) connect to it
The glome is enabled and login is successful

Signed-off-by: Leo Tu <leotu@google.com>
Change-Id: I21a48cbdcfea67772f143b4fc115f717e6d7cbc5

5 files changed, 158 insertions, 3 deletions

diff --git a/meta-google/recipes-google/console/glome-config.bb b/meta-google/recipes-google/console/glome-config.bb
new file mode 100644
index 0000000000..be3612d398
--- /dev/null
+++ b/meta-google/recipes-google/console/glome-config.bb
@@ -0,0 +1,39 @@
+SUMMARY = "Glome Config"
+DESCRIPTION = "Glome config file provides a glome config file"
+PR = "r1"
+
+# This is required to replace the glome/config that is removed in glome_git.bb
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+# Example Privkey: A0F1D0A0CB254839D04637F567325B850B5174850B129E811F5E203A42CC3B6C
+GLOME_PUBLIC_KEY ?= "AC11D4582261F2D05CDDE1BD94383393D26C5C269642EE26D7EABD1EADC03C14"
+GLOME_KEY_VERSION ?= "4"
+GLOME_URL_PREFIX ?= "http://example-glome-service/"
+
+SRC_URI = "file://config.in"
+
+do_install:append() {
+  if [ -z '${GLOME_PUBLIC_KEY}' ]; then
+    echo 'Missing GLOME_PUBLIC_KEY' >&2
+    exit 1
+  fi
+  if [ -z '${GLOME_KEY_VERSION}' ]; then
+    echo 'Missing GLOME_KEY_VERSION' >&2
+    exit 1
+  fi
+  if [ -z '${GLOME_URL_PREFIX}' ]; then
+    echo 'Missing GLOME_URL_PREFIX' >&2
+    exit 1
+  fi
+
+  sed ${WORKDIR}/config.in \
+    -e 's#@PUBLIC_KEY@#${GLOME_PUBLIC_KEY}#' \
+    -e 's#@KEY_VERSION@#${GLOME_KEY_VERSION}#' \
+    -e 's#@URL_PREFIX@#${GLOME_URL_PREFIX}#' \
+    > ${WORKDIR}/config
+
+  install -d ${D}${sysconfdir}/glome
+  install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/glome
+}
diff --git a/meta-google/recipes-google/console/glome-config/config.in b/meta-google/recipes-google/console/glome-config/config.in
new file mode 100644
index 0000000000..291f6a57fb
--- /dev/null
+++ b/meta-google/recipes-google/console/glome-config/config.in
@@ -0,0 +1,8 @@
+# This is the configuration file for serial console authentication with glome.
+# /usr/sbin/glome-login tries to read this file on startup at its canonical
+# location /etc/glome/config.
+
+[service]
+key = @PUBLIC_KEY@
+key-version = @KEY_VERSION@
+url-prefix = @URL_PREFIX@
diff --git a/meta-google/recipes-google/console/glome-login.bb b/meta-google/recipes-google/console/glome-login.bb
new file mode 100644
index 0000000000..ea043d3a5e
--- /dev/null
+++ b/meta-google/recipes-google/console/glome-login.bb
@@ -0,0 +1,59 @@
+SUMMARY = "Glome Login Scripts"
+DESCRIPTION = "Glome Login Scripts"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+GLOME_FALLBACK_SERV ?= ""
+GLOME_FALLBACK_OBJ ?= ""
+GLOME_HOSTNAME_SUFFIX ?= ""
+GLOME_BOARDSN_KEY ?= "bmc-boardsn"
+
+RDEPENDS:${PN} += "bash"
+RDEPENDS:${PN} += "glome"
+RDEPENDS:${PN} += "jq"
+RDEPENDS:${PN} += "obmc-console"
+
+SRC_URI += "file://glome-login.sh.in"
+
+do_install:append() {
+  if [ -z '${GLOME_FALLBACK_SERV}' ]; then
+    echo 'Missing GLOME_FALLBACK_SERV' >&2
+    exit 1
+  fi
+
+  if [ -z '${GLOME_FALLBACK_OBJ}' ]; then
+    echo 'Missing GLOME_FALLBACK_OBJ' >&2
+    exit 1
+  fi
+
+  if [ -z '${GLOME_HOSTNAME_SUFFIX}' ]; then
+    echo 'Missing GLOME_HOSTNAME_SUFFIX' >&2
+    exit 1
+  fi
+
+  sed ${WORKDIR}/glome-login.sh.in \
+    -e 's#@INV_SERV@#${GLOME_FALLBACK_SERV}#' \
+    -e 's#@INV_OBJ@#${GLOME_FALLBACK_OBJ}#' \
+    -e 's#@HOSTNAME_SUFFIX@#${GLOME_HOSTNAME_SUFFIX}#' \
+    -e 's#@BOARDSN_KEY@#${GLOME_BOARDSN_KEY}#' \
+    > ${WORKDIR}/glome-login.sh
+
+  install -d ${D}${bindir}
+  install -m 0755 ${WORKDIR}/glome-login.sh ${D}${bindir}
+}
+
+# This is an example to override the glome login service in the bbappend for 'prod'
+#
+#FILES:${PN}:append:prod = " \
+#  ${systemd_system_unitdir}/serial-to-bmc@.service.d/bmc-login-glome-override.conf \
+#  ${systemd_system_unitdir}/serial-getty@.service.d/bmc-login-glome-override.conf \
+#  "
+#
+#do_install:append:prod() {
+#  install -D -m 0644 ${WORKDIR}/bmc-login-glome-override.conf \
+#    ${D}${systemd_system_unitdir}/serial-to-bmc@.service.d/bmc-login-glome-override.conf
+#  install -D -m 0644 ${WORKDIR}/bmc-login-glome-override.conf \
+#    ${D}${systemd_system_unitdir}/serial-getty@.service.d/bmc-login-glome-override.conf
+#}
diff --git a/meta-google/recipes-google/console/glome-login/glome-login.sh.in b/meta-google/recipes-google/console/glome-login/glome-login.sh.in
new file mode 100644
index 0000000000..2d12e355d1
--- /dev/null
+++ b/meta-google/recipes-google/console/glome-login/glome-login.sh.in
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -eo pipefail
+
+HOSTNAME="$(hostname)"
+USER="${1?Missing first param: USER (Usually passed by agetty via \\u)}"
+
+if [[ "$HOSTNAME" =~ ^([^-.]+)[^.]*(.*[.]corp[.]google[.]com)$ ]]; then
+  # for google corp address the suffix must be removed from the name
+  HOSTNAME="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+fi
+
+if [[ "${HOSTNAME}" == *"@HOSTNAME_SUFFIX@" ]];  then
+  # Valid hostname is already set, invoke normal glome
+  exec /usr/sbin/glome-login -M "${HOSTNAME}" "${USER}"
+fi
+
+# Get the board serial number from the FRU EEPROM
+# Service passed in as a parameter would be either inventory-manager or
+# entity-manager depending on platforms
+# Path to the FRU EEPROM object has to be passed in as a parameter
+# If the target platform has neither of them, the fallback mechanism is useless
+INT="xyz.openbmc_project.Inventory.Decorator.Asset"
+PART="SerialNumber"
+BOARDSN="$(busctl get-property -j "@INV_SERV@" "@INV_OBJ@" "${INT}" "${PART}" | jq -r '.data')"
+
+WARN_MSG="WARNING: Hostname is not set, using Board Serial Number"
+echo "${WARN_MSG}"
+echo "${WARN_MSG}" | systemd-cat -t gbmc-glome -p warning
+exec /usr/sbin/glome-login -M "@BOARDSN_KEY@:${BOARDSN}" "${USER}"
diff --git a/meta-google/recipes-google/console/glome_git.bb b/meta-google/recipes-google/console/glome_git.bb
index 42dcbda25e..418179f050 100644
--- a/meta-google/recipes-google/console/glome_git.bb
+++ b/meta-google/recipes-google/console/glome_git.bb
@@ -8,16 +8,23 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
 inherit meson pkgconfig
 
-DEPENDS += "openssl"
+DEPENDS += " \
+  openssl \
+  glome-config \
+  "
+RDEPENDS:${PN} += "glome-config"
 
 S = "${WORKDIR}/git"
 SRC_URI = "git://github.com/google/glome.git;branch=master;protocol=https"
 SRCREV = "978ad9fb165f1e382c875f2ce08a1fc4f2ddcf1b"
 
-FILES_${PN} += "${libdir}/security"
-
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[glome-cli] = "-Dglome-cli=true,-Dglome-cli=false"
 PACKAGECONFIG[pam-glome] = "-Dpam-glome=true,-Dpam-glome=false,libpam"
 
 EXTRA_OEMESON = "-Dtests=false"
+
+# remove the default glome config so it can be overridden by `glome-config`
+do_install:append() {
+  rm -f ${D}${sysconfdir}/glome/config
+}