From 096b3edf0b5f3543f02aa7b0c9271069306659cd Mon Sep 17 00:00:00 2001 From: "Andrey V.Kosteltsev" Date: Sat, 23 Jul 2022 15:17:56 +0300 Subject: IBS: Flashing Host BIOS feature (stub implementation) --- .../images/obmc-phosphor-image.bbappend | 1 + .../0001-Fix-gen-bios-tar-script.patch | 32 ++++ ...e-usr-bin-flash-bios-tool-for-BIOS-update.patch | 22 +++ .../phosphor-software-manager/gen-bios-tarball | 187 +++++++++++++++++++++ .../flash/phosphor-software-manager_%.bbappend | 17 +- .../recipes-phosphor/flash/sila-flash-bios.bb | 16 ++ .../flash/sila-flash-bios/flash-bios | 169 +++++++++++++++++++ 7 files changed, 443 insertions(+), 1 deletion(-) create mode 100644 meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-Fix-gen-bios-tar-script.patch create mode 100644 meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch create mode 100644 meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball create mode 100644 meta-ibs/meta-cp2-5422/recipes-phosphor/flash/sila-flash-bios.bb create mode 100644 meta-ibs/meta-cp2-5422/recipes-phosphor/flash/sila-flash-bios/flash-bios diff --git a/meta-ibs/meta-common/recipes-ibs/images/obmc-phosphor-image.bbappend b/meta-ibs/meta-common/recipes-ibs/images/obmc-phosphor-image.bbappend index 115a3c72ba..319b095435 100644 --- a/meta-ibs/meta-common/recipes-ibs/images/obmc-phosphor-image.bbappend +++ b/meta-ibs/meta-common/recipes-ibs/images/obmc-phosphor-image.bbappend @@ -9,6 +9,7 @@ IMAGE_INSTALL += " openssl-bin \ bmcweb-init-certs \ firmware-watchdog \ ibmcutil \ + sila-flash-bios \ " IMAGE_INSTALL += " net-snmp-lib-agent \ diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-Fix-gen-bios-tar-script.patch b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-Fix-gen-bios-tar-script.patch new file mode 100644 index 0000000000..27cf90de64 
--- /dev/null
+++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0001-Fix-gen-bios-tar-script.patch
@@ -0,0 +1,32 @@
+From a279caec497be9c4c413add4aad23ccd3b24a713 Mon Sep 17 00:00:00 2001
+From: "Andrey V.Kosteltsev"
+Date: Sat, 23 Jul 2022 14:28:48 +0300
+Subject: [PATCH] Fix gen-bios-tar script
+
+---
+ gen-bios-tar | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gen-bios-tar b/gen-bios-tar
+index 837d496..7c59776 100755
+--- a/gen-bios-tar
++++ b/gen-bios-tar
+@@ -47,7 +47,7 @@ F0nIdUAhR0yTfKM=
+ -----END PRIVATE KEY-----
+ '
+
+-do_sign=false
++do_sign=true
+ PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
+ private_key_path="${PRIVATE_KEY_PATH}"
+ outfile=""
+@@ -167,5 +167,5 @@ if [[ "${do_sign}" == true ]]; then
+ additional_files="*.sig"
+ fi
+
+-tar -czvf "$outfile" "$files_to_sign" "$additional_files"
++tar -czvf $outfile $files_to_sign $additional_files
+ echo "Bios image tarball is at $outfile"
+--
+2.35.1
+
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch
new file mode 100644
index 0000000000..4cd9c434d5
--- /dev/null
+++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch
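Review bot: With `do_sign=true` as the default in the first nested hunk, a run that supplies neither `-s KEYFILE` nor `PRIVATE_KEY_PATH` signs the BIOS tarball with the key embedded in the script, which is published in the OpenBMC tree, so the resulting signature says nothing about who built the image; the new gen-bios-tarball copy added by this commit has the same default. Signing can stay on by default if the fallback fails closed instead, e.g. the empty-key branch becomes `echo "No signing key: set PRIVATE_KEY_PATH or pass -s KEYFILE" >&2; exit 1`, and it is worth confirming that the public key the target uses for `verify_signature` is not the one matching the embedded key (not visible in this commit). In the second nested hunk, removing the quotes is what lets `$files_to_sign` and the `*.sig` glob split into separate arguments, but `$outfile` is a single path and should stay quoted: `tar -czvf "$outfile" $files_to_sign $additional_files`.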
@@ -0,0 +1,22 @@
+From b6797cda23908ff9a1edc2f25cd6eb559f79a503 Mon Sep 17 00:00:00 2001
+From: "Andrey V.Kosteltsev"
+Date: Sat, 23 Jul 2022 14:43:14 +0300
+Subject: [PATCH 2/2] IBS: Use /usr/bin/flash-bios tool for BIOS update
+
+---
+ obmc-flash-host-bios@.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/obmc-flash-host-bios@.service.in b/obmc-flash-host-bios@.service.in
+index 13a01af..0b7ceec 100644
+--- a/obmc-flash-host-bios@.service.in
++++ b/obmc-flash-host-bios@.service.in
+@@ -4,4 +4,4 @@ Description=Flash Host Bios image %I to Host
+ [Service]
+ Type=oneshot
+ RemainAfterExit=no
+-ExecStart=echo Please add custom command for flashing image /tmp/image/%i
++ExecStart=/usr/sbin/flash-bios /tmp/image/%i
+--
+2.35.1
+
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball
new file mode 100644
index 0000000000..d7e54bee38
--- /dev/null
+++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager/gen-bios-tarball
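Review bot: The patch subject and file name say `/usr/bin/flash-bios`, while the new `ExecStart=` line runs `/usr/sbin/flash-bios`; the unit matches the `${sbindir}` install in sila-flash-bios.bb, so it is the subject and file name that should be corrected. A one-line comment above `ExecStart=`, such as `# %i is the image id; flash-bios resolves it to the software object of the same name`, would record what the script does with the argument, as far as the flash-bios source in this commit shows.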
@@ -0,0 +1,187 @@
+#!/bin/bash
+set -eo pipefail
+
+help=$'Generate Tarball with Bios image and MANIFEST Script
+
+Generates a Bios image tarball from given file as input.
+Creates a MANIFEST for image verification and recreation
+Packages the image and MANIFEST together in a tarball
+
+usage: gen-bios-tar [OPTION] ...
+
+Options:
+ -o, --out Specify destination file. Defaults to
+ `pwd`/obmc-bios.tar.gz if unspecified.
+ -s, --sign Sign the image. The optional path argument specifies
+ the private key file. Defaults to the bash variable
+ PRIVATE_KEY_PATH if available, or else uses the
+ open-source private key in this script.
+ -m, --machine Optionally specify the target machine name of this
+ image.
+ -v, --version Specify the version of bios image file.
+ -e, --extended-version Specify the Extended Version of bios image file
+ -c, --compatible-name Specify the name of bios image in tarball.
+ Default: 'bios-image'.
+ -h, --help Display this help text and exit.
+'
+
+#################################################################
+# It's the OpenBMC "public" private key (currently under
+# meta-phosphor/recipes-phosphor/flash/files/OpenBMC.priv):
+# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/8949/15/
+# meta-phosphor/common/recipes-phosphor/flash/files/OpenBMC.priv
+#
+#################################################################
+private_key=$'-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAPvSDLu6slkP1gri
+PaeQXL9ysD69J/HjbBCIQ0RPfeWBb75US1tRTjPP0Ub8CtH8ExVf8iF1ulsZA78B
+zIjBYZVp9pyD6LbpZ/hjV7rIH6dTNhoVpdA+F8LzmQ7cyhHG8l2JMvdunwF2uX5k
+D4WDcZt/ITKZNQNavPtmIyD5HprdAgMBAAECgYEAuQkTSi5ZNpAoWz76xtGRFSwU
+zUT4wQi3Mz6tDtjKTYXasiQGa0dHC1M9F8fDu6BZ9W7W4Dc9hArRcdzEighuxoI/
+nZI/0uL89iUEywnDEIHuS6D5JlZaj86/nx9YvQnO8F/seM+MX0EAWVrd5wC7aAF1
+h6Fu7ykZB4ggUjQAWwECQQD+AUiDOEO+8btLJ135dQfSGc5VFcZiequnKWVm6uXt
+rX771hEYjYMjLqWGFg9G4gE3GuABM5chMINuQQUivy8tAkEA/cxfy19XkjtqcMgE
+x/UDt6Nr+Ky/tk+4Y65WxPRDas0uxFOPk/vEjgVmz1k/TAy9G4giisluTvtmltr5
+DCLocQJBAJnRHx9PiD7uVhRJz6/L/iNuOzPtTsi+Loq5F83+O6T15qsM1CeBMsOw
+cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
+5yuNImRZabC3ZolwaTdd7nf5r1y1Eyec5Ag5yENV6JKPe1Xkbb1XKJECQDngA0h4
+6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
+F0nIdUAhR0yTfKM=
+-----END PRIVATE KEY-----
+'
+
+do_sign=true
+PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
+private_key_path="${PRIVATE_KEY_PATH}"
+outfile=""
+machine=""
+version=""
+extended_version=""
+compatible_name="bios-image"
+
+while [[ $# -gt 0 ]]; do
+ key="$1"
+ case $key in
+ -o|--out)
+ outfile="$2"
+ shift 2
+ ;;
+ -s|--sign)
+ do_sign=true
+ if [[ -n "${2}" && "${2}" != -* ]]; then
+ private_key_path="$2"
+ shift 2
+ else
+ shift 1
+ fi
+ ;;
+ -m|--machine)
+ machine="$2"
+ shift 2
+ ;;
+ -v|--version)
+ version="$2"
+ shift 2
+ ;;
+ -e|--extended-version)
+ extended_version="$2"
+ shift 2
+ ;;
+ -c|--compatible-name)
+ compatible_name="$2"
+ shift 2
+ ;;
+ -h|--help)
+ echo "$help"
+ exit
+ ;;
+ -*)
+ echo "Unrecognised option $1"
+ echo "$help"
+ exit
+ ;;
+ *)
+ file="$1"
+ shift 1
+ ;;
+ esac
+done
+
+if [ ! -f "${file}" ]; then
+ echo "${file} not found, Please enter a valid Bios image file"
+ echo "$help"
+ exit 1
+fi
+
+if [[ -z $version ]]; then
+ echo "Please provide version of image with -v option"
+ exit 1
+fi
+
+if [[ -z $outfile ]]; then
+ outfile=$(pwd)/obmc-bios.tar.gz
+else
+ if [[ $outfile != /* ]]; then
+ outfile=$(pwd)/$outfile
+ fi
+fi
+
+scratch_dir=$(mktemp -d)
+# Remove the temp directory on exit.
+# The files in the temp directory may contain read-only files, so add
+# --interactive=never to skip the prompt.
+trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
+
+if [[ "${do_sign}" == true ]]; then
+ if [[ -z "${private_key_path}" ]]; then
+ private_key_path=${scratch_dir}/OpenBMC.priv
+ echo "${private_key}" > "${private_key_path}"
+ echo "Image is NOT secure!! Signing with the open private key!"
+ else
+ if [[ ! -f "${private_key_path}" ]]; then
+ echo "Couldn't find private key ${private_key_path}."
+ exit 1
+ fi
+
+ echo "Signing with ${private_key_path}."
+ fi
+
+ public_key_file=publickey
+ public_key_path=${scratch_dir}/$public_key_file
+ openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+fi
+
+manifest_location="MANIFEST"
+files_to_sign="$manifest_location $public_key_file"
+
+# Go to scratch_dir
+cp "${file}" "${scratch_dir}/${compatible_name}"
+cd "${scratch_dir}"
+files_to_sign+=" ${compatible_name}"
+
+echo "Creating MANIFEST for the image"
+echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\
+version=$version" > $manifest_location
+
+echo "ExtendedVersion=${extended_version}" >> $manifest_location
+echo "CompatibleName=${compatible_name}" >> $manifest_location
+
+if [[ -n "${machine}" ]]; then
+ echo -e "MachineName=${machine}" >> $manifest_location
+fi
+
+if [[ "${do_sign}" == true ]]; then
+ private_key_name=$(basename "${private_key_path}")
+ key_type="${private_key_name%.*}"
+ echo KeyType="${key_type}" >> $manifest_location
+ echo HashType="RSA-SHA256" >> $manifest_location
+
+ for file in $files_to_sign; do
+ openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
+ done
+
+ additional_files="*.sig"
+fi
+
+tar -czvf $outfile $files_to_sign $additional_files
+echo "Bios image tarball is at $outfile"
diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend
index 04f574b10b..107dbed9f2 100644
--- a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend
+++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/phosphor-software-manager_%.bbappend
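Review bot: The `-*)` arm of the option loop prints "Unrecognised option" and then calls a bare `exit`, which returns the status of the preceding `echo` (0), so a build step that mistypes an option sees success although no tarball was written; it should be `exit 1`, with the message sent to stderr. The arms that take a value (`-o`, `-m`, `-v`, `-e`, `-c`) read `$2` and `shift 2` without checking that a value follows, and under `set -e` a `shift 2` with one argument left ends the script with no message at all. The EXIT trap expands `${scratch_dir}` unquoted; `trap 'rm -r --interactive=never -- "${scratch_dir}"' EXIT` is the safer form.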
@@ -1,3 +1,18 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" -PACKAGECONFIG:append = " verify_signature" +PACKAGECONFIG:append = " verify_signature flash_bios" + +SRC_URI:append = " \ + file://gen-bios-tarball \ + file://0001-Fix-gen-bios-tar-script.patch \ + file://0002-IBS-Use-usr-bin-flash-bios-tool-for-BIOS-update.patch \ + " + +RDEPENDS:${PN} += " sila-flash-bios" + +do_provide_gen_bios_tarball () { + cp ${WORKDIR}/gen-bios-tarball ${S}/gen-bios-tarball + chmod 755 ${S}/gen-bios-tarball +} + +addtask do_provide_gen_bios_tarball after do_unpack before do_configure diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/sila-flash-bios.bb b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/sila-flash-bios.bb new file mode 100644 index 0000000000..a54cc58626 --- /dev/null +++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/sila-flash-bios.bb @@ -0,0 +1,16 @@ +SUMMARY = "Flash BIOS utility" +DESCRIPTION = "Utility for flashing Host BIOS image" + +SRC_URI = "file://flash-bios;subdir=${BP} \ + " +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "\ + file://${IBSBASE}/COPYING.apache-2.0;md5=34400b68072d710fecd0a2940a0d1658 \ + " + +RDEPENDS:${PN} += " bash" + +do_install:append() { + install -d ${D}${sbindir} + install -m 0755 ${S}/flash-bios ${D}${sbindir}/flash-bios +} diff --git a/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/sila-flash-bios/flash-bios b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/sila-flash-bios/flash-bios new file mode 100644 index 0000000000..0ad86deef4 --- /dev/null +++ b/meta-ibs/meta-cp2-5422/recipes-phosphor/flash/sila-flash-bios/flash-bios 
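Review bot: `do_provide_gen_bios_tarball` has no comment explaining why a second, already-modified copy of the script is placed in `${S}` while 0001-Fix-gen-bios-tar-script.patch applies the same two changes to the upstream `gen-bios-tar`, and nothing in the visible recipe installs or calls `gen-bios-tarball`. A comment above the task, for example `# build-host helper for packaging BIOS images; not installed on the target`, would say which of the two scripts is meant to be used, if that is the intent. The task is ordered only `after do_unpack before do_configure`, which leaves its position relative to `do_patch` open; that is harmless today because both patches touch other files.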
@@ -0,0 +1,169 @@
+#!/bin/bash
+
+set -eo pipefail
+
+programm=`basename $0`
+
+log() {
+ logger -t ${programm} -p 1 "$@"
+}
+
+FWTYPE="BIOS"
+FWVER="0.00"
+redfish_log_fw_evt() {
+ local evt=$1
+ [ -z "$FWTYPE" ] && return
+ [ -z "$FWVER" ] && return
+ case "$evt" in
+ start)
+ logger -t ${programm} -p 1 "${FWTYPE} firmware update to version ${FWVER} started"
+ ;;
+ success)
+ logger -t ${programm} -p 1 "${FWTYPE} firmware update to version ${FWVER} completed successfully."
+ ;;
+ abort)
+ logger -t ${programm} -p 1 "${FWTYPE} firmware update to version ${FWVER} failed."
+ ;;
+ invalid_args)
+ logger -t ${programm} -p 1 "${FWTYPE} firmware update failed: Invalid argument"
+ ;;
+ invalid_image)
+ logger -t ${programm} -p 1 "${FWTYPE} firmware update failed: Invalid firmware image"
+ ;;
+ *) return ;;
+ esac
+}
+
+wait_for_log_sync()
+{
+ sync
+ sleep 5
+}
+
+interface=xyz.openbmc_project.Software.BMC.Updater
+busctl_path=
+bios_image=
+bios_version=
+bios_ext_version=
+
+get_firmware_busctl_path() {
+ local ipath=$1
+ local bpath=/xyz/openbmc_project/software/`echo "${ipath}" | rev | cut -f1 -d'/' | rev`
+ echo "${bpath}"
+}
+
+get_firmware_purpose() {
+ local iface=$1
+ local fwpath=$2
+ local purpose=`busctl get-property ${iface} ${fwpath} xyz.openbmc_project.Software.Version Purpose | sed 's,^s ",,' | sed 's,"$,,' | rev | cut -f1 -d'.' | rev`
+ echo "${purpose}"
+}
+
+get_firmware_activation() {
+ local iface=$1
+ local fwpath=$2
+ local activation=`busctl get-property ${iface} ${fwpath} xyz.openbmc_project.Software.Activation Activation | sed 's,^s ",,' | sed 's,"$,,' | rev | cut -f1 -d'.' | rev`
+ echo "${activation}"
+}
+
+get_firmware_path() {
+ local iface=$1
+ local fwpath=$2
+ local path=`busctl get-property ${iface} ${fwpath} xyz.openbmc_project.Common.FilePath Path | sed 's,^s ",,' | sed 's,"$,,'`
+ echo "${path}"
+}
+
+get_firmware_version() {
+ local iface=$1
+ local fwpath=$2
+ local version=`busctl get-property ${iface} ${fwpath} xyz.openbmc_project.Software.Version Version | sed 's,^s ",,' | sed 's,"$,,'`
+ echo "${version}"
+}
+
+get_firmware_extended_version() {
+ local iface=$1
+ local fwpath=$2
+ local eversion=`busctl get-property ${iface} ${fwpath} xyz.openbmc_project.Software.ExtendedVersion ExtendedVersion | sed 's,^s ",,' | sed 's,"$,,'`
+ echo "${eversion}"
+}
+
+get_firmware_file_name() {
+ local iface=$1
+ local fwpath=$2
+ local fname=`busctl get-property ${iface} ${fwpath} xyz.openbmc_project.Inventory.Decorator.Compatible Names | grep "as 1" | sed 's,^as 1 ",,' | sed 's,"$,,'`
+ echo "${fname}"
+}
+
+get_bios_image() {
+ local iface=$1
+ local bpath=$2
+ local purpose=`get_firmware_purpose ${iface} ${bpath}`
+ local active=`get_firmware_activation ${iface} ${bpath}`
+ if [ "${purpose}" = "Host" -a "${active}" = "Activating" ] ; then
+ local path=`get_firmware_path ${iface} ${bpath}`
+ local fname=`get_firmware_file_name ${iface} ${bpath}`
+ if [ -f "${path}/${fname}" ] ; then
+ echo "${path}/${fname}"
+ fi
+ fi
+}
+
+get_bios_version() {
+ local image=$1
+ local hash=`echo ${image} | rev | cut -f2 -d'/' | rev`
+ local version=`get_firmware_version ${interface} /xyz/openbmc_project/software/${hash}`
+ echo "${version}"
+}
+
+get_bios_extended_version() {
+ local image=$1
+ local hash=`echo ${image} | rev | cut -f2 -d'/' | rev`
+ local ext_version=`get_firmware_extended_version ${interface} /xyz/openbmc_project/software/${hash}`
+ echo "${ext_version}"
+}
+
+
+image_path=$1
+
+if [ "x${image_path}" = "x" ] ; then
+ redfish_log_fw_evt invalid_args
+ exit 1
+fi
+
+busctl_path="`get_firmware_busctl_path ${image_path}`"
+bios_image="`get_bios_image ${interface} ${busctl_path}`"
+bios_version="`get_bios_version ${bios_image}`"
+bios_ext_version="`get_bios_extended_version ${bios_image}`"
+
+if [ "${bios_image}" = "x" ] ; then
+ redfish_log_fw_evt invalid_image
+ exit 1
+fi
+if [ "${bios_version}" = "x" ] ; then
+ redfish_log_fw_evt invalid_image
+ exit 1
+fi
+
+FWVER="${bios_version}"
+
+#######################
+# Start BIOS Flashing:
+#
+redfish_log_fw_evt start
+
+
+#######################
+# main routine:
+#
+logger -t ${programm} -p 1 "Flashing the '${bios_image}' image..."
+#
+# end of main routine.
+#######################
+
+
+#######################
+# Stop BIOS Flashing:
+#
+redfish_log_fw_evt success
+wait_for_log_sync
+
-- cgit v1.2.3
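Review bot: The two validity checks ahead of `FWVER=` compare against the literal string "x" (`[ "${bios_image}" = "x" ]`), so an empty result from `get_bios_image` or `get_bios_version` is never caught and the script goes on to log the update as started and completed successfully. They should read `if [ -z "${bios_image}" ] ; then` and `if [ -z "${bios_version}" ] ; then`, with the image check moved ahead of the `get_bios_version` call so that the version lookup is not run on an empty path. The getters assign the `busctl` pipeline inside the `local` declaration, which discards its exit status, so `set -eo pipefail` does not stop the script when `busctl` fails; declaring the variable first and assigning on the next line restores that. `${image_path}`, `${iface}` and `${fwpath}` are expanded unquoted in the helper and `busctl` calls and should be quoted, since the value originates from the unit's instance name.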