authorAndrey V.Kosteltsev <AKosteltsev@IBS.RU>2022-08-06 23:52:07 +0300
committerAndrey V.Kosteltsev <AKosteltsev@IBS.RU>2022-08-06 23:52:07 +0300
commitb3bc57222f6a5cf0817e30abd1f3d717a63509a4 (patch)
tree2f4e79b0ab38cdc8f5550a864481dc387350b366
parent08192b751ca1320b3827cf63080ae12c15d96df4 (diff)
downloadsila-service-b3bc57222f6a5cf0817e30abd1f3d717a63509a4.tar.xz
Do not sort signature files for image-full.sig
-rwxr-xr-xBIOS/gen-bios-tarball71
-rw-r--r--BMC/README.md2
-rwxr-xr-xBMC/gen-image-all-tarball77
3 files changed, 80 insertions, 70 deletions
diff --git a/BIOS/gen-bios-tarball b/BIOS/gen-bios-tarball
index 46a62ef..aeb0cb2 100755
--- a/BIOS/gen-bios-tarball
+++ b/BIOS/gen-bios-tarball
@@ -48,18 +48,34 @@ cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
F0nIdUAhR0yTfKM=
-----END PRIVATE KEY-----
-
'
do_sign=true
PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
-private_key_path="${PRIVATE_KEY_PATH}"
+SIGNING_KEY="${PRIVATE_KEY_PATH}"
outfile=""
machine=""
version=""
extended_version=""
image_name="image-hostfw"
+make_signatures() {
+ signature_files=""
+ for file in "$@"; do
+ openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file
+ signature_files="${signature_files} ${file}.sig"
+ done
+
+ if [ -n "$signature_files" ]; then
+ # DO NOT SORT: sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
+ sort_signature_files="$signature_files"
+ cat $sort_signature_files > image-full
+ openssl dgst -sha256 -sign ${SIGNING_KEY} -out image-full.sig image-full
+ signature_files="${signature_files} image-full.sig"
+ fi
+}
+
+
while [[ $# -gt 0 ]]; do
key="$1"
case $key in
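Review bot: `make_signatures` drops the quoting the replaced loop had (`-sign "${private_key_path}" ... "$file"` on the old side), so `-sign ${SIGNING_KEY}` and the bare `$file` now word-split on a key path supplied via `-s` or `PRIVATE_KEY_PATH` that contains whitespace; the identical copy of this function added to BMC/gen-image-all-tarball in this commit has the same problem. Neither openssl call checks its exit status, so a failed signing would silently produce a tarball with a missing or empty `.sig` unless the script runs under `set -e`, which is not visible in the hunk; `openssl dgst -sha256 -sign "${SIGNING_KEY}" -out "${file}.sig" "$file" || exit 1` and likewise `openssl dgst -sha256 -sign "${SIGNING_KEY}" -out image-full.sig image-full || exit 1` would cover both. The loop variable `file` is also the script's global holding the input image path (`cp "${file}" ...` later in the file), so a `local file` at the top of the function avoids clobbering it, while `signature_files` must stay global because the tar line reads it. Finally `sort_signature_files="$signature_files"` is now a pure pass-through; `cat $signature_files > image-full` preceded by `# Concatenation order is the argument order; it is part of what image-full.sig attests` states the intent more directly than the commented-out sort.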
@@ -70,7 +86,7 @@ while [[ $# -gt 0 ]]; do
-s|--sign)
do_sign=true
if [[ -n "${2}" && "${2}" != -* ]]; then
- private_key_path="$2"
+ SIGNING_KEY="$2"
shift 2
else
shift 1
@@ -134,64 +150,49 @@ scratch_dir=$(mktemp -d)
trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
if [[ "${do_sign}" == true ]]; then
- if [[ -z "${private_key_path}" ]]; then
- private_key_path=${scratch_dir}/OpenBMC.priv
- echo "${private_key}" > "${private_key_path}"
+ if [[ -z "${SIGNING_KEY}" ]]; then
+ SIGNING_KEY=${scratch_dir}/OpenBMC.priv
+ echo "${private_key}" > "${SIGNING_KEY}"
echo "Image is NOT secure!! Signing with the open private key!"
else
- if [[ ! -f "${private_key_path}" ]]; then
- echo "Couldn't find private key ${private_key_path}."
+ if [[ ! -f "${SIGNING_KEY}" ]]; then
+ echo "Couldn't find private key ${SIGNING_KEY}."
exit 1
fi
- echo "Signing with ${private_key_path}."
+ echo "Signing with ${SIGNING_KEY}."
fi
public_key_file=publickey
public_key_path=${scratch_dir}/$public_key_file
- openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+ openssl pkey -in "${SIGNING_KEY}" -pubout -out "${public_key_path}"
fi
manifest_location="MANIFEST"
-files_to_sign="$manifest_location $public_key_file"
# Go to scratch_dir
cp "${file}" "${scratch_dir}/${image_name}"
cd "${scratch_dir}"
-files_to_sign+=" ${image_name}"
echo "Creating MANIFEST for the image"
echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\
-version=$version" > $manifest_location
+version=${version}" > ${manifest_location}
-echo "ExtendedVersion=${extended_version}" >> $manifest_location
-echo "CompatibleName=${image_name}" >> $manifest_location
+echo "ExtendedVersion=${extended_version}" >> ${manifest_location}
+echo "CompatibleName=${image_name}" >> ${manifest_location}
if [[ -n "${machine}" ]]; then
- echo -e "MachineName=${machine}" >> $manifest_location
+ echo -e "MachineName=${machine}" >> ${manifest_location}
fi
if [[ "${do_sign}" == true ]]; then
- signature_files=
- private_key_name=$(basename "${private_key_path}")
+ private_key_name=$(basename "${SIGNING_KEY}")
key_type="${private_key_name%.*}"
- echo KeyType="${key_type}" >> $manifest_location
- echo HashType="RSA-SHA256" >> $manifest_location
-
- for file in $files_to_sign; do
- openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
- signature_files="${signature_files} ${file}.sig"
- done
-
- if [ -n "$signature_files" ]; then
- sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
- cat $sort_signature_files > image-full
- openssl dgst -sha256 -sign ${private_key_path} -out image-full.sig image-full
- signature_files="${signature_files} image-full.sig"
- fi
+ echo KeyType="${key_type}" >> ${manifest_location}
+ echo HashType="RSA-SHA256" >> ${manifest_location}
- additional_files="${signature_files}"
+ make_signatures ${image_name} ${manifest_location} ${public_key_file}
fi
-tar -czvf $outfile $files_to_sign $additional_files
-echo "Bios image tarball is at $outfile"
+tar -czvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files}
+echo "Bios image tarball is at ${outfile}"
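Review bot: The argument order of `make_signatures ${image_name} ${manifest_location} ${public_key_file}` now determines the byte order of image-full and therefore what image-full.sig covers, which is the whole point of this commit, yet nothing at the call site records that contract; add above it `# Argument order = concatenation order of the .sig files in image-full; keep in sync with the verifier` (the same call in BMC/gen-image-all-tarball needs the same comment). The new `tar` line reads `${signature_files}`, which is only ever assigned inside the `do_sign` branch, so if signing can be switched off elsewhere in the parser the line relies on an unset variable expanding to nothing — fine unquoted as written, but it breaks under `set -u`; initialising `signature_files=""` next to `do_sign=true` makes that explicit. `${outfile}` is still unquoted on both touched lines; `tar -czvf "${outfile}" ...` is the safe form for a user-supplied path.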
diff --git a/BMC/README.md b/BMC/README.md
index 10019d4..8b79dd9 100644
--- a/BMC/README.md
+++ b/BMC/README.md
@@ -14,7 +14,7 @@
--version 2.13.0-dev-270-ga8eaf1b7d-dirty \
--image-name image-bmc \
--build-id 20220803101734 \
- --out obmc-phosphor-image-cp2-5422-20220803101734.tar.gz \
+ --out obmc-phosphor-image-cp2-5422-20220803101734.static.mtd.all.tar \
obmc-phosphor-image-cp2-5422-20220803101734.static.mtd
```
diff --git a/BMC/gen-image-all-tarball b/BMC/gen-image-all-tarball
index b82fa3c..866ae00 100755
--- a/BMC/gen-image-all-tarball
+++ b/BMC/gen-image-all-tarball
@@ -52,13 +52,32 @@ F0nIdUAhR0yTfKM=
do_sign=true
PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
-private_key_path="${PRIVATE_KEY_PATH}"
+SIGNING_KEY="${PRIVATE_KEY_PATH}"
outfile=""
machine=""
version=""
build_id=`date +"%Y%m%d%H%M%S"`
image_name="image-bmc"
+extended_version="0"
+compatible_name="CP2-5422"
+
+make_signatures() {
+ signature_files=""
+ for file in "$@"; do
+ openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file
+ signature_files="${signature_files} ${file}.sig"
+ done
+
+ if [ -n "$signature_files" ]; then
+ # DO NOT SORT: sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
+ sort_signature_files="$signature_files"
+ cat $sort_signature_files > image-full
+ openssl dgst -sha256 -sign ${SIGNING_KEY} -out image-full.sig image-full
+ signature_files="${signature_files} image-full.sig"
+ fi
+}
+
while [[ $# -gt 0 ]]; do
key="$1"
case $key in
@@ -69,7 +88,7 @@ while [[ $# -gt 0 ]]; do
-s|--sign)
do_sign=true
if [[ -n "${2}" && "${2}" != -* ]]; then
- private_key_path="$2"
+ SIGNING_KEY="$2"
shift 2
else
shift 1
@@ -133,22 +152,22 @@ scratch_dir=$(mktemp -d)
trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
if [[ "${do_sign}" == true ]]; then
- if [[ -z "${private_key_path}" ]]; then
- private_key_path=${scratch_dir}/OpenBMC.priv
- echo "${private_key}" > "${private_key_path}"
+ if [[ -z "${SIGNING_KEY}" ]]; then
+ SIGNING_KEY=${scratch_dir}/OpenBMC.priv
+ echo "${private_key}" > "${SIGNING_KEY}"
echo "Image is NOT secure!! Signing with the open private key!"
else
- if [[ ! -f "${private_key_path}" ]]; then
- echo "Couldn't find private key ${private_key_path}."
+ if [[ ! -f "${SIGNING_KEY}" ]]; then
+ echo "Couldn't find private key ${SIGNING_KEY}."
exit 1
fi
- echo "Signing with ${private_key_path}."
+ echo "Signing with ${SIGNING_KEY}."
fi
public_key_file=publickey
public_key_path=${scratch_dir}/$public_key_file
- openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+ openssl pkey -in "${SIGNING_KEY}" -pubout -out "${public_key_path}"
fi
manifest_location="MANIFEST"
@@ -161,35 +180,25 @@ files_to_sign+=" ${image_name}"
echo "Creating MANIFEST for the image"
echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.BMC\n\
-version=$version" > $manifest_location
-
-echo "BuildId=${build_id}" >> $manifest_location
-
-if [[ "${do_sign}" == true ]]; then
- signature_files=
- private_key_name=$(basename "${private_key_path}")
- key_type="${private_key_name%.*}"
- echo KeyType="${key_type}" >> $manifest_location
- echo HashType="RSA-SHA256" >> $manifest_location
+version=$version" > ${manifest_location}
- for file in $files_to_sign; do
- openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
- signature_files="${signature_files} ${file}.sig"
- done
+echo "BuildId=${build_id}" >> ${manifest_location}
- if [ -n "$signature_files" ]; then
- sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
- cat $sort_signature_files > image-full
- openssl dgst -sha256 -sign ${private_key_path} -out image-full.sig image-full
- signature_files="${signature_files} image-full.sig"
- fi
+echo "ExtendedVersion=${extended_version}" >> ${manifest_location}
+echo "CompatibleName=${compatible_name}" >> ${manifest_location}
- additional_files="${signature_files}"
+if [[ -n "${machine}" ]]; then
+ echo -e "MachineName=${machine}" >> ${manifest_location}
fi
-if [[ -n "${machine}" ]]; then
- echo -e "MachineName=${machine}" >> $manifest_location
+if [[ "${do_sign}" == true ]]; then
+ private_key_name=$(basename "${SIGNING_KEY}")
+ key_type="${private_key_name%.*}"
+ echo KeyType="${key_type}" >> ${manifest_location}
+ echo HashType="RSA-SHA256" >> ${manifest_location}
+
+ make_signatures ${image_name} ${manifest_location} ${public_key_file}
fi
-tar -czvf $outfile $files_to_sign $additional_files
-echo "Full image tarball is at $outfile"
+tar -cvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files}
+echo "Full image tarball is at ${outfile}"
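Review bot: `files_to_sign` is no longer consumed by the new `tar -cvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files}`, but the hunk's `@@` context line (`files_to_sign+=" ${image_name}"`) suggests it is still being built above this hunk, so that assignment and its `files_to_sign="$manifest_location $public_key_file"` initialiser are presumably dead now; the BIOS script in this same commit removes its counterparts and this file should do the same for consistency. The change from `-czvf` to `-cvf` drops gzip compression, which matches the `.static.mtd.all.tar` name in the README hunk, but it is worth confirming that whatever unpacks this archive on the BMC side accepts an uncompressed tar, since the previous output name ended in `.tar.gz`. As in the BIOS script, the `make_signatures` argument order now defines the contents of image-full, so a one-line comment on the call stating that would help the next maintainer.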