From a4d4a88dd3ebccc2c032bad85a1fd8288de414e8 Mon Sep 17 00:00:00 2001
From: "Andrey V.Kosteltsev"
Date: Wed, 3 Aug 2022 22:04:11 +0300
Subject: SILA service scripts (first implementation)
---
BIOS/README.md | 26 +++++++
BIOS/gen-bios-tarball | 187 ++++++++++++++++++++++++++++++++++++++++++++
BMC/README.md | 26 +++++++
BMC/gen-image-all-tarball | 195 ++++++++++++++++++++++++++++++++++++++++++++++
README.md | 6 ++
5 files changed, 440 insertions(+)
create mode 100644 BIOS/README.md
create mode 100755 BIOS/gen-bios-tarball
create mode 100644 BMC/README.md
create mode 100755 BMC/gen-image-all-tarball
create mode 100644 README.md
diff --git a/BIOS/README.md b/BIOS/README.md
new file mode 100644
index 0000000..34d8293
--- /dev/null
+++ b/BIOS/README.md
@@ -0,0 +1,26 @@
+
+Создание образа BIOS
+====================
+
+Скрипт `gen-bios-tarball` предназначен для создания образа для
+прошивки BIOS посредством веб-интерфейса BMC CP2-5422.
+
+Использование:
+-------------
+
+```
+./gen-bios-tarball \
+ --machine cp2-5422 \
+ --version 1.50 \
+ --compatible-name bios-image \
+ --extended-version 456555-012 \
+ --out obmc-bios-image-cp2-5422-1.50-456555-012.tar.gz \
+ 469555_012_sila_bios_test_kcs_cpuinfo.fd
+
+```
+
+Здесь файл `469555_012_sila_bios_test_kcs_cpuinfo.fd` является исходным
+образом SPI NOR Flach чипа BIOS.
+
+Enjoy.
+
diff --git a/BIOS/gen-bios-tarball b/BIOS/gen-bios-tarball
new file mode 100755
index 0000000..e4dcea6
--- /dev/null
+++ b/BIOS/gen-bios-tarball
@@ -0,0 +1,187 @@
+#!/bin/bash
+set -eo pipefail
+
+help=$'Generate Tarball with Bios image and MANIFEST Script
+
+Generates a Bios image tarball from given file as input.
+Creates a MANIFEST for image verification and recreation
+Packages the image and MANIFEST together in a tarball
+
+usage: gen-bios-tarball [OPTION] ...
+
+Options:
+ -o, --out Specify destination file. Defaults to
+ `pwd`/obmc-bios.tar.gz if unspecified.
+ -s, --sign Sign the image. The optional path argument specifies
+ the private key file. Defaults to the bash variable
+ PRIVATE_KEY_PATH if available, or else uses the
+ open-source private key in this script.
+ -m, --machine Optionally specify the target machine name of this
+ image.
+ -v, --version Specify the version of bios image file.
+ -e, --extended-version Specify the Extended Version of bios image file
+ -c, --compatible-name Specify the name of bios image in tarball.
+ Default: 'bios-image'.
+ -h, --help Display this help text and exit.
+'
+
+#################################################################
+# It's the OpenBMC "public" private key (currently under
+# meta-phosphor/recipes-phosphor/flash/files/OpenBMC.priv):
+# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/8949/15/
+# meta-phosphor/common/recipes-phosphor/flash/files/OpenBMC.priv
+#
+#################################################################
+private_key=$'-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAPvSDLu6slkP1gri
+PaeQXL9ysD69J/HjbBCIQ0RPfeWBb75US1tRTjPP0Ub8CtH8ExVf8iF1ulsZA78B
+zIjBYZVp9pyD6LbpZ/hjV7rIH6dTNhoVpdA+F8LzmQ7cyhHG8l2JMvdunwF2uX5k
+D4WDcZt/ITKZNQNavPtmIyD5HprdAgMBAAECgYEAuQkTSi5ZNpAoWz76xtGRFSwU
+zUT4wQi3Mz6tDtjKTYXasiQGa0dHC1M9F8fDu6BZ9W7W4Dc9hArRcdzEighuxoI/
+nZI/0uL89iUEywnDEIHuS6D5JlZaj86/nx9YvQnO8F/seM+MX0EAWVrd5wC7aAF1
+h6Fu7ykZB4ggUjQAWwECQQD+AUiDOEO+8btLJ135dQfSGc5VFcZiequnKWVm6uXt
+rX771hEYjYMjLqWGFg9G4gE3GuABM5chMINuQQUivy8tAkEA/cxfy19XkjtqcMgE
+x/UDt6Nr+Ky/tk+4Y65WxPRDas0uxFOPk/vEjgVmz1k/TAy9G4giisluTvtmltr5
+DCLocQJBAJnRHx9PiD7uVhRJz6/L/iNuOzPtTsi+Loq5F83+O6T15qsM1CeBMsOw
+cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
+5yuNImRZabC3ZolwaTdd7nf5r1y1Eyec5Ag5yENV6JKPe1Xkbb1XKJECQDngA0h4
+6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
+F0nIdUAhR0yTfKM=
+-----END PRIVATE KEY-----
+'
+
+do_sign=true
+PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
+private_key_path="${PRIVATE_KEY_PATH}"
+outfile=""
+machine=""
+version=""
+extended_version=""
+compatible_name="bios-image"
+
+while [[ $# -gt 0 ]]; do
+ key="$1"
+ case $key in
+ -o|--out)
+ outfile="$2"
+ shift 2
+ ;;
+ -s|--sign)
+ do_sign=true
+ if [[ -n "${2}" && "${2}" != -* ]]; then
+ private_key_path="$2"
+ shift 2
+ else
+ shift 1
+ fi
+ ;;
+ -m|--machine)
+ machine="$2"
+ shift 2
+ ;;
+ -v|--version)
+ version="$2"
+ shift 2
+ ;;
+ -e|--extended-version)
+ extended_version="$2"
+ shift 2
+ ;;
+ -c|--compatible-name)
+ compatible_name="$2"
+ shift 2
+ ;;
+ -h|--help)
+ echo "$help"
+ exit
+ ;;
+ -*)
+ echo "Unrecognised option $1"
+ echo "$help"
+ exit
+ ;;
+ *)
+ file="$1"
+ shift 1
+ ;;
+ esac
+done
+
+if [ ! -f "${file}" ]; then
+ echo "${file} not found, Please enter a valid Bios image file"
+ echo "$help"
+ exit 1
+fi
+
+if [[ -z $version ]]; then
+ echo "Please provide version of image with -v option"
+ exit 1
+fi
+
+if [[ -z $outfile ]]; then
+ outfile=$(pwd)/obmc-bios.tar.gz
+else
+ if [[ $outfile != /* ]]; then
+ outfile=$(pwd)/$outfile
+ fi
+fi
+
+scratch_dir=$(mktemp -d)
+# Remove the temp directory on exit.
+# The files in the temp directory may contain read-only files, so add
+# --interactive=never to skip the prompt.
+trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
+
+if [[ "${do_sign}" == true ]]; then
+ if [[ -z "${private_key_path}" ]]; then
+ private_key_path=${scratch_dir}/OpenBMC.priv
+ echo "${private_key}" > "${private_key_path}"
+ echo "Image is NOT secure!! Signing with the open private key!"
+ else
+ if [[ ! -f "${private_key_path}" ]]; then
+ echo "Couldn't find private key ${private_key_path}."
+ exit 1
+ fi
+
+ echo "Signing with ${private_key_path}."
+ fi
+
+ public_key_file=publickey
+ public_key_path=${scratch_dir}/$public_key_file
+ openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+fi
+
+manifest_location="MANIFEST"
+files_to_sign="$manifest_location $public_key_file"
+
+# Go to scratch_dir
+cp "${file}" "${scratch_dir}/${compatible_name}"
+cd "${scratch_dir}"
+files_to_sign+=" ${compatible_name}"
+
+echo "Creating MANIFEST for the image"
+echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\
+version=$version" > $manifest_location
+
+echo "ExtendedVersion=${extended_version}" >> $manifest_location
+echo "CompatibleName=${compatible_name}" >> $manifest_location
+
+if [[ -n "${machine}" ]]; then
+ echo -e "MachineName=${machine}" >> $manifest_location
+fi
+
+if [[ "${do_sign}" == true ]]; then
+ private_key_name=$(basename "${private_key_path}")
+ key_type="${private_key_name%.*}"
+ echo KeyType="${key_type}" >> $manifest_location
+ echo HashType="RSA-SHA256" >> $manifest_location
+
+ for file in $files_to_sign; do
+ openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
+ done
+
+ additional_files="*.sig"
+fi
+
+tar -czvf $outfile $files_to_sign $additional_files
+echo "Bios image tarball is at $outfile"
diff --git a/BMC/README.md b/BMC/README.md
new file mode 100644
index 0000000..c43e02d
--- /dev/null
+++ b/BMC/README.md
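Review bot: Every run that omits both `-s <path>` and `PRIVATE_KEY_PATH` signs with the embedded OpenBMC key, because `do_sign=true` is set unconditionally and the empty-path branch of the signing block writes `private_key` into the scratch directory and only prints a warning on stdout before the script exits 0. That key is published, so a signature made with it says nothing about who built the image, and a release build that forgets the key argument looks identical to a correct one to any caller that checks only the exit status. I would make the fallback an explicit opt-in and fail otherwise, for example `echo "No signing key: pass -s <key> or set PRIVATE_KEY_PATH" >&2; exit 1` unless a development override is set, and at minimum send the existing warning to stderr. BMC/gen-image-all-tarball carries the same block. Separately, the `-*)` branch ends in a bare `exit`, so an unrecognised option returns status 0; `exit 1` would let callers notice.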
@@ -0,0 +1,26 @@
+
+Создание образа BMC
+===================
+
+Скрипт `gen-image-all-tarball` предназначен для создания образа для
+прошивки BMC CP2-5422 посредством веб-интерфейса BMC.
+
+Использование:
+-------------
+
+```
+./gen-image-all-tarball \
+ --machine cp2-5422 \
+ --version 2.13.0-dev-270-ga8eaf1b7d-dirty \
+ --image-name image-bmc \
+ --compatible-name image-full \
+ --build-id 20220803101734 \
+ --out obmc-phosphor-image-cp2-5422-20220803101734.tar.gz \
+ obmc-phosphor-image-cp2-5422-20220803101734.static.mtd
+```
+
+Здесь файл `obmc-phosphor-image-cp2-5422-20220803101734.static.mtd` является исходным
+образом SPI NOR Flach чипа BMC CP2-5422.
+
+Enjoy.
+
diff --git a/BMC/gen-image-all-tarball b/BMC/gen-image-all-tarball
new file mode 100755
index 0000000..06d3b8a
--- /dev/null
+++ b/BMC/gen-image-all-tarball
@@ -0,0 +1,195 @@
+#!/bin/bash
+set -eo pipefail
+
+help=$'Generate Tarball with Full BMC image and MANIFEST Script
+
+Generates a Full BMC image tarball from given file as input.
+Creates a MANIFEST for image verification and recreation
+Packages the image and MANIFEST together in a tarball
+
+usage: gen-image-all-tarball [OPTION] ...
+
+Options:
+ -o, --out Specify destination file. Defaults to
+ `pwd`/obmc-image-all.tar.gz if unspecified.
+ -s, --sign Sign the image. The optional path argument specifies
+ the private key file. Defaults to the bash variable
+ PRIVATE_KEY_PATH if available, or else uses the
+ open-source private key in this script.
+ -m, --machine Optionally specify the target machine name of this
+ image.
+ -v, --version Specify the version of Full image file.
+ -b, --build-id Specify the BuildId of Full image file.
+ -i, --image-name Specify the name of Full image in tarball.
+ Default: 'image-bmc'.
+ -c, --compatible-name Specify the name of Full image in tarball.
+ Default: 'image-full'.
+ -h, --help Display this help text and exit.
+'
+
+#################################################################
+# It's the OpenBMC "public" private key (currently under
+# meta-phosphor/recipes-phosphor/flash/files/OpenBMC.priv):
+# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/8949/15/
+# meta-phosphor/common/recipes-phosphor/flash/files/OpenBMC.priv
+#
+#################################################################
+private_key=$'-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAPvSDLu6slkP1gri
+PaeQXL9ysD69J/HjbBCIQ0RPfeWBb75US1tRTjPP0Ub8CtH8ExVf8iF1ulsZA78B
+zIjBYZVp9pyD6LbpZ/hjV7rIH6dTNhoVpdA+F8LzmQ7cyhHG8l2JMvdunwF2uX5k
+D4WDcZt/ITKZNQNavPtmIyD5HprdAgMBAAECgYEAuQkTSi5ZNpAoWz76xtGRFSwU
+zUT4wQi3Mz6tDtjKTYXasiQGa0dHC1M9F8fDu6BZ9W7W4Dc9hArRcdzEighuxoI/
+nZI/0uL89iUEywnDEIHuS6D5JlZaj86/nx9YvQnO8F/seM+MX0EAWVrd5wC7aAF1
+h6Fu7ykZB4ggUjQAWwECQQD+AUiDOEO+8btLJ135dQfSGc5VFcZiequnKWVm6uXt
+rX771hEYjYMjLqWGFg9G4gE3GuABM5chMINuQQUivy8tAkEA/cxfy19XkjtqcMgE
+x/UDt6Nr+Ky/tk+4Y65WxPRDas0uxFOPk/vEjgVmz1k/TAy9G4giisluTvtmltr5
+DCLocQJBAJnRHx9PiD7uVhRJz6/L/iNuOzPtTsi+Loq5F83+O6T15qsM1CeBMsOw
+cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
+5yuNImRZabC3ZolwaTdd7nf5r1y1Eyec5Ag5yENV6JKPe1Xkbb1XKJECQDngA0h4
+6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
+F0nIdUAhR0yTfKM=
+-----END PRIVATE KEY-----
+'
+
+do_sign=true
+PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
+private_key_path="${PRIVATE_KEY_PATH}"
+outfile=""
+machine=""
+version=""
+build_id=`date +"%Y%m%d%H%M%S`
+image_name="image-bmc"
+compatible_name="image-full"
+
+while [[ $# -gt 0 ]]; do
+ key="$1"
+ case $key in
+ -o|--out)
+ outfile="$2"
+ shift 2
+ ;;
+ -s|--sign)
+ do_sign=true
+ if [[ -n "${2}" && "${2}" != -* ]]; then
+ private_key_path="$2"
+ shift 2
+ else
+ shift 1
+ fi
+ ;;
+ -m|--machine)
+ machine="$2"
+ shift 2
+ ;;
+ -v|--version)
+ version="$2"
+ shift 2
+ ;;
+ -b|--build-id)
+ build_id="$2"
+ shift 2
+ ;;
+ -i|--image-name)
+ image_name="$2"
+ shift 2
+ ;;
+ -c|--compatible-name)
+ compatible_name="$2"
+ shift 2
+ ;;
+ -h|--help)
+ echo "$help"
+ exit
+ ;;
+ -*)
+ echo "Unrecognised option $1"
+ echo "$help"
+ exit
+ ;;
+ *)
+ file="$1"
+ shift 1
+ ;;
+ esac
+done
+
+if [ ! -f "${file}" ]; then
+ echo "${file} not found, Please enter a valid Bios image file"
+ echo "$help"
+ exit 1
+fi
+
+if [[ -z $version ]]; then
+ echo "Please provide version of image with -v option"
+ exit 1
+fi
+
+if [[ -z $outfile ]]; then
+ outfile=$(pwd)/obmc-image-all.tar.gz
+else
+ if [[ $outfile != /* ]]; then
+ outfile=$(pwd)/$outfile
+ fi
+fi
+
+scratch_dir=$(mktemp -d)
+# Remove the temp directory on exit.
+# The files in the temp directory may contain read-only files, so add
+# --interactive=never to skip the prompt.
+trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
+
+if [[ "${do_sign}" == true ]]; then
+ if [[ -z "${private_key_path}" ]]; then
+ private_key_path=${scratch_dir}/OpenBMC.priv
+ echo "${private_key}" > "${private_key_path}"
+ echo "Image is NOT secure!! Signing with the open private key!"
+ else
+ if [[ ! -f "${private_key_path}" ]]; then
+ echo "Couldn't find private key ${private_key_path}."
+ exit 1
+ fi
+
+ echo "Signing with ${private_key_path}."
+ fi
+
+ public_key_file=publickey
+ public_key_path=${scratch_dir}/$public_key_file
+ openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+fi
+
+manifest_location="MANIFEST"
+files_to_sign="$manifest_location $public_key_file"
+
+# Go to scratch_dir
+cp "${file}" "${scratch_dir}/${image_name}"
+cd "${scratch_dir}"
+files_to_sign+=" ${image_name}"
+
+echo "Creating MANIFEST for the image"
+echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.BMC\n\
+version=$version" > $manifest_location
+
+echo "BuildId=${build_id}" >> $manifest_location
+
+if [[ "${do_sign}" == true ]]; then
+ private_key_name=$(basename "${private_key_path}")
+ key_type="${private_key_name%.*}"
+ echo KeyType="${key_type}" >> $manifest_location
+ echo HashType="RSA-SHA256" >> $manifest_location
+
+ for file in $files_to_sign; do
+ openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
+ done
+
+ openssl dgst -sha256 -sign "${private_key_path}" -out "${compatible_name}.sig" "${image_name}"
+
+ additional_files="*.sig"
+fi
+
+if [[ -n "${machine}" ]]; then
+ echo -e "MachineName=${machine}" >> $manifest_location
+fi
+
+tar -czvf $outfile $files_to_sign $additional_files
+echo "Full image tarball is at $outfile"
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1d3df6d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+
+SILA service scripts and tools
+==============================
+
+Данный репозиторий содержит сервисные скрипты и утилиты для создания
+образов BIOS/BMC, совместимых с продуктами компании СИЛА.
--
cgit v1.2.3
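Review bot: `MachineName=${machine}` is appended to MANIFEST after the signing loop has already produced `MANIFEST.sig`, so whenever `--machine` is passed (as in the README example) the packaged MANIFEST no longer matches its signature and would fail on a target that verifies it; BIOS/gen-bios-tarball writes this field before signing. Move the `if [[ -n "${machine}" ]]` block above the `if [[ "${do_sign}" == true ]]` block that calls `openssl dgst`. The default `build_id` assignment also has an unterminated double quote inside the backticks (`date +"%Y%m%d%H%M%S`), which bash should report as an unmatched quote in the command substitution; `build_id=$(date +"%Y%m%d%H%M%S")` is presumably what was meant. The missing-file message in this script still says "Bios image file".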