From b3bc57222f6a5cf0817e30abd1f3d717a63509a4 Mon Sep 17 00:00:00 2001 From: "Andrey V.Kosteltsev" Date: Sat, 6 Aug 2022 23:52:07 +0300 Subject: Do not sort signature files for image-full.sig --- BIOS/gen-bios-tarball | 71 ++++++++++++++++++++++--------------------- BMC/README.md | 2 +- BMC/gen-image-all-tarball | 77 ++++++++++++++++++++++++++--------------------- 3 files changed, 80 insertions(+), 70 deletions(-) diff --git a/BIOS/gen-bios-tarball b/BIOS/gen-bios-tarball index 46a62ef..aeb0cb2 100755 --- a/BIOS/gen-bios-tarball +++ b/BIOS/gen-bios-tarball @@ -48,18 +48,34 @@ cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE 6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m F0nIdUAhR0yTfKM= -----END PRIVATE KEY----- - ' do_sign=true PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-} -private_key_path="${PRIVATE_KEY_PATH}" +SIGNING_KEY="${PRIVATE_KEY_PATH}" outfile="" machine="" version="" extended_version="" image_name="image-hostfw" +make_signatures() { + signature_files="" + for file in "$@"; do + openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file + signature_files="${signature_files} ${file}.sig" + done + + if [ -n "$signature_files" ]; then + # DO NOT SORT: sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '` + sort_signature_files="$signature_files" + cat $sort_signature_files > image-full + openssl dgst -sha256 -sign ${SIGNING_KEY} -out image-full.sig image-full + signature_files="${signature_files} image-full.sig" + fi +} + + while [[ $# -gt 0 ]]; do key="$1" case $key in @@ -70,7 +86,7 @@ while [[ $# -gt 0 ]]; do -s|--sign) do_sign=true if [[ -n "${2}" && "${2}" != -* ]]; then - private_key_path="$2" + SIGNING_KEY="$2" shift 2 else shift 1 
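Review bot: The new `make_signatures` drops the quoting the loop it replaces had: `openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file` word-splits and globs both the key path and the file name, so a key path passed via `--sign` that contains whitespace or glob characters breaks signing, whereas the removed loop used `"${private_key_path}"` and `"$file"`. Quote them in both openssl calls: `openssl dgst -sha256 -sign "${SIGNING_KEY}" -out "${file}.sig" "$file"` and `openssl dgst -sha256 -sign "${SIGNING_KEY}" -out image-full.sig image-full`. The same function is added verbatim in BMC/gen-image-all-tarball (hunk @@ -52,13 +52,32 @@), so the fix applies there too. Because the function writes the global `signature_files` that the final tar command reads, and relies on argument order for image-full, a header comment would help the next reader: `# Signs each argument with SIGNING_KEY, then signs image-full (the per-file signatures concatenated in argument order); leaves the list in the global signature_files.`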
@@ -134,64 +150,49 @@ scratch_dir=$(mktemp -d) trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT if [[ "${do_sign}" == true ]]; then - if [[ -z "${private_key_path}" ]]; then - private_key_path=${scratch_dir}/OpenBMC.priv - echo "${private_key}" > "${private_key_path}" + if [[ -z "${SIGNING_KEY}" ]]; then + SIGNING_KEY=${scratch_dir}/OpenBMC.priv + echo "${private_key}" > "${SIGNING_KEY}" echo "Image is NOT secure!! Signing with the open private key!" else - if [[ ! -f "${private_key_path}" ]]; then - echo "Couldn't find private key ${private_key_path}." + if [[ ! -f "${SIGNING_KEY}" ]]; then + echo "Couldn't find private key ${SIGNING_KEY}." exit 1 fi - echo "Signing with ${private_key_path}." + echo "Signing with ${SIGNING_KEY}." fi public_key_file=publickey public_key_path=${scratch_dir}/$public_key_file - openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}" + openssl pkey -in "${SIGNING_KEY}" -pubout -out "${public_key_path}" fi manifest_location="MANIFEST" -files_to_sign="$manifest_location $public_key_file" # Go to scratch_dir cp "${file}" "${scratch_dir}/${image_name}" cd "${scratch_dir}" -files_to_sign+=" ${image_name}" echo "Creating MANIFEST for the image" echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\ -version=$version" > $manifest_location +version=${version}" > ${manifest_location} -echo "ExtendedVersion=${extended_version}" >> $manifest_location -echo "CompatibleName=${image_name}" >> $manifest_location +echo "ExtendedVersion=${extended_version}" >> ${manifest_location} +echo "CompatibleName=${image_name}" >> ${manifest_location} if [[ -n "${machine}" ]]; then - echo -e "MachineName=${machine}" >> $manifest_location + echo -e "MachineName=${machine}" >> ${manifest_location} fi if [[ "${do_sign}" == true ]]; then - signature_files= - private_key_name=$(basename "${private_key_path}") + private_key_name=$(basename "${SIGNING_KEY}") key_type="${private_key_name%.*}" - echo KeyType="${key_type}" >> 
$manifest_location - echo HashType="RSA-SHA256" >> $manifest_location - - for file in $files_to_sign; do - openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file" - signature_files="${signature_files} ${file}.sig" - done - - if [ -n "$signature_files" ]; then - sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '` - cat $sort_signature_files > image-full - openssl dgst -sha256 -sign ${private_key_path} -out image-full.sig image-full - signature_files="${signature_files} image-full.sig" - fi + echo KeyType="${key_type}" >> ${manifest_location} + echo HashType="RSA-SHA256" >> ${manifest_location} - additional_files="${signature_files}" + make_signatures ${image_name} ${manifest_location} ${public_key_file} fi -tar -czvf $outfile $files_to_sign $additional_files -echo "Bios image tarball is at $outfile" +tar -czvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files} +echo "Bios image tarball is at ${outfile}" diff --git a/BMC/README.md b/BMC/README.md index 10019d4..8b79dd9 100644 --- a/BMC/README.md +++ b/BMC/README.md @@ -14,7 +14,7 @@ --version 2.13.0-dev-270-ga8eaf1b7d-dirty \ --image-name image-bmc \ --build-id 20220803101734 \ - --out obmc-phosphor-image-cp2-5422-20220803101734.tar.gz \ + --out obmc-phosphor-image-cp2-5422-20220803101734.static.mtd.all.tar \ obmc-phosphor-image-cp2-5422-20220803101734.static.mtd ``` diff --git a/BMC/gen-image-all-tarball b/BMC/gen-image-all-tarball index b82fa3c..866ae00 100755 --- a/BMC/gen-image-all-tarball +++ b/BMC/gen-image-all-tarball 
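Review bot: The argument order of `make_signatures ${image_name} ${manifest_location} ${public_key_file}` is now the layout of image-full (and therefore what image-full.sig covers), but nothing at the call site records that this order is a contract rather than a convenience; the removed `sort` at least made the order independent of the call site, though it depended on the locale's collation of `MANIFEST.sig` against `image-hostfw.sig`. Add a comment above the call: `# Order matters: image-full.sig covers these signatures concatenated in exactly this order` and, presumably, `# keep in sync with the verifier on the target — confirm`. The same applies to the identical call in BMC/gen-image-all-tarball (hunk @@ -161,35 +180,25 @@). The `${signature_files}` on the tar line is only set inside the `do_sign` branch, so with `--sign` disabled it expands to nothing; that is harmless without `set -u` but worth a short comment on the tar line.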
@@ -52,13 +52,32 @@ F0nIdUAhR0yTfKM= do_sign=true PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-} -private_key_path="${PRIVATE_KEY_PATH}" +SIGNING_KEY="${PRIVATE_KEY_PATH}" outfile="" machine="" version="" build_id=`date +"%Y%m%d%H%M%S"` image_name="image-bmc" +extended_version="0" +compatible_name="CP2-5422" + +make_signatures() { + signature_files="" + for file in "$@"; do + openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file + signature_files="${signature_files} ${file}.sig" + done + + if [ -n "$signature_files" ]; then + # DO NOT SORT: sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '` + sort_signature_files="$signature_files" + cat $sort_signature_files > image-full + openssl dgst -sha256 -sign ${SIGNING_KEY} -out image-full.sig image-full + signature_files="${signature_files} image-full.sig" + fi +} + while [[ $# -gt 0 ]]; do key="$1" case $key in @@ -69,7 +88,7 @@ while [[ $# -gt 0 ]]; do -s|--sign) do_sign=true if [[ -n "${2}" && "${2}" != -* ]]; then - private_key_path="$2" + SIGNING_KEY="$2" shift 2 else shift 1 
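Review bot: `compatible_name="CP2-5422"` hard-codes a board identifier into the MANIFEST CompatibleName, and no way to override it is visible in the argument-parsing hunk that follows (@@ -69,7 +88,7 @@ only renames the key variable), so a build for another `--machine` would still carry this name unless an option exists outside these hunks. Consider taking it from the environment with a documented default, `compatible_name="${COMPATIBLE_NAME:-CP2-5422}"`, and likewise `extended_version="${EXTENDED_VERSION:-0}"`, so the value is visible per build. At minimum add a comment: `# CompatibleName written to MANIFEST; presumably checked by the update service on the target — confirm before changing`.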
@@ -133,22 +152,22 @@ scratch_dir=$(mktemp -d) trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT if [[ "${do_sign}" == true ]]; then - if [[ -z "${private_key_path}" ]]; then - private_key_path=${scratch_dir}/OpenBMC.priv - echo "${private_key}" > "${private_key_path}" + if [[ -z "${SIGNING_KEY}" ]]; then + SIGNING_KEY=${scratch_dir}/OpenBMC.priv + echo "${private_key}" > "${SIGNING_KEY}" echo "Image is NOT secure!! Signing with the open private key!" else - if [[ ! -f "${private_key_path}" ]]; then - echo "Couldn't find private key ${private_key_path}." + if [[ ! -f "${SIGNING_KEY}" ]]; then + echo "Couldn't find private key ${SIGNING_KEY}." exit 1 fi - echo "Signing with ${private_key_path}." + echo "Signing with ${SIGNING_KEY}." fi public_key_file=publickey public_key_path=${scratch_dir}/$public_key_file - openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}" + openssl pkey -in "${SIGNING_KEY}" -pubout -out "${public_key_path}" fi manifest_location="MANIFEST" 
@@ -161,35 +180,25 @@ files_to_sign+=" ${image_name}" echo "Creating MANIFEST for the image" echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.BMC\n\ -version=$version" > $manifest_location - -echo "BuildId=${build_id}" >> $manifest_location - -if [[ "${do_sign}" == true ]]; then - signature_files= - private_key_name=$(basename "${private_key_path}") - key_type="${private_key_name%.*}" - echo KeyType="${key_type}" >> $manifest_location - echo HashType="RSA-SHA256" >> $manifest_location +version=$version" > ${manifest_location} - for file in $files_to_sign; do - openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file" - signature_files="${signature_files} ${file}.sig" - done +echo "BuildId=${build_id}" >> ${manifest_location} - if [ -n "$signature_files" ]; then - sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '` - cat $sort_signature_files > image-full - openssl dgst -sha256 -sign ${private_key_path} -out image-full.sig image-full - signature_files="${signature_files} image-full.sig" - fi +echo "ExtendedVersion=${extended_version}" >> ${manifest_location} +echo "CompatibleName=${compatible_name}" >> ${manifest_location} - additional_files="${signature_files}" +if [[ -n "${machine}" ]]; then + echo -e "MachineName=${machine}" >> ${manifest_location} fi -if [[ -n "${machine}" ]]; then - echo -e "MachineName=${machine}" >> $manifest_location +if [[ "${do_sign}" == true ]]; then + private_key_name=$(basename "${SIGNING_KEY}") + key_type="${private_key_name%.*}" + echo KeyType="${key_type}" >> ${manifest_location} + echo HashType="RSA-SHA256" >> ${manifest_location} + + make_signatures ${image_name} ${manifest_location} ${public_key_file} fi -tar -czvf $outfile $files_to_sign $additional_files -echo "Full image tarball is at $outfile" +tar -cvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files} +echo "Full image tarball is at ${outfile}" -- cgit v1.2.3
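Review bot: The new tar line `tar -cvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files}` no longer uses `files_to_sign`, yet the hunk header context `files_to_sign+=" ${image_name}"` suggests that variable is still assigned just above this hunk; the BIOS script in this same commit removes the equivalent assignments, so the BMC script should do the same or the dead variable will confuse the next reader. The switch from `-czvf` to `-cvf` changes the output from gzip to a plain tar and is not mentioned in the commit title; the README change covers the new `.tar` name, but any `--out` usage text earlier in the file (outside this hunk) should be checked for a stale `.tar.gz` example. A one-line comment on the tar line, `# uncompressed tar: the update service expects the .static.mtd.all.tar layout — confirm`, would record the reason, hedged until confirmed.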