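#!/bin/bash
# Generate a tarball holding a full BMC image, its MANIFEST, the public half
# of the signing key and the signature files the OpenBMC updater consumes.
#
# Usage:       gen-image-all-tarball [OPTION] ... <image-file>   (see $help)
# Environment: PRIVATE_KEY_PATH - signing key used when -s gives no path.
# Exit status: 0 on success, 1 on a usage error or a missing input/key file;
#              any failing external command aborts the script (set -e).
set -euo pipefail

help=$(cat <<'EOF'
Generate Tarball with Full BMC image and MANIFEST Script

Generates a Full BMC image tarball from given file as input.
Creates a MANIFEST for image verification and recreation
Packages the image and MANIFEST together in a tarball

usage: gen-image-all-tarball [OPTION] ...

Options:
   -o, --out            Specify destination file. Defaults to
                        `pwd`/obmc-image-all.tar.gz if unspecified.
   -s, --sign           Sign the image. The optional path argument specifies
                        the private key file. Defaults to the bash variable
                        PRIVATE_KEY_PATH if available, or else uses the
                        open-source private key in this script.
   -m, --machine        Optionally specify the target machine name of this
                        image.
   -v, --version        Specify the version of Full image file.
   -b, --build-id       Specify the BuildId of Full image file.
   -i, --image-name     Specify the name of Full image in tarball.
                        Default: 'image-bmc'.
   -h, --help           Display this help text and exit.
EOF
)

#################################################################
# It's the OpenBMC "public" private key (currently under
# meta-phosphor/recipes-phosphor/flash/files/OpenBMC.priv):
# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/8949/15/
# meta-phosphor/common/recipes-phosphor/flash/files/OpenBMC.priv
#
# Because this key is published in the OpenBMC tree, a signature made with
# it proves nothing about who built the image; it only exercises the
# signing/verification path. Production images need a real key via -s or
# PRIVATE_KEY_PATH.
#################################################################
private_key=$'-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAPvSDLu6slkP1gri
PaeQXL9ysD69J/HjbBCIQ0RPfeWBb75US1tRTjPP0Ub8CtH8ExVf8iF1ulsZA78B
zIjBYZVp9pyD6LbpZ/hjV7rIH6dTNhoVpdA+F8LzmQ7cyhHG8l2JMvdunwF2uX5k
D4WDcZt/ITKZNQNavPtmIyD5HprdAgMBAAECgYEAuQkTSi5ZNpAoWz76xtGRFSwU
zUT4wQi3Mz6tDtjKTYXasiQGa0dHC1M9F8fDu6BZ9W7W4Dc9hArRcdzEighuxoI/
nZI/0uL89iUEywnDEIHuS6D5JlZaj86/nx9YvQnO8F/seM+MX0EAWVrd5wC7aAF1
h6Fu7ykZB4ggUjQAWwECQQD+AUiDOEO+8btLJ135dQfSGc5VFcZiequnKWVm6uXt
rX771hEYjYMjLqWGFg9G4gE3GuABM5chMINuQQUivy8tAkEA/cxfy19XkjtqcMgE
x/UDt6Nr+Ky/tk+4Y65WxPRDas0uxFOPk/vEjgVmz1k/TAy9G4giisluTvtmltr5
DCLocQJBAJnRHx9PiD7uVhRJz6/L/iNuOzPtTsi+Loq5F83+O6T15qsM1CeBMsOw
cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
5yuNImRZabC3ZolwaTdd7nf5r1y1Eyec5Ag5yENV6JKPe1Xkbb1XKJECQDngA0h4
6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
F0nIdUAhR0yTfKM=
-----END PRIVATE KEY-----
'

# Signing is always performed: do_sign is never set to false, so -s only
# chooses which key is used.
do_sign=true
PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
SIGNING_KEY="${PRIVATE_KEY_PATH}"
outfile=""
machine=""
version=""
build_id=$(date +"%Y%m%d%H%M%S")
image_name="image-bmc"
extended_version="0"
compatible_name="CP2-5422"
# Path of the input image (the single positional argument).
file=""
# Filled in by the signing steps below; read by the final tar step.
signature_files=""
public_key_file=""

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Sign each given file with SIGNING_KEY, then sign the concatenation of
# those signatures as image-full.
# Globals:   SIGNING_KEY (read)
#            signature_files (written): space-separated list of the .sig
#            files produced, in argument order, for the caller's tar step
# Arguments: files to sign, relative to the current directory
# Outputs:   <file>.sig per argument, plus image-full and image-full.sig
#######################################
make_signatures() {
  # 'local' keeps the loop variable from clobbering the global $file
  # (the input image path).
  local f
  local -a sigs=()
  signature_files=""
  for f in "$@"; do
    openssl dgst -sha256 -sign "${SIGNING_KEY}" -out "${f}.sig" "${f}"
    sigs+=("${f}.sig")
    signature_files="${signature_files} ${f}.sig"
  done
  if (( ${#sigs[@]} > 0 )); then
    # DO NOT SORT: image-full is the concatenation of the individual
    # signatures in argument order, and image-full.sig covers exactly that
    # byte sequence.
    cat "${sigs[@]}" > image-full
    openssl dgst -sha256 -sign "${SIGNING_KEY}" -out image-full.sig image-full
    signature_files="${signature_files} image-full.sig"
  fi
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    -o|--out)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      outfile="$2"
      shift 2
      ;;
    -s|--sign)
      do_sign=true
      # The key path is optional: any following argument that does not start
      # with '-' is taken as the key, so the image path must not directly
      # follow -s.
      if [[ -n "${2:-}" && "${2:-}" != -* ]]; then
        SIGNING_KEY="$2"
        shift 2
      else
        shift 1
      fi
      ;;
    -m|--machine)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      machine="$2"
      shift 2
      ;;
    -v|--version)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      version="$2"
      shift 2
      ;;
    -b|--build-id)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      build_id="$2"
      shift 2
      ;;
    -i|--image-name)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      image_name="$2"
      shift 2
      ;;
    -h|--help)
      echo "$help"
      exit 0
      ;;
    -*)
      # An unknown option is a usage error, not a success.
      printf 'Unrecognised option %s\n' "$1" >&2
      echo "$help" >&2
      exit 1
      ;;
    *)
      # Last positional argument wins.
      file="$1"
      shift 1
      ;;
  esac
done

if [[ -z "${file}" ]]; then
  echo "No image file given, Please enter a valid BMC image file" >&2
  echo "$help" >&2
  exit 1
fi
if [[ ! -f "${file}" ]]; then
  echo "${file} not found, Please enter a valid BMC image file" >&2
  echo "$help" >&2
  exit 1
fi
[[ -n "${version}" ]] || die "Please provide version of image with -v option"

# Resolve outfile to an absolute path now, because the script cd's into the
# scratch directory before tar runs.
if [[ -z "${outfile}" ]]; then
  outfile="${PWD}/obmc-image-all.tar.gz"
elif [[ "${outfile}" != /* ]]; then
  outfile="${PWD}/${outfile}"
fi

scratch_dir=$(mktemp -d)
# Remove the temp directory on exit.
# The files in the temp directory may contain read-only files, so add
# --interactive=never to skip the prompt.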
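trap '{ rm -r --interactive=never "${scratch_dir}"; }' EXIT

# Defaults for the names the final tar step reads. The signing block below
# always runs (do_sign is never set to false), but empty defaults keep the
# tar argument list well-formed regardless.
public_key_file=""
signature_files=""

if [[ "${do_sign}" == true ]]; then
  if [[ -z "${SIGNING_KEY}" ]]; then
    # No -s path and PRIVATE_KEY_PATH unset: fall back to the publicly
    # known key embedded in this script. A signature made with it gives
    # the updater no assurance about who built the image.
    SIGNING_KEY="${scratch_dir}/OpenBMC.priv"
    (umask 077 && printf '%s\n' "${private_key}" > "${SIGNING_KEY}")
    echo "Image is NOT secure!! Signing with the open private key!" >&2
  elif [[ ! -f "${SIGNING_KEY}" ]]; then
    echo "Couldn't find private key ${SIGNING_KEY}." >&2
    exit 1
  else
    echo "Signing with ${SIGNING_KEY}."
  fi
  # Only the public half goes into the tarball, under the fixed name
  # 'publickey'.
  public_key_file=publickey
  public_key_path="${scratch_dir}/${public_key_file}"
  openssl pkey -in "${SIGNING_KEY}" -pubout -out "${public_key_path}"
fi

manifest_location="MANIFEST"

# Work inside scratch_dir from here on so the tar members have bare names.
cp -- "${file}" "${scratch_dir}/${image_name}"
cd "${scratch_dir}"

echo "Creating MANIFEST for the image"
# printf instead of echo -e: values are written verbatim, so a backslash in
# the version or machine name is not reinterpreted as an escape sequence.
{
  printf 'purpose=%s\n' "xyz.openbmc_project.Software.Version.VersionPurpose.BMC"
  printf 'version=%s\n' "${version}"
  printf 'BuildId=%s\n' "${build_id}"
  printf 'ExtendedVersion=%s\n' "${extended_version}"
  printf 'CompatibleName=%s\n' "${compatible_name}"
  if [[ -n "${machine}" ]]; then
    printf 'MachineName=%s\n' "${machine}"
  fi
  if [[ "${do_sign}" == true ]]; then
    # KeyType is the key file's base name without its extension
    # ("OpenBMC" for the embedded fallback key); presumably matched by the
    # updater against its installed public keys -- confirm on the target.
    private_key_name=$(basename "${SIGNING_KEY}")
    printf 'KeyType=%s\n' "${private_key_name%.*}"
    printf 'HashType=%s\n' "RSA-SHA256"
  fi
} > "${manifest_location}"

if [[ "${do_sign}" == true ]]; then
  # Image first, then MANIFEST, then the public key: this order fixes the
  # layout of image-full (see make_signatures).
  make_signatures "${image_name}" "${manifest_location}" "${public_key_file}"
fi

tar_members=("${image_name}" "${manifest_location}")
if [[ -n "${public_key_file}" ]]; then
  tar_members+=("${public_key_file}")
fi
# signature_files is the space-separated list built by make_signatures;
# splitting it on whitespace here is intentional.
# shellcheck disable=SC2206
tar_members+=(${signature_files})
tar -cvf "${outfile}" "${tar_members[@]}"
echo "Full image tarball is at ${outfile}"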