scripts: generate obmc-bios.tar.gz for bmc to upgrade host firmware

Signed-off-by: haijiao.liu <[email protected]>

scripts/envsetup.sh

@@ -1177,6 +1177,7 @@ function clean_rv_firmware()
 
 function build_rv_firmware_bin()
 {
+	version=$(date "+%Y%m%d%H%M%S")
 	build_rv_firmware
 
 	gcc -g -Werror $RV_SCRIPTS_DIR/gen_spi_flash.c -o $RV_FIRMWARE_INSTALL_DIR/gen_spi_flash
@@ -1193,9 +1194,13 @@ function build_rv_firmware_bin()
 			initrd.img initrd.img 0x30000000 \
 			zsbl.bin zsbl.bin 0x40000000
 
-	mv spi_flash.bin firmware.bin
+	mv spi_flash.bin firmware-$version.bin
 	rm -f gen_spi_flash
 
+	cp firmware-$version.bin image-bmc
+	$RV_SCRIPTS_DIR/gen-tar-for-bmc.sh image-bmc -o obmc-bios.tar.gz -m ast2600-sophgo -v $version -s
+	rm -f image-bmc
+
 	popd
 }
 

scripts/gen-tar-for-bmc.sh

@@ -0,0 +1,176 @@
+#!/bin/bash
+set -eo pipefail
+
+help=$(cat <<EOF
+Generate Tarball with Bios image and MANIFEST Script
+
+Generates a Bios image tarball from given file as input.
+Creates a MANIFEST for image verification and recreation
+Packages the image and MANIFEST together in a tarball
+
+usage: gen-bios-tar [OPTION] <Bios FILE>...
+
+Options:
+   -o, --out <file>       Specify destination file. Defaults to
+                          $(pwd)/obmc-bios.tar.gz if unspecified.
+   -s, --sign <path>      Sign the image. The optional path argument specifies
+                          the private key file. Defaults to the bash variable
+                          PRIVATE_KEY_PATH if available, or else uses the
+                          open-source private key in this script.
+   -m, --machine <name>   Optionally specify the target machine name of this
+                          image.
+   -v, --version <name>   Specify the version of bios image file
+   -h, --help             Display this help text and exit.
+EOF
+)
+
+#################################################################
+# It's the OpenBMC "public" private key (currently under
+# meta-phosphor/recipes-phosphor/flash/files/OpenBMC.priv):
+# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/8949/15/
+# meta-phosphor/common/recipes-phosphor/flash/files/OpenBMC.priv
+#
+#################################################################
+private_key=$'-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAPvSDLu6slkP1gri
+PaeQXL9ysD69J/HjbBCIQ0RPfeWBb75US1tRTjPP0Ub8CtH8ExVf8iF1ulsZA78B
+zIjBYZVp9pyD6LbpZ/hjV7rIH6dTNhoVpdA+F8LzmQ7cyhHG8l2JMvdunwF2uX5k
+D4WDcZt/ITKZNQNavPtmIyD5HprdAgMBAAECgYEAuQkTSi5ZNpAoWz76xtGRFSwU
+zUT4wQi3Mz6tDtjKTYXasiQGa0dHC1M9F8fDu6BZ9W7W4Dc9hArRcdzEighuxoI/
+nZI/0uL89iUEywnDEIHuS6D5JlZaj86/nx9YvQnO8F/seM+MX0EAWVrd5wC7aAF1
+h6Fu7ykZB4ggUjQAWwECQQD+AUiDOEO+8btLJ135dQfSGc5VFcZiequnKWVm6uXt
+rX771hEYjYMjLqWGFg9G4gE3GuABM5chMINuQQUivy8tAkEA/cxfy19XkjtqcMgE
+x/UDt6Nr+Ky/tk+4Y65WxPRDas0uxFOPk/vEjgVmz1k/TAy9G4giisluTvtmltr5
+DCLocQJBAJnRHx9PiD7uVhRJz6/L/iNuOzPtTsi+Loq5F83+O6T15qsM1CeBMsOw
+cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
+5yuNImRZabC3ZolwaTdd7nf5r1y1Eyec5Ag5yENV6JKPe1Xkbb1XKJECQDngA0h4
+6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
+F0nIdUAhR0yTfKM=
+-----END PRIVATE KEY-----
+'
+
+do_sign=false
+PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
+private_key_path="${PRIVATE_KEY_PATH}"
+outfile=""
+machine=""
+version=""
+
+while [[ $# -gt 0 ]]; do
+  key="$1"
+  case $key in
+    -o|--out)
+      outfile="$2"
+      shift 2
+      ;;
+    -s|--sign)
+      do_sign=true
+      if [[ -n "${2}"  && "${2}" != -* ]]; then
+        private_key_path="$2"
+        shift 2
+      else
+        shift 1
+      fi
+      ;;
+    -m|--machine)
+      machine="$2"
+      shift 2
+      ;;
+    -v|--version)
+      version="$2"
+      shift 2
+      ;;
+    -h|--help)
+      echo "$help"
+      exit
+      ;;
+    -*)
+      echo "Unrecognised option $1"
+      echo "$help"
+      exit
+      ;;
+    *)
+      file="$1"
+      shift 1
+      ;;
+  esac
+done
+
+if [ ! -f "${file}" ]; then
+  echo "${file} not found, Please enter a valid Bios image file"
+  echo "$help"
+  exit 1
+fi
+
+if [[ -z $version ]]; then
+  echo "Please provide version of image with -v option"
+  exit 1
+fi
+
+if [[ -z $outfile ]]; then
+  outfile=$(pwd)/obmc-bios.tar.gz
+else
+  if [[ $outfile != /* ]]; then
+    outfile=$(pwd)/$outfile
+  fi
+fi
+
+scratch_dir=$(mktemp -d)
+# Remove the temp directory on exit.
+# The files in the temp directory may contain read-only files, so add
+# --interactive=never to skip the prompt.
+trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
+
+if [[ "${do_sign}" == true ]]; then
+  if [[ -z "${private_key_path}" ]]; then
+    private_key_path=${scratch_dir}/OpenBMC.priv
+    echo "${private_key}" > "${private_key_path}"
+    echo "Image is NOT secure!! Signing with the open private key!"
+  else
+    if [[ ! -f "${private_key_path}" ]]; then
+      echo "Couldn't find private key ${private_key_path}."
+      exit 1
+    fi
+
+    echo "Signing with ${private_key_path}."
+  fi
+
+  public_key_file=publickey
+  public_key_path=${scratch_dir}/$public_key_file
+  openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+fi
+
+manifest_location="MANIFEST"
+files_to_sign="$manifest_location $public_key_file"
+
+# Go to scratch_dir
+cp "${file}" "${scratch_dir}"
+cd "${scratch_dir}"
+files_to_sign+=" $(basename "${file}")"
+
+echo "Creating MANIFEST for the image"
+echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\
+version=$version" > $manifest_location
+
+if [[ -n "${machine}" ]]; then
+    echo -e "MachineName=${machine}" >> $manifest_location
+fi
+
+if [[ "${do_sign}" == true ]]; then
+  private_key_name=$(basename "${private_key_path}")
+  key_type="${private_key_name%.*}"
+  echo KeyType="${key_type}" >> $manifest_location
+  echo HashType="RSA-SHA256" >> $manifest_location
+
+  for file in $files_to_sign; do
+    openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
+  done
+
+  additional_files="*.sig"
+fi
+
+# shellcheck disable=SC2086
+# Do not quote the files variables since they list multiple files
+# and tar would assume to be a single file name within quotes
+tar -czvf $outfile $files_to_sign $additional_files
+echo "Bios image tarball is at $outfile"