From 8c16b311ad2f2f6b95eedf579ce58b9de102667e Mon Sep 17 00:00:00 2001 From: "haijiao.liu" Date: Tue, 7 Nov 2023 17:36:06 +0800 Subject: [PATCH] scripts: generate obmc-bios.tar.gz for bmc to upgrade host firmware Signed-off-by: haijiao.liu --- scripts/envsetup.sh | 7 +- scripts/gen-tar-for-bmc.sh | 176 +++++++++++++++++++++++++++++++++++++ 2 files changed, 182 insertions(+), 1 deletion(-) create mode 100755 scripts/gen-tar-for-bmc.sh diff --git a/scripts/envsetup.sh b/scripts/envsetup.sh index def22593..bc52d0b6 100755 --- a/scripts/envsetup.sh +++ b/scripts/envsetup.sh @@ -1177,6 +1177,7 @@ function clean_rv_firmware() function build_rv_firmware_bin() { + version=$(date "+%Y%m%d%H%M%S") build_rv_firmware gcc -g -Werror $RV_SCRIPTS_DIR/gen_spi_flash.c -o $RV_FIRMWARE_INSTALL_DIR/gen_spi_flash @@ -1193,9 +1194,13 @@ function build_rv_firmware_bin() initrd.img initrd.img 0x30000000 \ zsbl.bin zsbl.bin 0x40000000 - mv spi_flash.bin firmware.bin + mv spi_flash.bin firmware-$version.bin rm -f gen_spi_flash + cp firmware-$version.bin image-bmc + $RV_SCRIPTS_DIR/gen-tar-for-bmc.sh image-bmc -o obmc-bios.tar.gz -m ast2600-sophgo -v $version -s + rm -f image-bmc + popd } diff --git a/scripts/gen-tar-for-bmc.sh b/scripts/gen-tar-for-bmc.sh new file mode 100755 index 00000000..a82a8433 --- /dev/null +++ b/scripts/gen-tar-for-bmc.sh 
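Review bot: `version` is assigned without `local` at the top of build_rv_firmware_bin, so it becomes a global in whatever shell calls the function. If envsetup.sh is sourced into an interactive shell, as its name suggests, this overwrites any `version` variable already set there. Declaring `local version` on its own line before `version=$(date "+%Y%m%d%H%M%S")` keeps it scoped to the function. The function body continues outside this hunk.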
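Review bot: The `gen-tar-for-bmc.sh ... -s` call passes no key path, so unless PRIVATE_KEY_PATH is exported in the build shell, the tarball is signed with the development key embedded in gen-tar-for-bmc.sh. That key is publicly known, so a signature made with it does not show that the image came from this build. For images meant for real hardware, the call should name the key and fail when it is missing, e.g. `-s "${PRIVATE_KEY_PATH:?set PRIVATE_KEY_PATH to the signing key}"`. `$RV_SCRIPTS_DIR` and `$version` are also unquoted, and the script's exit status is not checked, so a failed packaging step is followed by `rm -f image-bmc` and `popd` as if it had succeeded. The function starts outside this hunk.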
@@ -0,0 +1,176 @@
+#!/bin/bash
+set -eo pipefail
+
+help=$(cat <...
+
+Options:
+ -o, --out Specify destination file. Defaults to
+ $(pwd)/obmc-bios.tar.gz if unspecified.
+ -s, --sign Sign the image. The optional path argument specifies
+ the private key file. Defaults to the bash variable
+ PRIVATE_KEY_PATH if available, or else uses the
+ open-source private key in this script.
+ -m, --machine Optionally specify the target machine name of this
+ image.
+ -v, --version Specify the version of bios image file
+ -h, --help Display this help text and exit.
+EOF
+)
+
+#################################################################
+# It's the OpenBMC "public" private key (currently under
+# meta-phosphor/recipes-phosphor/flash/files/OpenBMC.priv):
+# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/8949/15/
+# meta-phosphor/common/recipes-phosphor/flash/files/OpenBMC.priv
+#
+#################################################################
+private_key=$'-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAPvSDLu6slkP1gri
+PaeQXL9ysD69J/HjbBCIQ0RPfeWBb75US1tRTjPP0Ub8CtH8ExVf8iF1ulsZA78B
+zIjBYZVp9pyD6LbpZ/hjV7rIH6dTNhoVpdA+F8LzmQ7cyhHG8l2JMvdunwF2uX5k
+D4WDcZt/ITKZNQNavPtmIyD5HprdAgMBAAECgYEAuQkTSi5ZNpAoWz76xtGRFSwU
+zUT4wQi3Mz6tDtjKTYXasiQGa0dHC1M9F8fDu6BZ9W7W4Dc9hArRcdzEighuxoI/
+nZI/0uL89iUEywnDEIHuS6D5JlZaj86/nx9YvQnO8F/seM+MX0EAWVrd5wC7aAF1
+h6Fu7ykZB4ggUjQAWwECQQD+AUiDOEO+8btLJ135dQfSGc5VFcZiequnKWVm6uXt
+rX771hEYjYMjLqWGFg9G4gE3GuABM5chMINuQQUivy8tAkEA/cxfy19XkjtqcMgE
+x/UDt6Nr+Ky/tk+4Y65WxPRDas0uxFOPk/vEjgVmz1k/TAy9G4giisluTvtmltr5
+DCLocQJBAJnRHx9PiD7uVhRJz6/L/iNuOzPtTsi+Loq5F83+O6T15qsM1CeBMsOw
+cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
+5yuNImRZabC3ZolwaTdd7nf5r1y1Eyec5Ag5yENV6JKPe1Xkbb1XKJECQDngA0h4
+6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
+F0nIdUAhR0yTfKM=
+-----END PRIVATE KEY-----
+'
+
+do_sign=false
+PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
+private_key_path="${PRIVATE_KEY_PATH}"
+outfile=""
+machine=""
+version=""
+
+while [[ $# -gt 0 ]]; do
+ key="$1"
+ case $key in
+ -o|--out)
+ outfile="$2"
+ shift 2
+ ;;
+ -s|--sign)
+ do_sign=true
+ if [[ -n "${2}" && "${2}" != -* ]]; then
+ private_key_path="$2"
+ shift 2
+ else
+ shift 1
+ fi
+ ;;
+ -m|--machine)
+ machine="$2"
+ shift 2
+ ;;
+ -v|--version)
+ version="$2"
+ shift 2
+ ;;
+ -h|--help)
+ echo "$help"
+ exit
+ ;;
+ -*)
+ echo "Unrecognised option $1"
+ echo "$help"
+ exit
+ ;;
+ *)
+ file="$1"
+ shift 1
+ ;;
+ esac
+done
+
+if [ ! -f "${file}" ]; then
+ echo "${file} not found, Please enter a valid Bios image file"
+ echo "$help"
+ exit 1
+fi
+
+if [[ -z $version ]]; then
+ echo "Please provide version of image with -v option"
+ exit 1
+fi
+
+if [[ -z $outfile ]]; then
+ outfile=$(pwd)/obmc-bios.tar.gz
+else
+ if [[ $outfile != /* ]]; then
+ outfile=$(pwd)/$outfile
+ fi
+fi
+
+scratch_dir=$(mktemp -d)
+# Remove the temp directory on exit.
+# The files in the temp directory may contain read-only files, so add
+# --interactive=never to skip the prompt.
+trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
+
+if [[ "${do_sign}" == true ]]; then
+ if [[ -z "${private_key_path}" ]]; then
+ private_key_path=${scratch_dir}/OpenBMC.priv
+ echo "${private_key}" > "${private_key_path}"
+ echo "Image is NOT secure!! Signing with the open private key!"
+ else
+ if [[ ! -f "${private_key_path}" ]]; then
+ echo "Couldn't find private key ${private_key_path}."
+ exit 1
+ fi
+
+ echo "Signing with ${private_key_path}."
+ fi
+
+ public_key_file=publickey
+ public_key_path=${scratch_dir}/$public_key_file
+ openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+fi
+
+manifest_location="MANIFEST"
+files_to_sign="$manifest_location $public_key_file"
+
+# Go to scratch_dir
+cp "${file}" "${scratch_dir}"
+cd "${scratch_dir}"
+files_to_sign+=" $(basename "${file}")"
+
+echo "Creating MANIFEST for the image"
+echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\
+version=$version" > $manifest_location
+
+if [[ -n "${machine}" ]]; then
+ echo -e "MachineName=${machine}" >> $manifest_location
+fi
+
+if [[ "${do_sign}" == true ]]; then
+ private_key_name=$(basename "${private_key_path}")
+ key_type="${private_key_name%.*}"
+ echo KeyType="${key_type}" >> $manifest_location
+ echo HashType="RSA-SHA256" >> $manifest_location
+
+ for file in $files_to_sign; do
+ openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
+ done
+
+ additional_files="*.sig"
+fi
+
+# shellcheck disable=SC2086
+# Do not quote the files variables since they list multiple files
+# and tar would assume to be a single file name within quotes
+tar -czvf $outfile $files_to_sign $additional_files
+echo "Bios image tarball is at $outfile"
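Review bot: When `-s` is given without a path and PRIVATE_KEY_PATH is empty, the `[[ -z "${private_key_path}" ]]` branch falls back to the embedded OpenBMC key, which is published upstream and appears to be 1024-bit RSA, so anyone can reproduce the resulting signatures. The only signal is an `echo` to stdout that is easily buried in a build log. Signing should fail closed here: send the message to stderr and `exit 1` unless the caller has explicitly asked for the development key. The `-*)` arm also ends with a bare `exit`, which returns the status of the preceding `echo` (0), so a mistyped option looks like success to the calling script; it should be `exit 1`. Because `-s` takes an optional argument, `-s image.bin` is parsed as the key path rather than the image, which deserves a line in the help text.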