#!/bin/bash
# gen-bios-tar: package a BIOS image together with a generated MANIFEST into
# a gzip-compressed tarball, optionally signing every packaged file.
#
# -e stops the script at the first failing command; pipefail makes a pipeline
# fail when any of its stages fails.
set -eo pipefail

# Usage text printed for -h/--help and on argument errors. $(pwd) is expanded
# when this assignment runs, so the text shows the actual default destination.
help="Generate Tarball with Bios image and MANIFEST Script

Generates a Bios image tarball from given file as input.
Creates a MANIFEST for image verification and recreation
Packages the image and MANIFEST together in a tarball

usage: gen-bios-tar [OPTION] <Bios FILE>...

Options:
   -o, --out <file>       Specify destination file. Defaults to
                          $(pwd)/obmc-bios.tar.gz if unspecified.
   -s, --sign <path>      Sign the image. The optional path argument specifies
                          the private key file. Defaults to the bash variable
                          PRIVATE_KEY_PATH if available, or else uses the
                          open-source private key in this script.
   -m, --machine <name>   Optionally specify the target machine name of this
                          image.
   -v, --version <name>   Specify the version of bios image file
   -e, --extended <name>  Specify the extended version of bios image file
   -h, --help             Display this help text and exit."
#################################################################
# Fallback signing key: the OpenBMC "public" private key (currently under
# meta-phosphor/recipes-phosphor/flash/files/OpenBMC.priv):
# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/8949/15/
# meta-phosphor/common/recipes-phosphor/flash/files/OpenBMC.priv
#
# The key is published, so a signature made with it says nothing about who
# built the image. The script uses it only when --sign is given without a
# key path and PRIVATE_KEY_PATH is empty, and prints a warning when it does.
# Supply a privately held key for any image that must be authenticated.
#################################################################
private_key='-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDO7vWM6ZOylO6T
lxDiRWgKCFauAxMVM4A7NmgZxfV73xqTzAtIzzF9CIKUEhqMT4LhNy1rU2oUUivH
4BZO2oC6yFafEPVla2oYAeWtXJmQTixYgJplKQCtLzFtb57DQJpl9Od0RVFC61yg
4LihsiENnRjncLPP7OkL68ssiELu+WxazDtewmVYQEHOMWQa2zDh9yrWsblLAyo4
gsG9rdwWjqIUnZkoeJuT7zks4Jes4qAtQUuZhCxMcvwvOq8od3e4nLVFnyUOGMpE
jdDDGddKh5e+9BJGqkfsLCT9UFTYi62Ifuxl1Gp963cZLapJS0CneHIrG3gapiCO
ea4TH/xySfts2jpl7DnEIUo3Qs0rZrOLQDLVVXvRJvHdsVoZcSRCD8Jf0YTQ6tT7
j3ejUOH8j3DGkgKRHGtH7yyCgmDyPYVQdEu3q4E1NBwODAyxppYGBqkwpSGRnf6q
E6i5rQJuoPCm3rb9ZmoHVzeb8HW3ofYfNnZNuae/2LdEtJ/cFs8ILXP5AKiaKpmS
H4GB8GUcgRMITGI1pcXhevO2wHi0ReJkme+m5GpuVIg9LpTs6YvvNoFeu6ux7up/
TjTa+Zdy3tLUZvvIIlS2Asu32uiGBFjZ2WiLeHq+ScaDsSyEJQkoYLqv+3MoPKhy
iX4yanZCwG3yx68RDe9qQBt6WXqAEwIDAQABAoICAA6OxAqKQiA9lv0eEwuAC34t
MP/j6ntC2MIRpUgu44K34tRD9gVEwjwEFb+Z+HEnhNMYQSM8RomwcDELBDa+63B4
eJOPK1xbrqaKt6A3E/yRa1A8l+AG/uuwFr+WqyocSOBkVsYYvEtDaIxO0t5ZPDcL
dr2NcbDuf0Sd7XiwC1lphaRrmr+jWGLZfmellN/IzMsQytw4u4rZ6aX5GO0hpoqV
tTRTE/vDZFqHaVPNZw48ET2tysY9hKpKKpCeBcWIhg0gRSZlOEOiHdStz2JyVnGB
UX0XCZQcFZw5TM7fUGC9jtM77qCJTYaXQpUsX77xQtalRA7hS1VAm6i6SbNBvE4j
le2JWBmOCbh9A/Dqnxh/3R2ZpsbffMG3O4KLkObquP8QGsItxwZYm4Bo37/HS6ki
1Ilym014DUT1+mTybi+2TjlPgh2LeECo1lbgFRJ/p9Vs7TJV2jeVPKDHF72cVvp2
Ly6dGQVtBPz7/HpvxwYA5TJstNWgiU1sZPwgVzhgeZEKt5DO3Da6DVoXt96/tHk4
577MA9P4qYLJldq5rfFW3IeyGUjLZ1yLmmDWj2Hz2IQe/YqrHHQH5UO6xxhrjuCa
FrAOv7wJxmmbhZ9AptmR0PnmTU79LM8gxyNY9nn0R+XMJd/3UvrrjzJWw+LUGdhC
zG0pF0JGMb71wHwlmmUpAoIBAQDyUHAcpgWtCl70qVpHnAG6WnsRP6ZS0dtBjqnN
l9GachlNLOyQHfKcs7Vj7dkrcumSTbZ7zzgsazQcwfJMEvVq2RS8iTrtKAq+yYmj
uejaJ3gAuiaU5Shv9PL+P25zGlwJtqEADYjiSrzO1ZRgM1M31tlH7f0wjYIrV6LP
5P5HYFVDFujsiWY9oUZ+PFaCWPRQ2P47zF3ocbiqD9TbFSwNfq5B2WPLCURExQAh
XT/GH8Devz2M79CWKjvDMQutZ8dcLZx6JNhpre5JoNbAxE2u9jIM++srSb41zArE
2lcy2tqNAWJV5jhFz5DZ451kvz7AKLaehWYj7D+TvX4V4UwpAoIBAQDanvWQCoop
Loh5s5tYwHB/iFE+jzVvyrytfRcDIjrBaCDCQrObgh/fllk44h9DpKHbM4nYlMpU
GXOsQCVkE/SiJakzeXfoecCJ3ebp+mlBILs79AWlfETJFLx1FKJQOQoraoICVFxx
jcI/OvGlABRLvRYhNnq22//IgLlyKWfO0yS6FASIjriIjDwibKZqHt+DJ98Lv2d+
1fsOw/Ai7e2e3nK0+2vmXusZAwpcPuTYb+5LOnHE7GbPecuM22BSTiUAekoHq3/k
fdYw+od4B4BJB0bAnRVu7y+TQXRkZ462RvP05AYXUzudjknv48mFuBslrybr3f50
aIwtFADeJrHbAoIBAQCYcEwnabaWZrjX+BZoiFd58eQMNNugrI7fzi06vrDJFdCf
AY0NGRoAxPlvFTmTIOaZ+LO9bd5r60FMeiLBAwhLoKdv+HEOsysXXVhunM1FOKFA
69rLvuJSlGmt0x/b35BZOABPNTSRD+15vVlrr75BmbL1kl2/BrcGJ0qwuOHS62KY
IziDXejpCqV7UuAlfmqs1eYSnn3RdoFy0yTYcphVIQXlPSqPl5PQI5LyamRtcpp2
Rx8ko9W4MneIUzmCbJA5iCQxny5aRWZsAXg4qwYn9JAGJRGMGQdFdsirkKRcxNvK
6zz+xydNm8gHmy7wK3QBlVtVnJxmKwDQI9zHTQYJAoIBAQDVKrXJ81zv9r1/3U8V
5N5MnACL/VtfW9FJYHU1ywR7XSrEAAHdGa42dwUcX++YJ0ji0YgRNFNsWTzesdVD
lemsyQgIduIiPcUtKL9lWZOTu3SVasSurVLstllj1/DERDnUR4/o8ZUJ6+2Bddn0
xvUDPKX9UH+rGSx4tnscA5+CnYJsJeSdunvYONTRxBsn0l6iJhhn/gPOOpsHtKnL
hS9y/vfd3GFDST33L23EsFa3a7xwgdY460D8AIgnGij7V9Lgel0AyYp0ovZc34uD
z9yYWI32dbRWbMZ40RPKaudOeDSbjlMaH0A7ymfxjqwKxI9D2VscFWNs4hv8QErw
Uc6NAoIBAQCmWWyARU/x4m7K4vNAWjD2Qx6R7PAdLs/6ZBqWw0RSpRHlYr73Qggw
dCK+LrsR0O7y1KW2WUfrJmzHEdFQEYcZ1vZWeN85dMLVhYmazSXlaIegRE4FmMUa
DbzViUJA60Y4D/l6QWqdhxdZZe81QgqyLPXAv/e5esxRIi8yvEYhCx4pq7QtWYBm
tvQnPaZd8emlKARivF2ecGDlWzhf4NotDDtFRT4jOHZKUC58uVjbiXJ445Vimqlb
Da7noVGwDQ93Ib1qyAilzFY5gWDeMyCnSQpnlVRHQ/8vlwLDsZs1kVau6k8WlcpM
JbmuCRNy7YvALVTzyQsQ4yw87BoONt1L
-----END PRIVATE KEY-----
'
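# Option state. The argument parser further down overwrites these values.
do_sign=false
# Normalise the environment override so it is always defined (possibly empty);
# -s/--sign without a path falls back to it.
PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
private_key_path="${PRIVATE_KEY_PATH}"
outfile=""
machine=""
version=""
# The script also reads the names below, but only assigns them on some code
# paths. Initialise them so an exported environment variable of the same name
# cannot leak in: additional_files in particular is expanded unquoted on the
# tar command line.
extended=""
file=""
public_key_file=""
additional_files=""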
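# Parse the command line into the option variables.
#
# Changes from the earlier behaviour:
#   - an option that needs a value but is the last word now reports the
#     problem; previously "shift 2" failed under "set -e" and the script
#     exited without any message;
#   - an unrecognised option now exits with status 1 instead of 0, so a
#     calling build step notices the failure.
#
# Only one image is packaged: when several positional arguments are given,
# the last one wins.
while [[ $# -gt 0 ]]; do
  key="$1"

  # Options with a mandatory value.
  case $key in
    -o|--out|-m|--machine|-v|--version|-e|--extended)
      if [[ $# -lt 2 ]]; then
        echo "Option $key requires an argument"
        echo "$help"
        exit 1
      fi
      ;;
  esac

  case $key in
    -o|--out)
      outfile="$2"
      shift 2
      ;;
    -s|--sign)
      do_sign=true
      # The key path is optional: the next word is taken as the path unless
      # it is empty or starts with "-". A positional image name placed
      # directly after a bare -s is therefore consumed as the key path, so
      # put -s after the image or in front of another option.
      if [[ -n "${2}"  && "${2}" != -* ]]; then
        private_key_path="$2"
        shift 2
      else
        shift 1
      fi
      ;;
    -m|--machine)
      machine="$2"
      shift 2
      ;;
    -v|--version)
      version="$2"
      shift 2
      ;;
    -e|--extended)
      extended="$2"
      shift 2
      ;;
    -h|--help)
      echo "$help"
      exit 0
      ;;
    -*)
      echo "Unrecognised option $1"
      echo "$help"
      exit 1
      ;;
    *)
      file="$1"
      shift 1
      ;;
  esac
done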
# The positional argument must name an existing regular file.
[ -f "${file}" ] || {
  echo "${file} not found, Please enter a valid Bios image file"
  echo "$help"
  exit 1
}

# A version is mandatory; it is written into the MANIFEST.
[[ -n $version ]] || {
  echo "Please provide version of image with -v option"
  exit 1
}
# Turn the destination into an absolute path. The script changes into its
# scratch directory before running tar, so a relative path would otherwise
# be resolved against that temporary directory.
case $outfile in
  "")
    outfile=$(pwd)/obmc-bios.tar.gz
    ;;
  /*)
    # Already absolute: keep as given.
    ;;
  *)
    outfile=$(pwd)/$outfile
    ;;
esac
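# Private working directory for the MANIFEST, the signatures and, when the
# built-in key is used, the temporary key file.
scratch_dir=$(mktemp -d)
# Remove the temp directory on exit.
# The files in the temp directory may contain read-only files, so add
# --interactive=never to skip the prompt.
# The path is quoted inside the trap so that a temporary directory whose
# path contains spaces or glob characters is removed as exactly one path,
# and "--" keeps it from being read as an option.
trap 'rm -r --interactive=never -- "${scratch_dir}"' EXIT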
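# Choose the signing key and derive the matching public key.
if [[ "${do_sign}" == true ]]; then
  if [[ -z "${private_key_path}" ]]; then
    # No key was supplied: fall back to the embedded key. That key is
    # published, so the resulting signatures do not authenticate the image.
    # The copy lives in the scratch directory and is removed with it on exit.
    private_key_path=${scratch_dir}/OpenBMC.priv
    echo "${private_key}" > "${private_key_path}"
    echo "Image is NOT secure!! Signing with the open private key!"
  else
    if [[ ! -f "${private_key_path}" ]]; then
      echo "Couldn't find private key ${private_key_path}."
      exit 1
    fi

    echo "Signing with ${private_key_path}."

    # Signing happens after the script has changed into the scratch
    # directory, where a relative key path would no longer resolve. Make it
    # absolute while the caller's working directory is still current.
    if [[ "${private_key_path}" != /* ]]; then
      private_key_path=$(pwd)/${private_key_path}
    fi
  fi

  # The public key is packaged in the tarball next to the image.
  public_key_file=publickey
  public_key_path=${scratch_dir}/$public_key_file
  openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
fi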
# files_to_sign is a space-separated list that is word-split later by the
# signing loop and by tar, so file names containing whitespace are not
# supported. public_key_file is empty when signing was not requested.
manifest_location="MANIFEST"
files_to_sign="${manifest_location} ${public_key_file}"

# Stage the image in the scratch directory and work from there, so the
# archive holds bare file names.
cp "${file}" "${scratch_dir}"
cd "${scratch_dir}"
files_to_sign="${files_to_sign} $(basename "${file}")"
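echo "Creating MANIFEST for the image"

# The MANIFEST is a list of key=value lines. A value containing a newline
# would add extra lines, and therefore extra keys, to the file that is later
# signed, so such values are rejected.
for manifest_value in "${version}" "${extended}" "${machine}"; do
  if [[ "${manifest_value}" == *$'\n'* ]]; then
    echo "MANIFEST values must not contain newlines"
    exit 1
  fi
done

# printf '%s' writes each value verbatim. The earlier "echo -e" interpreted
# backslash escapes inside the values, so a sequence such as \n in a version
# string became a real line break in the MANIFEST.
printf '%s\n' \
  "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host" \
  "version=${version}" > "${manifest_location}"

if [[ -n "${extended}" ]]; then
  # The extended version is stored inside literal double quotes.
  printf 'ExtendedVersion="%s"\n' "${extended}" >> "${manifest_location}"
fi

if [[ -n "${machine}" ]]; then
  printf 'MachineName=%s\n' "${machine}" >> "${manifest_location}"
fi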
# Record the signing parameters and write one detached signature per file.
if [[ "${do_sign}" == true ]]; then
  # KeyType is the key file's name without its last extension; for the
  # embedded key, written as OpenBMC.priv, that is "OpenBMC".
  private_key_name=$(basename "${private_key_path}")
  key_type="${private_key_name%.*}"
  {
    echo "KeyType=${key_type}"
    echo "HashType=RSA-SHA256"
  } >> "${manifest_location}"

  # The MANIFEST is signed after its last line has been written, so the
  # signature covers the KeyType and HashType entries as well.
  # files_to_sign is deliberately unquoted: it is a space-separated list.
  for file in $files_to_sign; do
    openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
  done

  # Glob pattern, left for tar to receive expanded to the signature files.
  additional_files="*.sig"
fi
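# shellcheck disable=SC2086
# Do not quote the files variables since they list multiple files
# and tar would assume to be a single file name within quotes.
# outfile is a single path, so it is quoted: unquoted, a destination
# containing spaces would be split into several tar arguments.
tar -czvf "$outfile" $files_to_sign $additional_files
echo "Bios image tarball is at $outfile"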