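#!/bin/bash
#
# gen-bios-tar: package a BIOS image together with a generated MANIFEST
# (and, with -s, detached signatures plus the matching public key) into a
# gzip-compressed tarball.
#
# Environment:
#   PRIVATE_KEY_PATH  default private key used by -s when no path is given.
set -eo pipefail

help=$(cat <<EOF
Generate Tarball with Bios image and MANIFEST Script

Generates a Bios image tarball from given file as input.
Creates a MANIFEST for image verification and recreation
Packages the image and MANIFEST together in a tarball

usage: gen-bios-tar [OPTION] <Bios FILE>...

Options:
   -o, --out <file>       Specify destination file. Defaults to
                          $(pwd)/obmc-bios.tar.gz if unspecified.
   -s, --sign <path>      Sign the image. The optional path argument specifies
                          the private key file. Defaults to the bash variable
                          PRIVATE_KEY_PATH if available, or else uses the
                          open-source private key in this script.
   -m, --machine <name>   Optionally specify the target machine name of this
                          image.
   -v, --version <name>   Specify the version of bios image file
   -e, --extended <name>  Specify the extended version of bios image file
   -h, --help             Display this help text and exit.
EOF
)

#################################################################
# It's the OpenBMC "public" private key (currently under
# meta-phosphor/recipes-phosphor/flash/files/OpenBMC.priv):
# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/8949/15/
# meta-phosphor/common/recipes-phosphor/flash/files/OpenBMC.priv
#
# SECURITY: this key is published, so anyone can produce a signature
# that verifies against its public half. A tarball signed with it is
# protected against accidental corruption only, not against tampering.
# Release builds should always pass their own key via -s <path> or
# PRIVATE_KEY_PATH, and verifiers should not trust the public half of
# this key outside development.
#################################################################
private_key=$'-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDO7vWM6ZOylO6T
lxDiRWgKCFauAxMVM4A7NmgZxfV73xqTzAtIzzF9CIKUEhqMT4LhNy1rU2oUUivH
4BZO2oC6yFafEPVla2oYAeWtXJmQTixYgJplKQCtLzFtb57DQJpl9Od0RVFC61yg
4LihsiENnRjncLPP7OkL68ssiELu+WxazDtewmVYQEHOMWQa2zDh9yrWsblLAyo4
gsG9rdwWjqIUnZkoeJuT7zks4Jes4qAtQUuZhCxMcvwvOq8od3e4nLVFnyUOGMpE
jdDDGddKh5e+9BJGqkfsLCT9UFTYi62Ifuxl1Gp963cZLapJS0CneHIrG3gapiCO
ea4TH/xySfts2jpl7DnEIUo3Qs0rZrOLQDLVVXvRJvHdsVoZcSRCD8Jf0YTQ6tT7
j3ejUOH8j3DGkgKRHGtH7yyCgmDyPYVQdEu3q4E1NBwODAyxppYGBqkwpSGRnf6q
E6i5rQJuoPCm3rb9ZmoHVzeb8HW3ofYfNnZNuae/2LdEtJ/cFs8ILXP5AKiaKpmS
H4GB8GUcgRMITGI1pcXhevO2wHi0ReJkme+m5GpuVIg9LpTs6YvvNoFeu6ux7up/
TjTa+Zdy3tLUZvvIIlS2Asu32uiGBFjZ2WiLeHq+ScaDsSyEJQkoYLqv+3MoPKhy
iX4yanZCwG3yx68RDe9qQBt6WXqAEwIDAQABAoICAA6OxAqKQiA9lv0eEwuAC34t
MP/j6ntC2MIRpUgu44K34tRD9gVEwjwEFb+Z+HEnhNMYQSM8RomwcDELBDa+63B4
eJOPK1xbrqaKt6A3E/yRa1A8l+AG/uuwFr+WqyocSOBkVsYYvEtDaIxO0t5ZPDcL
dr2NcbDuf0Sd7XiwC1lphaRrmr+jWGLZfmellN/IzMsQytw4u4rZ6aX5GO0hpoqV
tTRTE/vDZFqHaVPNZw48ET2tysY9hKpKKpCeBcWIhg0gRSZlOEOiHdStz2JyVnGB
UX0XCZQcFZw5TM7fUGC9jtM77qCJTYaXQpUsX77xQtalRA7hS1VAm6i6SbNBvE4j
le2JWBmOCbh9A/Dqnxh/3R2ZpsbffMG3O4KLkObquP8QGsItxwZYm4Bo37/HS6ki
1Ilym014DUT1+mTybi+2TjlPgh2LeECo1lbgFRJ/p9Vs7TJV2jeVPKDHF72cVvp2
Ly6dGQVtBPz7/HpvxwYA5TJstNWgiU1sZPwgVzhgeZEKt5DO3Da6DVoXt96/tHk4
577MA9P4qYLJldq5rfFW3IeyGUjLZ1yLmmDWj2Hz2IQe/YqrHHQH5UO6xxhrjuCa
FrAOv7wJxmmbhZ9AptmR0PnmTU79LM8gxyNY9nn0R+XMJd/3UvrrjzJWw+LUGdhC
zG0pF0JGMb71wHwlmmUpAoIBAQDyUHAcpgWtCl70qVpHnAG6WnsRP6ZS0dtBjqnN
l9GachlNLOyQHfKcs7Vj7dkrcumSTbZ7zzgsazQcwfJMEvVq2RS8iTrtKAq+yYmj
uejaJ3gAuiaU5Shv9PL+P25zGlwJtqEADYjiSrzO1ZRgM1M31tlH7f0wjYIrV6LP
5P5HYFVDFujsiWY9oUZ+PFaCWPRQ2P47zF3ocbiqD9TbFSwNfq5B2WPLCURExQAh
XT/GH8Devz2M79CWKjvDMQutZ8dcLZx6JNhpre5JoNbAxE2u9jIM++srSb41zArE
2lcy2tqNAWJV5jhFz5DZ451kvz7AKLaehWYj7D+TvX4V4UwpAoIBAQDanvWQCoop
Loh5s5tYwHB/iFE+jzVvyrytfRcDIjrBaCDCQrObgh/fllk44h9DpKHbM4nYlMpU
GXOsQCVkE/SiJakzeXfoecCJ3ebp+mlBILs79AWlfETJFLx1FKJQOQoraoICVFxx
jcI/OvGlABRLvRYhNnq22//IgLlyKWfO0yS6FASIjriIjDwibKZqHt+DJ98Lv2d+
1fsOw/Ai7e2e3nK0+2vmXusZAwpcPuTYb+5LOnHE7GbPecuM22BSTiUAekoHq3/k
fdYw+od4B4BJB0bAnRVu7y+TQXRkZ462RvP05AYXUzudjknv48mFuBslrybr3f50
aIwtFADeJrHbAoIBAQCYcEwnabaWZrjX+BZoiFd58eQMNNugrI7fzi06vrDJFdCf
AY0NGRoAxPlvFTmTIOaZ+LO9bd5r60FMeiLBAwhLoKdv+HEOsysXXVhunM1FOKFA
69rLvuJSlGmt0x/b35BZOABPNTSRD+15vVlrr75BmbL1kl2/BrcGJ0qwuOHS62KY
IziDXejpCqV7UuAlfmqs1eYSnn3RdoFy0yTYcphVIQXlPSqPl5PQI5LyamRtcpp2
Rx8ko9W4MneIUzmCbJA5iCQxny5aRWZsAXg4qwYn9JAGJRGMGQdFdsirkKRcxNvK
6zz+xydNm8gHmy7wK3QBlVtVnJxmKwDQI9zHTQYJAoIBAQDVKrXJ81zv9r1/3U8V
5N5MnACL/VtfW9FJYHU1ywR7XSrEAAHdGa42dwUcX++YJ0ji0YgRNFNsWTzesdVD
lemsyQgIduIiPcUtKL9lWZOTu3SVasSurVLstllj1/DERDnUR4/o8ZUJ6+2Bddn0
xvUDPKX9UH+rGSx4tnscA5+CnYJsJeSdunvYONTRxBsn0l6iJhhn/gPOOpsHtKnL
hS9y/vfd3GFDST33L23EsFa3a7xwgdY460D8AIgnGij7V9Lgel0AyYp0ovZc34uD
z9yYWI32dbRWbMZ40RPKaudOeDSbjlMaH0A7ymfxjqwKxI9D2VscFWNs4hv8QErw
Uc6NAoIBAQCmWWyARU/x4m7K4vNAWjD2Qx6R7PAdLs/6ZBqWw0RSpRHlYr73Qggw
dCK+LrsR0O7y1KW2WUfrJmzHEdFQEYcZ1vZWeN85dMLVhYmazSXlaIegRE4FmMUa
DbzViUJA60Y4D/l6QWqdhxdZZe81QgqyLPXAv/e5esxRIi8yvEYhCx4pq7QtWYBm
tvQnPaZd8emlKARivF2ecGDlWzhf4NotDDtFRT4jOHZKUC58uVjbiXJ445Vimqlb
Da7noVGwDQ93Ib1qyAilzFY5gWDeMyCnSQpnlVRHQ/8vlwLDsZs1kVau6k8WlcpM
JbmuCRNy7YvALVTzyQsQ4yw87BoONt1L
-----END PRIVATE KEY-----
'

# Print a diagnostic on stderr and abort with a failure status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort with a clear message when an option that takes a value is the last
# word on the command line (a bare "shift 2" would otherwise fail silently
# under "set -e").
#   $1 - option as typed, $2 - number of words left including the option
need_value() {
  (( $2 >= 2 )) || die "Option $1 requires an argument"
}

do_sign=false
PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
private_key_path="${PRIVATE_KEY_PATH}"
outfile=""
machine=""
version=""
extended=""
file=""

while [[ $# -gt 0 ]]; do
  key="$1"
  case "${key}" in
    -o|--out)
      need_value "${key}" "$#"
      outfile="$2"
      shift 2
      ;;
    -s|--sign)
      do_sign=true
      # The key path is optional: the next word is taken as the key unless it
      # is empty or looks like another option. NOTE: "-s <image>" therefore
      # consumes the image as the key path; put the image before -s, or give
      # the key path explicitly.
      if [[ -n "${2:-}" && "${2:-}" != -* ]]; then
        private_key_path="$2"
        shift 2
      else
        shift 1
      fi
      ;;
    -m|--machine)
      need_value "${key}" "$#"
      machine="$2"
      shift 2
      ;;
    -v|--version)
      need_value "${key}" "$#"
      version="$2"
      shift 2
      ;;
    -e|--extended)
      need_value "${key}" "$#"
      extended="$2"
      shift 2
      ;;
    -h|--help)
      printf '%s\n' "${help}"
      exit 0
      ;;
    -*)
      # An unknown option is a usage error, so report failure to the caller.
      printf 'Unrecognised option %s\n' "${key}" >&2
      printf '%s\n' "${help}" >&2
      exit 1
      ;;
    *)
      # Only one image is packaged; a later positional argument replaces an
      # earlier one.
      file="$1"
      shift 1
      ;;
  esac
done

if [[ ! -f "${file}" ]]; then
  printf '%s not found, Please enter a valid Bios image file\n' "${file}" >&2
  printf '%s\n' "${help}" >&2
  exit 1
fi

if [[ -z "${version}" ]]; then
  die "Please provide version of image with -v option"
fi

# MANIFEST is a line-oriented key=value file that gets signed; a newline in a
# value would add extra fields to it, so refuse such values outright.
for manifest_value in "${version}" "${extended}" "${machine}"; do
  if [[ "${manifest_value}" == *$'\n'* ]]; then
    die "Version, extended version and machine name must not contain newlines"
  fi
done

if [[ -z "${outfile}" ]]; then
  outfile="$(pwd)/obmc-bios.tar.gz"
elif [[ "${outfile}" != /* ]]; then
  # Make the destination absolute because we cd into the scratch directory.
  outfile="$(pwd)/${outfile}"
fi

scratch_dir=$(mktemp -d)
# Remove the temp directory on exit.
# The files in the temp directory may contain read-only files, so add
# --interactive=never to skip the prompt.
trap 'rm -r --interactive=never -- "${scratch_dir:?}"' EXIT

manifest_location="MANIFEST"
public_key_file="publickey"
# Archive members, in order; also the list of files that get a signature.
files_to_sign=("${manifest_location}")
signature_files=()

if [[ "${do_sign}" == true ]]; then
  if [[ -z "${private_key_path}" ]]; then
    private_key_path="${scratch_dir}/OpenBMC.priv"
    # Write the key with owner-only permissions; the subshell keeps the
    # restrictive umask from affecting the output tarball.
    (umask 077 && printf '%s' "${private_key}" > "${private_key_path}")
    echo "Image is NOT secure!! Signing with the open private key!" >&2
  else
    if [[ ! -f "${private_key_path}" ]]; then
      die "Couldn't find private key ${private_key_path}."
    fi

    echo "Signing with ${private_key_path}."
  fi

  # Make sure the key path is absolute before changing directory below.
  if [[ "${private_key_path}" != /* ]]; then
    private_key_path="$(pwd)/${private_key_path}"
  fi

  openssl pkey -in "${private_key_path}" -pubout \
    -out "${scratch_dir}/${public_key_file}"
  files_to_sign+=("${public_key_file}")
fi

# Go to scratch_dir
cp -- "${file}" "${scratch_dir}"
cd "${scratch_dir}" || die "Cannot enter ${scratch_dir}"
files_to_sign+=("$(basename -- "${file}")")

echo "Creating MANIFEST for the image"
# printf '%s' writes the values verbatim; "echo -e" would interpret backslash
# escapes such as \n inside them.
{
  printf 'purpose=%s\n' \
    "xyz.openbmc_project.Software.Version.VersionPurpose.Host"
  printf 'version=%s\n' "${version}"
  if [[ -n "${extended}" ]]; then
    printf 'ExtendedVersion="%s"\n' "${extended}"
  fi
  if [[ -n "${machine}" ]]; then
    printf 'MachineName=%s\n' "${machine}"
  fi
  if [[ "${do_sign}" == true ]]; then
    # KeyType is the key file's base name without its extension.
    private_key_name=$(basename -- "${private_key_path}")
    printf 'KeyType=%s\n' "${private_key_name%.*}"
    printf 'HashType=%s\n' "RSA-SHA256"
  fi
} > "${manifest_location}"

if [[ "${do_sign}" == true ]]; then
  for member in "${files_to_sign[@]}"; do
    # The ./ prefix keeps a name starting with "-" from being read as an
    # openssl option.
    openssl dgst -sha256 -sign "${private_key_path}" \
      -out "./${member}.sig" "./${member}"
    signature_files+=("${member}.sig")
  done
fi

# Arrays keep each member a single word, so names containing spaces survive.
tar -czvf "${outfile}" -- "${files_to_sign[@]}" "${signature_files[@]}"
echo "Bios image tarball is at ${outfile}"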