author | Brandon Kim <brandonkim@google.com> | 2021-07-21 01:41:04 +0300 |
---|---|---|
committer | Brandon Kim <brandonkim@google.com> | 2021-08-02 19:23:11 +0300 |
commit | 4e2735e0dc487c0cb3c3e38e10df7b728ff85cef (patch) | |
tree | 17ea8300aee40e44dbf408308f3a8a03e8d5ca05 /meta-google | |
parent | 236c94eb62df7d2694225996d83c51d45594004f (diff) | |
download | openbmc-4e2735e0dc487c0cb3c3e38e10df7b728ff85cef.tar.xz |
meta-google: flash: Import google-key from gBMC
Google key installation script and bitbake recipe.
Google-Bug-Id: 179618162
Upstream: 22e2c3dd5f610777dee173a09d8e82dc2509a975
Signed-off-by: Brandon Kim <brandonkim@google.com>
Change-Id: I21c88b6c2810c4ab3f6089f79143e59b6ce935db
Diffstat (limited to 'meta-google')
-rw-r--r-- | meta-google/recipes-phosphor/flash/google-key.bb | 26 | ||||
-rw-r--r-- | meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg | bin | 0 -> 552 bytes | |||
-rw-r--r-- | meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg | bin | 0 -> 551 bytes | |||
-rwxr-xr-x | meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh | 63 |
4 files changed, 89 insertions, 0 deletions
diff --git a/meta-google/recipes-phosphor/flash/google-key.bb b/meta-google/recipes-phosphor/flash/google-key.bb
new file mode 100644
index 000000000..220211526
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key.bb
@@ -0,0 +1,26 @@
+SUMMARY = "Google Key installation Script"
+DESCRIPTION = "Google Key installation Script"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+RDEPENDS_${PN} += "bash"
+RDEPENDS_${PN} += "gnupg"
+
+SRC_URI += " \
+ file://platforms_gbmc_bringup.gpg \
+ file://platforms_gbmc_secure.gpg \
+ file://verify-bmc-image.sh \
+"
+
+do_install() {
+ # Install keys into image.
+ install -d -m 0755 ${D}${datadir}/google-key
+ install -m 0644 ${WORKDIR}/platforms_gbmc_secure.gpg ${D}${datadir}/google-key/prod.key
+ install -m 0644 ${WORKDIR}/platforms_gbmc_bringup.gpg ${D}${datadir}/google-key/dev.key
+
+ # Install the verification helper
+ install -d -m 0755 ${D}${bindir}
+ install -m 0755 ${WORKDIR}/verify-bmc-image.sh ${D}${bindir}
+}
diff --git a/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg
Binary files differ
new file mode 100644
index 000000000..f347e224b
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg
diff --git a/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg
Binary files differ
new file mode 100644
index 000000000..9281f7790
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg
diff --git a/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
new file mode 100755
index 000000000..cac229a94
--- /dev/null
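Review bot: The key path is split between two places that can drift: do_install writes the keys under `${D}${datadir}/google-key`, while the verify-bmc-image.sh added in this same commit reads them from the literal `/usr/share/google-key/`, so the two only agree as long as datadir keeps its default value. Either substitute the datadir value into the script at install time or add a comment on the install line, e.g. `# Path is hard-coded as /usr/share/google-key in verify-bmc-image.sh; keep in sync.`. RDEPENDS lists bash and gnupg, but the script also invokes `getopt` with long options and `mktemp`; whether the image's busybox satisfies both is not visible here, so the providers may need to be listed as well. A documentation nit: SUMMARY and DESCRIPTION are identical, and DESCRIPTION could say what is shipped, e.g. `DESCRIPTION = "GPG public keys and helper script used to verify signed BMC images"`.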
+++ b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+help_out() {
+ echo "$ARG0 [--allow-dev] <image file> <sig file>" >&2
+ exit 2
+}
+
+opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
+dev=
+eval set -- "$opts"
+while true; do
+ case "$1" in
+ --allow-dev|-d)
+ dev=1
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Bad option: $1" >&2
+ help_out
+ ;;
+ esac
+done
+image_file="${1?Missing image file}" || help_out
+sig_file="${2?Missing sig file}" || help_out
+
+# gnupg needs a home directory even though we don't want to persist any
+# information. We always make a new temporary directory for this
+GNUPGHOME=
+cleanup() {
+ test -n "$GNUPGHOME" && rm -rf "$GNUPGHOME"
+}
+trap cleanup ERR EXIT INT
+export GNUPGHOME="$(mktemp -d)" || exit
+
+gpg() {
+ command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
+}
+import_key() {
+ gpg --import "/usr/share/google-key/$1.key"
+}
+
+import_key prod
+if [ -n "$dev" ]; then
+ import_key dev
+fi
+gpg --verify --ignore-time-conflict "$sig_file" "$image_file"
|
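Review bot: `export GNUPGHOME="$(mktemp -d)" || exit` never exits on a mktemp failure, because the status checked is that of `export`, which is 0 regardless of the command substitution; on failure the script continues with an empty GNUPGHOME, so gpg falls back to the invoking user's default keyring and the verification is no longer confined to the two keys this recipe installs. Split the assignment from the export so the failure aborts: `GNUPGHOME=$(mktemp -d) || exit` followed by `export GNUPGHOME`. Separately, `$ARG0` in help_out is never assigned anywhere in the file, so the usage line starts with an empty program name; `${0##*/}` gives the intended value. The `|| help_out` on the `image_file` and `sig_file` lines is unreachable, since `${1?Missing image file}` makes the non-interactive shell exit with that message before the `||` is evaluated, so a caller with missing arguments never sees the usage text; either drop the `|| help_out` or test `$#` explicitly and call help_out.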