-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
build: Support build with Slim Bootloader
1. Add build with SBL support 2. Add scripts that build ELF as container image Tracked-On: OAM-110589 Signed-off-by: Chen, Gang G <[email protected]>
- Loading branch information
1 parent
feac8fd
commit 198de98
Showing
8 changed files
with
1,946 additions
and
0 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,301 @@ | ||
#!/usr/bin/env python | ||
## @ SingleSign.py | ||
# Single signing script | ||
# | ||
# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR> | ||
# SPDX-License-Identifier: BSD-2-Clause-Patent | ||
# | ||
## | ||
|
||
## | ||
# Import Modules | ||
# | ||
import os | ||
import sys | ||
import re | ||
import shutil | ||
import subprocess | ||
import struct | ||
import hashlib | ||
import string | ||
|
||
SIGNING_KEY = { | ||
# Key Id | Key File Name start | | ||
# ================================================================= | ||
# KEY_ID_MASTER is used for signing Slimboot Key Hash Manifest container (KEYH Component) | ||
"KEY_ID_MASTER_RSA2048" : "MasterTestKey_Priv_RSA2048.pem", | ||
"KEY_ID_MASTER_RSA3072" : "MasterTestKey_Priv_RSA3072.pem", | ||
|
||
# KEY_ID_CFGDATA is used for signing external Config data blob) | ||
"KEY_ID_CFGDATA_RSA2048" : "ConfigTestKey_Priv_RSA2048.pem", | ||
"KEY_ID_CFGDATA_RSA3072" : "ConfigTestKey_Priv_RSA3072.pem", | ||
|
||
# KEY_ID_FIRMWAREUPDATE is used for signing capsule firmware update image) | ||
"KEY_ID_FIRMWAREUPDATE_RSA2048" : "FirmwareUpdateTestKey_Priv_RSA2048.pem", | ||
"KEY_ID_FIRMWAREUPDATE_RSA3072" : "FirmwareUpdateTestKey_Priv_RSA3072.pem", | ||
|
||
# KEY_ID_CONTAINER is used for signing container header with mono signature | ||
"KEY_ID_CONTAINER_RSA2048" : "ContainerTestKey_Priv_RSA2048.pem", | ||
"KEY_ID_CONTAINER_RSA3072" : "ContainerTestKey_Priv_RSA3072.pem", | ||
|
||
# CONTAINER_COMP1_KEY_ID is used for signing container components | ||
"KEY_ID_CONTAINER_COMP_RSA2048" : "ContainerCompTestKey_Priv_RSA2048.pem", | ||
"KEY_ID_CONTAINER_COMP_RSA3072" : "ContainerCompTestKey_Priv_RSA3072.pem", | ||
|
||
# KEY_ID_OS1_PUBLIC, KEY_ID_OS2_PUBLIC is used for referencing Boot OS public keys | ||
"KEY_ID_OS1_PUBLIC_RSA2048" : "OS1_TestKey_Pub_RSA2048.pem", | ||
"KEY_ID_OS1_PUBLIC_RSA3072" : "OS1_TestKey_Pub_RSA3072.pem", | ||
|
||
"KEY_ID_OS2_PUBLIC_RSA2048" : "OS2_TestKey_Pub_RSA2048.pem", | ||
"KEY_ID_OS2_PUBLIC_RSA3072" : "OS2_TestKey_Pub_RSA3072.pem", | ||
|
||
} | ||
|
||
MESSAGE_SBL_KEY_DIR = ( | ||
"!!! PRE-REQUISITE: Path to SBL_KEY_DIR has to be set with SBL KEYS DIRECTORY !!! \n" | ||
"!!! Generate keys using GenerateKeys.py available in BootloaderCorePkg/Tools directory !!! \n" | ||
"!!! Run $python BootloaderCorePkg/Tools/GenerateKeys.py -k $PATH_TO_SBL_KEY_DIR !!!\n" | ||
"!!! Set SBL_KEY_DIR environ with path to SBL KEYS DIR !!!\n" | ||
"!!! Windows $set SBL_KEY_DIR=$PATH_TO_SBL_KEY_DIR !!!\n" | ||
"!!! Linux $export SBL_KEY_DIR=$PATH_TO_SBL_KEY_DIR !!!\n" | ||
) | ||
|
||
def get_openssl_path (): | ||
if os.name == 'nt': | ||
if 'OPENSSL_PATH' not in os.environ: | ||
openssl_dir = "C:\\Openssl\\bin\\" | ||
if os.path.exists (openssl_dir): | ||
os.environ['OPENSSL_PATH'] = openssl_dir | ||
else: | ||
os.environ['OPENSSL_PATH'] = "C:\\Openssl\\" | ||
if 'OPENSSL_CONF' not in os.environ: | ||
openssl_cfg = "C:\\Openssl\\openssl.cfg" | ||
if os.path.exists(openssl_cfg): | ||
os.environ['OPENSSL_CONF'] = openssl_cfg | ||
openssl = os.path.join(os.environ.get ('OPENSSL_PATH', ''), 'openssl.exe') | ||
else: | ||
# Get openssl path for Linux cases | ||
openssl = shutil.which('openssl') | ||
|
||
return openssl | ||
|
||
def run_process (arg_list, print_cmd = False, capture_out = False): | ||
sys.stdout.flush() | ||
if print_cmd: | ||
print (' '.join(arg_list)) | ||
|
||
exc = None | ||
result = 0 | ||
output = '' | ||
try: | ||
if capture_out: | ||
output = subprocess.check_output(arg_list).decode() | ||
else: | ||
result = subprocess.call (arg_list) | ||
except Exception as ex: | ||
result = 1 | ||
exc = ex | ||
|
||
if result: | ||
if not print_cmd: | ||
print ('Error in running process:\n %s' % ' '.join(arg_list)) | ||
if exc is None: | ||
sys.exit(1) | ||
else: | ||
raise exc | ||
|
||
return output | ||
|
||
def check_file_pem_format (priv_key): | ||
# Check for file .pem format | ||
key_name = os.path.basename(priv_key) | ||
if os.path.splitext(key_name)[1] == ".pem": | ||
return True | ||
else: | ||
return False | ||
|
||
def get_key_id (priv_key): | ||
# Extract base name if path is provided. | ||
key_name = os.path.basename(priv_key) | ||
# Check for KEY_ID in key naming. | ||
if key_name.startswith('KEY_ID'): | ||
return key_name | ||
else: | ||
return None | ||
|
||
def get_sbl_key_dir (): | ||
# Check Key store setting SBL_KEY_DIR path | ||
if 'SBL_KEY_DIR' not in os.environ: | ||
raise Exception ("ERROR: SBL_KEY_DIR is not defined. Set SBL_KEY_DIR with SBL Keys directory!!\n" | ||
+ MESSAGE_SBL_KEY_DIR) | ||
|
||
sbl_key_dir = os.environ.get('SBL_KEY_DIR') | ||
if not os.path.exists(sbl_key_dir): | ||
raise Exception (("ERROR:SBL_KEY_DIR set %s is not valid. Set the correct SBL_KEY_DIR path !!\n" | ||
+ MESSAGE_SBL_KEY_DIR) % sbl_key_dir) | ||
else: | ||
return sbl_key_dir | ||
|
||
def get_key_from_store (in_key): | ||
|
||
#Check in_key is path to key | ||
if os.path.exists(in_key): | ||
return in_key | ||
|
||
# Get Slimboot key dir path | ||
sbl_key_dir = get_sbl_key_dir() | ||
|
||
# Extract if in_key is key_id | ||
priv_key = get_key_id (in_key) | ||
if priv_key is not None: | ||
if (priv_key in SIGNING_KEY): | ||
# Generate key file name from key id | ||
priv_key_file = SIGNING_KEY[priv_key] | ||
else: | ||
raise Exception('KEY_ID %s is not found in supported KEY IDs!!' % priv_key) | ||
elif check_file_pem_format(in_key) == True: | ||
# check if file name is provided in pem format | ||
priv_key_file = in_key | ||
else: | ||
priv_key_file = None | ||
raise Exception('key provided %s is not valid!' % in_key) | ||
|
||
# Create a file path | ||
# Join Key Dir and priv_key_file | ||
try: | ||
priv_key = os.path.join (sbl_key_dir, priv_key_file) | ||
except: | ||
raise Exception('priv_key is not found %s!' % priv_key) | ||
|
||
# Check for priv_key construted based on KEY ID exists in specified path | ||
if not os.path.isfile(priv_key): | ||
raise Exception (("!!! ERROR: Key file corresponding to '%s' do not exist in Sbl key directory at '%s' !!! \n" + MESSAGE_SBL_KEY_DIR) % (in_key, sbl_key_dir)) | ||
|
||
return priv_key | ||
|
||
# | ||
# Sign an file using openssl | ||
# | ||
# priv_key [Input] Key Id or Path to Private key | ||
# hash_type [Input] Signing hash | ||
# sign_scheme[Input] Sign/padding scheme | ||
# in_file [Input] Input file to be signed | ||
# out_file [Input/Output] Signed data file | ||
# | ||
|
||
def single_sign_file (priv_key, hash_type, sign_scheme, in_file, out_file): | ||
|
||
_hash_type_string = { | ||
"SHA2_256" : 'sha256', | ||
"SHA2_384" : 'sha384', | ||
"SHA2_512" : 'sha512', | ||
} | ||
|
||
_hash_digest_Size = { | ||
# Hash_string : Hash_Size | ||
"SHA2_256" : 32, | ||
"SHA2_384" : 48, | ||
"SHA2_512" : 64, | ||
"SM3_256" : 32, | ||
} | ||
|
||
_sign_scheme_string = { | ||
"RSA_PKCS1" : 'pkcs1', | ||
"RSA_PSS" : 'pss', | ||
} | ||
|
||
priv_key = get_key_from_store(priv_key) | ||
|
||
# Temporary files to store hash generated | ||
hash_file_tmp = out_file+'.hash.tmp' | ||
hash_file = out_file+'.hash' | ||
|
||
# Generate hash using openssl dgst in hex format | ||
cmdargs = [get_openssl_path(), 'dgst', '-'+'%s' % _hash_type_string[hash_type], '-out', '%s' % hash_file_tmp, '%s' % in_file] | ||
run_process (cmdargs) | ||
|
||
# Extract hash form dgst command output and convert to ascii | ||
with open(hash_file_tmp, 'r') as fin: | ||
hashdata = fin.read() | ||
fin.close() | ||
|
||
try: | ||
hashdata = hashdata.rsplit('=', 1)[1].strip() | ||
except: | ||
raise Exception('Hash Data not found for signing!') | ||
|
||
if len(hashdata) != (_hash_digest_Size[hash_type] * 2): | ||
raise Exception('Hash Data size do match with for hash type!') | ||
|
||
hashdata_bytes = bytearray.fromhex(hashdata) | ||
open (hash_file, 'wb').write(hashdata_bytes) | ||
|
||
print ("Key used for Singing %s !!" % priv_key) | ||
|
||
# sign using Openssl pkeyutl | ||
cmdargs = [get_openssl_path(), 'pkeyutl', '-sign', '-in', '%s' % hash_file, '-inkey', '%s' % priv_key, | ||
'-out', '%s' % out_file, '-pkeyopt', 'digest:%s' % _hash_type_string[hash_type], | ||
'-pkeyopt', 'rsa_padding_mode:%s' % _sign_scheme_string[sign_scheme]] | ||
|
||
run_process (cmdargs) | ||
|
||
return | ||
|
||
# | ||
# Extract public key using openssl | ||
# | ||
# in_key [Input] Private key or public key in pem format | ||
# pub_key_file [Input/Output] Public Key to a file | ||
# | ||
# return keydata (mod, exp) in bin format | ||
# | ||
|
||
def single_sign_gen_pub_key (in_key, pub_key_file = None): | ||
|
||
in_key = get_key_from_store(in_key) | ||
|
||
# Expect key to be in PEM format | ||
is_prv_key = False | ||
cmdline = [get_openssl_path(), 'rsa', '-pubout', '-text', '-noout', '-in', '%s' % in_key] | ||
# Check if it is public key or private key | ||
text = open(in_key, 'r').read() | ||
if '-BEGIN RSA PRIVATE KEY-' in text or '-BEGIN PRIVATE KEY-' in text: | ||
is_prv_key = True | ||
elif '-BEGIN PUBLIC KEY-' in text: | ||
cmdline.extend (['-pubin']) | ||
else: | ||
raise Exception('Unknown key format "%s" !' % in_key) | ||
|
||
if pub_key_file: | ||
cmdline.extend (['-out', '%s' % pub_key_file]) | ||
capture = False | ||
else: | ||
capture = True | ||
|
||
output = run_process (cmdline, capture_out = capture) | ||
if not capture: | ||
output = text = open(pub_key_file, 'r').read() | ||
data = output.replace('\r', '') | ||
data = data.replace('\n', '') | ||
data = data.replace(' ', '') | ||
|
||
# Extract the modulus | ||
if is_prv_key: | ||
match = re.search('modulus(.*)publicExponent:\s+(\d+)\s+', data) | ||
else: | ||
match = re.search('Modulus(?:.*?):(.*)Exponent:\s+(\d+)\s+', data) | ||
if not match: | ||
raise Exception('Public key not found!') | ||
modulus = match.group(1).replace(':', '') | ||
exponent = int(match.group(2)) | ||
|
||
mod = bytearray.fromhex(modulus) | ||
# Remove the '00' from the front if the MSB is 1 | ||
if mod[0] == 0 and (mod[1] & 0x80): | ||
mod = mod[1:] | ||
exp = bytearray.fromhex('{:08x}'.format(exponent)) | ||
|
||
keydata = mod + exp | ||
|
||
return keydata | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
ifeq ($(strip $(LOCAL_MODULE_CLASS)),) | ||
LOCAL_MODULE_CLASS := ABL | ||
endif | ||
|
||
ifeq ($(strip $(LOCAL_MODULE_SUFFIX)),) | ||
LOCAL_MODULE_SUFFIX := .abl | ||
endif | ||
|
||
ifeq ($(strip $(LOCAL_MODULE_PATH)),) | ||
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/abl | ||
endif | ||
|
||
LOCAL_CC := $(IAFW_CC) | ||
LOCAL_CLANG := true | ||
LOCAL_SANITIZE := never | ||
LOCAL_NO_DEFAULT_COMPILER_FLAGS := true | ||
LOCAL_CFLAGS += $(TARGET_IAFW_GLOBAL_CFLAGS) | ||
LOCAL_ASFLAGS += $(TARGET_IAFW_ASFLAGS) | ||
LOCAL_LDFLAGS := $(TARGET_IAFW_GLOBAL_LDFLAGS) -static \ | ||
-T $(TARGET_ABL_LDS) $(LOCAL_LDFLAGS) | ||
# If kernel enforce superpages the .text section gets aligned at | ||
# offset 0x200000 which break multiboot compliance. | ||
LOCAL_LDFLAGS += -z max-page-size=0x1000 | ||
LOCAL_ABL_LDFALGS := $(LOCAL_LDFLAGS) | ||
LOCAL_OBJCOPY_FLAGS := $(TARGET_IAFW_GLOBAL_OBJCOPY_FLAGS) $(LOCAL_OBJCOPY_FLAGS) | ||
|
||
skip_build_from_source := | ||
ifdef LOCAL_PREBUILT_MODULE_FILE | ||
ifeq (,$(call if-build-from-source,$(LOCAL_MODULE),$(LOCAL_PATH))) | ||
include $(BUILD_SYSTEM)/prebuilt_internal.mk | ||
skip_build_from_source := true | ||
endif | ||
endif | ||
|
||
ifndef skip_build_from_source | ||
|
||
ifdef LOCAL_IS_HOST_MODULE | ||
$(error This file should not be used to build host binaries. Included by (or near) $(lastword $(filter-out config/%,$(MAKEFILE_LIST)))) | ||
endif | ||
|
||
WITHOUT_LIBCOMPILER_RT := true | ||
include $(BUILD_SYSTEM)/binary.mk | ||
WITHOUT_LIBCOMPILER_RT := | ||
|
||
LIBPAYLOAD_CRT0_LIB := $(call intermediates-dir-for,STATIC_LIBRARIES,$(LIBPAYLOAD_CRT0))/$(LIBPAYLOAD_CRT0).a | ||
all_objects += $(LIBPAYLOAD_CRT0_LIB) | ||
|
||
$(LOCAL_BUILT_MODULE): PRIVATE_OBJCOPY_FLAGS := $(LOCAL_OBJCOPY_FLAGS) | ||
|
||
#$(LOCAL_BUILT_MODULE): $(all_objects) $(all_libraries) $(ABLIMAGE) $(ABLSIGN) | ||
$(LOCAL_BUILT_MODULE): $(all_objects) $(all_libraries) | ||
$(call transform-o-to-sbl-executable,$(LOCAL_ABL_LDFALGS)) | ||
|
||
endif # skip_build_from_source | ||
|
Oops, something went wrong.