meta-google: flash: Import google-key from gBMC
Adds the Google key installation script and the bitbake recipe that installs the keys and the verification helper.
Google-Bug-Id: 179618162
Upstream: 22e2c3dd5f610777dee173a09d8e82dc2509a975
Signed-off-by: Brandon Kim <brandonkim@google.com>
Change-Id: I21c88b6c2810c4ab3f6089f79143e59b6ce935db
diff --git a/meta-google/recipes-phosphor/flash/google-key.bb b/meta-google/recipes-phosphor/flash/google-key.bb
new file mode 100644
index 0000000..2202115
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key.bb
@@ -0,0 +1,26 @@
+SUMMARY = "Google Key installation Script"
+DESCRIPTION = "Google Key installation Script"
+PR = "r1"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+RDEPENDS_${PN} += "bash"
+RDEPENDS_${PN} += "gnupg"
+
+SRC_URI += " \
+ file://platforms_gbmc_bringup.gpg \
+ file://platforms_gbmc_secure.gpg \
+ file://verify-bmc-image.sh \
+"
+
+do_install() {
+ # Install keys into image.
+ install -d -m 0755 ${D}${datadir}/google-key
+ install -m 0644 ${WORKDIR}/platforms_gbmc_secure.gpg ${D}${datadir}/google-key/prod.key
+ install -m 0644 ${WORKDIR}/platforms_gbmc_bringup.gpg ${D}${datadir}/google-key/dev.key
+
+ # Install the verification helper
+ install -d -m 0755 ${D}${bindir}
+ install -m 0755 ${WORKDIR}/verify-bmc-image.sh ${D}${bindir}
+}
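Review bot: The bringup key is installed into every image unconditionally (`dev.key`, line 33) even though the verifier only honours it behind `--allow-dev`, so a production build ships a second trust root whose acceptance depends solely on a runtime flag; consider gating that install on a PACKAGECONFIG or distro feature so images that must only accept prod-signed firmware do not carry it at all. The verifier script also resolves the keys at the literal path `/usr/share/google-key/`, while this recipe installs them under `${datadir}/google-key`; the two only agree while datadir happens to be /usr/share. Rewriting the path at install time, e.g. `sed -i "s|/usr/share/google-key|${datadir}/google-key|" ${D}${bindir}/verify-bmc-image.sh`, keeps them in step.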
diff --git a/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg
new file mode 100644
index 0000000..f347e22
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_bringup.gpg
Binary files differ
diff --git a/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg
new file mode 100644
index 0000000..9281f77
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/platforms_gbmc_secure.gpg
Binary files differ
diff --git a/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
new file mode 100755
index 0000000..cac229a
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+help_out() {
+ echo "$ARG0 [--allow-dev] <image file> <sig file>" >&2
+ exit 2
+}
+
+opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
+dev=
+eval set -- "$opts"
+while true; do
+ case "$1" in
+ --allow-dev|-d)
+ dev=1
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Bad option: $1" >&2
+ help_out
+ ;;
+ esac
+done
+image_file="${1?Missing image file}" || help_out
+sig_file="${2?Missing sig file}" || help_out
+
+# gnupg needs a home directory even though we don't want to persist any
+# information. We always make a new temporary directory for this
+GNUPGHOME=
+cleanup() {
+ test -n "$GNUPGHOME" && rm -rf "$GNUPGHOME"
+}
+trap cleanup ERR EXIT INT
+export GNUPGHOME="$(mktemp -d)" || exit
+
+gpg() {
+ command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
+}
+import_key() {
+ gpg --import "/usr/share/google-key/$1.key"
+}
+
+import_key prod
+if [ -n "$dev" ]; then
+ import_key dev
+fi
+gpg --verify --ignore-time-conflict "$sig_file" "$image_file"
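Review bot: The `|| exit` on `export GNUPGHOME="$(mktemp -d)"` never fires, because `export` returns its own status (0) rather than the command substitution's, so a failed mktemp leaves GNUPGHOME empty and gpg would presumably fall back to its default home directory instead of the empty temporary keyring this script relies on for the verify to mean anything. Split the assignment from the export: `GNUPGHOME="$(mktemp -d)" || exit` followed by `export GNUPGHOME`. Separately, `help_out` prints `$ARG0`, which is never set anywhere in the script; it should be `$0`. The `${1?Missing image file}` and `${2?Missing sig file}` expansions also abort a non-interactive shell before `|| help_out` can run, so the usage text is never shown on a missing argument; testing `$#` explicitly and calling `help_out` would restore that.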