commit ce2197669a935b377de05ca8af53fb017150e25c
author Lei YU <yulei.sh@bytedance.com> Wed Jan 18 15:07:05 2023 +0800
committer Patrick Williams <patrick@stwcx.xyz> Mon Mar 20 15:13:27 2023 +0000
tree 320e07397be071aeb0ff847ffc8a3a0494f6affa
parent 2d72bdd6a5273902b47968ec60c73de509341041

phosphor-image-signing: Add SIGNING_PUBLIC_KEY

Add SIGNING_PUBLIC_KEY so that it installs the public key to the BMC
image.
If it's defined, the user shall not define SIGNING_KEY.

Tested:
* Do not define SIGNING_KEY or SIGNING_PUBLIC_KEY, the build is the same
as before;
* Define SIGNING_PUBLIC_KEY and do not define SIGNING_KEY, the build
installs the SIGNING_PUBLIC_KEY into the BMC image;
* Define SIGNING_KEY and do not define SIGNING_PUBLIC_KEY, the build
installs the public key from SIGNING_KEY;
* Define both SIGNING_PUBLIC_KEY and SIGNING_KEY, the build fails with
below error message:

```
Both SIGNING_KEY and SIGNING_PUBLIC_KEY are defined, expecting only one
```

Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: I3f345cc90b82f8964c2b498e8d9616cb20cd65cd

meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb

diff --git a/meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb b/meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb
index cfacfbe..09080bc 100644
--- a/meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb
+++ b/meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb
@@ -6,6 +6,8 @@
 DEPENDS += "${@oe.utils.conditional('INSECURE_KEY', 'True', 'phosphor-insecure-signing-key-native', '', d)}"
 PR = "r1"
 
+SIGNING_PUBLIC_KEY ?= ""
+SIGNING_PUBLIC_KEY_TYPE = "${@os.path.splitext(os.path.basename('${SIGNING_PUBLIC_KEY}'))[0]}"
 SIGNING_KEY ?= "${STAGING_DIR_NATIVE}${datadir}/OpenBMC.priv"
 SIGNING_KEY_TYPE = "${@os.path.splitext(os.path.basename('${SIGNING_KEY}'))[0]}"
 SYSROOT_DIRS:append = " ${sysconfdir}"
@@ -13,9 +15,26 @@
 inherit allarch
 
 do_install() {
-        openssl pkey -in "${SIGNING_KEY}" -pubout -out ${WORKDIR}/publickey
+        signing_key="${SIGNING_KEY}"
+        if [ "${INSECURE_KEY}" == "True" ] && [ -n "${SIGNING_PUBLIC_KEY}" ]; then
+            echo "Using SIGNING_PUBLIC_KEY"
+            signing_key=""
+        fi
+        if [ -n "${signing_key}" ] && [ -n "${SIGNING_PUBLIC_KEY}" ]; then
+            echo "Both SIGNING_KEY and SIGNING_PUBLIC_KEY are defined, expecting only one"
+            exit 1
+        fi
+        if [ -n "${signing_key}" ]; then
+            openssl pkey -in "${signing_key}" -pubout -out ${WORKDIR}/publickey
+            idir="${D}${sysconfdir}/activationdata/${SIGNING_KEY_TYPE}"
+        elif [ -n "${SIGNING_PUBLIC_KEY}" ]; then
+            cp "${SIGNING_PUBLIC_KEY}" ${WORKDIR}/publickey
+            idir="${D}${sysconfdir}/activationdata/${SIGNING_PUBLIC_KEY_TYPE}"
+        else
+            echo "No SIGNING_KEY or SIGNING_PUBLIC_KEY defined, expecting one"
+            exit 1
+        fi
         echo HashType=RSA-SHA256 > "${WORKDIR}/hashfunc"
-        idir="${D}${sysconfdir}/activationdata/${SIGNING_KEY_TYPE}"
         install -d ${idir}
         install -m 644 ${WORKDIR}/publickey ${idir}
         install -m 644 ${WORKDIR}/hashfunc ${idir}