Static layout: support image verification

Add support for image verification in the static layout PNOR code update.

Tested: Verify the PNOR code update succeeds with valid-signed PNOR;
        and fails with invalid-signed PNOR or a PNOR tarball without
        signature.

Change-Id: I1aafeb4e8e07eaa16c170f33f4f21940f7c9c146
Signed-off-by: Lei YU <mine260309@gmail.com>
diff --git a/static/activation_static.cpp b/static/activation_static.cpp
index 193d6b3..19bb19e 100644
--- a/static/activation_static.cpp
+++ b/static/activation_static.cpp
@@ -2,7 +2,6 @@
 
 #include "item_updater.hpp"
 
-#include <filesystem>
 #include <phosphor-logging/log.hpp>
 
 namespace openpower
@@ -11,7 +10,6 @@
 {
 namespace updater
 {
-namespace fs = std::filesystem;
 namespace softwareServer = sdbusplus::xyz::openbmc_project::Software::server;
 
 using namespace phosphor::logging;
@@ -27,6 +25,36 @@
 
     if (value == softwareServer::Activation::Activations::Activating)
     {
+        fs::path imagePath(IMG_DIR);
+        imagePath /= versionId;
+
+        for (const auto& entry : fs::directory_iterator(imagePath))
+        {
+            if (entry.path().extension() == ".pnor")
+            {
+                pnorFilePath = entry;
+                break;
+            }
+        }
+        if (pnorFilePath.empty())
+        {
+            log<level::ERR>("Unable to find pnor file",
+                            entry("DIR=%s", imagePath.c_str()));
+            ret = softwareServer::Activation::Activations::Failed;
+            goto out;
+        }
+#ifdef WANT_SIGNATURE_VERIFY
+        // Validate the signed image.
+        if (!validateSignature(pnorFilePath.filename()))
+        {
+            // Cleanup
+            activationBlocksTransition.reset(nullptr);
+            activationProgress.reset(nullptr);
+
+            ret = softwareServer::Activation::Activations::Failed;
+            goto out;
+        }
+#endif
         if (parent.freeSpace())
         {
             startActivation();
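Review bot: The check `validateSignature(pnorFilePath.filename())` is given only the file name, while the later programming step uses the full `pnorFilePath`, so please confirm that the verifier resolves that name under the same `IMG_DIR/versionId` directory and checks the exact file that gets flashed. The failed-verification branch sets `Failed` without logging anything in this hunk; unless validateSignature logs on its own, a line such as `log<level::ERR>("Signature verification failed", entry("PNOR=%s", pnorFilePath.c_str()));` before the cleanup would leave an audit trail. With WANT_SIGNATURE_VERIFY undefined the code falls straight through to `startActivation()`, so a build without that flag accepts unsigned images with no trace; an `#else` branch logging that verification is disabled would make this visible. The enclosing function starts before the hunk.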
@@ -42,30 +70,12 @@
         activationProgress.reset(nullptr);
     }
 
+out:
     return softwareServer::Activation::activation(ret);
 }
 
 void ActivationStatic::startActivation()
 {
-    fs::path pnorFile;
-    fs::path imagePath(IMG_DIR);
-    imagePath /= versionId;
-
-    for (const auto& entry : fs::directory_iterator(imagePath))
-    {
-        if (entry.path().extension() == ".pnor")
-        {
-            pnorFile = entry;
-            break;
-        }
-    }
-    if (pnorFile.empty())
-    {
-        log<level::ERR>("Unable to find pnor file",
-                        entry("DIR=%s", imagePath.c_str()));
-        return;
-    }
-
     if (!activationProgress)
     {
         activationProgress = std::make_unique<ActivationProgress>(bus, path);
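Review bot: startActivation() now relies on `pnorFilePath` having been located and verified by activation() and no longer checks it itself, so any other caller (none is visible here) would proceed with an empty path and without the signature check. A guard at the top such as `if (pnorFilePath.empty()) { return; }`, or at least the comment `// Precondition: pnorFilePath was found and verified by activation()`, would make that contract explicit. As a style point, the `out:` label could be dropped by returning `softwareServer::Activation::activation(ret)` directly from the two failure branches. startActivation's body continues past the hunk.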
@@ -82,9 +92,9 @@
     subscribeToSystemdSignals();
 
     log<level::INFO>("Start programming...",
-                     entry("PNOR=%s", pnorFile.c_str()));
+                     entry("PNOR=%s", pnorFilePath.c_str()));
 
-    std::string pnorFileEscaped = pnorFile.string();
+    std::string pnorFileEscaped = pnorFilePath.string();
     // Escape all '/' to '-'
     std::replace(pnorFileEscaped.begin(), pnorFileEscaped.end(), '/', '-');