Verify signature for non ubifs image
Enable signature verification on non ubifs build.
The code is the same for ubifs and non-ubifs, so move the related code into
separate functions.
Tested: Verify that the signature check happens during code update, and
successfully updated the code when the image is valid;
verify it fails to update in field mode when the image is
modified.
Change-Id: I81a536fb7ea05d804fa592c57bbed8f32f07a559
Signed-off-by: Lei YU <mine260309@gmail.com>
diff --git a/activation.hpp b/activation.hpp
index ba7c618..7f0120f 100644
--- a/activation.hpp
+++ b/activation.hpp
@@ -8,6 +8,12 @@
#include "xyz/openbmc_project/Software/ActivationProgress/server.hpp"
#include "org/openbmc/Associations/server.hpp"
+#include "config.h"
+
+#ifdef WANT_SIGNATURE_VERIFY
+#include <experimental/filesystem>
+#endif
+
namespace phosphor
{
namespace software
@@ -15,6 +21,10 @@
namespace updater
{
+#ifdef WANT_SIGNATURE_VERIFY
+namespace fs = std::experimental::filesystem;
+#endif
+
using AssociationList =
std::vector<std::tuple<std::string, std::string, std::string>>;
using ActivationInherit = sdbusplus::server::object::object<
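Review bot: The added `namespace fs = std::experimental::filesystem;` sits at namespace scope in a header and exists only when WANT_SIGNATURE_VERIFY is defined, so `phosphor::software::updater::fs` is visible to every includer in signed builds and absent in unsigned ones. Any source file that comes to rely on the header's alias would then compile only with signature verification enabled; whether one already does is not visible here. Either make the alias unconditional, or drop it and spell the type out in the one declaration that needs it, e.g. `const std::experimental::filesystem::path& imageDir`.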
@@ -320,6 +330,21 @@
/** @brief Tracks if the service that updates the U-Boot environment
* variables has completed. **/
bool ubootEnvVarsUpdated = false;
+
+#ifdef WANT_SIGNATURE_VERIFY
+ private:
+ /** @brief Verify signature of the images.
+ *
+ * @param[in] imageDir - The path of images to verify
+ * @param[in] confDir - The path of configs for verification
+ *
+ * @return true if verification successful and false otherwise
+ */
+ bool verifySignature(const fs::path& imageDir, const fs::path& confDir);
+
+ /** @brief Called when image verification fails. */
+ void onVerifyFailed();
+#endif
};
} // namespace updater
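Review bot: `verifySignature()` reports the outcome of a security check as a plain `bool`, and nothing in the declaration stops a caller from discarding it, which would let activation proceed on an unverified image. If the project builds as C++17, declare it `[[nodiscard]] bool verifySignature(const fs::path& imageDir, const fs::path& confDir);` so a dropped result becomes a compiler warning. The doc comments should also state the contract the commit message implies: what the caller must do on `false`, that field mode rejects the update, and whether a missing key or config under `confDir` counts as a failure. As written, `/** @brief Called when image verification fails. */` does not say whether `onVerifyFailed()` aborts the activation or only records the error. The class body starts outside this hunk, so the call sites cannot be checked from here.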