blob: 7ff682728bd9418366f11ec02c128c4f711da779 [file] [log] [blame]
#!/bin/bash
set -eo pipefail
help=$(cat <<EOF
Generate Tarball with PSU image and MANIFEST Script
usage: generate-psu-tar [OPTION] <parameter>...
Options:
--image <file> PSU FW image
--version <version> PSU FW version
--model <model> PSU FW model
--manufacture <version> PSU FW manufacture
--machineName <machineName> Optionally specify the target machine name of this image.
--outfile <filename> Outfile name
For example : -o psufw.tar
The default outfile name is image.tar,and
"image" is what you input.
--sign <path> Sign the image. The optional path argument specifies
the private key file. Defaults to the bash variable
PRIVATE_KEY_PATH if available, or else uses the
open-source private key in this script.
--help Display this help text and exit.
EOF
)
private_key=$'-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAPvSDLu6slkP1gri
PaeQXL9ysD69J/HjbBCIQ0RPfeWBb75US1tRTjPP0Ub8CtH8ExVf8iF1ulsZA78B
zIjBYZVp9pyD6LbpZ/hjV7rIH6dTNhoVpdA+F8LzmQ7cyhHG8l2JMvdunwF2uX5k
D4WDcZt/ITKZNQNavPtmIyD5HprdAgMBAAECgYEAuQkTSi5ZNpAoWz76xtGRFSwU
zUT4wQi3Mz6tDtjKTYXasiQGa0dHC1M9F8fDu6BZ9W7W4Dc9hArRcdzEighuxoI/
nZI/0uL89iUEywnDEIHuS6D5JlZaj86/nx9YvQnO8F/seM+MX0EAWVrd5wC7aAF1
h6Fu7ykZB4ggUjQAWwECQQD+AUiDOEO+8btLJ135dQfSGc5VFcZiequnKWVm6uXt
rX771hEYjYMjLqWGFg9G4gE3GuABM5chMINuQQUivy8tAkEA/cxfy19XkjtqcMgE
x/UDt6Nr+Ky/tk+4Y65WxPRDas0uxFOPk/vEjgVmz1k/TAy9G4giisluTvtmltr5
DCLocQJBAJnRHx9PiD7uVhRJz6/L/iNuOzPtTsi+Loq5F83+O6T15qsM1CeBMsOw
cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
5yuNImRZabC3ZolwaTdd7nf5r1y1Eyec5Ag5yENV6JKPe1Xkbb1XKJECQDngA0h4
6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
F0nIdUAhR0yTfKM=
-----END PRIVATE KEY-----
'
do_sign=false
# shellcheck disable=SC2153
private_key_path="${PRIVATE_KEY_PATH}"
image=""
outfile=""
version=""
model=""
manufacture=""
machineName=""
while [[ $# -gt 0 ]]; do
key="$1"
case $key in
--image)
image="$2"
shift 2
;;
--version)
version="$2"
shift 2
;;
--model)
model="$2"
shift 2
;;
--manufacture)
manufacture="$2"
shift 2
;;
--machineName)
machineName="$2"
shift 2
;;
--outfile)
outfile="$2"
shift 2
;;
--sign)
do_sign=true
if [[ -n "${2}" && "${2}" != -* ]]; then
private_key_path="$2"
shift 2
else
shift 1
fi
;;
--help)
echo "$help"
exit
;;
*)
echo "Please enter the correct parameters."
echo "$help"
exit 1
;;
esac
done
if [ ! -f "${image}" ]; then
echo "Please enter a valid PSU FW image file."
echo "$help"
exit 1
fi
if [ -z "${version}" ]; then
echo "Please enter a valid PSU FW image version."
echo "$help"
exit 1
fi
if [ -z "${model}" ]; then
echo "Please enter a valid PSU FW image model."
echo "$help"
exit 1
fi
if [ -z "${manufacture}" ]; then
echo "Please enter a valid PSU FW image manufacture."
echo "$help"
exit 1
fi
if [ -z "${outfile}" ]; then
outfile=$(pwd)/$image.tar
else
outfile=$(pwd)/$outfile
fi
scratch_dir=$(mktemp -d)
# shellcheck disable=SC2064
trap "{ rm -r ${scratch_dir}; }" EXIT
if [[ "${do_sign}" == true ]]; then
if [[ -z "${private_key_path}" ]]; then
private_key_path=${scratch_dir}/OpenBMC.priv
echo "${private_key}" > "${private_key_path}"
echo "Image is NOT secure!! Signing with the open private key!"
else
if [[ ! -f "${private_key_path}" ]]; then
echo "Couldn't find private key ${private_key_path}."
exit 1
fi
echo "Signing with ${private_key_path}."
fi
public_key_file=publickey
public_key_path=${scratch_dir}/$public_key_file
openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
cp "${private_key_path}" "${scratch_dir}/private_key"
fi
manifest_location="MANIFEST"
files_to_sign="$manifest_location $public_key_file $image"
cp "${image}" "${scratch_dir}"
cd "${scratch_dir}"
echo "Creating MANIFEST for the image"
echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.PSU\nversion=$version\n\
extended_version=model=$model,manufacture=$manufacture" > $manifest_location
if [[ -n "${machineName}" ]]; then
echo -e "MachineName=${machineName}" >> $manifest_location
fi
if [[ "${do_sign}" == true ]]; then
private_key_name=$(basename "${private_key_path}")
key_type="${private_key_name%.*}"
echo KeyType="${key_type}" >> $manifest_location
echo HashType="RSA-SHA256" >> $manifest_location
for file in $files_to_sign; do
openssl dgst -sha256 -sign private_key -out "${file}.sig" "$file"
done
additional_files="*.sig"
fi
# shellcheck disable=SC2086
# Do not quote the files variables since they list multiple files
# and tar would assume to be a single file name within quotes
tar -cvf $outfile $files_to_sign $additional_files
echo "PSU FW tarball at $outfile"
exit