authorJayanth Othayoth <ojayanth@in.ibm.com>2018-03-20 09:39:06 -0500
committerAdriana Kobylak <anoo@us.ibm.com>2018-03-23 11:19:54 -0500
commit4016e52644159d93e3a6a98e059af48a1fe4be04 (patch)
tree45a7ef92bd04e81a3b3770a87e3584a0359fb389
parent70804dcd6b6d4f2d5c2eda4dd80741da0471510e (diff)
Enabled PNOR signed image validation
Enable signature validation during version activation based on the WANT_SIGNATURE_VERIFY flag. Change-Id: If8f4357553be9ed2fbcf86b4dddec768532a043a Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com> Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
-rwxr-xr-xactivation.cpp32
-rwxr-xr-xconfigure.ac4
2 files changed, 36 insertions, 0 deletions
diff --git a/activation.cpp b/activation.cpp
index 350bf5ad1..ce20dcbd2 100755
--- a/activation.cpp
+++ b/activation.cpp
@@ -5,6 +5,14 @@
#include "serialize.hpp"
#include <phosphor-logging/log.hpp>
+#ifdef WANT_SIGNATURE_VERIFY
+#include <phosphor-logging/elog.hpp>
+#include <phosphor-logging/elog-errors.hpp>
+#include <xyz/openbmc_project/Common/error.hpp>
+#include "image_verify.hpp"
+#include "config.h"
+#endif
+
namespace openpower
{
namespace software
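Review bot: `#include "config.h"` sits inside the `#ifdef WANT_SIGNATURE_VERIFY` block, so if that macro is defined by config.h and nothing earlier in the file pulls it in, the guard is evaluated before the macro exists and the verification added to `Activation::activation` is silently compiled out. The first four lines of activation.cpp are outside the hunk, so an earlier include or a `-D` compiler flag may already cover this. If not, move `#include "config.h"` above the `#ifdef WANT_SIGNATURE_VERIFY` line so the guard sees the configured value. A feature that fails open at compile time is hard to notice on a shipped image, so confirm in the build output that the guarded code is actually present.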
@@ -17,6 +25,11 @@ namespace softwareServer = sdbusplus::xyz::openbmc_project::Software::server;
using namespace phosphor::logging;
+#ifdef WANT_SIGNATURE_VERIFY
+using InternalFailure =
+ sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure;
+#endif
+
constexpr auto SYSTEMD_SERVICE = "org.freedesktop.systemd1";
constexpr auto SYSTEMD_OBJ_PATH = "/org/freedesktop/systemd1";
@@ -105,6 +118,25 @@ auto Activation::activation(Activations value) -> Activations
if (ubiVolumesCreated == false)
{
+
+#ifdef WANT_SIGNATURE_VERIFY
+ using Signature = openpower::software::image::Signature;
+
+ fs::path imagePath(IMG_DIR);
+
+ Signature signature(imagePath / versionId, SIGNED_IMAGE_CONF_PATH);
+
+ // Validate the signed image.
+ if (!signature.verify())
+ {
+ log<level::ERR>("Error occurred during image validation");
+ report<InternalFailure>();
+
+ return softwareServer::Activation::activation(
+ softwareServer::Activation::Activations::Failed);
+ }
+#endif
+
Activation::startActivation();
return softwareServer::Activation::activation(value);
}
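Review bot: The failure branch logs a fixed string with no image identifier, so a rejected image cannot be tied to a version when reading the journal. Assuming `versionId` is a `std::string`, carry it in the log call: `log<level::ERR>("Error occurred during image validation", entry("VERSION_ID=%s", versionId.c_str()));`. The check is also placed inside the `if (ubiVolumesCreated == false)` branch and the rest of `Activation::activation` lies outside the hunk, so confirm that no other path reaches `startActivation()` or the later flash step without passing through `signature.verify()`. If `verify()` can throw, the exception would bypass the transition to `Failed`; that cannot be determined from the lines shown.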
diff --git a/configure.ac b/configure.ac
index f9f8d37bd..fd8a17d68 100755
--- a/configure.ac
+++ b/configure.ac
@@ -72,6 +72,10 @@ AC_DEFINE(FILEPATH_IFACE, "xyz.openbmc_project.Common.FilePath",
AC_DEFINE(BUSNAME_UPDATER, "org.open_power.Software.Host.Updater",
[The item updater DBus busname to own.])
+AC_ARG_VAR(IMG_DIR, [Directory where downloaded or uploaded software images are placed and extracted])
+AS_IF([test "x$IMG_DIR" == "x"], [IMG_DIR="/tmp/images"])
+AC_DEFINE_UNQUOTED([IMG_DIR], ["$IMG_DIR"], [Directory where downloaded or uploaded software images are placed and extracted])
+
AC_ARG_VAR(MANIFEST_FILE, [The path to the MANIFEST file])
AS_IF([test "x$MANIFEST_FILE" == "x"], [MANIFEST_FILE="MANIFEST"])
AC_DEFINE_UNQUOTED([MANIFEST_FILE], ["$MANIFEST_FILE"], [The path to the MANIFEST file])
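Review bot: The default `IMG_DIR` of `/tmp/images` is now the directory that `Signature::verify()` in activation.cpp checks, so its ownership and permissions become part of the signature trust boundary. This hunk does not document that. If activation later reads the image files from that same directory, which is not visible here, a change to them between the check and the write would not be covered by the signature. Add a comment above the `AC_ARG_VAR` line such as `# IMG_DIR is read by signature verification; it must be writable only by the software updater.`, and confirm on target that the directory is root-owned and not group- or world-writable.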