diff options
-rwxr-xr-x | Makefile.am | 11 | ||||
-rw-r--r-- | activation.cpp | 31 | ||||
-rwxr-xr-x | configure.ac | 7 |
3 files changed, 45 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am index 4e2b209..10c3bf8 100755 --- a/Makefile.am +++ b/Makefile.am @@ -7,8 +7,7 @@ noinst_HEADERS = \ version.hpp \ image_manager.hpp \ item_updater.hpp \ - activation.hpp \ - image_verify.hpp + activation.hpp sbin_PROGRAMS = \ phosphor-version-software-manager \ @@ -38,8 +37,12 @@ phosphor_image_updater_SOURCES = \ version.cpp \ serialize.cpp \ item_updater.cpp \ - item_updater_main.cpp \ - image_verify.cpp + item_updater_main.cpp + +if WANT_SIGNATURE_VERIFY_BUILD +noinst_HEADERS += image_verify.hpp +phosphor_image_updater_SOURCES += image_verify.cpp +endif nodist_phosphor_image_updater_SOURCES = \ org/openbmc/Associations/server.cpp diff --git a/activation.cpp b/activation.cpp index 823f1fb..8d4b202 100644 --- a/activation.cpp +++ b/activation.cpp @@ -4,6 +4,14 @@ #include "serialize.hpp" #include <phosphor-logging/log.hpp> +#ifdef WANT_SIGNATURE_VERIFY +#include <phosphor-logging/elog.hpp> +#include <phosphor-logging/elog-errors.hpp> +#include <xyz/openbmc_project/Common/error.hpp> +#include "image_verify.hpp" +#include "config.h" +#endif + namespace phosphor { namespace software @@ -15,6 +23,11 @@ namespace softwareServer = sdbusplus::xyz::openbmc_project::Software::server; using namespace phosphor::logging; +#ifdef WANT_SIGNATURE_VERIFY +using InternalFailure = + sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure; +#endif + void Activation::subscribeToSystemdSignals() { auto method = this->bus.new_method_call(SYSTEMD_BUSNAME, SYSTEMD_PATH, @@ -60,6 +73,24 @@ auto Activation::activation(Activations value) -> Activations std::make_unique<ActivationBlocksTransition>(bus, path); } +#ifdef WANT_SIGNATURE_VERIFY + using Signature = phosphor::software::image::Signature; + + fs::path uploadDir(IMG_UPLOAD_DIR); + + Signature signature(uploadDir / versionId, SIGNED_IMAGE_CONF_PATH); + + // Validate the signed image. + if (!signature.verify()) + { + log<level::ERR>("Error occurred during image validation"); + report<InternalFailure>(); + + return softwareServer::Activation::activation( + softwareServer::Activation::Activations::Failed); + } +#endif + auto method = bus.new_method_call(SYSTEMD_BUSNAME, SYSTEMD_PATH, SYSTEMD_INTERFACE, "StartUnit"); method.append("obmc-flash-bmc-ubirw.service", "replace"); diff --git a/configure.ac b/configure.ac index 6caf4b9..54f8eea 100755 --- a/configure.ac +++ b/configure.ac @@ -129,6 +129,13 @@ AS_IF([test "x$ACTIVE_BMC_MAX_ALLOWED" == "x"], [ACTIVE_BMC_MAX_ALLOWED=2]) AC_DEFINE_UNQUOTED([ACTIVE_BMC_MAX_ALLOWED], [$ACTIVE_BMC_MAX_ALLOWED], [The maximum allowed active BMC versions]) +# setup signature verification +AC_ARG_ENABLE([verify_signature], + AS_HELP_STRING([--enable-verify_signature], [Enable image signature validation.])) +AS_IF([test "x$enable_verify_signature" == "xyes"], \ + [AC_DEFINE([WANT_SIGNATURE_VERIFY],[],[Enable image signature validation.])]) +AM_CONDITIONAL([WANT_SIGNATURE_VERIFY_BUILD], [test "x$enable_verify_signature" == "xyes"]) + AC_DEFINE(BUSNAME_UPDATER, "xyz.openbmc_project.Software.BMC.Updater", [The item updater DBus busname to own.]) |