authorDave Heller <hellerda@linux.vnet.ibm.com>2018-06-19 14:39:16 -0400
committerDave Heller <hellerda@linux.vnet.ibm.com>2018-06-19 14:39:16 -0400
commit2de789ef3c935749d0f2490b4afdd642a7cae62f (patch)
tree646dfcba270b1b5acf280c548ed107d4af0769da
parent62dbeaa3fdbd4690ab84a9a18c5f01037b9c3970 (diff)
downloadsb-signing-utils-2de789ef3c935749d0f2490b4afdd642a7cae62f.tar.gz
sb-signing-utils-2de789ef3c935749d0f2490b4afdd642a7cae62f.zip
Support inter-mode import
This supports the case where HW key signing is done standalone in Local or Independent mode and the resulting signatures are imported into Production mode. The use of "signing project" names, previously used only in Production mode, is now extended to Local and Independent mode. The HW key signer may set a "hw_signing_project_basename"; if set, the export is prepared for import into a Production mode process that uses the same project basename, and on import signtool will pick up the artifacts generated under that basename.
-rwxr-xr-xcrtSignedContainer.sh179
1 files changed, 125 insertions, 54 deletions
diff --git a/crtSignedContainer.sh b/crtSignedContainer.sh
index 26d5cfb..b176336 100755
--- a/crtSignedContainer.sh
+++ b/crtSignedContainer.sh
@@ -110,6 +110,26 @@ get_date_string () {
}
exportArchive () {
+ # If project basename is set, prepare the export for import to a system
+ # using the same project basename.
+ if [ "$SIGN_MODE" == "local" ] || \
+ [ "$SIGN_MODE" == "independent" ] && \
+ [ "$SF_HW_SIGNING_PROJECT_BASE" ]
+ then
+ cd "$T" || die "Cannot cd to $T"
+ for KEY in a b c; do
+ cp -p &>/dev/null "HW_key_$KEY.pub" \
+ "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_key_${KEY}.pub"
+ cp -p &>/dev/null "HW_key_$KEY.raw" \
+ "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_key_${KEY}.raw"
+ cp -p &>/dev/null "HW_key_$KEY.sig" \
+ "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_sig_${KEY}.sig"
+ cp -p &>/dev/null "HW_key_$KEY.raw" \
+ "project.${SF_HW_SIGNING_PROJECT_BASE}_${KEY}.HW_sig_${KEY}.raw"
+ done
+ fi
+
+ # Create the archive.
cd "$SB_SCRATCH_DIR" || die "Cannot cd to $SB_SCRATCH_DIR"
if tar -zcf "$SB_ARCHIVE_OUT" "$buildID/$LABEL/"; then
echo "--> $P: Archive saved to: $SB_ARCHIVE_OUT"
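Review bot: The fourth cp in the new export block publishes `HW_key_$KEY.raw` under the signature name `project.…_${KEY}.HW_sig_${KEY}.raw` while the same file is exported as a key two lines earlier; if that `.raw` is the raw public key (the key-cache code in this commit writes `HW_key_$KEY.raw` from the `is_raw_key` branch), a Production import whose `.sig` lookup misses will fall through to the `.raw` name and hand key bytes to the signature argument. If a raw signature is intended it should be copied from a dedicated raw-signature source, otherwise that copy should be dropped. All four copies also run with `&>/dev/null`, so a missing artifact is never reported; even for a best-effort export, a `test -f` with a warning would tell the HW key signer the archive is incomplete, e.g. `[ -f "HW_key_$KEY.sig" ] || echo "--> $P: Warning: no signature for HW key $(to_upper $KEY) in export" >&2`. The mixed `||`/`&&` in the guarding `if` relies on left-to-right evaluation; grouping it as `{ [ "$SIGN_MODE" == "local" ] || [ "$SIGN_MODE" == "independent" ]; } && [ "$SF_HW_SIGNING_PROJECT_BASE" ]` makes the intent explicit. exportArchive continues outside the hunk.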
@@ -476,9 +496,12 @@ test "$SB_DEBUG" && SF_DEBUG_ARGS="$SF_DEBUG_ARGS -d -stdout"
#
# Set defaults for signframework project basenames
#
+if [ "$SIGN_MODE" == "production" ]
+then
: "${SF_HW_SIGNING_PROJECT_BASE:=sign_ecc_pwr_hw_key}"
: "${SF_FW_SIGNING_PROJECT_BASE:=sign_ecc_pwr_fw_key_op_bld}"
: "${SF_GETPUBKEY_PROJECT_BASE:=getpubkeyecc}"
+fi
#
# Get the public keys
@@ -497,6 +520,17 @@ then
# Add to HW_KEY_ARGS
HW_KEY_ARGS="$HW_KEY_ARGS -$KEY $KEYFILE"
+
+ # Copy the pubkey to the cache.
+ if [ -f "$KEYFILE" ]; then
+ if is_private_key "$KEYFILE"; then
+ openssl ec -in "$KEYFILE" -pubout -out "$T/HW_key_$KEY.pub" &>/dev/null
+ elif is_public_key "$KEYFILE"; then
+ cp -p "$KEYFILE" "$T/HW_key_$KEY.pub"
+ elif is_raw_key "$KEYFILE"; then
+ cp -p "$KEYFILE" "$T/HW_key_$KEY.raw"
+ fi
+ fi
done
for KEY in p q r; do
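Review bot: The `openssl ec -pubout` call that populates the key cache discards both its exit status and its diagnostics, so a malformed or passphrase-protected private key leaves no `HW_key_$KEY.pub` behind and the later export silently omits that key. Check the result instead: `openssl ec -in "$KEYFILE" -pubout -out "$T/HW_key_$KEY.pub" 2>/dev/null || die "Cannot extract public key from $KEYFILE"`. Deriving only the public half into the cache, and never copying the private key file itself, is the right choice for an archive that is shipped to the Production side; a comment saying so would keep a future maintainer from "simplifying" it to a plain cp. The enclosing key loop starts outside the hunk.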
@@ -526,33 +560,48 @@ then
# Currently we use it only to check if __skip was specified.
SF_PROJECT=${SF_HW_SIGNING_PROJECT_BASE}_${KEY}
- KEYFILE=project.$SF_PROJECT.HW_key_$KEY.raw
+ KEYFILE_BASE=project.$SF_PROJECT.HW_key_$KEY
+
+ KEYFOUND=""
+ while [ -z "$KEYFOUND" ]
+ do
+ for KEYFILE in "$KEYFILE_BASE.pub" "$KEYFILE_BASE.raw"
+ do
+ # Look for key in the component cache.
+ KEYFOUND=$(find "$T" -name $KEYFILE | head -1)
+ if [ "$KEYFOUND" ]; then
+ test "$SB_VERBOSE" && msg=" ($KEYFILE)"
+ echo "--> $P: Found key for HW key $(to_upper $KEY).${msg}"
+ break 2
+ fi
- # If no keyfile in the current dir, try to find one. If none found, try to get one.
- if [ -f "$T/$KEYFILE" ]
- then
- echo "--> $P: Found key for HW key $(to_upper $KEY)."
- else
- KEYFOUND=$(find "$TOPDIR" -name $KEYFILE | head -1)
+ # If not in the component cache, look elsewhere in the cache.
+ KEYFOUND=$(find "$TOPDIR" -name $KEYFILE | head -1)
+ if [ "$KEYFOUND" ]; then
+ test "$SB_VERBOSE" && msg=" ($KEYFILE)"
+ echo "--> $P: Found key for HW key $(to_upper $KEY).${msg}"
+ cp -p "$KEYFOUND" "$T/"
+ break 2
+ fi
+ done
+
+ # No key found, request one.
+ KEYFILE="$KEYFILE_BASE.raw"
+ echo "--> $P: Requesting public key for HW key $(to_upper $KEY)..."
+ sf_client $SF_DEBUG_ARGS -project "$SF_GETPUBKEY_PROJECT_BASE" \
+ -param "-signproject $SF_PROJECT" \
+ -epwd "$SF_EPWD" -comments "Requesting $SF_PROJECT" \
+ -url sftp://$SF_USER@$SF_SERVER -pkey "$SF_SSHKEY" \
+ -o "$T/$KEYFILE"
+ rc=$?
- if [ "$KEYFOUND" ]
- then
- echo "--> $P: Found key for HW key $(to_upper $KEY)."
- cp -p "$KEYFOUND" "$T/"
- else
- echo "--> $P: Requesting public key for HW key $(to_upper $KEY)..."
- sf_client $SF_DEBUG_ARGS -project "$SF_GETPUBKEY_PROJECT_BASE" \
- -param "-signproject $SF_PROJECT" \
- -epwd "$SF_EPWD" -comments "Requesting $SF_PROJECT" \
- -url sftp://$SF_USER@$SF_SERVER -pkey "$SF_SSHKEY" \
- -o "$T/$KEYFILE"
- rc=$?
+ test $rc -ne 0 && die "Call to sf_client failed with error: $rc"
- test $rc -ne 0 && die "Call to sf_client failed with error: $rc"
+ KEYFOUND=$(find "$T" -name $KEYFILE)
+ test -z "$KEYFOUND" && die "Unable to retrieve HW key $(to_upper $KEY)."
- echo "--> $P: Retrieved public key for HW key $(to_upper $KEY)."
- fi
- fi
+ echo "--> $P: Retrieved public key for HW key $(to_upper $KEY)."
+ done
# Add to HW_KEY_ARGS
HW_KEY_ARGS="$HW_KEY_ARGS -$KEY $T/$KEYFILE"
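Review bot: Replacing the `-f "$T/$KEYFILE"` test with `find "$T" -name $KEYFILE | head -1` turns the component-cache check into a recursive search, but the path appended to `HW_KEY_ARGS` after the loop is still the literal `$T/$KEYFILE`, so a match in a subdirectory of `$T` is reported as found and then fails to open; `$KEYFILE` is also unquoted as the `-name` pattern. Use a direct check for the component cache, `if [ -f "$T/$KEYFILE" ]; then KEYFOUND=$T/$KEYFILE`, or restrict the search with `find "$T" -maxdepth 1 -name "$KEYFILE"`. The `find "$TOPDIR"` fallback takes the first same-named file anywhere in the cache tree; that predates this commit, but now that Local/Independent exports populate the tree with `project.*` files it deserves a comment noting that the public key is accepted from whichever build directory find lists first. The enclosing for loop and if block start outside the hunk.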
@@ -571,13 +620,15 @@ then
if [ -f "$T/$KEYFILE" ]
then
- echo "--> $P: Found key for SW key $(to_upper $KEY)."
+ test "$SB_VERBOSE" && msg=" ($KEYFILE)"
+ echo "--> $P: Found key for SW key $(to_upper $KEY).${msg}"
else
KEYFOUND=$(find "$TOPDIR" -name $KEYFILE | head -1)
if [ "$KEYFOUND" ]
then
- echo "--> $P: Found key for SW key $(to_upper $KEY)."
+ test "$SB_VERBOSE" && msg=" ($KEYFILE)"
+ echo "--> $P: Found key for SW key $(to_upper $KEY).${msg}"
cp -p "$KEYFOUND" "$T/"
else
echo "--> $P: Requesting public key for SW key $(to_upper $KEY)..."
@@ -642,7 +693,8 @@ then
# Look for signature in the local cache dir.
if [ -f "$T/$SIGFILE" ]
then
- echo "--> $P: Found signature for HW key $(to_upper $KEY)."
+ test "$SB_VERBOSE" && msg=" ($SIGFILE)"
+ echo "--> $P: Found signature for HW key $(to_upper $KEY).${msg}"
else
# Check elsewhere in the cache.
if [ "$SIGN_MODE" == "independent" ] && [ "$SB_ARCHIVE_IN" ]
@@ -654,7 +706,8 @@ then
if [ "$SIGFOUND" ]
then
- echo "--> $P: Found signature for HW key $(to_upper $KEY)."
+ test "$SB_VERBOSE" && msg=" ($SIGFILE)"
+ echo "--> $P: Found signature for HW key $(to_upper $KEY).${msg}"
cp -p "$SIGFOUND" "$T/"
else
# If no signature found, try to generate one.
@@ -691,7 +744,8 @@ then
[ "$(to_upper "$LABEL")" != SBKT ] && \
[ "$(to_upper "$LABEL")" != SBKTRAND ]
then
- echo "--> $P: Found signature for SW key $(to_upper $KEY)."
+ test "$SB_VERBOSE" && msg=" ($SIGFILE)"
+ echo "--> $P: Found signature for SW key $(to_upper $KEY).${msg}"
elif test -f "$KEYFILE" && is_private_key "$KEYFILE"
then
# No signature found, try to generate one.
@@ -711,9 +765,6 @@ then
elif [ "$SIGN_MODE" == "production" ]
then
for KEY in a b c; do
- SF_PROJECT=${SF_HW_SIGNING_PROJECT_BASE}_${KEY}
- SIGFILE=project.$SF_PROJECT.HW_sig_$KEY.raw
-
varname=HW_KEY_$(to_upper $KEY); KEYFILE=${!varname}
# Handle the special values, or empty value
@@ -722,31 +773,50 @@ then
# TODO: Add full support for user-specified keys in Production mode.
# Currently we use it only to check if __skip or __getkey was specified.
- # If no signature in the current dir, try to find one. If none found, request one.
- if [ -f "$T/$SIGFILE" ]
- then
- echo "--> $P: Found signature for HW key $(to_upper $KEY)."
- else
- SIGFOUND=$(find "$TOPDIR" -type f -name $SIGFILE | head -1)
+ SF_PROJECT=${SF_HW_SIGNING_PROJECT_BASE}_${KEY}
+ SIGFILE_BASE=project.$SF_PROJECT.HW_sig_$KEY
+
+ SIGFOUND=""
+ while [ -z "$SIGFOUND" ]
+ do
+ for SIGFILE in "$SIGFILE_BASE.sig" "$SIGFILE_BASE.raw"
+ do
+ # Look for sig in the component cache.
+ SIGFOUND=$(find "$T" -name $SIGFILE | head -1)
+ if [ "$SIGFOUND" ]; then
+ test "$SB_VERBOSE" && msg=" ($SIGFILE)"
+ echo "--> $P: Found sig for HW key $(to_upper $KEY).${msg}"
+ break 2
+ fi
- if [ "$SIGFOUND" ]
- then
- echo "--> $P: Found signature for HW key $(to_upper $KEY)."
- cp -p "$SIGFOUND" "$T/"
- else
- test "$KEYFILE" == __getkey && continue
- echo "--> $P: Requesting signature for HW key $(to_upper $KEY)..."
- sf_client $SF_DEBUG_ARGS -project $SF_PROJECT -epwd "$SF_EPWD" \
- -comments "Requesting sig for $SF_PROJECT" \
- -url sftp://$SF_USER@$SF_SERVER -pkey "$SF_SSHKEY" \
- -payload "$T/prefix_hdr" -o "$T/$SIGFILE"
- rc=$?
+ # If not in the component cache, look elsewhere in the cache.
+ SIGFOUND=$(find "$TOPDIR" -name $SIGFILE | head -1)
+ if [ "$SIGFOUND" ]; then
+ test "$SB_VERBOSE" && msg=" ($SIGFILE)"
+ echo "--> $P: Found sig for HW key $(to_upper $KEY).${msg}"
+ cp -p "$SIGFOUND" "$T/"
+ break 2
+ fi
+ done
- test $rc -ne 0 && die "Call to sf_client failed with error: $rc"
+ # No signature found, request one.
+ test "$KEYFILE" == __getkey && break
- echo "--> $P: Retrieved signature for HW key $(to_upper $KEY)."
- fi
- fi
+ SIGFILE="$SIGFILE_BASE.raw"
+ echo "--> $P: Requesting signature for HW key $(to_upper $KEY)..."
+ sf_client $SF_DEBUG_ARGS -project $SF_PROJECT -epwd "$SF_EPWD" \
+ -comments "Requesting sig for $SF_PROJECT" \
+ -url sftp://$SF_USER@$SF_SERVER -pkey "$SF_SSHKEY" \
+ -payload "$T/prefix_hdr" -o "$T/$SIGFILE"
+ rc=$?
+
+ test $rc -ne 0 && die "Call to sf_client failed with error: $rc"
+
+ SIGFOUND=$(find "$T" -name $SIGFILE)
+ test -z "$SIGFOUND" && die "Unable to retrieve sig for HW key $(to_upper $KEY)."
+
+ echo "--> $P: Retrieved signature for HW key $(to_upper $KEY)."
+ done
FOUND="${FOUND}$(to_upper $KEY),"
HW_SIG_ARGS="$HW_SIG_ARGS -$(to_upper $KEY) $T/$SIGFILE"
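Review bot: Changing `test "$KEYFILE" == __getkey && continue` to `&& break` only leaves the new `while` loop, so for a `__getkey` key the script now falls through to the `FOUND=` and `HW_SIG_ARGS=` lines after `done` and appends `-$(to_upper $KEY) $T/$SIGFILE_BASE.raw`, a file that was never retrieved, whereas the old `continue` skipped both lines. Use `test "$KEYFILE" == __getkey && continue 2` to move on to the next key as before. As in the HW key lookup, `find "$T" -name $SIGFILE` searches recursively while the path used afterwards is `$T/$SIGFILE`, and `$SIGFILE` should be quoted as the `-name` pattern. The enclosing for loop starts outside the hunk.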
@@ -767,7 +837,8 @@ then
[ "$(to_upper "$LABEL")" != SBKT ] && \
[ "$(to_upper "$LABEL")" != SBKTRAND ]
then
- echo "--> $P: Found signature for SW key $(to_upper $KEY)."
+ test "$SB_VERBOSE" && msg=" ($SIGFILE)"
+ echo "--> $P: Found signature for SW key $(to_upper $KEY).${msg}"
else
# No signature found, request one.
test "$KEYFILE" == __getkey && continue