diff --git a/build_image.sh b/build_image.sh index 4b1dfc9582..62d0329602 100755 --- a/build_image.sh +++ b/build_image.sh @@ -86,7 +86,7 @@ generate_onie_installer_image() ## Note: Don't leave blank between lines. It is single line command. ./onie-mk-demo.sh $CONFIGURED_ARCH $TARGET_MACHINE $TARGET_PLATFORM-$TARGET_MACHINE-$ONIEIMAGE_VERSION \ installer platform/$TARGET_MACHINE/platform.conf $output_file OS $IMAGE_VERSION $ONIE_IMAGE_PART_SIZE \ - $ONIE_INSTALLER_PAYLOAD + $ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_SIGNING_CERT $SECURE_UPGRADE_DEV_SIGNING_KEY } # Generate asic-specific device list diff --git a/installer/sharch_body.sh b/installer/sharch_body.sh index e6289371cd..9683b4692d 100644 --- a/installer/sharch_body.sh +++ b/installer/sharch_body.sh @@ -11,7 +11,9 @@ ## echo -n "Verifying image checksum ..." -sha1=$(sed -e '1,/^exit_marker$/d' "$0" | sha1sum | awk '{ print $1 }') +payload_image_size=%%PAYLOAD_IMAGE_SIZE%% + +sha1=$(sed -e '1,/^exit_marker$/d' "$0" | head -c $payload_image_size | sha1sum | awk '{ print $1 }') payload_sha1=%%IMAGE_SHA1%% @@ -45,7 +47,9 @@ if [ "$(id -u)" = "0" ] ; then fi cd $tmp_dir echo -n "Preparing image archive ..." -sed -e '1,/^exit_marker$/d' $archive_path | tar xf - || exit 1 + +sed -e '1,/^exit_marker$/d' $archive_path | head -c $payload_image_size | tar xf - || exit 1 + echo " OK." cd $cur_wd if [ -n "$extract" ] ; then diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 0905673d42..b466441ca3 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh @@ -14,6 +14,9 @@ output_file=$6 demo_type=$7 image_version=$8 onie_image_part_size=$9 +onie_installer_payload=${10} +cert_file=${11} +key_file=${12} shift 9 @@ -100,7 +103,7 @@ sed -i -e "s/%%DEMO_TYPE%%/$demo_type/g" \ -e "s@%%OUTPUT_RAW_IMAGE%%@$output_raw_image@" \ $tmp_installdir/install.sh || clean_up 1 echo -n "." -cp -r $* $tmp_installdir || clean_up 1 +cp -r $onie_installer_payload $tmp_installdir || clean_up 1 echo -n "." [ -r "$platform_conf" ] && { cp $platform_conf $tmp_installdir || clean_up 1 @@ -130,7 +133,50 @@ cp $installer_dir/sharch_body.sh $output_file || { # Replace variables in the sharch template sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file echo -n "." +tar_size="$(wc -c < "${sharch}")" +sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} cat $sharch >> $output_file +echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \ +SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_SIGNING_CERT = $SECURE_UPGRADE_SIGNING_CERT" + +if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then + CMS_SIG="${tmp_dir}/signature.sig" + DIR="$(dirname "$0")" + scripts_dir="${DIR}/scripts" + echo "$0 $SECURE_UPGRADE_MODE signing - creating CMS signature for ${output_file}. Output file ${CMS_SIG}" + + if [ "$SECURE_UPGRADE_MODE" = "dev" ]; then + echo "$0 dev keyfile location: ${key_file}." + [ -f ${scripts_dir}/sign_image_dev.sh ] || { + echo "dev sign script ${scripts_dir}/sign_image_dev.sh not found" + rm -rf ${output_file} + } + (${scripts_dir}/sign_image_dev.sh ${cert_file} ${key_file} ${output_file} ${CMS_SIG}) || { + echo "CMS sign error $?" + rm -rf ${CMS_SIG} ${output_file} + } + else # "$SECURE_UPGRADE_MODE" has to be equal to "prod" + [ -f ${scripts_dir}/sign_image_${machine}.sh ] || { + echo "prod sign script ${scripts_dir}/sign_image_${machine}.sh not found" + rm -rf ${output_file} + } + (${scripts_dir}/sign_image_${machine}.sh ${output_file} ${CMS_SIG} ${SECURE_UPGRADE_MODE}) || { + echo "CMS sign error $?" + rm -rf ${CMS_SIG} ${output_file} + } + fi + + [ -f "$CMS_SIG" ] || { + echo "Error: CMS signature not created - exiting without signing" + clean_up 1 + } + # append signature to binary + cat ${CMS_SIG} >> ${output_file} + sudo rm -rf ${CMS_SIG} +elif [ "$SECURE_UPGRADE_MODE" -ne "no_sign" ]; then + echo "SECURE_UPGRADE_MODE not defined or defined as $SECURE_UPGRADE_MODE - build without signing" +fi + rm -rf $tmp_dir echo " Done." diff --git a/scripts/sign_image_dev.sh b/scripts/sign_image_dev.sh new file mode 100755 index 0000000000..668672f493 --- /dev/null +++ b/scripts/sign_image_dev.sh @@ -0,0 +1,11 @@ +cert_file=$1 +key_file=$2 +image_to_sign=$3 +cms_sig_out=$4 +openssl cms -sign -nosmimecap -signer ${cert_file} -inkey ${key_file} -binary -in $image_to_sign -outform pem -out ${cms_sig_out} || { + echo "$?: CMS sign error" + sudo rm -rf ${cms_sig_out} + exit 1 +} +echo "CMS sign OK" +exit 0