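#!/bin/bash
# capsule.sh - helper for Dasharo/EDK2 UEFI firmware update capsules.
#   keygen  create a throw-away test PKI (root -> sub -> signer) with OpenSSL
#   make    wrap build/coreboot.rom into a signed capsule via GenerateCapsule
# Expected to run from the coreboot tree root: every path below is relative,
# and 'make' looks up .config and build/coreboot.rom in the current directory.
set -e
# Locations inside the EDK2 payload tree (relative to the coreboot root).
readonly edk_workspace=payloads/external/edk2/workspace
readonly edk_tools=${edk_workspace}/Dasharo/BaseTools/BinWrappers/PosixLike
readonly edk_scripts=${edk_workspace}/Dasharo/BaseTools/Scripts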
#######################################
# Print an error message on stderr and terminate the script.
# Arguments: message words; they are joined with single spaces
# Outputs:   "error: <message>" on stderr
# Returns:   never returns; exits with status 1
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}
#######################################
# Ask a yes/no question and abort the script unless the answer is 'y'.
# A single key is read from stdin; only a lowercase 'y' counts as consent,
# anything else (including just Enter) cancels.
# Globals:   REPLY (written by read)
# Arguments: $1 - question to show
# Outputs:   the prompt (via read -p), then a newline on stdout
# Returns:   0 on 'y'; otherwise does not return (die exits)
#######################################
confirm() {
  local question=$1
  read -r -n1 -p "${question} [y/N] "
  echo
  [[ $REPLY == y ]] || die "operation cancelled by the user"
}
#######################################
# Print a section banner: an empty line, the upper-cased title framed by
# '=' runs, and another empty line.
# Arguments: $1 - banner title
# Outputs:   the banner on stdout
#######################################
print_banner() {
  local title=${1^^}
  printf '\n========== %s ==========\n\n' "$title"
}
#######################################
# Print the top-level usage text for the script.
# Globals:   $0 (read, for the program name)
# Outputs:   usage text on stdout
#######################################
print_usage() {
  cat << EOF
Usage: $(basename "$0") subcommand [subcommand-args...]

Subcommands:
 help print this message
 keygen use OpenSSL to auto-generate test keys suitable for signing
 positional argument: directory-path
 make build a capsule, options:
 -t root-certificate-file
 -o subroot-certificate-file
 -s signing-certificate-file
EOF
}
# 'help' subcommand: just prints the usage text (any arguments are ignored).
help_subcommand() {
  print_usage
}
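#######################################
# 'keygen' subcommand: create a throw-away three-level test PKI with OpenSSL
# (root CA -> sub CA -> signer) plus the artefacts the EDK2 build and the
# 'make' subcommand consume. Everything is written into $1, which is
# (re)created; an existing directory is removed after confirmation.
# All private keys are stored unencrypted (empty PKCS#12 password, -nodes),
# which is exactly why they are suitable only as *test* keys.
# Globals:   edk_workspace, edk_scripts (read); OLDPWD (read after the cd)
# Arguments: $1 - directory for the generated keys and certificates
# Outputs:   banners, certificate dumps and usage hints on stdout
# Returns:   0 on success; exits on usage error, cancelled confirmation or
#            (through set -e) any failing openssl/python step
#######################################
keygen_subcommand() {
  local dir=$1
  # RSA modulus size shared by all three keys
  local -r key_bits=2048
  if [ $# -ne 1 ]; then
    echo "Usage: $(basename "$0") keygen keys-dir"
    exit 1
  fi
  if [ -e "$dir" ]; then
    confirm "OK to remove '$dir'?"
    # '--' keeps a directory name starting with '-' from being read as options
    rm -r -- "$dir"
  fi
  mkdir -- "$dir"
  cd -- "$dir"
  # Minimal OpenSSL config so that `openssl req` / `openssl ca` run
  # non-interactively. The heredoc delimiter is quoted: `$dir` inside the
  # config is OpenSSL's own variable (the CA directory), not the shell's.
  cat > "openssl.cnf" << 'EOF'
.include /etc/ssl/openssl.cnf
[ CA_default ]
dir = ./test-ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
[ req_root ]
prompt = no
distinguished_name = req_root_dn
x509_extensions = v3_ca
string_mask = utf8only
[ req_root_dn ]
countryName = XX
stateOrProvinceName = Province
organizationName = Org
commonName = root
[ req_sub ]
prompt = no
distinguished_name = req_sub_dn
x509_extensions = v3_ca
string_mask = utf8only
[ req_sub_dn ]
countryName = XX
stateOrProvinceName = Province
organizationName = Org
commonName = sub
[ req_sign ]
prompt = no
distinguished_name = req_sign_dn
x509_extensions = v3_ca
string_mask = utf8only
[ req_sign_dn ]
countryName = XX
stateOrProvinceName = Province
organizationName = Org
commonName = sign
EOF
  print_banner 'Making root certificate'
  # self-signed root certificate, valid for ten years
  openssl genrsa -out root.p8e "$key_bits"
  openssl req -config openssl.cnf -section req_root -new -x509 -days 3650 -key root.p8e -out root.pub.pem
  # dump certificate information like `openssl ca` does for completeness
  openssl x509 -in root.pub.pem -text -certopt no_sigdump,no_pubkey -nocert
  # create the CA database `openssl ca` expects under ./test-ca
  mkdir -p test-ca/newcerts
  touch test-ca/index.txt
  echo 01 > test-ca/serial
  # DER copy of the root certificate, converted by BinToPcd.py into the PCD
  # include the EDK2 build embeds (presumably the trust anchor FmpDxe checks
  # capsule signatures against - see the usage hint at the end). edk_scripts
  # is relative to the directory we started in, hence OLDPWD.
  openssl x509 -in root.pub.pem -out root.cer -outform DER
  python "${OLDPWD}/${edk_scripts}/BinToPcd.py" \
    -p gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr \
    -i root.cer -x -o CapsuleRootKey.inc
  print_banner 'Making subroot certificate'
  # intermediate CA certificate, issued by the root; `yes` answers the
  # interactive sign/commit prompts of `openssl ca`
  openssl genrsa -out sub.p8e "$key_bits"
  openssl req -config openssl.cnf -section req_sub -new -key sub.p8e -out sub.csr
  yes | openssl ca -config openssl.cnf -extensions v3_ca -in sub.csr -days 3650 -cert root.pub.pem -keyfile root.p8e -notext -out sub.pub.pem
  print_banner 'Making signing certificate'
  # end-entity signing certificate, issued by the intermediate; no -extensions
  # override here, so the defaults of the included system config apply
  openssl genrsa -out sign.p8e "$key_bits"
  openssl req -config openssl.cnf -section req_sign -new -key sign.p8e -out sign.csr
  yes | openssl ca -config openssl.cnf -in sign.csr -days 3650 -cert sub.pub.pem -keyfile sub.p8e -notext -out sign.crt
  # create binary PKCS12 (certificate + private key) from signing certificate
  openssl pkcs12 -export -passout pass: -inkey sign.p8e -in sign.crt -out sign.pfx
  # now convert binary PKCS12 into PEM PKCS12 with no password (-nodes leaves
  # the private key unencrypted on disk)
  openssl pkcs12 -in sign.pfx -passin pass: -nodes -out sign.p12
  print_banner 'Usage examples'
  echo "Installing root certificate (before build):"
  echo " cp $dir/CapsuleRootKey.inc ${edk_workspace}/Dasharo/DasharoPayloadPkg/"
  echo
  echo "Signing a capsule (after build):"
  echo " $0 make -t $dir/root.pub.pem -o $dir/sub.pub.pem -s $dir/sign.p12"
}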
#######################################
# Validate a certificate path given on the command line.
# Arguments: $1 - role name used in messages (root / sub / sign)
#            $2 - path to the certificate file (may be empty)
# Returns:   0 if $2 is non-empty and a regular file; otherwise die exits
#######################################
check_cert() {
  local name=$1 path=$2
  [[ -n $path ]] || die "$name certificate wasn't provided"
  [[ -f $path ]] || die "can't read $name certificate at '$path'"
}
#######################################
# 'make' subcommand: wrap build/coreboot.rom into a signed UEFI update
# capsule with EDK2's GenerateCapsule.
# Globals:   edk_tools, edk_workspace (read); CONFIG_* (set by eval'ing
#            .config below, then read)
# Arguments: -t root-certificate-file    GenerateCapsule's "trusted" cert
#            -o subroot-certificate-file GenerateCapsule's "other" cert
#            -s signing-certificate-file GenerateCapsule's "signer" cert+key
# Outputs:   progress on stdout; the capsule file in the current directory
# Returns:   0 on success; exits via die or set -e on any failed check/tool
#######################################
function make_subcommand() {
# Preconditions: run from a coreboot tree root that has been built since the
# last configuration change, with the EDK2 tool wrappers available.
if [ ! -f .config ]; then
die "no '.config' file in current directory"
fi
if [ ! -f build/coreboot.rom ]; then
die "no 'build/coreboot.rom'; the firmware wasn't built?"
fi
if [ ! build/coreboot.rom -nt .config ]; then
die "'build/coreboot.rom' is not newer than .config'; need a re-build?"
fi
if [ ! -x "${edk_tools}/GenerateCapsule" ]; then
die "'${edk_tools}/GenerateCapsule' can't be executed"
fi
# import coreboot's config file replacing $(...) with ${...}
# Kconfig's $(VAR) references would be command substitutions to bash, so sed
# rewrites them to ${VAR} first. Every line is then eval'ed as shell code,
# i.e. the contents of .config run with this script's privileges; it is a
# local build artefact, but never point this at a .config you do not trust.
while read -r line; do
if ! eval "$line"; then
die "failed to source '.config'"
fi
done <<< "$(sed 's/\$(\([^)]\+\))/${\1}/g' .config)"
if [ "$CONFIG_DRIVERS_EFI_UPDATE_CAPSULES" != y ]; then
die "current board configuration lacks support of update capsules"
fi
# Option names match terminology of GenerateCapsule which conveniently start
# with different letters:
# * t - trusted
# * o - other
# * s - signer
# OPTIND is not reset here; this is the only getopts user and the dispatcher
# at the bottom of the file calls it once per run. On an unknown option
# getopts has already printed its own diagnostic.
local root_cert sub_cert sign_cert
while getopts "t:o:s:" OPTION; do
case $OPTION in
t) root_cert="$OPTARG" ;;
o) sub_cert="$OPTARG" ;;
s) sign_cert="$OPTARG" ;;
*) exit 1 ;;
esac
done
# unset options expand to "" and check_cert rejects them
check_cert root "$root_cert"
check_cert sub "$sub_cert"
check_cert sign "$sign_cert"
# Capsule name: <mainboard dir with its first '/' turned into '-'>[-ddr4]-<local
# version>.cap; only the first '/' is replaced by the ${var/pat/rep} form.
local cap_file=${CONFIG_MAINBOARD_DIR/\//-}
if [[ ${CONFIG_MAINBOARD_PART_NUMBER} =~ DDR4 ]]; then
cap_file+=-ddr4
fi
cap_file+=-${CONFIG_LOCALVERSION}
cap_file+=.cap
if [ -e "$cap_file" ]; then
confirm "Overwrite already existing '$cap_file'?"
fi
# selects the EDK2 build output directory the embedded drivers are taken from
local build_type
if [ "$CONFIG_EDK2_RELEASE" = y ]; then
build_type=RELEASE
else
build_type=DEBUG
fi
# GenerateCapsule descriptor in a temp file; the EXIT trap removes it on every
# exit path (printf %q shell-quotes the path for the trap string).
local json_file
json_file=$(mktemp --tmpdir --suffix -cap.json XXXXXXXX)
trap "$(printf 'rm -f %q' "$json_file")" EXIT
# Values are interpolated verbatim with no JSON escaping, so a certificate
# path or config value containing '"' or '\' would corrupt the descriptor.
# LowestSupportedVersion is, per UEFI FMP semantics, the version floor an
# update may be applied over (rollback protection) - confirm against the
# FmpDxe driver in use. OpenSslSignerPrivateCertFile holds the private
# signing key; the keygen subcommand writes that file unencrypted.
cat > "$json_file" << EOF
{
"EmbeddedDrivers": [
{
"Driver": "${edk_workspace}/Build/DasharoPayloadPkgX64/${build_type}_COREBOOT/X64/CapsuleSplashDxe.efi"
},
{
"Driver": "${edk_workspace}/Build/DasharoPayloadPkgX64/${build_type}_COREBOOT/X64/FmpDxe.efi"
}
],
"Payloads": [
{
"Payload": "build/coreboot.rom",
"Guid": "${CONFIG_DRIVERS_EFI_MAIN_FW_GUID}",
"FwVersion": "${CONFIG_DRIVERS_EFI_MAIN_FW_VERSION}",
"LowestSupportedVersion": "${CONFIG_DRIVERS_EFI_MAIN_FW_LSV}",
"OpenSslSignerPrivateCertFile": "${sign_cert}",
"OpenSslOtherPublicCertFile": "${sub_cert}",
"OpenSslTrustedPublicCertFile": "${root_cert}"
}
]
}
EOF
# Linux doesn't support InitiateReset flag, omitting it to rely on manual
# warm reset
if ! "${edk_tools}/GenerateCapsule" --encode \
--capflag PersistAcrossReset \
--json-file "$json_file" \
--output "$cap_file"; then
die "GenerateCapsule failed"
fi
echo "Created the capsule at '$cap_file'"
}
# Entry point: the first argument selects the subcommand, everything after it
# is handed to the matching <name>_subcommand function unchanged.
if (( $# == 0 )); then
  print_usage
  exit 1
fi
subcommand=$1
shift
case "$subcommand" in
  help | keygen | make)
    "${subcommand}_subcommand" "$@"
    ;;
  *)
    echo "Unexpected subcommand: $subcommand"
    echo
    print_usage
    exit 1
    ;;
esac