Metadata Support (#22)

Roll-up of #22 changes

Co-authored-by: Ben Benson <[email protected]>

README.txt

@@ -0,0 +1 @@
+Automated provisioning of secure boot for Raspberry Pi Devices

config/config.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 
-cd /usr/share/rpi-sb-provisioner/config/
-python3 config.py
+cd /usr/share/rpi-sb-provisioner/config
+/usr/share/rpi-sb-provisioner/bin/python3 config.py

debian/.gitignore

@@ -0,0 +1,6 @@
+rpi-sb-provisioner.*.debhelper
+rpi-sb-provisioner.substvars
+rpi-sb-provisioner/
+rpi-sb-provisioner-*/
+files
+debhelper-build-stamp

debian/changelog

@@ -0,0 +1,5 @@
+rpi-sb-provisioner (1.0.2) UNRELEASED; urgency=low
+
+  * rpi-sb-provisioner: Changed Debian Packaging
+
+ -- Ben Benson <[email protected]> Fri, 23 Aug 2024 11:24:00 +0000

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,13 @@
+Source: rpi-sb-provisioner
+Section: default
+Priority: extra
+Maintainer: Tom Dewey <[email protected]>
+Build-Depends: debhelper (>= 9), python3, dh-virtualenv (>= 0.8)
+Standards-Version: 1.0.2
+homepage: https://www.raspberrypi.com/software
+
+Package: rpi-sb-provisioner
+Architecture: arm64
+Pre-Depends: dpkg (>= 1.16.1), python3, ${misc:Pre-Depends}
+Depends: ${misc:Depends}, fastboot (>= 33.0.3), python3, python3-pycryptodome, openssl, cpio, sed, android-sdk-platform-tools, awk, xxd, rpi-eeprom, rpiboot, coreutils, curl, bash, gzip, dctrl-tools, diffutils, findutils, libengine-pkcs11-openssl, libp11-kit-dev, gnutls-bin
+Description: Automated provisioning of secure boot for Raspberry Pi Devices

debian/copyright

@@ -0,0 +1,5 @@
+Copyright (c) 2020, Ben Benson <[email protected]>
+
+Some rights reserved.
+
+**TODO** Copy main project's license file here.

debian/install

@@ -0,0 +1,33 @@
+config/config.sh /usr/local/bin/
+config/config.py /usr/share/rpi-sb-provisioner/config
+config/validator.py /usr/share/rpi-sb-provisioner/config
+config/config_app.css /usr/share/rpi-sb-provisioner/config
+config/config_app.helper /usr/share/rpi-sb-provisioner/config
+
+monitor/monitor.sh /usr/local/bin
+monitor/monitor.py /usr/share/rpi-sb-provisioner/monitor
+monitor/systemctl_python.py /usr/share/rpi-sb-provisioner/monitor/
+monitor/monitor.css /usr/share/rpi-sb-provisioner/monitor/
+
+rpi-package-download/rpi-package-download /usr/local/bin/
+rpi-package-download/[email protected] /usr/local/lib/systemd/system/
+
+key-writer/keywriter.sh /usr/local/bin
+key-writer/[email protected] /usr/local/lib/systemd/system/
+
+host-support/terminal-functions.sh /usr/local/bin
+host-support/cryptroot_initramfs /var/lib/rpi-sb-provisioner
+host-support/boot_ramdisk_config.txt /var/lib/rpi-sb-provisioner
+host-support/fastboot-gadget.img /var/lib/rpi-sb-provisioner
+host-support/make-boot-image /usr/local/bin
+host-support/rpi-sb-provisioner /etc/default/
+host-support/bootloader.config /var/lib/rpi-sb-provisioner/
+
+device-provisioner/provisioner.sh /usr/local/bin
+device-provisioner/[email protected] /usr/local/lib/systemd/system
+device-triage/triage.sh /usr/local/bin
+device-triage/[email protected] /usr/local/lib/systemd/system
+
+fetch-repo-package-list/fetch-repo-package-list /usr/local/bin/
+fetch-repo-package-list/[email protected] /usr/local/lib/systemd/system/
+fetch-repo-package-list/[email protected] /usr/local/lib/systemd/system/

debian/postinst

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+if [ ! $(getent group rpi-sb-provisioner) ]; then
+  groupadd rpi-sb-provisioner
+else
+    echo "Group rpi-sb-provisioner already exists"
+fi
+
+if id -nGz "pi" | grep -qzxF "rpi-sb-provisioner"
+then
+    echo User \`pi\' already belongs to group \`rpi-sb-provisioner\'
+else
+    usermod --append --groups rpi-sb-provisioner pi
+fi
+
+if id -nGz "root" | grep -qzxF "rpi-sb-provisioner"
+then
+    echo User \`root\' already belongs to group \`rpi-sb-provisioner\'
+else
+    usermod --append --groups rpi-sb-provisioner root
+fi
+
+if [ -d "/etc/rpi-sb-provisioner/" ]; then
+  echo "/etc/rpi-sb-provisioner/ already exists"
+else 
+  mkdir -p /etc/rpi-sb-provisioner/
+fi
+
+if ! [ -f /etc/rpi-sb-provisioner/config ]; then
+  touch /etc/rpi-sb-provisioner/config
+else
+    echo "Config file already exists"
+fi
+
+chown :rpi-sb-provisioner /etc/rpi-sb-provisioner/config
+chmod g+w /etc/rpi-sb-provisioner/config

debian/rules

@@ -0,0 +1,9 @@
+#!/usr/bin/make -f
+
+export DH_VERBOSE = 1
+export DH_VIRTUALENV_INSTALL_ROOT=/usr/share/
+
+%:
+	dh $@ --with python-virtualenv --with systemd
+
+override_dh_usrlocal:

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

debian/source/options

@@ -0,0 +1,8 @@
+tar-ignore
+tar-ignore = .coverage
+tar-ignore = .tox
+tar-ignore = .venv
+tar-ignore = bin
+tar-ignore = docs/_build
+tar-ignore = *.log
+tar-ignore = *.egg-info

device-provisioner/provisioner.sh

@@ -90,7 +90,7 @@ unmount_image() {
 
 cleanup() {
     mkdir -p /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/
-    echo "1" > /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/finished
+    echo "PROVISIONER-EXITED" >> /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/progress
     unmount_image "${COPY_OS_COMBINED_FILE}"
     if [ -d "${TMP_DIR}" ]; then
         rm -rf "${TMP_DIR}"
@@ -472,6 +472,6 @@ fastboot oem led PWR 0
 announce_stop "Set LED status"
 
 mkdir -p /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/
-echo "1" > /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/success
+echo "PROVISIONER-FINISHED" >> /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/progress
 
 echo "Provisioning completed. Remove the device from this machine."

device-triage/99-rpi-sb-triage.rules

@@ -0,0 +1,5 @@
+ACTION=="add", SUBSYSTEM=="usb", \
+  ATTRS{idVendor}=="0a5c", ATTR{idProduct}=="27[16][1234]", \
+  TAG+="systemd", \
+  PROGRAM="/usr/bin/systemd-escape -p [email protected] $env{DEVNAME}", \
+  ENV{SYSTEMD_WANTS}+="%c"

device-triage/rpi-sb-triage.service → device-triage/rpi-sb-triage@.service

@@ -7,6 +7,7 @@ After=%i.device
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/triage.sh /%I
+# '/' is needed - otherwise triage does not use correct address of device
 EnvironmentFile=/etc/rpi-sb-provisioner/config
 # StandardOutput will fail if the file does not exist (consider tmpfiles.d or udev creation approach?)
 #StandardOutput=append:/var/log/rpi-sb-provisioner/%I/triage.log

key-writer/keywriter.sh

@@ -15,6 +15,8 @@ die() {
 
 TMP_DIR=""
 cleanup() {
+    mkdir -p /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/
+    echo "KEYWRITER-EXITED" >> /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/progress
    if [ -d "${TMP_DIR}" ]; then
       rm -rf "${TMP_DIR}"
    fi
@@ -158,7 +160,7 @@ BOOTCODE_FLASHING_NAME=
 case ${RPI_DEVICE_FAMILY} in
     4)
         SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2711/latest/pieeprom-2024-05-17.bin"
-        BOOTCODE_BINARY_IMAGE="/lib/firmware/raspberrypi/bootloader-2711/latest/recovery.bin"
+        BOOTCODE_BINARY_IMAGE="/var/lib/rpi-sb-provisioner/recovery.bin"
         BOOTCODE_FLASHING_NAME="${FLASHING_DIR}/bootcode4.bin"
         ;;
     # 5)
@@ -199,6 +201,7 @@ cp "${BOOTCODE_BINARY_IMAGE}" "${BOOTCODE_FLASHING_NAME}"
 echo "program_pubkey=1" > "${FLASHING_DIR}/config.txt"
 # This directive tells the bootloader to reboot once it's written the OTP
 echo "recovery_reboot=1" >> "${FLASHING_DIR}/config.txt"
+echo "recovery_metadata=1" >> "${FLASHING_DIR}/config.txt"
 
 if [ -n "${RPI_DEVICE_JTAG_LOCK}" ]; then
 echo "program_jtag_lock=1" >> "${FLASHING_DIR}/config.txt"
@@ -209,8 +212,65 @@ echo "eeprom_write_protect=1" >> "${FLASHING_DIR}/config.txt"
 fi
 
 # With the EEPROMs configured and signed, RPIBoot them.
-[ -z "${DEMO_MODE_ONLY}" ] && rpiboot -d "${FLASHING_DIR}" -i "${TARGET_DEVICE_SERIAL}"
+mkdir -p "/var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/metadata/"
+[ -z "${DEMO_MODE_ONLY}" ] && rpiboot -d "${FLASHING_DIR}" -i "${TARGET_DEVICE_SERIAL}" -j "/var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/metadata/"
 
 touch "${DEVICE_SERIAL_STORE}/${TARGET_DEVICE_SERIAL}"
 
+USER_BOARDREV="0x$(cat /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/metadata/${TARGET_DEVICE_SERIAL}.json | jq -r '.USER_BOARDREV')"
+MAC_ADDRESS=$(cat /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/metadata/${TARGET_DEVICE_SERIAL}.json | jq -r '.MAC_ADDR')
+
+TYPE=$(printf "0x%X\n" $(((USER_BOARDREV & 0xFF0) >> 4)))
+PROCESSOR=$(printf "0x%X\n" $(((USER_BOARDREV & 0xF000) >> 12)))
+MEMORY=$(printf "0x%X\n" $(((USER_BOARDREV & 0x700000) >> 20)))
+MANUFACTURER=$(printf "0x%X\n" $(((USER_BOARDREV & 0xF0000) >> 16)))
+REVISION=$(((USER_BOARDREV & 0xF)))
+
+case ${TYPE} in
+    "0x11") BOARD_STR="CM4" ;;
+    "0x12") BOARD_STR="Zero 2 W" ;;
+    "0x13") BOARD_STR="400" ;;
+    "0x14") BOARD_STR="CM4" ;;
+    "0x15") BOARD_STR="CM4S" ;;
+    "0x17") BOARD_STR="5" ;;
+    *)
+        BOARD_STR="Unsupported Board"
+esac
+
+case ${PROCESSOR} in
+    "0x0") PROCESSOR_STR="BCM2835" ;;
+    "0x1") PROCESSOR_STR="BCM2836" ;;
+    "0x2") PROCESSOR_STR="BCM2837" ;;
+    "0x3") PROCESSOR_STR="BCM2711" ;;
+    "0x4") PROCESSOR_STR="BCM2712" ;;
+    *)
+        PROCESSOR_STR="Unknown"
+esac
+
+case ${MEMORY} in
+    "0x0") MEMORY_STR="256MB" ;;
+    "0x1") MEMORY_STR="512MB" ;;
+    "0x2") MEMORY_STR="1GB" ;;
+    "0x3") MEMORY_STR="2GB" ;;
+    "0x4") MEMORY_STR="4GB" ;;
+    "0x5") MEMORY_STR="8GB" ;;
+    *)
+        MEMORY_STR="Unknown"
+esac
+
+case ${MANUFACTURER} in
+    "0x0") MANUFACTURER_STR="Sony UK" ;;
+    "0x1") MANUFACTURER_STR="Egoman" ;;
+    "0x2") MANUFACTURER_STR="Embest" ;;
+    "0x3") MANUFACTURER_STR="Sony Japan" ;;
+    "0x4") MANUFACTURER_STR="Embest" ;;
+    "0x5") MANUFACTURER_STR="Stadium" ;;
+    *)
+        MANUFACTURER_STR="Unknown"
+esac
+
+echo "Board is: ${BOARD_STR}, with revision number ${REVISION}. Has Processor ${PROCESSOR_STR} with Memory ${MEMORY_STR}. Was manufactured by ${MANUFACTURER_STR}"
 echo "Keywriting completed. Rebooting for next phase."
+
+mkdir -p /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/
+echo "KEYWRITER-FINISHED" >> /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/progress

monitor/monitor.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 
 cd /usr/share/rpi-sb-provisioner/monitor/
-python3 monitor.py
+/usr/share/rpi-sb-provisioner/bin/python3 monitor.py

monitor/systemctl_python.py

@@ -52,10 +52,14 @@ def list_completed_devices():
     all_devices = list_seen_devices()
     completed_devices = []
     for device in all_devices:
-        if path.exists("/var/log/rpi-sb-provisioner/" + device + "/success"):
-            f = open("/var/log/rpi-sb-provisioner/" + device + "/success", "r")
+        provisioner_success = -1
+        if path.exists("/var/log/rpi-sb-provisioner/" + device + "/progress"):
+            f = open("/var/log/rpi-sb-provisioner/" + device + "/progress", "r")
             status = f.read()
-            if "1" in status:
+            if "PROVISIONER-EXITED" in status:
+                if "PROVISIONER-FINISHED" in status: provisioner_success = 1
+                else: provisioner_success = 0
+            if provisioner_success == 1:
                 completed_devices.append(device)
             f.close()
     return completed_devices
@@ -64,18 +68,28 @@ def list_failed_devices():
     all_devices = list_seen_devices()
     failed_devices = []
     for device in all_devices:
-        if path.exists("/var/log/rpi-sb-provisioner/" + device + "/finished"):
-            if not(path.exists("/var/log/rpi-sb-provisioner/" + device + "/success")):
-                f = open("/var/log/rpi-sb-provisioner/" + device + "/finished", "r")
-                status = f.read()
-                if "1" in status:
-                    failed_devices.append(device)
-                f.close()
+        provisioner_success = -1
+        keywriter_success = -1
+        if path.exists("/var/log/rpi-sb-provisioner/" + device + "/progress"):
+            f = open("/var/log/rpi-sb-provisioner/" + device + "/progress", "r")
+            status = f.read()
+            if "PROVISIONER-EXITED" in status:
+                if "PROVISIONER-FINISHED" in status: provisioner_success = 1
+                else: provisioner_success = 0
+            if "KEYWRITER-EXITED" in status:
+                if "KEYWRITER-FINISHED" in status: keywriter_success = 1
+                else: keywriter_success = 0
+            if provisioner_success == 0 or keywriter_success == 0:
+                failed_devices.append(device)
+            f.close()
     return failed_devices
 
 def list_device_files(device_name):
     if path.exists("/var/log/rpi-sb-provisioner/" + device_name):
-        return listdir("/var/log/rpi-sb-provisioner/" + device_name)
+        ret = listdir("/var/log/rpi-sb-provisioner/" + device_name)
+        if "metadata" in ret:
+            ret.remove("metadata")
+        return ret
     else:
         return []