Sbl2

containertool/SingleSign.py

@@ -0,0 +1,301 @@
+#!/usr/bin/env python
+## @ SingleSign.py
+# Single signing script
+#
+# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+##
+# Import Modules
+#
+import os
+import sys
+import re
+import shutil
+import subprocess
+import struct
+import hashlib
+import string
+
+SIGNING_KEY = {
+    # Key Id                                | Key File Name start |
+    # =================================================================
+    # KEY_ID_MASTER is used for signing Slimboot Key Hash Manifest container (KEYH Component)
+    "KEY_ID_MASTER_RSA2048"          :    "MasterTestKey_Priv_RSA2048.pem",
+    "KEY_ID_MASTER_RSA3072"          :    "MasterTestKey_Priv_RSA3072.pem",
+
+    # KEY_ID_CFGDATA is used for signing external Config data blob)
+    "KEY_ID_CFGDATA_RSA2048"         :    "ConfigTestKey_Priv_RSA2048.pem",
+    "KEY_ID_CFGDATA_RSA3072"         :    "ConfigTestKey_Priv_RSA3072.pem",
+
+    # KEY_ID_FIRMWAREUPDATE is used for signing capsule firmware update image)
+    "KEY_ID_FIRMWAREUPDATE_RSA2048"  :    "FirmwareUpdateTestKey_Priv_RSA2048.pem",
+    "KEY_ID_FIRMWAREUPDATE_RSA3072"  :    "FirmwareUpdateTestKey_Priv_RSA3072.pem",
+
+    # KEY_ID_CONTAINER is used for signing container header with mono signature
+    "KEY_ID_CONTAINER_RSA2048"       :    "ContainerTestKey_Priv_RSA2048.pem",
+    "KEY_ID_CONTAINER_RSA3072"       :    "ContainerTestKey_Priv_RSA3072.pem",
+
+    # CONTAINER_COMP1_KEY_ID is used for signing container components
+    "KEY_ID_CONTAINER_COMP_RSA2048" :    "ContainerCompTestKey_Priv_RSA2048.pem",
+    "KEY_ID_CONTAINER_COMP_RSA3072" :    "ContainerCompTestKey_Priv_RSA3072.pem",
+
+    # KEY_ID_OS1_PUBLIC, KEY_ID_OS2_PUBLIC is used for referencing Boot OS public keys
+    "KEY_ID_OS1_PUBLIC_RSA2048"      :    "OS1_TestKey_Pub_RSA2048.pem",
+    "KEY_ID_OS1_PUBLIC_RSA3072"      :    "OS1_TestKey_Pub_RSA3072.pem",
+
+    "KEY_ID_OS2_PUBLIC_RSA2048"      :    "OS2_TestKey_Pub_RSA2048.pem",
+    "KEY_ID_OS2_PUBLIC_RSA3072"      :    "OS2_TestKey_Pub_RSA3072.pem",
+
+    }
+
+MESSAGE_SBL_KEY_DIR = (
+            "!!! PRE-REQUISITE: Path to SBL_KEY_DIR has to be set with SBL KEYS DIRECTORY !!! \n"
+            "!!! Generate keys using GenerateKeys.py available in BootloaderCorePkg/Tools directory !!! \n"
+            "!!! Run $python BootloaderCorePkg/Tools/GenerateKeys.py -k $PATH_TO_SBL_KEY_DIR !!!\n"
+            "!!! Set SBL_KEY_DIR environ with path to SBL KEYS DIR !!!\n"
+            "!!! Windows $set    SBL_KEY_DIR=$PATH_TO_SBL_KEY_DIR !!!\n"
+            "!!! Linux   $export SBL_KEY_DIR=$PATH_TO_SBL_KEY_DIR !!!\n"
+        )
+
+def get_openssl_path ():
+    if os.name == 'nt':
+        if 'OPENSSL_PATH' not in os.environ:
+            openssl_dir = "C:\\Openssl\\bin\\"
+            if os.path.exists (openssl_dir):
+                os.environ['OPENSSL_PATH'] = openssl_dir
+            else:
+                os.environ['OPENSSL_PATH'] = "C:\\Openssl\\"
+                if 'OPENSSL_CONF' not in os.environ:
+                    openssl_cfg = "C:\\Openssl\\openssl.cfg"
+                    if os.path.exists(openssl_cfg):
+                        os.environ['OPENSSL_CONF'] = openssl_cfg
+        openssl = os.path.join(os.environ.get ('OPENSSL_PATH', ''), 'openssl.exe')
+    else:
+        # Get openssl path for Linux cases
+        openssl = shutil.which('openssl')
+
+    return openssl
+
+def run_process (arg_list, print_cmd = False, capture_out = False):
+    sys.stdout.flush()
+    if print_cmd:
+        print (' '.join(arg_list))
+
+    exc    = None
+    result = 0
+    output = ''
+    try:
+        if capture_out:
+            output = subprocess.check_output(arg_list).decode()
+        else:
+            result = subprocess.call (arg_list)
+    except Exception as ex:
+        result = 1
+        exc    = ex
+
+    if result:
+        if not print_cmd:
+            print ('Error in running process:\n  %s' % ' '.join(arg_list))
+        if exc is None:
+            sys.exit(1)
+        else:
+            raise exc
+
+    return output
+
+def check_file_pem_format (priv_key):
+    # Check for file .pem format
+    key_name = os.path.basename(priv_key)
+    if os.path.splitext(key_name)[1] == ".pem":
+        return True
+    else:
+        return False
+
+def get_key_id (priv_key):
+    # Extract base name if path is provided.
+    key_name = os.path.basename(priv_key)
+    # Check for KEY_ID in key naming.
+    if key_name.startswith('KEY_ID'):
+        return key_name
+    else:
+        return None
+
+def get_sbl_key_dir ():
+    # Check Key store setting SBL_KEY_DIR path
+    if 'SBL_KEY_DIR' not in os.environ:
+        raise Exception ("ERROR: SBL_KEY_DIR is not defined. Set SBL_KEY_DIR with SBL Keys directory!!\n"
+                                                                + MESSAGE_SBL_KEY_DIR)
+
+    sbl_key_dir = os.environ.get('SBL_KEY_DIR')
+    if not os.path.exists(sbl_key_dir):
+        raise Exception (("ERROR:SBL_KEY_DIR set %s is not valid. Set the correct SBL_KEY_DIR path !!\n"
+                                                                        + MESSAGE_SBL_KEY_DIR) % sbl_key_dir)
+    else:
+        return sbl_key_dir
+
+def get_key_from_store (in_key):
+
+    #Check in_key is path to  key
+    if os.path.exists(in_key):
+        return in_key
+
+    # Get Slimboot key dir path
+    sbl_key_dir = get_sbl_key_dir()
+
+    # Extract if in_key is key_id
+    priv_key = get_key_id (in_key)
+    if priv_key is not None:
+        if (priv_key in SIGNING_KEY):
+            # Generate key file name from key id
+            priv_key_file = SIGNING_KEY[priv_key]
+        else:
+            raise Exception('KEY_ID %s is not found in supported KEY IDs!!' % priv_key)
+    elif check_file_pem_format(in_key) == True:
+        # check if file name is provided in pem format
+        priv_key_file = in_key
+    else:
+        priv_key_file = None
+        raise Exception('key provided %s is not valid!' % in_key)
+
+    # Create a file path
+    # Join Key Dir and priv_key_file
+    try:
+        priv_key = os.path.join (sbl_key_dir, priv_key_file)
+    except:
+        raise Exception('priv_key is not found %s!' % priv_key)
+
+    # Check for priv_key construted based on KEY ID exists in specified path
+    if not os.path.isfile(priv_key):
+        raise Exception (("!!! ERROR: Key file corresponding to '%s' do not exist in Sbl key directory at '%s' !!! \n" + MESSAGE_SBL_KEY_DIR)  % (in_key, sbl_key_dir))
+
+    return priv_key
+
+#
+# Sign an file using openssl
+#
+# priv_key   [Input]        Key Id or Path to Private key
+# hash_type  [Input]        Signing hash
+# sign_scheme[Input]        Sign/padding scheme
+# in_file    [Input]        Input file to be signed
+# out_file   [Input/Output] Signed data file
+#
+
+def single_sign_file (priv_key, hash_type, sign_scheme, in_file, out_file):
+
+    _hash_type_string = {
+        "SHA2_256"    : 'sha256',
+        "SHA2_384"    : 'sha384',
+        "SHA2_512"    : 'sha512',
+    }
+
+    _hash_digest_Size = {
+        # Hash_string : Hash_Size
+        "SHA2_256"    : 32,
+        "SHA2_384"    : 48,
+        "SHA2_512"    : 64,
+        "SM3_256"     : 32,
+    }
+
+    _sign_scheme_string = {
+        "RSA_PKCS1"    : 'pkcs1',
+        "RSA_PSS"      : 'pss',
+    }
+
+    priv_key = get_key_from_store(priv_key)
+
+    # Temporary files to store hash generated
+    hash_file_tmp = out_file+'.hash.tmp'
+    hash_file     = out_file+'.hash'
+
+    # Generate hash using openssl dgst in hex format
+    cmdargs = [get_openssl_path(), 'dgst', '-'+'%s' % _hash_type_string[hash_type], '-out', '%s' % hash_file_tmp, '%s' % in_file]
+    run_process (cmdargs)
+
+    # Extract hash form dgst command output and convert to ascii
+    with open(hash_file_tmp, 'r') as fin:
+        hashdata = fin.read()
+    fin.close()
+
+    try:
+        hashdata = hashdata.rsplit('=', 1)[1].strip()
+    except:
+        raise Exception('Hash Data not found for signing!')
+
+    if len(hashdata) != (_hash_digest_Size[hash_type] * 2):
+        raise Exception('Hash Data size do match with for hash type!')
+
+    hashdata_bytes = bytearray.fromhex(hashdata)
+    open (hash_file, 'wb').write(hashdata_bytes)
+
+    print ("Key used for Singing %s !!" % priv_key)
+
+    # sign using Openssl pkeyutl
+    cmdargs = [get_openssl_path(), 'pkeyutl', '-sign', '-in', '%s' % hash_file, '-inkey', '%s' % priv_key,
+               '-out', '%s' % out_file, '-pkeyopt', 'digest:%s' % _hash_type_string[hash_type],
+               '-pkeyopt', 'rsa_padding_mode:%s' % _sign_scheme_string[sign_scheme]]
+
+    run_process (cmdargs)
+
+    return
+
+#
+# Extract public key using openssl
+#
+# in_key        [Input]         Private key or public key in pem format
+# pub_key_file  [Input/Output]  Public Key to a file
+#
+# return        keydata (mod, exp) in bin format
+#
+
+def single_sign_gen_pub_key (in_key, pub_key_file = None):
+
+    in_key = get_key_from_store(in_key)
+
+    # Expect key to be in PEM format
+    is_prv_key = False
+    cmdline = [get_openssl_path(), 'rsa', '-pubout', '-text', '-noout', '-in', '%s' % in_key]
+    # Check if it is public key or private key
+    text = open(in_key, 'r').read()
+    if '-BEGIN RSA PRIVATE KEY-' in text or '-BEGIN PRIVATE KEY-' in text:
+        is_prv_key = True
+    elif '-BEGIN PUBLIC KEY-' in text:
+        cmdline.extend (['-pubin'])
+    else:
+        raise Exception('Unknown key format "%s" !' % in_key)
+
+    if pub_key_file:
+        cmdline.extend (['-out', '%s' % pub_key_file])
+        capture = False
+    else:
+        capture = True
+
+    output = run_process (cmdline, capture_out = capture)
+    if not capture:
+        output = text = open(pub_key_file, 'r').read()
+    data     = output.replace('\r', '')
+    data     = data.replace('\n', '')
+    data     = data.replace('  ', '')
+
+    # Extract the modulus
+    if is_prv_key:
+        match = re.search('modulus(.*)publicExponent:\s+(\d+)\s+', data)
+    else:
+        match = re.search('Modulus(?:.*?):(.*)Exponent:\s+(\d+)\s+', data)
+    if not match:
+        raise Exception('Public key not found!')
+    modulus  = match.group(1).replace(':', '')
+    exponent = int(match.group(2))
+
+    mod = bytearray.fromhex(modulus)
+    # Remove the '00' from the front if the MSB is 1
+    if mod[0] == 0 and (mod[1] & 0x80):
+        mod = mod[1:]
+    exp = bytearray.fromhex('{:08x}'.format(exponent))
+
+    keydata   = mod + exp
+
+    return keydata
+

core/definitions.mk

@@ -5,6 +5,7 @@ IAFW_BUILD_SYSTEM := $(INTEL_PATH_BUILD)/core
 BUILD_EFI_STATIC_LIBRARY := $(IAFW_BUILD_SYSTEM)/iafw_static_library.mk
 BUILD_IAFW_STATIC_LIBRARY := $(IAFW_BUILD_SYSTEM)/iafw_static_library.mk
 BUILD_EFI_EXECUTABLE := $(IAFW_BUILD_SYSTEM)/efi_executable.mk
+BUILD_SBL_EXECUTABLE := $(IAFW_BUILD_SYSTEM)/sbl_executable.mk
 
 # Override default definition
 CLEAR_VARS := $(IAFW_BUILD_SYSTEM)/clear_vars.mk
@@ -15,19 +16,36 @@ GENERATE_VERITY_KEY := $(HOST_OUT_EXECUTABLES)/generate_verity_key$(HOST_EXECUTA
 OPENSSL := openssl
 SBSIGN := sbsign
 MKDOSFS := mkdosfs
-MKEXT2IMG := $(HOST_OUT_EXECUTABLES)/mkext2img
-DUMPEXT2IMG := $(HOST_OUT_EXECUTABLES)/dumpext2img
+#MKEXT2IMG := $(HOST_OUT_EXECUTABLES)/mkext2img
+#DUMPEXT2IMG := $(HOST_OUT_EXECUTABLES)/dumpext2img
 MCOPY := mcopy
 SESL := sign-efi-sig-list$(HOST_EXECUTABLE_SUFFIX)
 CTESL := cert-to-efi-sig-list$(HOST_EXECUTABLE_SUFFIX)
 IASL := $(INTEL_PATH_BUILD)/acpi-tools/linux64/bin/iasl
 
+# Generation
+KF4SBL_SYMBOLS_ZIP := $(PRODUCT_OUT)/kf4sbl_symbols.zip
+FB4SBL_SYMBOLS_ZIP := $(PRODUCT_OUT)/fb4sbl_symbols.zip
+
 # Extra host tools we need built to use our *_from_target_files
 # or sign_target_files_* scripts
 INTEL_OTATOOLS := \
     $(GENERATE_VERITY_KEY) \
     $(AVBTOOL)
 
+ifeq ($(KERNELFLINGER_SUPPORT_NON_EFI_BOOT),true)
+# NON UEFI platform
+INTEL_OTATOOLS += \
+ #   $(MKEXT2IMG) \
+ #  $(DUMPEXT2IMG) \
+    $(FASTBOOT) \
+    $(IASL)
+endif
+
+ifeq ($(BOARD_USE_SBL),true)
+INTEL_OTATOOLS += abl_toolchain
+endif
+
 otatools: $(INTEL_OTATOOLS)
 
 # FIXME: may be unsafe to omit -no-sse
@@ -73,6 +91,7 @@ GNU_EFI_CRT0 := crt0-efi-$(TARGET_IAFW_ARCH_NAME)
 LIBPAYLOAD_CRT0 := crt0-libpayload-$(TARGET_IAFW_ARCH_NAME)
 
 TARGET_EFI_LDS := $(IAFW_BUILD_SYSTEM)/elf_$(TARGET_IAFW_ARCH_NAME)_efi.lds
+TARGET_SBL_LDS := $(IAFW_BUILD_SYSTEM)/elf_$(TARGET_IAFW_ARCH_NAME)_sbl.lds
 TARGET_IAFW_GLOBAL_OBJCOPY_FLAGS := \
 	-j .text -j .sdata -j .data \
 	-j .dynamic -j .dynsym  -j .rel \
@@ -125,6 +144,32 @@ $(hide) $(IAFW_OBJCOPY) $(PRIVATE_OBJCOPY_FLAGS) \
 $(hide) $(SBSIGN) --key $1 --cert $2 --output $@ $(@:.efi=.efiunsigned)
 endef
 
+define transform-o-to-sbl-executable
+@echo "target SBL Executable: $(PRIVATE_MODULE) ($@)"
+$(hide) mkdir -p $(dir $@)
+$(hide) $(IAFW_LD) $1 \
+    --defsym=CONFIG_LP_BASE_ADDRESS=$(LIBPAYLOAD_BASE_ADDRESS) \
+    --defsym=CONFIG_LP_HEAP_SIZE=$(LIBPAYLOAD_HEAP_SIZE) \
+    --defsym=CONFIG_LP_STACK_SIZE=$(LIBPAYLOAD_STACK_SIZE) \
+    --whole-archive $(call module-built-files,$(LIBPAYLOAD_CRT0)) --no-whole-archive \
+    $(PRIVATE_ALL_OBJECTS) --start-group $(PRIVATE_ALL_STATIC_LIBRARIES) --end-group $(IAFW_LIBCLANG) \
+    -Map $(@:.sbl=.map) -o $(@:.sbl=.sym.elf)
+$(hide)$(IAFW_STRIP) --strip-all $(@:.sbl=.sym.elf) -o $(@:.sbl=.elf)
+
+$(hide) cp $(@:.sbl=.elf) $@
+
+
+python3 $(INTEL_PATH_BUILD)/containertool/GenContainer.py create -t NORMAL -cl ELF1:$@ -k $(INTEL_PATH_BUILD)/testkeys/OS1_TestKey_Priv_RSA2048.pem -o $(PRODUCT_OUT)/sbl_os
+
+
+$(hide) if [ "$(PRIVATE_MODULE:debug=)" = fb4sbl-user ]; then \
+	zip -juy $(FB4SBL_SYMBOLS_ZIP) $(@:.sbl=.map) $(@:.sbl=.sym.elf); \
+	zip -juy $(FB4SBL_SYMBOLS_ZIP) $@; \
+elif [ "$(PRIVATE_MODULE:debug=)" = kf4sbl-user ]; then \
+	zip -juy $(KF4SBL_SYMBOLS_ZIP) $(@:.sbl=.map) $(@:.sbl=.sym.elf); \
+fi
+endef
+
 # Hook up the prebuilts generation mechanism
 include $(INTEL_PATH_COMMON)/external/external.mk