build: Support build with Slim Bootloader

SingleSign.py

@@ -0,0 +1,301 @@
+#!/usr/bin/env python
+## @ SingleSign.py
+# Single signing script
+#
+# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+##
+# Import Modules
+#
+import os
+import sys
+import re
+import shutil
+import subprocess
+import struct
+import hashlib
+import string
+
+SIGNING_KEY = {
+    # Key Id                                | Key File Name start |
+    # =================================================================
+    # KEY_ID_MASTER is used for signing Slimboot Key Hash Manifest container (KEYH Component)
+    "KEY_ID_MASTER_RSA2048"          :    "MasterTestKey_Priv_RSA2048.pem",
+    "KEY_ID_MASTER_RSA3072"          :    "MasterTestKey_Priv_RSA3072.pem",
+
+    # KEY_ID_CFGDATA is used for signing external Config data blob)
+    "KEY_ID_CFGDATA_RSA2048"         :    "ConfigTestKey_Priv_RSA2048.pem",
+    "KEY_ID_CFGDATA_RSA3072"         :    "ConfigTestKey_Priv_RSA3072.pem",
+
+    # KEY_ID_FIRMWAREUPDATE is used for signing capsule firmware update image)
+    "KEY_ID_FIRMWAREUPDATE_RSA2048"  :    "FirmwareUpdateTestKey_Priv_RSA2048.pem",
+    "KEY_ID_FIRMWAREUPDATE_RSA3072"  :    "FirmwareUpdateTestKey_Priv_RSA3072.pem",
+
+    # KEY_ID_CONTAINER is used for signing container header with mono signature
+    "KEY_ID_CONTAINER_RSA2048"       :    "ContainerTestKey_Priv_RSA2048.pem",
+    "KEY_ID_CONTAINER_RSA3072"       :    "ContainerTestKey_Priv_RSA3072.pem",
+
+    # CONTAINER_COMP1_KEY_ID is used for signing container components
+    "KEY_ID_CONTAINER_COMP_RSA2048" :    "ContainerCompTestKey_Priv_RSA2048.pem",
+    "KEY_ID_CONTAINER_COMP_RSA3072" :    "ContainerCompTestKey_Priv_RSA3072.pem",
+
+    # KEY_ID_OS1_PUBLIC, KEY_ID_OS2_PUBLIC is used for referencing Boot OS public keys
+    "KEY_ID_OS1_PUBLIC_RSA2048"      :    "OS1_TestKey_Pub_RSA2048.pem",
+    "KEY_ID_OS1_PUBLIC_RSA3072"      :    "OS1_TestKey_Pub_RSA3072.pem",
+
+    "KEY_ID_OS2_PUBLIC_RSA2048"      :    "OS2_TestKey_Pub_RSA2048.pem",
+    "KEY_ID_OS2_PUBLIC_RSA3072"      :    "OS2_TestKey_Pub_RSA3072.pem",
+
+    }
+
+MESSAGE_SBL_KEY_DIR = (
+            "!!! PRE-REQUISITE: Path to SBL_KEY_DIR has to be set with SBL KEYS DIRECTORY !!! \n"
+            "!!! Generate keys using GenerateKeys.py available in BootloaderCorePkg/Tools directory !!! \n"
+            "!!! Run $python BootloaderCorePkg/Tools/GenerateKeys.py -k $PATH_TO_SBL_KEY_DIR !!!\n"
+            "!!! Set SBL_KEY_DIR environ with path to SBL KEYS DIR !!!\n"
+            "!!! Windows $set    SBL_KEY_DIR=$PATH_TO_SBL_KEY_DIR !!!\n"
+            "!!! Linux   $export SBL_KEY_DIR=$PATH_TO_SBL_KEY_DIR !!!\n"
+        )
+
+def get_openssl_path ():
+    if os.name == 'nt':
+        if 'OPENSSL_PATH' not in os.environ:
+            openssl_dir = "C:\\Openssl\\bin\\"
+            if os.path.exists (openssl_dir):
+                os.environ['OPENSSL_PATH'] = openssl_dir
+            else:
+                os.environ['OPENSSL_PATH'] = "C:\\Openssl\\"
+                if 'OPENSSL_CONF' not in os.environ:
+                    openssl_cfg = "C:\\Openssl\\openssl.cfg"
+                    if os.path.exists(openssl_cfg):
+                        os.environ['OPENSSL_CONF'] = openssl_cfg
+        openssl = os.path.join(os.environ.get ('OPENSSL_PATH', ''), 'openssl.exe')
+    else:
+        # Get openssl path for Linux cases
+        openssl = shutil.which('openssl')
+
+    return openssl
+
+def run_process (arg_list, print_cmd = False, capture_out = False):
+    sys.stdout.flush()
+    if print_cmd:
+        print (' '.join(arg_list))
+
+    exc    = None
+    result = 0
+    output = ''
+    try:
+        if capture_out:
+            output = subprocess.check_output(arg_list).decode()
+        else:
+            result = subprocess.call (arg_list)
+    except Exception as ex:
+        result = 1
+        exc    = ex
+
+    if result:
+        if not print_cmd:
+            print ('Error in running process:\n  %s' % ' '.join(arg_list))
+        if exc is None:
+            sys.exit(1)
+        else:
+            raise exc
+
+    return output
+
+def check_file_pem_format (priv_key):
+    # Check for file .pem format
+    key_name = os.path.basename(priv_key)
+    if os.path.splitext(key_name)[1] == ".pem":
+        return True
+    else:
+        return False
+
+def get_key_id (priv_key):
+    # Extract base name if path is provided.
+    key_name = os.path.basename(priv_key)
+    # Check for KEY_ID in key naming.
+    if key_name.startswith('KEY_ID'):
+        return key_name
+    else:
+        return None
+
+def get_sbl_key_dir ():
+    # Check Key store setting SBL_KEY_DIR path
+    if 'SBL_KEY_DIR' not in os.environ:
+        raise Exception ("ERROR: SBL_KEY_DIR is not defined. Set SBL_KEY_DIR with SBL Keys directory!!\n"
+                                                                + MESSAGE_SBL_KEY_DIR)
+
+    sbl_key_dir = os.environ.get('SBL_KEY_DIR')
+    if not os.path.exists(sbl_key_dir):
+        raise Exception (("ERROR:SBL_KEY_DIR set %s is not valid. Set the correct SBL_KEY_DIR path !!\n"
+                                                                        + MESSAGE_SBL_KEY_DIR) % sbl_key_dir)
+    else:
+        return sbl_key_dir
+
+def get_key_from_store (in_key):
+
+    #Check in_key is path to  key
+    if os.path.exists(in_key):
+        return in_key
+
+    # Get Slimboot key dir path
+    sbl_key_dir = get_sbl_key_dir()
+
+    # Extract if in_key is key_id
+    priv_key = get_key_id (in_key)
+    if priv_key is not None:
+        if (priv_key in SIGNING_KEY):
+            # Generate key file name from key id
+            priv_key_file = SIGNING_KEY[priv_key]
+        else:
+            raise Exception('KEY_ID %s is not found in supported KEY IDs!!' % priv_key)
+    elif check_file_pem_format(in_key) == True:
+        # check if file name is provided in pem format
+        priv_key_file = in_key
+    else:
+        priv_key_file = None
+        raise Exception('key provided %s is not valid!' % in_key)
+
+    # Create a file path
+    # Join Key Dir and priv_key_file
+    try:
+        priv_key = os.path.join (sbl_key_dir, priv_key_file)
+    except:
+        raise Exception('priv_key is not found %s!' % priv_key)
+
+    # Check for priv_key construted based on KEY ID exists in specified path
+    if not os.path.isfile(priv_key):
+        raise Exception (("!!! ERROR: Key file corresponding to '%s' do not exist in Sbl key directory at '%s' !!! \n" + MESSAGE_SBL_KEY_DIR)  % (in_key, sbl_key_dir))
+
+    return priv_key
+
+#
+# Sign an file using openssl
+#
+# priv_key   [Input]        Key Id or Path to Private key
+# hash_type  [Input]        Signing hash
+# sign_scheme[Input]        Sign/padding scheme
+# in_file    [Input]        Input file to be signed
+# out_file   [Input/Output] Signed data file
+#
+
+def single_sign_file (priv_key, hash_type, sign_scheme, in_file, out_file):
+
+    _hash_type_string = {
+        "SHA2_256"    : 'sha256',
+        "SHA2_384"    : 'sha384',
+        "SHA2_512"    : 'sha512',
+    }
+
+    _hash_digest_Size = {
+        # Hash_string : Hash_Size
+        "SHA2_256"    : 32,
+        "SHA2_384"    : 48,
+        "SHA2_512"    : 64,
+        "SM3_256"     : 32,
+    }
+
+    _sign_scheme_string = {
+        "RSA_PKCS1"    : 'pkcs1',
+        "RSA_PSS"      : 'pss',
+    }
+
+    priv_key = get_key_from_store(priv_key)
+
+    # Temporary files to store hash generated
+    hash_file_tmp = out_file+'.hash.tmp'
+    hash_file     = out_file+'.hash'
+
+    # Generate hash using openssl dgst in hex format
+    cmdargs = [get_openssl_path(), 'dgst', '-'+'%s' % _hash_type_string[hash_type], '-out', '%s' % hash_file_tmp, '%s' % in_file]
+    run_process (cmdargs)
+
+    # Extract hash form dgst command output and convert to ascii
+    with open(hash_file_tmp, 'r') as fin:
+        hashdata = fin.read()
+    fin.close()
+
+    try:
+        hashdata = hashdata.rsplit('=', 1)[1].strip()
+    except:
+        raise Exception('Hash Data not found for signing!')
+
+    if len(hashdata) != (_hash_digest_Size[hash_type] * 2):
+        raise Exception('Hash Data size do match with for hash type!')
+
+    hashdata_bytes = bytearray.fromhex(hashdata)
+    open (hash_file, 'wb').write(hashdata_bytes)
+
+    print ("Key used for Singing %s !!" % priv_key)
+
+    # sign using Openssl pkeyutl
+    cmdargs = [get_openssl_path(), 'pkeyutl', '-sign', '-in', '%s' % hash_file, '-inkey', '%s' % priv_key,
+               '-out', '%s' % out_file, '-pkeyopt', 'digest:%s' % _hash_type_string[hash_type],
+               '-pkeyopt', 'rsa_padding_mode:%s' % _sign_scheme_string[sign_scheme]]
+
+    run_process (cmdargs)
+
+    return
+
+#
+# Extract public key using openssl
+#
+# in_key        [Input]         Private key or public key in pem format
+# pub_key_file  [Input/Output]  Public Key to a file
+#
+# return        keydata (mod, exp) in bin format
+#
+
+def single_sign_gen_pub_key (in_key, pub_key_file = None):
+
+    in_key = get_key_from_store(in_key)
+
+    # Expect key to be in PEM format
+    is_prv_key = False
+    cmdline = [get_openssl_path(), 'rsa', '-pubout', '-text', '-noout', '-in', '%s' % in_key]
+    # Check if it is public key or private key
+    text = open(in_key, 'r').read()
+    if '-BEGIN RSA PRIVATE KEY-' in text or '-BEGIN PRIVATE KEY-' in text:
+        is_prv_key = True
+    elif '-BEGIN PUBLIC KEY-' in text:
+        cmdline.extend (['-pubin'])
+    else:
+        raise Exception('Unknown key format "%s" !' % in_key)
+
+    if pub_key_file:
+        cmdline.extend (['-out', '%s' % pub_key_file])
+        capture = False
+    else:
+        capture = True
+
+    output = run_process (cmdline, capture_out = capture)
+    if not capture:
+        output = text = open(pub_key_file, 'r').read()
+    data     = output.replace('\r', '')
+    data     = data.replace('\n', '')
+    data     = data.replace('  ', '')
+
+    # Extract the modulus
+    if is_prv_key:
+        match = re.search('modulus(.*)publicExponent:\s+(\d+)\s+', data)
+    else:
+        match = re.search('Modulus(?:.*?):(.*)Exponent:\s+(\d+)\s+', data)
+    if not match:
+        raise Exception('Public key not found!')
+    modulus  = match.group(1).replace(':', '')
+    exponent = int(match.group(2))
+
+    mod = bytearray.fromhex(modulus)
+    # Remove the '00' from the front if the MSB is 1
+    if mod[0] == 0 and (mod[1] & 0x80):
+        mod = mod[1:]
+    exp = bytearray.fromhex('{:08x}'.format(exponent))
+
+    keydata   = mod + exp
+
+    return keydata
+

core/abl_executable.mk

@@ -0,0 +1,55 @@
+ifeq ($(strip $(LOCAL_MODULE_CLASS)),)
+LOCAL_MODULE_CLASS := ABL
+endif
+
+ifeq ($(strip $(LOCAL_MODULE_SUFFIX)),)
+LOCAL_MODULE_SUFFIX := .abl
+endif
+
+ifeq ($(strip $(LOCAL_MODULE_PATH)),)
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/abl
+endif
+
+LOCAL_CC := $(IAFW_CC)
+LOCAL_CLANG := true
+LOCAL_SANITIZE := never
+LOCAL_NO_DEFAULT_COMPILER_FLAGS := true
+LOCAL_CFLAGS += $(TARGET_IAFW_GLOBAL_CFLAGS)
+LOCAL_ASFLAGS += $(TARGET_IAFW_ASFLAGS)
+LOCAL_LDFLAGS := $(TARGET_IAFW_GLOBAL_LDFLAGS) -static \
+	-T $(TARGET_ABL_LDS) $(LOCAL_LDFLAGS)
+# If kernel enforce superpages the .text section gets aligned at
+# offset 0x200000 which break multiboot compliance.
+LOCAL_LDFLAGS += -z max-page-size=0x1000
+LOCAL_ABL_LDFALGS := $(LOCAL_LDFLAGS)
+LOCAL_OBJCOPY_FLAGS := $(TARGET_IAFW_GLOBAL_OBJCOPY_FLAGS) $(LOCAL_OBJCOPY_FLAGS)
+
+skip_build_from_source :=
+ifdef LOCAL_PREBUILT_MODULE_FILE
+ifeq (,$(call if-build-from-source,$(LOCAL_MODULE),$(LOCAL_PATH)))
+include $(BUILD_SYSTEM)/prebuilt_internal.mk
+skip_build_from_source := true
+endif
+endif
+
+ifndef skip_build_from_source
+
+ifdef LOCAL_IS_HOST_MODULE
+$(error This file should not be used to build host binaries.  Included by (or near) $(lastword $(filter-out config/%,$(MAKEFILE_LIST))))
+endif
+
+WITHOUT_LIBCOMPILER_RT := true
+include $(BUILD_SYSTEM)/binary.mk
+WITHOUT_LIBCOMPILER_RT :=
+
+LIBPAYLOAD_CRT0_LIB := $(call intermediates-dir-for,STATIC_LIBRARIES,$(LIBPAYLOAD_CRT0))/$(LIBPAYLOAD_CRT0).a
+all_objects += $(LIBPAYLOAD_CRT0_LIB)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_OBJCOPY_FLAGS := $(LOCAL_OBJCOPY_FLAGS)
+
+#$(LOCAL_BUILT_MODULE): $(all_objects) $(all_libraries) $(ABLIMAGE) $(ABLSIGN)
+$(LOCAL_BUILT_MODULE): $(all_objects) $(all_libraries)
+	$(call transform-o-to-sbl-executable,$(LOCAL_ABL_LDFALGS))
+
+endif # skip_build_from_source
+