[build] add cvitek build scripts

Change-Id: If63ce4a669e5d4d72b8e3b9253336dd99bf74c30
2023-02-23 11:21:38 +08:00
parent cbb030f19f
commit a4f213ceb0
1219 changed files with 149149 additions and 0 deletions
--- a/build/scripts/sign_fip.py
+++ b/build/scripts/sign_fip.py
@ -0,0 +1,194 @@
+#!/usr/bin/env python3
+# PYTHON_ARGCOMPLETE_OK
+
+import logging
+import argparse
+import os
+import stat
+import re
+import subprocess
+import tempfile
+import os.path
+import tarfile
+
+import build_helper
+
+try:
+    import argcomplete
+except ImportError:
+    argcomplete = None
+
+
+build_helper.check_python_min_version()
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(
+        description="Scan boards to generate env and configs"
+    )
+    parser.add_argument("-v", "--verbose", default="INFO")
+    parser.add_argument("--logfile", type=str)
+    parser.add_argument("--sign-atf", type=str)
+    parser.add_argument("--sign-bld", type=str)
+
+    if argcomplete:
+        argcomplete.autocomplete(parser)
+
+    return parser.parse_args()
+
+
+def sign_atf(fip_path):
+    keyserver = os.environ["KEYSERVER"]
+    keyserver_sshkey_path = os.environ["KEYSERVER_SSHKEY_PATH"]
+    logging.info(
+        "keyserver=%s keyserver_sshkey_path=%s", keyserver, keyserver_sshkey_path
+    )
+
+    os.chmod(keyserver_sshkey_path, stat.S_IRUSR)
+
+    logging.info("scp %s to keyserver", fip_path)
+    ret = subprocess.run(
+        [
+            "scp",
+            "-i",
+            keyserver_sshkey_path,
+            fip_path,
+            "service_sign@%s:fip.bin" % keyserver,
+        ],
+        stderr=subprocess.PIPE,
+        check=True,
+    )
+    print(ret.stderr.decode())
+
+    m = re.search(r"TOKEN:(.{32})", ret.stderr.decode())
+    token = m.group(1)
+    logging.info("token=%s", token)
+
+    logging.info("sign in keyserver")
+    ret = subprocess.run(
+        [
+            "ssh",
+            "-i",
+            keyserver_sshkey_path,
+            "service_sign@%s" % keyserver,
+            "sign_fip",
+            "--chip=cv1835",
+            "--token=%s" % token,
+        ],
+        check=False,
+    )
+    logging.debug("%r" % ret)
+
+    fip_signed_path = os.path.splitext(fip_path.replace("_key0", ""))
+    fip_signed_path = fip_signed_path[0] + "_key1" + fip_signed_path[1]
+
+    logging.info("copy %s from keyserver", fip_signed_path)
+    ret = subprocess.run(
+        [
+            "scp",
+            "-i",
+            keyserver_sshkey_path,
+            "service_sign@%s:fip_ID%s_signed_encrypted.bin" % (keyserver, token),
+            fip_signed_path,
+        ],
+        check=False,
+    )
+    logging.debug("%r" % ret)
+
+
+def extract_bld_bin(bld_tar_path, dst):
+    with tarfile.open(bld_tar_path, "r") as tf:
+        tf.extract("BLD.bin", dst)
+
+    return os.path.join(dst, "BLD.bin")
+
+
+def sign_bld(bld_path, chip_arch, chip):
+    logging.info("chip_arch=%s:%s bld_path=%s", chip_arch, chip, bld_path)
+    fip_atf_key0_path = os.path.join(
+        os.environ["RELEASE_BIN_ATF_DIR"],
+        "fip_atf_%s_key0.bin" % chip_arch,
+    )
+
+    logging.debug("fip_atf_key0_path=%s", fip_atf_key0_path)
+    assert os.path.exists(fip_atf_key0_path)
+
+    with tempfile.TemporaryDirectory() as tmpdir:
+        logging.debug("tmpdir=%s", tmpdir)
+
+        fip_w_bld_path = os.path.join(
+            tmpdir, os.path.basename(fip_atf_key0_path).replace("_key0", "")
+        )
+        pack_fip_path = os.path.join("build/tools", chip_arch, "pack_fip", "pack_fip.py")
+
+        bld_bin_path = bld_path
+        if os.path.splitext(bld_path)[1] == ".tar":
+            bld_bin_path = extract_bld_bin(bld_path, tmpdir)
+        else:
+            bld_bin_path = bld_path
+
+        if os.path.getsize(bld_bin_path) % 16 != 0:
+            raise ValueError("bld_bin_path size is %d", os.path.getsize(bld_bin_path))
+
+        subprocess.run(
+            [
+                "python3",
+                pack_fip_path,
+                fip_atf_key0_path,
+                "--output",
+                fip_w_bld_path,
+                "--add-bld",
+                bld_bin_path,
+            ],
+            check=True,
+        )
+
+        subprocess.run(
+            ["python3", pack_fip_path, "--parse", fip_w_bld_path], check=True
+        )
+
+        sign_atf(fip_w_bld_path)
+
+        fip_signed_path = os.path.splitext(fip_w_bld_path)
+        fip_signed_path = fip_signed_path[0] + "_key1" + fip_signed_path[1]
+        logging.debug("fip_signed_path=%s", fip_signed_path)
+        assert os.path.exists(fip_signed_path)
+
+        subprocess.run(
+            ["python3", pack_fip_path, "--unpack", fip_signed_path],
+            check=True,
+        )
+
+        bld_tar_path = os.path.splitext(bld_path)[0].replace("_key0", "") + "_key1.tar"
+        logging.info("bld_tar_path=%s", bld_tar_path)
+        members = [
+            "BLD_CONTENT_CERT.bin",
+            "BLD2_KEY_CERT.bin",
+            "BLD1_KEY_CERT.bin",
+            "BLD.bin",
+        ]
+        with tarfile.open(bld_tar_path, "w") as tf:
+            for m in members:
+                s = os.path.splitext(fip_signed_path)[0] + "_" + m
+                logging.debug("Add %s", s)
+                tf.add(s, arcname=m, recursive=False)
+
+
+def main():
+    args = parse_args()
+
+    build_helper.init_logging(args.logfile, stdout_level=args.verbose)
+
+    if args.sign_atf:
+        sign_atf(args.sign_atf)
+
+    if args.sign_bld:
+        chip_arch = os.environ["CHIP_ARCH_L"]
+        chip = os.environ["CHIP"]
+        sign_bld(args.sign_bld, chip_arch, chip)
+
+    logging.info("END")
+
+
+if __name__ == "__main__":
+    main()