SDK_SG200x_V2/build/scripts/sign_fip.py

#!/usr/bin/env python3
# PYTHON_ARGCOMPLETE_OK

import logging
import argparse
import os
import stat
import re
import subprocess
import tempfile
import os.path
import tarfile

import build_helper

try:
    import argcomplete
except ImportError:
    argcomplete = None


build_helper.check_python_min_version()


def parse_args():
    parser = argparse.ArgumentParser(
        description="Scan boards to generate env and configs"
    )
    parser.add_argument("-v", "--verbose", default="INFO")
    parser.add_argument("--logfile", type=str)
    parser.add_argument("--sign-atf", type=str)
    parser.add_argument("--sign-bld", type=str)

    if argcomplete:
        argcomplete.autocomplete(parser)

    return parser.parse_args()


def sign_atf(fip_path):
    keyserver = os.environ["KEYSERVER"]
    keyserver_sshkey_path = os.environ["KEYSERVER_SSHKEY_PATH"]
    logging.info(
        "keyserver=%s keyserver_sshkey_path=%s", keyserver, keyserver_sshkey_path
    )

    os.chmod(keyserver_sshkey_path, stat.S_IRUSR)

    logging.info("scp %s to keyserver", fip_path)
    ret = subprocess.run(
        [
            "scp",
            "-i",
            keyserver_sshkey_path,
            fip_path,
            "service_sign@%s:fip.bin" % keyserver,
        ],
        stderr=subprocess.PIPE,
        check=True,
    )
    print(ret.stderr.decode())

    m = re.search(r"TOKEN:(.{32})", ret.stderr.decode())
    token = m.group(1)
    logging.info("token=%s", token)

    logging.info("sign in keyserver")
    ret = subprocess.run(
        [
            "ssh",
            "-i",
            keyserver_sshkey_path,
            "service_sign@%s" % keyserver,
            "sign_fip",
            "--chip=cv1835",
            "--token=%s" % token,
        ],
        check=False,
    )
    logging.debug("%r" % ret)

    fip_signed_path = os.path.splitext(fip_path.replace("_key0", ""))
    fip_signed_path = fip_signed_path[0] + "_key1" + fip_signed_path[1]

    logging.info("copy %s from keyserver", fip_signed_path)
    ret = subprocess.run(
        [
            "scp",
            "-i",
            keyserver_sshkey_path,
            "service_sign@%s:fip_ID%s_signed_encrypted.bin" % (keyserver, token),
            fip_signed_path,
        ],
        check=False,
    )
    logging.debug("%r" % ret)


def extract_bld_bin(bld_tar_path, dst):
    with tarfile.open(bld_tar_path, "r") as tf:
        tf.extract("BLD.bin", dst)

    return os.path.join(dst, "BLD.bin")


def sign_bld(bld_path, chip_arch, chip):
    logging.info("chip_arch=%s:%s bld_path=%s", chip_arch, chip, bld_path)
    fip_atf_key0_path = os.path.join(
        os.environ["RELEASE_BIN_ATF_DIR"],
        "fip_atf_%s_key0.bin" % chip_arch,
    )

    logging.debug("fip_atf_key0_path=%s", fip_atf_key0_path)
    assert os.path.exists(fip_atf_key0_path)

    with tempfile.TemporaryDirectory() as tmpdir:
        logging.debug("tmpdir=%s", tmpdir)

        fip_w_bld_path = os.path.join(
            tmpdir, os.path.basename(fip_atf_key0_path).replace("_key0", "")
        )
        pack_fip_path = os.path.join("build/tools", chip_arch, "pack_fip", "pack_fip.py")

        bld_bin_path = bld_path
        if os.path.splitext(bld_path)[1] == ".tar":
            bld_bin_path = extract_bld_bin(bld_path, tmpdir)
        else:
            bld_bin_path = bld_path

        if os.path.getsize(bld_bin_path) % 16 != 0:
            raise ValueError("bld_bin_path size is %d", os.path.getsize(bld_bin_path))

        subprocess.run(
            [
                "python3",
                pack_fip_path,
                fip_atf_key0_path,
                "--output",
                fip_w_bld_path,
                "--add-bld",
                bld_bin_path,
            ],
            check=True,
        )

        subprocess.run(
            ["python3", pack_fip_path, "--parse", fip_w_bld_path], check=True
        )

        sign_atf(fip_w_bld_path)

        fip_signed_path = os.path.splitext(fip_w_bld_path)
        fip_signed_path = fip_signed_path[0] + "_key1" + fip_signed_path[1]
        logging.debug("fip_signed_path=%s", fip_signed_path)
        assert os.path.exists(fip_signed_path)

        subprocess.run(
            ["python3", pack_fip_path, "--unpack", fip_signed_path],
            check=True,
        )

        bld_tar_path = os.path.splitext(bld_path)[0].replace("_key0", "") + "_key1.tar"
        logging.info("bld_tar_path=%s", bld_tar_path)
        members = [
            "BLD_CONTENT_CERT.bin",
            "BLD2_KEY_CERT.bin",
            "BLD1_KEY_CERT.bin",
            "BLD.bin",
        ]
        with tarfile.open(bld_tar_path, "w") as tf:
            for m in members:
                s = os.path.splitext(fip_signed_path)[0] + "_" + m
                logging.debug("Add %s", s)
                tf.add(s, arcname=m, recursive=False)


def main():
    args = parse_args()

    build_helper.init_logging(args.logfile, stdout_level=args.verbose)

    if args.sign_atf:
        sign_atf(args.sign_atf)

    if args.sign_bld:
        chip_arch = os.environ["CHIP_ARCH_L"]
        chip = os.environ["CHIP"]
        sign_bld(args.sign_bld, chip_arch, chip)

    logging.info("END")


if __name__ == "__main__":
    main()