WIP

Hope I will eventually lend somewhere with this, because adding UEFI Capsule Update support into existing code is difficult because of the code not being eassy extendable. Signed-off-by: Daniil Klimuk <[email protected]>
Dasharo · Aug 21, 2024 · 56449a3 · 56449a3
1 parent 17fa22d
commit 56449a3
Show file tree

Hide file tree

Showing 3 changed files with 515 additions and 118 deletions.
diff --git a/include/dts-environment.sh b/include/dts-environment.sh
@@ -122,6 +122,16 @@ declare EC_LINK_COMM
 declare EC_HASH_LINK_COMM
 declare EC_SIGN_LINK_COMM
 declare HEADS_LINK_DPP
+# Links to capsules:
+declare BIOS_LINK_COMM_CAP
+declare BIOS_HASH_LINK_COMM_CAP
+declare BIOS_SIGN_LINK_COMM_CAP
+declare BIOS_LINK_DPP_CAP
+declare BIOS_HASH_LINK_DPP_CAP
+declare BIOS_SIGN_LINK_DPP_CAP
+declare EC_LINK_COMM_CAP
+declare EC_HASH_LINK_COMM_CAP
+declare EC_SIGN_LINK_COMM_CAP
 # Configs, are used in dasharo-deploy script:
 CAN_INSTALL_BIOS="false"
 HAVE_HEADS_FW="false"

diff --git a/include/dts-functions.sh b/include/dts-functions.sh
@@ -626,6 +626,7 @@ board_config() {
               DASHARO_REL_VER="q35/v0.2.0"
               # TODO: wait till the binaries will be uploaded to the server.
               BIOS_LINK_COMM="${FW_STORE_URL}/${DASHARO_REL_NAME}/${DASHARO_REL_VER}/"
+	      BIOS_LINK_COMM_CAP="${FW_STORE_URL}/${DASHARO_REL_NAME}/${DASHARO_REL_VER}/"
               ;;
             *)
               print_error "Board model $BOARD_MODEL is currently not supported"
@@ -654,6 +655,14 @@ board_config() {
   [ -z "$BIOS_SIGN_LINK_DPP_SEABIOS" ] && BIOS_SIGN_LINK_DPP_SEABIOS="${BIOS_HASH_LINK_DPP_SEABIOS}.sig"
   [ -z "$EC_HASH_LINK_COMM" ] && EC_HASH_LINK_COMM="${EC_LINK_COMM}.sha256"
   [ -z "$EC_SIGN_LINK_COMM" ] && EC_SIGN_LINK_COMM="${EC_HASH_LINK_COMM}.sig"
+
+  # And for capsules as well:
+  [ -z "$BIOS_HASH_LINK_COMM_CAP" ] && BIOS_HASH_LINK_COMM_CAP="${BIOS_LINK_COMM_CAP}.sha256"
+  [ -z "$BIOS_SIGN_LINK_COMM_CAP" ] && BIOS_SIGN_LINK_COMM_CAP="${BIOS_SIGN_LINK_COMM_CAP}.sig"
+  [ -z "$BIOS_HASH_LINK_DPP_CAP" ] && BIOS_HASH_LINK_DPP_CAP="${BIOS_LINK_DPP_CAP}.sha256"
+  [ -z "$BIOS_SIGN_LINK_DPP_CAP" ] && BIOS_SIGN_LINK_DPP_CAP="${BIOS_HASH_LINK_DPP_CAP}.sig"
+  [ -z "$EC_HASH_LINK_COMM_CAP" ] && EC_HASH_LINK_COMM_CAP="${EC_LINK_COMM_CAP}.sha256"
+  [ -z "$EC_SIGN_LINK_COMM_CAP" ] && EC_SIGN_LINK_COMM_CAP="${EC_HASH_LINK_COMM_CAP}.sig"
 }
 
 check_flash_lock() {
@@ -812,40 +821,55 @@ get_signing_keys() {
 }
 
 verify_artifacts() {
+# This function checks downloaded files, the files that are being downloaded
+# should have hashes provided on the server too. The hashes will ben downloaded
+# and the binaries will be verified upon them.
+#
+# In case of .rom files it will be enough but capsules have additional
+# protection layer built in, the binaries they provide will be verified by
+# drivers, so no need to implement it here.
   local _type="$1"
   local _update_file=""
   local _hash_file=""
   local _sign_file=""
   local _name=""
   local _sig_result=""
 
-  case ${_type} in
-    ec)
-    _update_file=$EC_UPDATE_FILE
-    _hash_file=$EC_HASH_FILE
-    _sign_file=$EC_SIGN_FILE
-    _name="Dasharo EC"
-    ;;
-    bios)
-    _update_file=$BIOS_UPDATE_FILE
-    _hash_file=$BIOS_HASH_FILE
-    _sign_file=$BIOS_SIGN_FILE
-    _name="Dasharo"
-    ;;
-    *)
-    ;;
-  esac
-  echo -n "Checking $_name firmware checksum... "
-  sha256sum --check <(echo "$(cat $_hash_file | cut -d ' ' -f 1)" $_update_file) >> $ERR_LOG_FILE 2>&1
-  error_check "Failed to verify $_name firmware checksum"
-  print_ok "Verified."
-  if [ -n "$PLATFORM_SIGN_KEY" ]; then
-    echo -n "Checking $_name firmware signature... "
-    _sig_result="$(cat $_hash_file | gpg --verify $_sign_file - >> $ERR_LOG_FILE 2>&1)"
-    error_check "Failed to verify $_name firmware signature.$'\n'$_sig_result"
+  while [[ $# -gt 0 ]]; do
+    case ${_type} in
+      ec)
+        _update_file=$EC_UPDATE_FILE
+        _hash_file=$EC_HASH_FILE
+        _sign_file=$EC_SIGN_FILE
+        _name="Dasharo EC"
+	shift
+        ;;
+      bios)
+        _update_file=$BIOS_UPDATE_FILE
+        _hash_file=$BIOS_HASH_FILE
+        _sign_file=$BIOS_SIGN_FILE
+        _name="Dasharo"
+	shift
+        ;;
+      *)
+        ;;
+    esac
+
+    echo -n "Checking $_name firmware checksum... "
+    sha256sum --check <(echo "$(cat $_hash_file | cut -d ' ' -f 1)" $_update_file) >> $ERR_LOG_FILE 2>&1
+    error_check "Failed to verify $_name firmware checksum"
     print_ok "Verified."
-  fi
-  echo "$_sig_result"
+
+    if [ -n "$PLATFORM_SIGN_KEY" ]; then
+      echo -n "Checking $_name firmware signature... "
+      _sig_result="$(cat $_hash_file | gpg --verify $_sign_file - >> $ERR_LOG_FILE 2>&1)"
+      error_check "Failed to verify $_name firmware signature.$'\n'$_sig_result"
+      print_ok "Verified."
+    fi
+    echo "$_sig_result"
+  done
+
+  return 0
 }
 
 check_intel_regions() {