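def handle_sign_cmd(args, key_store, tmpdir):
    """Entry point for the sign command.

    Fetches the chain-of-trust public keys from ``key_store``, patches the
    SHA-256 digest of the ``rot-key`` public key into the selected bootloader
    images, regenerates the certificate chain of every unpacked FIP and
    repacks the FIPs (plus the VC4 firmware binary when one was supplied).

    Args:
        args: Parsed command-line arguments. Reads ``backend_url``,
            ``rpi_vc4_fw``, ``bl2`` and ``fip``. ``args.fip`` is appended to
            in place when ``rpi_vc4_fw`` is set.
        key_store: Key store client; ``connect`` is called on it here and it
            is handed to ``fetch_keys`` and ``make_cert_chain``.
        tmpdir: ``pathlib.Path``-like scratch directory that receives the
            unpacked components and the newly created certificates.

    Raises:
        KeyError: If the fetched keys contain no ``"rot-key"`` entry, or a
            path in ``args.fip`` has no unpacked spec under its file name.
    """
    key_store.connect(args.backend_url)

    # NOTE(review): exist_ok=True reuses directories that already exist.
    # tmpdir is presumably fresh for every run; confirm, otherwise stale
    # components or certificates from an earlier run could be picked up.
    new_keys_dir = tmpdir / "new_certs"
    new_keys_dir.mkdir(exist_ok=True)
    fip_components_dir = tmpdir / "fip_components"
    fip_components_dir.mkdir(exist_ok=True)

    pub_keys = fetch_keys(key_store, tbbr_defs.cot_keys)
    # ROTPK hash: SHA-256 over the rot-key bytes exactly as fetch_keys
    # returned them. Computed once; nothing below modifies pub_keys.
    rotpk = hashlib.sha256(pub_keys["rot-key"]).digest()
    imgs_to_patch = []

    if args.rpi_vc4_fw:
        unpacked_bin_dir = tmpdir / "armstub8_components"
        unpacked_bin_dir.mkdir(exist_ok=True)
        print("Splitting bl1.bin and fip1.bin from {}".format(
            args.rpi_vc4_fw.name))
        bl1_path = pathlib.Path(unpacked_bin_dir, "bl1.bin").absolute()
        fip1_path = pathlib.Path(unpacked_bin_dir, "fip1.bin").absolute()
        split_unified_binary(args.rpi_vc4_fw, bl1_path, fip1_path)
        # The split-out FIP is signed together with the user-supplied ones.
        args.fip.append(fip1_path)
        imgs_to_patch.append(bl1_path)

    if args.bl2:
        imgs_to_patch.append(args.bl2)

    fip_specs = unpack_fips(args.fip, fip_components_dir)

    if imgs_to_patch:
        # Trusted boot firmware inside the FIPs is only patched when a
        # BL1/BL2 image is being patched as well.
        for spec in fip_specs.values():
            if "tb-fw" in spec:
                imgs_to_patch.append(spec["tb-fw"]["path"])
        for img in imgs_to_patch:
            print("Patching root-of-trust public key hash in image: {}".format(
                str(pathlib.Path(img).name)))
            replace_bl_rotkey(rotpk, pathlib.Path(img))

    if fip_specs:
        for name, spec in fip_specs.items():
            print("Creating certificates for FIP image: {}".format(name))
            make_cert_chain(fip_components_dir, spec, key_store, pub_keys,
                            new_keys_dir)
            resolve_fip_certificate_paths(spec, new_keys_dir)

    # Specs are looked up by file name only, and a FIP without an unpacked
    # spec raises KeyError here instead of being skipped silently.
    # NOTE(review): two FIP paths sharing a file name would presumably
    # collide in fip_specs; confirm against unpack_fips.
    for fip_path in args.fip:
        spec = fip_specs[fip_path.name]
        print("Creating signed FIP at path: {}".format(str(fip_path)))
        # The input path is also the output path passed to fiptool.create.
        fiptool.create(spec, fip_path)

    if args.rpi_vc4_fw:
        print("Creating VC4 firmware binary at path: {}".format(
            str(args.rpi_vc4_fw)))
        regen_unified_binary(bl1_path, fip1_path, args.rpi_vc4_fw)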
def test_create(mock_subprocess):
    """fiptool.create runs ``fiptool create`` exactly once via subprocess.run."""
    entries = {
        "tb-fw": {"path": "bl1.bin"},
        "trusted-key-cert": {"path": "rotkey.pem"},
    }
    img_spec = fiptool.ImageSpec(entries)

    result = fiptool.create(img_spec, pathlib.Path("fip.bin"))

    assert isinstance(result, subprocess.CompletedProcess)
    # The command is expected as an argv list, with the rendered spec passed
    # as one single argument. assert_called_once_with matches exactly, so it
    # also pins that no other keyword (such as shell=) is passed.
    expected_argv = [
        fiptool.ToolPaths.FIPTOOL_BIN,
        "create",
        str(img_spec),
        "fip.bin",
    ]
    mock_subprocess.run.assert_called_once_with(
        expected_argv,
        check=True,
        capture_output=True,
        text=True,
    )
def test_create(mock_subprocess):
    """fiptool.create runs ``fiptool create`` with the spec split into args."""
    entries = {
        "tb-fw": {"path": "bl1.bin"},
        "trusted-key-cert": {"path": "rotkey.pem"},
    }
    img_spec = fiptool.ImageSpec(entries)

    result = fiptool.create(img_spec, pathlib.Path("fip.bin"))

    assert isinstance(result, subprocess.CompletedProcess)
    # The rendered spec is expected as separate argv entries.
    # NOTE(review): splitting on single spaces assumes no image path contains
    # a space; confirm how fiptool.create builds its argument list.
    spec_args = str(img_spec).split(" ")
    expected_argv = [fiptool.ToolPaths.FIPTOOL_BIN, "create"]
    expected_argv.extend(spec_args)
    expected_argv.append("fip.bin")
    # assert_called_once_with matches exactly, so it also pins that no other
    # keyword (such as shell=) is passed to subprocess.run.
    mock_subprocess.run.assert_called_once_with(
        expected_argv,
        check=True,
        stdout=mock_subprocess.PIPE,
        stderr=mock_subprocess.PIPE,
        universal_newlines=True,
    )
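def test_raises_correct_exception_on_invalid_command(tmp_path):
    """fiptool.create raises FiptoolCommandError carrying failure details.

    An empty ImageSpec with ``tmp_path`` as the output is used as the
    invalid invocation.
    """
    with pytest.raises(fiputils.FiptoolCommandError) as err:
        fiptool.create(fiptool.ImageSpec(), tmp_path)

    # Checks run after the block exits and inspect the raised exception
    # (err.value), not pytest's ExceptionInfo wrapper, whose str() is never
    # empty and which does not carry the exception's own attributes.
    raised = err.value
    # Value comparison: "is not 0" tests object identity, not equality.
    assert raised.return_code != 0
    assert raised.stderr is not None
    assert str(raised) != ""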