예제 #1
    def validate(self):
        """Run both validation passes over the data in the xml.

        Calls ``_BaseParseGen.validate`` first, then ``CoreConfig.validate``
        with ``OBJ_STRUCTURE``. The second pass is reached only if the first
        one returns without raising.

        :raises: RuntimeError if config is determined to be invalid
        """
        # Pass 1: base-class validation.
        _BaseParseGen.validate(self)

        # Pass 2: CoreConfig validation against OBJ_STRUCTURE.
        CoreConfig.validate(self, OBJ_STRUCTURE)
예제 #2
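    def generate(self, file_path=None):
        """Generates the config file with the current configuration of the root
        node.

        :param str file_path: path to the config file that should be generated
            with the current data. It is passed unchanged to
            ``CoreConfig.generate``; how ``None`` is treated there is not
            visible from this method.
        """
        logger.note('Generating config file...')
        CoreConfig.generate(self, file_path, defines.XML_ROOTNODE,
                            defines.XML_NAMESPACE, defines.XML_PREPEND_LINES)
        # file_path defaults to None, and concatenating str + None raises
        # TypeError after the file has already been written. format() renders
        # any value, and the message is unchanged for string paths.
        logger.note('Generated config file at: {0}'.format(file_path))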
예제 #3
 def set_config_vals(self, args):
     """Copy the mbngen settings for ``args.config_tag_name`` onto ``self.parsed_args``.

     Does nothing when no tag name was given. Otherwise the configuration file
     (``args.config_file``, or ``defines.MBNGEN_CONFIG_FILE`` when that is
     None) is loaded and the first entry whose ``tag_name`` matches is used.

     :raises: RuntimeError if the matching entry has a header length other
         than 40 or 80, or if no entry matches the tag name
     """
     # args have already been verified, so there is no need to check whether
     # the 5 config options were passed or not.
     if args.config_tag_name is None:
         return

     if args.config_file is not None:
         conf_file_name = args.config_file
     else:
         conf_file_name = defines.MBNGEN_CONFIG_FILE

     config = CoreConfig(auto_gen_xml_config, conf_file_name)
     for entry in config.root.mbngen_conf.conf:
         if entry.tag_name != args.config_tag_name:
             continue
         target = self.parsed_args
         target.image_id = entry.image_id
         target.header_version = entry.header_version
         target.image_src = entry.image_src
         target.image_dest_ptr = entry.image_dest_ptr
         target.header_length = entry.header_length
         # The length is checked after the values are copied, so parsed_args
         # keeps the copied values even when this raises.
         if entry.header_length not in (40, 80):
             raise RuntimeError(
                 "{0} is not a valid mbn header length".format(
                     entry.header_length))
         return

     raise RuntimeError(
         "tag: {0} was not found in the mbngen configuration file".
         format(args.config_tag_name))
예제 #4
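 def _decode_encryption_parameters_blob(self, encryption_params_blob,
                                        private_key):
     """Recover the image encryption key and image IV from a parameters blob.

     Element ``[1]`` of what ``extract_encryption_parameters`` returns is
     stored through ``c_path.store_data_to_temp_file``, parsed with
     ``CoreConfig`` and the wrapped image encryption key (IEK) is unwrapped
     with ``private_key``: RSA when ``self.iek_enc_algo`` equals
     ``IEK_ENC_ALGO_RSA_2048``, AES-CBC otherwise.

     :param encryption_params_blob: blob holding the encryption parameters
     :param private_key: RSA private key for the RSA branch; for the AES-CBC
         branch it is hexlified and used as the key
     :returns: tuple ``(image_encryption_key, image_encryption_iv)``
     """
     import os

     params_xml = self.extract_encryption_parameters(
         encryption_params_blob)[1]
     tmp_config_file_path = c_path.store_data_to_temp_file(params_xml)
     try:
         encryption_params_parser = CoreConfig(auto_gen_ssd_xml_config,
                                               tmp_config_file_path).root
         iek_info = encryption_params_parser.MD_SIGN[0].IEK_ENC_INFO[0]
         wrapped_iek = binascii.a2b_base64(iek_info.IEK_CIPHER_VALUE)

         if self.iek_enc_algo == IEK_ENC_ALGO_RSA_2048:
             private_key_pem = crypto.rsa.get_key_in_format(
                 private_key, crypto.utils.FORMAT_PEM)
             # NOTE(review): RSA_PAD_PKCS presumably selects PKCS#1 v1.5
             # padding. Decryption failures should not be distinguishable to
             # whoever supplies the blob; confirm how callers report errors.
             image_encryption_key = crypto.rsa.decrypt(
                 wrapped_iek,
                 private_key_pem,
                 padding=crypto.rsa.RSA_PAD_PKCS)
         else:
             # NOTE(review): no integrity check on the wrapped key is visible
             # in this block; presumably the blob is authenticated before it
             # reaches this point. Verify against the caller.
             iek_iv_hex = binascii.hexlify(
                 binascii.a2b_base64(iek_info.IEK_ENC_IV))
             image_encryption_key = crypto.aes_cbc.decrypt(
                 wrapped_iek, binascii.hexlify(private_key), iek_iv_hex)

         image_encryption_iv = binascii.a2b_base64(
             encryption_params_parser.MD_SIGN[0].IMG_ENC_INFO[0].IMG_ENC_IV)
         return image_encryption_key, image_encryption_iv
     finally:
         # The stored copy of the key material parameters is only needed for
         # parsing; remove it on success and on failure. Removal is best
         # effort, so a file that is already gone is not an error.
         try:
             os.remove(tmp_config_file_path)
         except OSError:
             pass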
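 def _decode_encryption_parameters_blob(self, encryption_params_blob,
                                        private_key):
     """Recover the image encryption key and image IV from a parameters blob.

     Element ``[1]`` of what ``extract_encryption_parameters`` returns is
     stored through ``utility_functions.store_data_to_temp_file``, parsed
     with ``CoreConfig`` and the wrapped image encryption key (IEK) is
     unwrapped with ``private_key``: via ``decrypt_with_private_der_key``
     when ``self.iek_enc_algo`` equals ``IEK_ENC_ALGO_RSA_2048``, via
     ``cbc_decrypt_binary`` otherwise.

     :param encryption_params_blob: blob holding the encryption parameters
     :param private_key: private key for the RSA branch (DER, going by the
         helper's name); for the CBC branch it is hexlified and used as the key
     :returns: tuple ``(image_encryption_key, image_encryption_iv)``
     """
     import os

     params_xml = self.extract_encryption_parameters(
         encryption_params_blob)[1]
     tmp_config_file_path = utility_functions.store_data_to_temp_file(
         params_xml)
     try:
         encryption_params_parser = CoreConfig(auto_gen_ssd_xml_config,
                                               tmp_config_file_path).root
         iek_info = encryption_params_parser.MD_SIGN[0].IEK_ENC_INFO[0]
         wrapped_iek = binascii.a2b_base64(iek_info.IEK_CIPHER_VALUE)

         if self.iek_enc_algo == IEK_ENC_ALGO_RSA_2048:
             # NOTE(review): the padding scheme is chosen inside the helper
             # and is not visible here; confirm it and how failures surface.
             image_encryption_key = (
                 crypto_functions.decrypt_with_private_der_key(
                     wrapped_iek, private_key))
         else:
             # NOTE(review): no integrity check on the wrapped key is visible
             # in this block; presumably the blob is authenticated before it
             # reaches this point. Verify against the caller.
             iek_iv_hex = binascii.hexlify(
                 binascii.a2b_base64(iek_info.IEK_ENC_IV))
             image_encryption_key = crypto_functions.cbc_decrypt_binary(
                 wrapped_iek, binascii.hexlify(private_key), iek_iv_hex)

         image_encryption_iv = binascii.a2b_base64(
             encryption_params_parser.MD_SIGN[0].IMG_ENC_INFO[0].IMG_ENC_IV)
         return image_encryption_key, image_encryption_iv
     finally:
         # The stored copy of the key material parameters is only needed for
         # parsing; remove it on success and on failure. Removal is best
         # effort, so a file that is already gone is not an error.
         try:
             os.remove(tmp_config_file_path)
         except OSError:
             pass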
 def get_supported_build_policies(policy_file):
     """Return the ids listed under ``build_policy.policy_enable`` in ``policy_file``.

     :param policy_file: path handed to ``CoreConfig`` together with
         ``policy_parser``
     :returns: list of build policy ids, in file order
     """
     logger.debug("Getting supported build policies...")
     policy_root = CoreConfig(policy_parser, policy_file).root
     # One id per supported build policy entry.
     return [entry.id for entry in policy_root.build_policy.policy_enable]
 def get_supported_secimage_policies(policy_file):
     """Return the ids listed under ``sec_image_policy.policy`` in ``policy_file``.

     :param policy_file: path handed to ``CoreConfig`` together with
         ``policy_parser``
     :returns: list of secimage policy ids, in file order
     """
     logger.debug("Getting supported secimage policies...")
     policy_root = CoreConfig(policy_parser, policy_file).root
     # One id per supported secimage policy entry.
     return [entry.id for entry in policy_root.sec_image_policy.policy]
    def __init__(self, policy_file, env=None):
        """Load the policy file and resolve the enabled policies.

        :param policy_file: path handed to ``CoreConfig`` together with
            ``policy_parser``
        :param env: stored on the instance and passed to ``BuilderUtil``
        """
        self.env = env
        parsed_policy = CoreConfig(policy_parser, policy_file)
        self.policy = parsed_policy.root

        self.builderutil = BuilderUtil(env)

        # The sec image and install policies are both derived from the
        # enabled build policy, so it is resolved first.
        build_policy = self._get_enabled_build_policy()
        self.enabled_build_policy = build_policy
        self.enabled_sec_image_policies = (
            self._get_enabled_sec_image_policies(build_policy))
        self.enabled_install_policies = (
            self._get_enabled_install_policy(build_policy))
    def __init__(self, policy_file, build_policy_id, sign_id, install_base_dir, additional_secimage_policy_ids):
        """Select a build policy from the policy file and collect its sub-policies.

        :param policy_file: path handed to ``CoreConfig`` together with
            ``policy_parser``
        :param build_policy_id: matched against each supported policy's ``id``,
            its lower-cased ``feature_flag``, or ``"sec_policy_" + id``
        :param sign_id: sec image policies that exclude this sign_id are removed
        :param install_base_dir: stored on the instance; when truthy, install
            locations are set for the sec image policies
        :param additional_secimage_policy_ids: optional extra secimage policy
            ids to add on top of those named by the build policy
        :raises: RuntimeError if ``build_policy_id`` matches no supported
            build policy
        """
        root = CoreConfig(policy_parser, policy_file).root
        self.install_base_dir = install_base_dir

        # get all the supported build policies
        supported_build_policies = root.build_policy.policy_enable

        # loop through supported build policies and check that build_policy_id corresponds to one of the supported build policies
        self.policy = None
        supported_build_policy_ids = []

        # get build policy based on provided build_policy_id
        # NOTE: the loop has no break, so when several entries match, the last
        # matching entry in file order is the one kept in self.policy.
        for build_policy in supported_build_policies:
            supported_build_policy_ids.append(build_policy.id)
            if build_policy.id == build_policy_id or build_policy.feature_flag.lower() == build_policy_id or "sec_policy_" + build_policy.id == build_policy_id:
                # found build policy matching specified policy
                self.policy = build_policy
        if self.policy is None:
            # raise error because the provided build_policy_id is not one of the ids specified in the sectools_policy.xml file
            error_message = "Provided build_policy_id \"{0}\" does not match one of the supported build policy ids: {1}".format(build_policy_id, ", ".join(supported_build_policy_ids))
            logger.error(error_message)
            raise RuntimeError(error_message)

        # get the sec image policies
        logger.debug("Getting secimage policies for \"{0}\" build policy...".format(build_policy_id))
        self.sec_image_policies, self.sec_image_policy_ids = BuildPolicy._get_policies(root.sec_image_policy.policy, self.policy.sec_image_policy)
        logger.debug("Secimage policies retrieved for \"{0}\" build policy: {1}".format(build_policy_id, ", ".join(self.sec_image_policy_ids)))

        # get the sec image policies specified by additional_secimage_policy_ids
        if additional_secimage_policy_ids:
            logger.debug("Adding additional secimage policies specified in the environment to the build policy...")
            # The parameter name is rebound here to the ids that _get_policies
            # returns; the third argument is the list of ids already selected
            # (presumably so duplicates are skipped; verify in _get_policies).
            additional_secimage_policies, additional_secimage_policy_ids = BuildPolicy._get_policies(root.sec_image_policy.policy, additional_secimage_policy_ids, self.sec_image_policy_ids)
            # add the additional sec image policies and their ids to the existing sec image lists
            if additional_secimage_policy_ids:
                logger.debug("Additional secimage policies added to \"{0}\" build policy: {1}".format(build_policy_id, ", ".join(additional_secimage_policy_ids)))
                # += extends the existing objects in place rather than
                # rebinding the attributes to new ones.
                self.sec_image_policies += additional_secimage_policies
                self.sec_image_policy_ids += additional_secimage_policy_ids

        # filter out sec image policies that specify an excluded sign_id that matches the provided sign_id
        # The return value is not used, so the helper presumably edits both lists in place; confirm.
        BuildPolicy._remove_policies_for_excluded_sign_ids(self.sec_image_policies, self.sec_image_policy_ids, sign_id)

        # get the install policies
        logger.debug("Getting install policies for \"{0}\" build policy...".format(build_policy_id))
        self.install_policies, self.install_policy_ids = BuildPolicy._get_policies(root.install_policy.policy, self.policy.install_policy)
        logger.debug("Install policies retrieved for \"{0}\" build policy: {1}".format(build_policy_id, ", ".join(self.install_policy_ids)))

        # initialize install locations for sec image policies if installation should be performed
        if self.install_base_dir:
            BuildPolicy._set_install_locations_for_sec_image_policies(self.install_policies, self.sec_image_policies, self.install_base_dir)
예제 #10
 def update_from_data_model(self, data_model):
     """Run ``CoreConfig.transfer`` with ``data_model`` first and ``self.root`` second.

     The argument order suggests data flows from ``data_model`` into this
     config's root node; confirm against ``CoreConfig.transfer``.

     :param data_model: data model object passed to ``CoreConfig.transfer``
     :returns: whatever ``CoreConfig.transfer`` returns
     """
     transferred = CoreConfig.transfer(
         self,
         data_model,
         self.root,
         dm_defines.OBJ_STRUCTURE,
         dm_defines.ROOTNODE_NAME,
         self.config_module,
         defines.XML_CLASSNAME_GEN,
     )
     return transferred
예제 #11
 def update_data_model(self, data_model):
     """Run ``CoreConfig.transfer`` with ``self.root`` first and ``data_model`` second.

     The argument order suggests data flows from this config's root node into
     ``data_model``; confirm against ``CoreConfig.transfer``.

     :param data_model: data model object passed to ``CoreConfig.transfer``
     :returns: whatever ``CoreConfig.transfer`` returns
     """
     transferred = CoreConfig.transfer(
         self,
         self.root,
         data_model,
         dm_defines.OBJ_STRUCTURE,
         dm_defines.ROOTNODE_NAME,
         auto_gen_model,
         dm_defines.OBJ_CLASSNAME_GEN,
     )
     return transferred
예제 #12
 def __init__(self, config_path):
     """Load the config at ``config_path`` with ``auto_gen_fb_config`` and validate it.

     :param config_path: path handed to ``CoreConfig.__init__``
     """
     # Imported at call time rather than at module load.
     import auto_gen_fb_config as fb_config_module

     # Kept on the instance so other methods can reach the parser module.
     self.config_module = fb_config_module
     CoreConfig.__init__(self, fb_config_module, config_path)

     # Validation runs as part of construction.
     self.validate()