@@ -626,6 +626,7 @@ board_config() {
626626 DASHARO_REL_VER=" q35/v0.2.0"
627627 # TODO: wait till the binaries will be uploaded to the server.
628628 BIOS_LINK_COMM=" ${FW_STORE_URL} /${DASHARO_REL_NAME} /${DASHARO_REL_VER} /"
629+ BIOS_LINK_COMM_CAP=" ${FW_STORE_URL} /${DASHARO_REL_NAME} /${DASHARO_REL_VER} /"
629630 ;;
630631 * )
631632 print_error " Board model $BOARD_MODEL is currently not supported"
@@ -654,6 +655,14 @@ board_config() {
654655 [ -z " $BIOS_SIGN_LINK_DPP_SEABIOS " && BIOS_SIGN_LINK_DPP_SEABIOS=" ${BIOS_HASH_LINK_DPP_SEABIOS} .sig"
655656 [ -z " $EC_HASH_LINK_COMM " && EC_HASH_LINK_COMM=" ${EC_LINK_COMM} .sha256"
656657 [ -z " $EC_SIGN_LINK_COMM " && EC_SIGN_LINK_COMM=" ${EC_HASH_LINK_COMM} .sig"
658+
659+ # And for capsules as well:
660+ [ -z " $BIOS_HASH_LINK_COMM_CAP " && BIOS_HASH_LINK_COMM_CAP=" ${BIOS_LINK_COMM_CAP} .sha256"
661+ [ -z " $BIOS_SIGN_LINK_COMM_CAP " && BIOS_SIGN_LINK_COMM_CAP=" ${BIOS_SIGN_LINK_COMM_CAP} .sig"
662+ [ -z " $BIOS_HASH_LINK_DPP_CAP " && BIOS_HASH_LINK_DPP_CAP=" ${BIOS_LINK_DPP_CAP} .sha256"
663+ [ -z " $BIOS_SIGN_LINK_DPP_CAP " && BIOS_SIGN_LINK_DPP_CAP=" ${BIOS_HASH_LINK_DPP_CAP} .sig"
664+ [ -z " $EC_HASH_LINK_COMM_CAP " && EC_HASH_LINK_COMM_CAP=" ${EC_LINK_COMM_CAP} .sha256"
665+ [ -z " $EC_SIGN_LINK_COMM_CAP " && EC_SIGN_LINK_COMM_CAP=" ${EC_HASH_LINK_COMM_CAP} .sig"
657666}
658667
659668check_flash_lock () {
@@ -812,40 +821,55 @@ get_signing_keys() {
812821}
813822
814823verify_artifacts () {
824+ # This function checks downloaded files, the files that are being downloaded
825+ # should have hashes provided on the server too. The hashes will ben downloaded
826+ # and the binaries will be verified upon them.
827+ #
828+ # In case of .rom files it will be enough but capsules have additional
829+ # protection layer built in, the binaries they provide will be verified by
830+ # drivers, so no need to implement it here.
815831 local _type=" $1 "
816832 local _update_file=" "
817833 local _hash_file=" "
818834 local _sign_file=" "
819835 local _name=" "
820836 local _sig_result=" "
821837
822- case ${_type} in
823- ec)
824- _update_file=$EC_UPDATE_FILE
825- _hash_file=$EC_HASH_FILE
826- _sign_file=$EC_SIGN_FILE
827- _name=" Dasharo EC"
828- ;;
829- bios)
830- _update_file=$BIOS_UPDATE_FILE
831- _hash_file=$BIOS_HASH_FILE
832- _sign_file=$BIOS_SIGN_FILE
833- _name=" Dasharo"
834- ;;
835- * )
836- ;;
837- esac
838- echo -n " Checking $_name firmware checksum... "
839- sha256sum --check <( echo " $( cat $_hash_file | cut -d ' ' ) " $_update_file ) >> $ERR_LOG_FILE 2>&1
840- error_check " Failed to verify $_name firmware checksum"
841- print_ok " Verified."
842- if [ -n " $PLATFORM_SIGN_KEY " ; then
843- echo -n " Checking $_name firmware signature... "
844- _sig_result=" $( cat $_hash_file | gpg --verify $_sign_file - >> $ERR_LOG_FILE 2>&1 ) "
845- error_check " Failed to verify $_name firmware signature.$'\n'$_sig_result "
838+ while [[ $# -gt 0 ]]; do
839+ case ${_type} in
840+ ec)
841+ _update_file=$EC_UPDATE_FILE
842+ _hash_file=$EC_HASH_FILE
843+ _sign_file=$EC_SIGN_FILE
844+ _name=" Dasharo EC"
845+ shift
846+ ;;
847+ bios)
848+ _update_file=$BIOS_UPDATE_FILE
849+ _hash_file=$BIOS_HASH_FILE
850+ _sign_file=$BIOS_SIGN_FILE
851+ _name=" Dasharo"
852+ shift
853+ ;;
854+ * )
855+ ;;
856+ esac
857+
858+ echo -n " Checking $_name firmware checksum... "
859+ sha256sum --check <( echo " $( cat $_hash_file | cut -d ' ' ) " $_update_file ) >> $ERR_LOG_FILE 2>&1
860+ error_check " Failed to verify $_name firmware checksum"
846861 print_ok " Verified."
847- fi
848- echo " $_sig_result "
862+
863+ if [ -n " $PLATFORM_SIGN_KEY " ; then
864+ echo -n " Checking $_name firmware signature... "
865+ _sig_result=" $( cat $_hash_file | gpg --verify $_sign_file - >> $ERR_LOG_FILE 2>&1 ) "
866+ error_check " Failed to verify $_name firmware signature.$'\n'$_sig_result "
867+ print_ok " Verified."
868+ fi
869+ echo " $_sig_result "
870+ done
871+
872+ return 0
849873}
850874
851875check_intel_regions () {
0 commit comments