release: security: add check routine for restrictive security files e…

…xist

this patch adds checking restrictive files exist in release.sh, build_uboot.sh
and build_ubuntu.sh

Change-Id: I006fde08416e784dde5e745f088700a517202604
Signed-off-by: Jae-young Hwang <[email protected]>

build_uboot.sh

@@ -138,10 +138,29 @@ gen_nexell_image()
 
 
 	if [ "$SECURE_BOOT" == "enable" ] && [ "$RSA_SIGN_TOOL" != "" ] ; then
+		chmod a+x ${RSA_SIGN_TOOL}
 		${RSA_SIGN_TOOL} -sign $TARGET_DIR/${output_file}
 	fi
 }
 
+check_rsa_sign_tool()
+{
+	if [ "${TARGET_BOARD}" == "artik530s" ] || [ "${TARGET_BOARD}" == "artik533s" ] || [ "${TARGET_BOARD}" == "artik710s" ]; then
+		test -e $SECURE_PREBUILT_DIR/${TARGET_BOARD}_codesigner && cp -f $SECURE_PREBUILT_DIR/${TARGET_BOARD}_codesigner ${RSA_SIGN_TOOL}
+		if [ ! -e ${RSA_SIGN_TOOL} ]; then
+			echo -e "\e[1;31mERROR: cannot find ${RSA_SIGN_TOOL}\e[0m"
+			echo -e "\e[1;31mBuild process has been terminated since the mandatory security binaries do not exist in your source code.\e[0m"
+			echo -e "\e[1;31mPlease download those files from artik.io with SLA agreement to continue to build.\e[0m"
+			echo -e "\e[1;31mOnce you download those files, please locate them to the following path.\e[0m"
+			echo -e ""
+			echo -e "\e[1;31m${TARGET_BOARD}_codesigner\e[0m"
+			echo -e "\e[1;31mcopy to ../boot-firmwares-${TARGET_BOARD}/\e[0m"
+
+			exit 1
+		fi
+	fi
+}
+
 trap 'error ${LINENO} ${?}' ERR
 parse_options "$@"
 
@@ -155,6 +174,8 @@ else
 	fi
 fi
 
+check_rsa_sign_tool
+
 test -d $TARGET_DIR || mkdir -p $TARGET_DIR
 
 pushd $UBOOT_DIR

build_ubuntu.sh

@@ -14,6 +14,7 @@ PREBUILT_MODULE_DIR=
 IMG_DIR=
 UBUNTU_NAME=
 PREBUILT_REPO_DIR=
+TARGET_BOARD=
 
 print_usage()
 {
@@ -30,6 +31,7 @@ print_usage()
 	echo "--use-prebuilt-repo	Use prebuilt repository"
 	echo "--img-dir		Image generation directory"
 	echo "-n|--ubuntu-name	Ubuntu image name"
+	echo "-b [TARGET_BOARD]	Target board ex) -b artik710|artik530|artik5|artik10"
 	exit 0
 }
 
@@ -77,6 +79,9 @@ parse_options()
 			-n|--ubuntu-name)
 				UBUNTU_NAME="$2"
 				shift ;;
+			-b)
+				TARGET_BOARD="$2"
+				shift ;;
 			*)
 				shift ;;
 		esac
@@ -186,6 +191,30 @@ find_unused_port()
 	done
 }
 
+restrictive_pkg_check()
+{
+	if [ "$SECURE_PREBUILT_DIR/debs" != "" ]; then
+		cp -f $SECURE_PREBUILT_DIR/debs/*.deb $DEST_DIR/debs
+	fi
+	if [ "${TARGET_BOARD}" == "artik530s" ] || [ "${TARGET_BOARD}" == "artik533s" ] || [ "${TARGET_BOARD}" == "artik710s" ]; then
+		RESTRICTIVE_PKG_LIST=`cat config/${TARGET_BOARD}_secure.list`
+		for l in $RESTRICTIVE_PKG_LIST
+		do
+			if [ "${l##*.}" == "deb" ] && [ ! -f $l ]; then
+				echo -e "\e[1;31mERROR: cannot find ${l}\e[0m"
+				echo -e "\e[1;31mBuild process has been terminated since the mandatory security binaries do not exist in your source code.\e[0m"
+				echo -e "\e[1;31mPlease download those files from artik.io with SLA agreement to continue to build.\e[0m"
+				echo -e "\e[1;31mOnce you download those files, please locate them to the following path.\e[0m"
+				echo -e ""
+				echo -e "\e[1;31mdeb files\e[0m"
+				echo -e "\e[1;31mcopy to ../ubuntu-build-service/prebuilt/${ARCH}/${TARGET_BOARD}/\e[0m"
+
+				exit 1
+			fi
+		done
+	fi
+}
+
 trap abnormal_exit INT ERR
 
 package_check sbuild sponge python3
@@ -202,6 +231,8 @@ if [ "$PREBUILT_REPO_DIR" != "" ]; then
 	cp -rf $PREBUILT_REPO_DIR/* $DEST_DIR/debs
 fi
 
+restrictive_pkg_check
+
 start_local_server $DEST_DIR/debs $PORT
 
 pushd ../

mksdboot.sh

@@ -39,6 +39,7 @@ gen_nexell_image_mon()
 		input_file=bl_mon.img
 
 		if [ "$RSA_SIGN_TOOL" != "" ]; then
+			chmod a+x ${RSA_SIGN_TOOL}
 			${RSA_SIGN_TOOL} -sign $TARGET_DIR/${input_file}
 		fi
 	fi
@@ -54,6 +55,7 @@ gen_nexell_image_secure()
 	fi
 
 	if [ "$RSA_SIGN_TOOL" != "" ]; then
+		chmod a+x ${RSA_SIGN_TOOL}
 		${RSA_SIGN_TOOL} -sign $TARGET_DIR/${input_file}
 	fi
 }

release.sh

@@ -121,6 +121,44 @@ parse_options()
 	done
 }
 
+check_restrictive_pkg()
+{
+	if [ "${TARGET_BOARD}" == "artik530s" ] || [ "${TARGET_BOARD}" == "artik533s" ] || [ "${TARGET_BOARD}" == "artik710s" ]; then
+		if [ "$SECURE_PREBUILT_DIR" != "" ]; then
+			cp -f $SECURE_PREBUILT_DIR/${TARGET_BOARD}_codesigner $PREBUILT_DIR
+			cp -f $SECURE_PREBUILT_DIR/secureos.img $PREBUILT_DIR
+
+			test ! -d $UBUNTU_MODULE_DEB_DIR && mkdir -p $UBUNTU_MODULE_DEB_DIR
+			cp -f $SECURE_PREBUILT_DIR/debs/*.deb $UBUNTU_MODULE_DEB_DIR
+		fi
+		RESTRICTIVE_PKG_LIST=`cat config/${TARGET_BOARD}_secure.list`
+		for l in $RESTRICTIVE_PKG_LIST
+		do
+			if [ $FULL_BUILD ]; then
+				if [ ! -f $l ]; then
+					echo -e "ERROR: cannot find ${l}-\e[0m"
+					echo -e "Build process has been terminated since the mandatory security binaries do not exist in your source code.\e[0m"
+					echo -e "Please download those files from artik.io with SLA agreement to continue to build.\e[0m"
+					echo -e "Once you download those files, please locate them to the following path."
+					echo -e ""
+					echo -e "1. secureos.img or fip-secure.img\e[0m"
+					echo -e "   copy to ../boot-firmwares-${TARGET_BOARD}/\e[0m"
+					echo -e "2. ${TARGET_BOARD}_codesigner"
+					echo -e "   copy to ../boot-firmwares-${TARGET_BOARD}/\e[0m"
+					echo -e "3. deb files\e[0m"
+					echo -e "   copy to ../ubuntu-build-service/prebuilt/${ARCH}/${TARGET_BOARD}/\e[0m"
+
+					exit 1
+				fi
+			else
+				if [ ! -f $l ] && [ "${l##*.}" == "deb" ]; then
+					continue
+				fi
+			fi
+		done
+	fi
+}
+
 package_check()
 {
 	command -v $1 >/dev/null 2>&1 || { echo >&2 "${1} not installed. Please install \"sudo apt-get install $2\""; exit 1; }
@@ -171,6 +209,8 @@ then
 	. $CONFIG_FILE
 fi
 
+check_restrictive_pkg
+
 if [ "$BUILD_DATE" == "" ]; then
 	BUILD_DATE=`date +"%Y%m%d.%H%M%S"`
 fi
@@ -240,7 +280,8 @@ if $FULL_BUILD ; then
 			--arch $BUILD_ARCH --chroot xenial-amd64-${BUILD_ARCH} \
 			--dest-dir $TARGET_DIR $SKIP_UBUNTU_BUILD \
 			--prebuilt-dir ../ubuntu-build-service/prebuilt/$BUILD_ARCH \
-			--img-dir $UBUNTU_IMG_DIR
+			--img-dir $UBUNTU_IMG_DIR \
+			-b ${BUILD_TARGET}
 	else
 		if [ "$FEDORA_PREBUILT_RPM_DIR" != "" ]; then
 			PREBUILD_ADD_CMD="-r $FEDORA_PREBUILT_RPM_DIR"