bitfrost device-tree patch

Martin Langhoff Wed, 31 Aug 2011 12:15:11 -0700

Here's my patch -- trivial, tested, works correctly.

If you feel like bikeshedding, olpc-utils' olpc-test-devkey has
perhaps a better take on it, keeping less state and trying /ofw and
/proc/device-tree each time. Easier maintenance, a tad more runtime.




m
-- 
 [email protected] -- Software Architect - OLPC
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff

diff --git a/bitfrost/leases/keys.py b/bitfrost/leases/keys.py
index 468e875..ad5e3ca 100644
--- a/bitfrost/leases/keys.py
+++ b/bitfrost/leases/keys.py
@@ -17,8 +17,14 @@ from __future__ import with_statement
 import binascii
 import os
 
-def _get_ofw_key (keyname):
-    path = os.path.join("/ofw/mfg-data", keyname)
+def _find_dt():
+    for path in ('/proc/device-tree', '/ofw'):
+        if os.path.exists(path):
+            return path
+    return None
+
+def _get_ofw_key (dt, keyname):
+    path = os.path.join(dt, "mfg-data", keyname)
     if not os.path.exists(path):
         return None
     with open(path) as f:
@@ -27,9 +33,9 @@ def _get_ofw_key (keyname):
         keystr += "\n"
         return keystr
 
-def _update_from_ofw (prefix, keys):
+def _update_from_ofw (dt, prefix, keys):
     # the x0 key overrides the OLPC one
-    override_key = _get_ofw_key(prefix + "0")
+    override_key = _get_ofw_key(dt, prefix + "0")
     if override_key is not None:
         # remove OLPC key (in-place)
         keys.pop(0)
@@ -39,7 +45,7 @@ def _update_from_ofw (prefix, keys):
 
     # add the augment keys (x1...x9)
     for x in range(1, 10):
-        key = _get_ofw_key(prefix + str(x))
+        key = _get_ofw_key(dt, prefix + str(x))
         if key is not None:
             keys.append(key)
 
@@ -47,8 +53,9 @@ def _update_from_ofw (prefix, keys):
 # On import, we run _update_from_ofw() for each key type to optionally add
 # augment keys, and optionally override the OLPC root key.
 
-# First, a crude check to ensure that OFW is available.
-if not os.path.exists("/ofw/mfg-data"):
+# First, a quick check to ensure that the device tree showing OFW data is available.
+dt = _find_dt()
+if dt is None:
     raise Exception("OFW is not mounted, cannot read deployment keys")
 
 """OLPC's root trusted public keys."""
@@ -56,30 +63,30 @@ if not os.path.exists("/ofw/mfg-data"):
 DEVELOPER_KEYS = [ 'key01: 3082010a0282010100c80495c05c33b4fa5effd0281082540c0192f764e95ac77ea71f69583fc4ce1e0688c785a5b4f6a8697b8cac3e98b228dcf13d0da476bb8735903c8091c5eee9e229d85640cbfcf01206ab0b79d156b5a6abf8d2e4cb8e595c7218ef6d684aadefd194eb8beeebf2692085853aa1ee601f0bc2e28164c963cf1737e107e4c93ea85b215c51076a49cc83a58f51ee229d150825cf2df5ab5f5eff6736d1a8624433d2b200c05172042789f7f19e4d9e73b4fce1b2649aedb1fdf6fa95e200995c990eb19847b6dd3de64376b8a98964ca6bb4bf880616d9648bb515bc125be7e10bfabecf74807b41cf2a824253897ed564940947928655614f898400f8a503ad0203010001\n' ]
 """Authorized key(s) for signing developer keys."""
 
-_update_from_ofw('d', DEVELOPER_KEYS)
+_update_from_ofw(dt, 'd', DEVELOPER_KEYS)
 
 LEASE_KEYS = [ 'key01: 3082010a0282010100ca8cdf76bf9ce5006f45b20cbd6ad37d0064d6dcca5042bb8cda7db6bdb631fd545ba346918f536d8df2242687e22ec48e0f469a03800506d624b46c6aa3d6a8266cb22a06d485e307c65f08468f3f5f38a19cfff6f43b73d75ac6fa7ec060f846d92582cf953f8dadb048460536c7d95a8f8c174ea54bd950b8a58948ee75dca35d90499414321ba981d5039abfce7031da34f1068138f6dcbb3fb97060f73c0a95d3f8165fda29bbcc2f98005ec4a8496d89ce7ac2e2b70e441e077fceb465471e6539b94f72477fa6fa49c530fae99966a1472f44e91a65441dcc68db92b80a08eb8c9499c44526580ffa6b4738a8e636735bfd29482c309db486fc1e5da90203010001\n' ]
 """Authorized key(s) for signing activation leases."""
 
-_update_from_ofw('a', LEASE_KEYS)
+_update_from_ofw(dt, 'a', LEASE_KEYS)
 
 OS_KEYS = [ 'key01: 3082010a0282010100ad924c04cc4b912c0365ce7764caa2800756ffea5d6dcc2103a0f856c465dfbb068ac5829470484d18f8fabf6af64608a047d3b5f73ed3ea9ee0d0d50198a11f7b500077d91f95c280eecf8e80b5ea86994d9d6886c6aba95b1b73944ded3bb35a78eb8713708be728a1bae3af029ae7f96417eda700ca09f041c36793d905427c1a2fd947060d8a3a1c0174a6ee4c84ea21091d4331b00e37f1488681d859658c99824454c7c0a55facd1635743a540d3ba902a88e3c997ec329ddd20909da3e8885ceae2485e7c43c9ee2ae13babc36f54913e8fe22bbef5b3477ad9034dfbaeb23129587ed1f5d16e6428072c032e06dcf496d904bb35e71bcea598c7a9870203010001\n' ]
 """Authorized key(s) for signing OS images."""
 
-_update_from_ofw('o', OS_KEYS)
+_update_from_ofw(dt, 'o', OS_KEYS)
 
 FW_KEYS = [ 'key01: 3082010a0282010100b330c05b77da52d97251b49a0f86b90e1544c4e5205cf03dc23a426cdde482fce417082801f57234c612f81ee12abe4091b6fe37f0f796cd776b40a515a89768499c22d295b7d9981a9e133a38b2819747c587af962969c21421cb4407aa026927db2aec682da63b6658bdebed155b98fe5ae35e62994aa925f6957e9eba2fc43e5a562979dc212a7ea972e7da3e8f874ef88a88369fd72c96630d04212a4bc9eb8a2cfa3e3c67a4d25eb3809c2f22803667dab2e7a0d9cb9e5b959552c63f1b011a925aede5ab50ff0e18ebd8731493b3550f7303888a0e84aada4fcfc64616f2019c9597e72984cfee4157d1b18330e5f6b9219c6ddf0e699764a87c7f684d0203010001\n' ]
 """Authorized key(s) for signing firmware images."""
 
-_update_from_ofw('w', FW_KEYS)
+_update_from_ofw(dt, 'w', FW_KEYS)
 
 FS_KEYS = [ 'key01: 3082010a0282010100b901f5b4aefe024036c781735d4a1b593f480a84ad9267734dcca5b346d15257f76ed05e9fc011a1d5a00c23f07b5eb45219936d24ce9aabbd8f2f26e9133bd8ccc2ee71c79c977cf8510ab1d38a8a553b103ec9e30388c35ee2b00b167c2288ba76170a968287396606f64b4f1dd40bd223a552421fd9be4ad4f6729187145ebf6827da378bdb5644c873703cd793e735761bb7214008991d909dc72abb6bdc07548f98303e470351f7fddac9ec0d989e20cd350414d8eaa82196eb5c89a5555879ae6c785d1c0ee1fb85e0b8012db2424ff3e3c3bfb75db9a607b79c7dcd80697788b0c549db67e9a6f198be22b03e84dedd69b834ba67d42e017d2f1ef08f0203010001\n' ]
 """Authorized key(s) for signing filesystem reflash images."""
 
-_update_from_ofw('s', FS_KEYS)
+_update_from_ofw(dt, 's', FS_KEYS)
 
 OATS_KEYS = [ 'key01: 3082010a0282010100be54bad485ae2d2c16c37f118ddec6f891ddea69a18505d9c663b6b0f6c6412e6873d14b09ce67e79e31ca92227e2a916f423e81612e47dc2f9f661338f3414f0a809e97a5022a52948e78d7db449d431f637c5119b3ca44fbc70f7c51ca969fd9e7bd6af5f1ac459571f453518e16551950140fc28f677b5e0283c8bddd39b28820dc01875cf513f53f630430c4d261950b22dff46930fb91f832bee8cad224f7f028f435c1ea1be9046fb1c02fca10235fb81af7f65548af7330b0e2c0e096c9101d4301ad078bf50b0190e7981642f22d48a17c5098cadf0a42bafb51b77ff216306a7d1b390f392066987f9189b9f019f5bca998865007674e53d9413b3b0203010001\n' ]
 """Authorized key(s) for theft-deterrence/update server replies."""
 
-_update_from_ofw('t', OATS_KEYS)
+_update_from_ofw(dt, 't', OATS_KEYS)
 
diff --git a/bitfrost/update/actutils.py b/bitfrost/update/actutils.py
index 1d9e18f..fda558d 100644
--- a/bitfrost/update/actutils.py
+++ b/bitfrost/update/actutils.py
@@ -142,11 +142,11 @@ class BundleHelper(object):
             # activity was a favorite.
             ainfo = registry.get_activity(self.bundle.get_bundle_id())
             favorite = ainfo.favorite
-            registry.upgrade(self.bundle)
+            self.bundle.upgrade()
         else:
             # newly installed activities will be favorites
             favorite = True
-            registry.install(self.bundle)
+            self.bundle.install()
         # set favorites flag for the new bundle-id/version.
         registry.set_bundle_favorite(self.bundle.get_bundle_id(),
                                      self.bundle.get_activity_version(),
diff --git a/bitfrost/update/setup.py b/bitfrost/update/setup.py
index 9800a14..5817940 100644
--- a/bitfrost/update/setup.py
+++ b/bitfrost/update/setup.py
@@ -281,14 +281,22 @@ def check_signature(data, signature, valid_keys, sn):
     # signature is good!
     return True
 
+def find_dt():
+    for path in ('/proc/device-tree', '/ofw'):
+        if os.path.exists(path):
+            return path
+    return None
+
 def check_signed_build(new_root):
     """Check that either the user has a developer key, or the
     downloaded build has a signed OS."""
-    if not os.path.exists('/ofw/mfg-data/wp'): return True # security disabled
-    if os.path.exists('/ofw/mfg-data/dk'): return True # perma-dev key
+
+    dt = find_dt()
+    if not os.path.exists(dt+'/mfg-data/wp'): return True # security disabled
+    if os.path.exists(dt+'/mfg-data/dk'): return True # perma-dev key
     # read serial number & UUID, so we can check the signature / dev key.
-    sn = open('/ofw/mfg-data/SN').read().rstrip("\n\0")
-    uuid = open('/ofw/mfg-data/U#').read().rstrip("\n\0")
+    sn = open(dt+'/mfg-data/SN').read().rstrip("\n\0")
+    uuid = open(dt+'/mfg-data/U#').read().rstrip("\n\0")
     if os.path.exists('/security/develop.sig'):
         for devkey in open('/security/develop.sig'):
             try:
diff --git a/setup.py b/setup.py
index 9fbfbee..1e06bea 100644
--- a/setup.py
+++ b/setup.py
@@ -1,6 +1,6 @@
 from distutils.core import setup
 setup(name='bitfrost',
-      version="1.0.10",
+      version="1.0.14",
       description='OLPC bitfrost security modules',
       author='C. Scott Ananian',
       author_email='[email protected]',

_______________________________________________
Devel mailing list
[email protected]
http://lists.laptop.org/listinfo/devel

bitfrost device-tree patch

Reply via email to