scripts/brillo_update_payload

#!/bin/bash

# Copyright 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Script to generate a Brillo update for use by the update engine.
#
# usage: brillo_update_payload COMMAND [ARGS]
# The following commands are supported:
#  generate    generate an unsigned payload
#  hash        generate a payload or metadata hash
#  sign        generate a signed payload
#
#  Generate command arguments:
#  --payload             generated unsigned payload output file
#  --source_image        if defined, generate a delta payload from the specified
#                        image to the target_image
#  --target_image        the target image that should be sent to clients
#  --metadata_size_file  if defined, generate a file containing the size of the payload
#                        metadata in bytes to the specified file
#
#  Hash command arguments:
#  --unsigned_payload    the input unsigned payload to generate the hash from
#  --signature_size      signature sizes in bytes in the following format:
#                        "size1:size2[:...]"
#  --payload_hash_file   if defined, generate a payload hash and output to the
#                        specified file
#  --metadata_hash_file  if defined, generate a metadata hash and output to the
#                        specified file
#
#  Sign command arguments:
#  --unsigned_payload        the input unsigned payload to insert the signatures
#  --payload                 the output signed payload
#  --signature_size          signature sizes in bytes in the following format:
#                            "size1:size2[:...]"
#  --payload_signature_file  the payload signature files in the following
#                            format:
#                            "payload_signature1:payload_signature2[:...]"
#  --metadata_signature_file the metadata signature files in the following
#                            format:
#                            "metadata_signature1:metadata_signature2[:...]"
#  --metadata_size_file      if defined, generate a file containing the size of
#                            the signed payload metadata in bytes to the
#                            specified file
#  Note that the number of signature sizes and payload signatures have to match.

# Load common CrOS utilities.  Inside the chroot this file is installed in
# /usr/lib/crosutils.  This script may also be called from a zipfile, in which
# case common.sh will be in the current directory.
find_common_sh() {
  local thisdir="$(dirname "$(readlink -f "$0")")"
  local common_paths=(/usr/lib/crosutils "${thisdir}")
  local path

  SCRIPT_ROOT="${common_paths[0]}"
  for path in "${common_paths[@]}"; do
    if [[ -r "${path}/common.sh" ]]; then
      SCRIPT_ROOT="${path}"
      break
    fi
  done

  # We have to fake GCLIENT_ROOT in case we're running inside
  # au_zip enviroment. GCLIENT_ROOT detection became fatal.
  [[ "${SCRIPT_ROOT}" == "${thisdir}" ]] && export GCLIENT_ROOT="."
}

find_common_sh
. "${SCRIPT_ROOT}/common.sh" || exit 1

HELP_GENERATE="generate: Generate an unsigned update payload."
HELP_HASH="hash: Generate the hashes of the unsigned payload and metadata used \
for signing."
HELP_SIGN="sign: Insert the signatures into the unsigned payload."

usage() {
  echo "Supported commands:"
  echo
  echo "${HELP_GENERATE}"
  echo "${HELP_HASH}"
  echo "${HELP_SIGN}"
  echo
  echo "Use: \"$0 <command> --help\" for more options."
}

# Check that a command is specified.
if [[ $# -lt 1 ]]; then
  echo "Please specify a command [generate|hash|sign]"
  exit 1
fi

# Parse command.
COMMAND="${1:-}"
shift

case "${COMMAND}" in
  generate)
    FLAGS_HELP="${HELP_GENERATE}"
    ;;

  hash)
    FLAGS_HELP="${HELP_HASH}"
    ;;

  sign)
    FLAGS_HELP="${HELP_SIGN}"
    ;;
  *)
    echo "Unrecognized command: \"${COMMAND}\"" >&2
    usage >&2
    exit 1
    ;;
esac

# Flags
FLAGS_HELP="Usage: $0 ${COMMAND} [flags]
${FLAGS_HELP}"

if [[ "${COMMAND}" == "generate" ]]; then
  DEFINE_string payload "" \
    "Path to output the generated unsigned payload file."
  DEFINE_string target_image "" \
    "Path to the target image that should be sent to clients."
  DEFINE_string source_image "" \
    "Optional: Path to a source image. If specified, this makes a delta update."
  DEFINE_string metadata_size_file "" \
    "Optional: Path to output metadata size."
fi
if [[ "${COMMAND}" == "hash" || "${COMMAND}" == "sign" ]]; then
  DEFINE_string unsigned_payload "" "Path to the input unsigned payload."
  DEFINE_string signature_size "" \
    "Signature sizes in bytes in the following format: size1:size2[:...]"
fi
if [[ "${COMMAND}" == "hash" ]]; then
  DEFINE_string metadata_hash_file "" \
    "Optional: Path to output metadata hash file."
  DEFINE_string payload_hash_file "" \
    "Optional: Path to output payload hash file."
fi
if [[ "${COMMAND}" == "sign" ]]; then
  DEFINE_string payload "" \
    "Path to output the generated unsigned payload file."
  DEFINE_string metadata_signature_file "" \
    "The metatada signatures in the following format: \
metadata_signature1:metadata_signature2[:...]"
  DEFINE_string payload_signature_file "" \
    "The payload signatures in the following format: \
payload_signature1:payload_signature2[:...]"
  DEFINE_string metadata_size_file "" \
    "Optional: Path to output metadata size."
fi
DEFINE_string work_dir "/tmp" "Where to dump temporary files."

# Parse command line flag arguments
FLAGS "$@" || exit 1
eval set -- "${FLAGS_ARGV}"
set -e

# Associative arrays from partition name to file in the source and target
# images. The size of the updated area must be the size of the file.
declare -A SRC_PARTITIONS
declare -A DST_PARTITIONS

# A list of temporary files to remove during cleanup.
CLEANUP_FILES=()

# Global options to force the version of the payload.
FORCE_MAJOR_VERSION=""
FORCE_MINOR_VERSION=""

# read_option_int <file.txt> <option_key> [default_value]
#
# Reads the unsigned integer value associated with |option_key| in a key=value
# file |file.txt|. Prints the read value if found and valid, otherwise prints
# the |default_value|.
read_option_uint() {
  local file_txt="$1"
  local option_key="$2"
  local default_value="${3:-}"
  local value
  if value=$(look "${option_key}=" "${file_txt}" | tail -n 1); then
    if value=$(echo "${value}" | cut -f 2- -d "=" | grep -E "^[0-9]+$"); then
      echo "${value}"
      return
    fi
  fi
  echo "${default_value}"
}

# Create a temporary file in the work_dir with an optional pattern name.
# Prints the name of the newly created file.
create_tempfile() {
  local pattern="${1:-tempfile.XXXXXX}"
  mktemp --tmpdir="${FLAGS_work_dir}" "${pattern}"
}

cleanup() {
  local err=""
  rm -f "${CLEANUP_FILES[@]}" || err=1

  # If we are cleaning up after an error, or if we got an error during
  # cleanup (even if we eventually succeeded) return a non-zero exit
  # code. This triggers additional logging in most environments that call
  # this script.
  if [[ -n "${err}" ]]; then
    die "Cleanup encountered an error."
  fi
}

cleanup_on_error() {
  trap - INT TERM ERR EXIT
  cleanup
  die "Cleanup success after an error."
}

cleanup_on_exit() {
  trap - INT TERM ERR EXIT
  cleanup
}

trap cleanup_on_error INT TERM ERR
trap cleanup_on_exit EXIT


# extract_image <image> <partitions_array>
#
# Detect the format of the |image| file and extract its updatable partitions
# into new temporary files. Add the list of partition names and its files to the
# associative array passed in |partitions_array|.
extract_image() {
  local image="$1"

  # Brillo images are zip files. We detect the 4-byte magic header of the zip
  # file.
  local magic=$(head --bytes=4 "${image}" | hexdump -e '1/1 "%.2x"')
  if [[ "${magic}" == "504b0304" ]]; then
    echo "Detected .zip file, extracting Brillo image."
    extract_image_brillo "$@"
    return
  fi

  # Chrome OS images are GPT partitioned disks. We should have the cgpt binary
  # bundled here and we will use it to extract the partitions, so the GPT
  # headers must be valid.
  if cgpt show -q -n "${image}" >/dev/null; then
    echo "Detected GPT image, extracting Chrome OS image."
    extract_image_cros "$@"
    return
  fi

  die "Couldn't detect the image format of ${image}"
}

# extract_image_cros <image.bin> <partitions_array>
#
# Extract Chromium OS recovery images into new temporary files.
extract_image_cros() {
  local image="$1"
  local partitions_array="$2"

  local kernel root
  kernel=$(create_tempfile "kernel.bin.XXXXXX")
  CLEANUP_FILES+=("${kernel}")
  root=$(create_tempfile "root.bin.XXXXXX")
  CLEANUP_FILES+=("${root}")

  cros_generate_update_payload --extract \
    --image "${image}" \
    --kern_path "${kernel}" --root_path "${root}" \
    --work_dir "${FLAGS_work_dir}" --outside_chroot

  # When generating legacy Chrome OS images, we need to use "boot" and "system"
  # for the partition names to be compatible with updating Brillo devices with
  # Chrome OS images.
  eval ${partitions_array}[boot]=\""${kernel}"\"
  eval ${partitions_array}[system]=\""${root}"\"

  local part varname
  for part in boot system; do
    varname="${partitions_array}[${part}]"
    printf "md5sum of %s: " "${varname}"
    md5sum "${!varname}"
  done
}

# extract_image_brillo <target_files.zip> <partitions_array>
#
# Extract the A/B updated partitions from a Brillo target_files zip file into
# new temporary files.
extract_image_brillo() {
  local image="$1"
  local partitions_array="$2"

  # TODO(deymo): Read the list of partitions from the metadata. We should
  # sanitize the list of partition names to be in [a-zA-Z0-9-]+.
  local partitions=( "boot" "system" )

  if [[ "${partitions_array}" == "SRC_PARTITIONS" ]]; then
    ue_config=$(create_tempfile "ue_config.XXXXXX")
    CLEANUP_FILES+=("${ue_config}")
    if ! unzip -p "${image}" "META/update_engine_config.txt" \
        >"${ue_config}"; then
      warn "No update_engine_config.txt found. Assuming pre-release image, \
using payload minor version 2"
    fi
    FORCE_MINOR_VERSION=$(read_option_uint "${ue_config}" \
      "PAYLOAD_MINOR_VERSION" 2)
  fi

  local part part_file temp_raw filesize
  for part in "${partitions[@]}"; do
    part_file=$(create_tempfile "${part}.img.XXXXXX")
    CLEANUP_FILES+=("${part_file}")
    unzip -p "${image}" "IMAGES/${part}.img" >"${part_file}"

    # If the partition is stored as an Android sparse image file, we need to
    # convert them to a raw image for the update.
    local magic=$(head --bytes=4 "${part_file}" | hexdump -e '1/1 "%.2x"')
    if [[ "${magic}" == "3aff26ed" ]]; then
      temp_raw=$(create_tempfile "${part}.raw.XXXXXX")
      CLEANUP_FILES+=("${temp_raw}")
      echo "Converting Android sparse image ${part}.img to RAW."
      simg2img "${part_file}" "${temp_raw}"
      # At this point, we can drop the contents of the old part_file file, but
      # we can't delete the file because it will be deleted in cleanup.
      true >"${part_file}"
      part_file="${temp_raw}"
    fi

    # delta_generator only supports images multiple of 4 KiB, so we pad with
    # zeros if needed.
    filesize=$(stat -c%s "${part_file}")
    if [[ $(( filesize % 4096 )) -ne 0 ]]; then
      echo "Rounding up partition ${part}.img to multiple of 4 KiB."
      : $(( filesize = (filesize + 4095) & -4096 ))
      truncate --size="${filesize}" "${part_file}"
    fi

    eval "${partitions_array}[\"${part}\"]=\"${part_file}\""
    echo "Extracted ${partitions_array}[${part}]: ${filesize} bytes"
  done
}

validate_generate() {
  [[ -n "${FLAGS_payload}" ]] ||
    die "Error: you must specify an output filename with --payload FILENAME"

  [[ -n "${FLAGS_target_image}" ]] ||
    die "Error: you must specify a target image with --target_image FILENAME"
}

cmd_generate() {
  local payload_type="delta"
  if [[ -z "${FLAGS_source_image}" ]]; then
    payload_type="full"
  fi

  echo "Extracting images for ${payload_type} update."

  extract_image "${FLAGS_target_image}" DST_PARTITIONS
  if [[ "${payload_type}" == "delta" ]]; then
    extract_image "${FLAGS_source_image}" SRC_PARTITIONS
  fi

  echo "Generating ${payload_type} update."
  GENERATOR_ARGS=(
    # Common payload args:
    -out_file="${FLAGS_payload}"
    # Target image args:
    # TODO(deymo): Pass the list of partitions to the generator.
    -new_image="${DST_PARTITIONS[system]}"
    -new_kernel="${DST_PARTITIONS[boot]}"
  )

  if [[ "${payload_type}" == "delta" ]]; then
    GENERATOR_ARGS+=(
      # Source image args:
      -old_image="${SRC_PARTITIONS[system]}"
      -old_kernel="${SRC_PARTITIONS[boot]}"
    )
    if [[ -n "${FORCE_MINOR_VERSION}" ]]; then
      GENERATOR_ARGS+=( --minor_version="${FORCE_MINOR_VERSION}" )
    fi
  fi

  if [[ -n "${FORCE_MAJOR_VERSION}" ]]; then
    GENERATOR_ARGS+=( --major_version="${FORCE_MAJOR_VERSION}" )
  fi

  if [[ -n "${FLAGS_metadata_size_file}" ]]; then
    GENERATOR_ARGS+=( --out_metadata_size_file="${FLAGS_metadata_size_file}" )
  fi

  echo "Running delta_generator with args: ${GENERATOR_ARGS[@]}"
  "${GENERATOR}" "${GENERATOR_ARGS[@]}"

  echo "Done generating ${payload_type} update."
}

validate_hash() {
  [[ -n "${FLAGS_signature_size}" ]] ||
    die "Error: you must specify signature size with --signature_size SIZES"

  [[ -n "${FLAGS_unsigned_payload}" ]] ||
    die "Error: you must specify the input unsigned payload with \
--unsigned_payload FILENAME"

  [[ -n "${FLAGS_metadata_hash_file}" ]] ||
  [[ -n "${FLAGS_payload_hash_file}" ]] ||
    die "Error: you must specify --metadata_hash_file FILENAME \
or --payload_hash_file FILENAME"
}

cmd_hash() {
  if [[ -n "${FLAGS_metadata_hash_file}" ]]; then
    "${GENERATOR}" \
        -in_file="${FLAGS_unsigned_payload}" \
        -signature_size="${FLAGS_signature_size}" \
        -out_metadata_hash_file="${FLAGS_metadata_hash_file}"
  fi

  if [[ -n "${FLAGS_payload_hash_file}" ]]; then
    "${GENERATOR}" \
        -in_file="${FLAGS_unsigned_payload}" \
        -signature_size="${FLAGS_signature_size}" \
        -out_hash_file="${FLAGS_payload_hash_file}"
  fi
  echo "Done generating hash."
}

validate_sign() {
  [[ -n "${FLAGS_signature_size}" ]] ||
    die "Error: you must specify signature size with --signature_size SIZES"

  [[ -n "${FLAGS_unsigned_payload}" ]] ||
    die "Error: you must specify the input unsigned payload with \
--unsigned_payload FILENAME"

  [[ -n "${FLAGS_payload}" ]] ||
    die "Error: you must specify the output signed payload with \
--payload FILENAME"

  [[ -n "${FLAGS_payload_signature_file}" ]] ||
    die "Error: you must specify the payload signature file with \
--payload_signature_file SIGNATURES"

  [[ -n "${FLAGS_metadata_signature_file}" ]] ||
    die "Error: you must specify the metadata signature file with \
--metadata_signature_file SIGNATURES"
}

cmd_sign() {
  GENERATOR_ARGS=(
    -in_file="${FLAGS_unsigned_payload}"
    -signature_size="${FLAGS_signature_size}"
    -signature_file="${FLAGS_payload_signature_file}"
    -metadata_signature_file="${FLAGS_metadata_signature_file}"
    -out_file="${FLAGS_payload}"
  )

  if [[ -n "${FLAGS_metadata_size_file}" ]]; then
    GENERATOR_ARGS+=( --out_metadata_size_file="${FLAGS_metadata_size_file}" )
  fi

  "${GENERATOR}" "${GENERATOR_ARGS[@]}"
  echo "Done signing payload."
}

# TODO: Extract the input zip files once the format is finalized

# Sanity check that the real generator exists:
GENERATOR="$(which delta_generator)"
[[ -x "${GENERATOR}" ]] || die "can't find delta_generator"

case "$COMMAND" in
  generate) validate_generate
            cmd_generate
            ;;
  hash) validate_hash
        cmd_hash
        ;;
  sign) validate_sign
        cmd_sign
        ;;
esac