#!/bin/bash
#
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Working directory that holds the downloaded archives, the certificate files
# and the placeholder key.
readonly GPU_DRIVER_SIGNING_DIR="/build/sign-gpu-driver"

# File names of the two signature archives (GPU driver and precompiled GPU
# driver).
readonly GPU_DRIVER_SIGNATURE="gpu-driver-signature.tar.gz"
readonly GPU_PRECOMPILED_DRIVER_SIGNATURE="gpu-precompiled-driver-signature.tar.gz"

# Certificate file names, looked up inside GPU_DRIVER_SIGNING_DIR: the PEM
# path is handed out by get_public_key_pem, the DER file is what
# load_public_key feeds to keyctl.
readonly GPU_DRIVER_PUBLIC_KEY_DER="gpu-driver-cert.der"
readonly GPU_DRIVER_PUBLIC_KEY_PEM="gpu-driver-cert.pem"

# Name of an empty placeholder file, not real key material: it is created
# with touch because the signatures already exist and nothing is signed here.
readonly GPU_DRIVER_PRIVATE_KEY="dummy-key"
# Fetch one artifact from below a URL prefix into the signing directory.
# Globals:   GPU_DRIVER_SIGNING_DIR (read)
# Arguments: $1 - URL prefix; the file name is appended after a "/"
#            $2 - artifact file name, also used as the local file name
# Returns:   the status of download_content_from_url
download_artifact_from_gcs() {
  local -r url_prefix="$1"
  local -r artifact="$2"
  # The artifact name is joined into the local path unchanged. The callers
  # visible in this file pass only the fixed archive-name constants.
  # NOTE(review): no checksum or signature check on the downloaded file
  # happens here; whether download_content_from_url does one is not visible
  # from this file - confirm.
  download_content_from_url \
    "${url_prefix}/${artifact}" \
    "${GPU_DRIVER_SIGNING_DIR}/${artifact}" \
    "${artifact}"
}
# Best-effort download of the signature archives into the signing directory.
# Globals:   GPU_DRIVER_SIGNING_DIR, GPU_DRIVER_SIGNATURE,
#            GPU_PRECOMPILED_DRIVER_SIGNATURE (all read)
# Arguments: $1 - URL prefix the archives are fetched from
# Returns:   0 in every case; download failures are deliberately swallowed,
#            so callers have to check for the files (has_driver_signature /
#            has_precompiled_driver_signature) rather than this status.
download_driver_signature() {
  local -r url_prefix="$1"
  mkdir -p "${GPU_DRIVER_SIGNING_DIR}"
  # The GPU driver signature is tried first. When it cannot be fetched the
  # precompiled driver signature must not exist either, so the second request
  # is skipped to save latency.
  if download_artifact_from_gcs "${url_prefix}" "${GPU_DRIVER_SIGNATURE}"; then
    # The precompiled driver signature is optional; a failure is ignored.
    download_artifact_from_gcs "${url_prefix}" "${GPU_PRECOMPILED_DRIVER_SIGNATURE}" || true
  fi
  return 0
}
# Report whether the GPU driver signature archive is present.
# Globals: GPU_DRIVER_SIGNING_DIR, GPU_DRIVER_SIGNATURE (read)
# Returns: 0 if the archive exists as a regular file, non-zero otherwise.
#          Only existence is tested, not content or integrity.
has_driver_signature() {
  local -r archive="${GPU_DRIVER_SIGNING_DIR}/${GPU_DRIVER_SIGNATURE}"
  [[ -f "${archive}" ]]
}
# Report whether the precompiled GPU driver signature archive is present.
# Globals: GPU_DRIVER_SIGNING_DIR, GPU_PRECOMPILED_DRIVER_SIGNATURE (read)
# Returns: 0 if the archive exists as a regular file, non-zero otherwise.
#          Only existence is tested, not content or integrity.
has_precompiled_driver_signature() {
  local -r archive="${GPU_DRIVER_SIGNING_DIR}/${GPU_PRECOMPILED_DRIVER_SIGNATURE}"
  [[ -f "${archive}" ]]
}
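# Unpack the downloaded signature archive inside the signing directory and
# create the placeholder private-key file.
# Globals:   GPU_DRIVER_SIGNING_DIR, GPU_DRIVER_SIGNATURE,
#            GPU_PRECOMPILED_DRIVER_SIGNATURE, GPU_DRIVER_PRIVATE_KEY (read)
# Outputs:   pushd/popd print the directory stack to stdout
# Returns:   0 when an archive was extracted and the placeholder key created;
#            1 when no archive is present, the directory cannot be entered or
#            left, or tar fails. The status of touch is returned last.
decompress_driver_signature() {
  if ! has_driver_signature && ! has_precompiled_driver_signature; then
    return 1
  fi

  # The precompiled-driver archive takes precedence when both are present.
  local archive="${GPU_DRIVER_SIGNATURE}"
  if has_precompiled_driver_signature; then
    archive="${GPU_PRECOMPILED_DRIVER_SIGNATURE}"
  fi

  # NOTE(review): the archive is unpacked as downloaded; nothing in this
  # function authenticates it. Confirm that the download path or a later
  # consumer of the extracted files does.
  pushd "${GPU_DRIVER_SIGNING_DIR}" || return 1
  # Capture tar's status instead of dropping it, so that a truncated or
  # corrupt archive is reported as a failure. The directory stack is restored
  # before the status is acted on.
  local extract_status=0
  tar xzf "${archive}" || extract_status=$?
  popd || return 1
  if [[ "${extract_status}" -ne 0 ]]; then
    return 1
  fi

  # Create a dummy private key. No private key is needed to sign the driver
  # because the signature already exists.
  touch "${GPU_DRIVER_SIGNING_DIR}/${GPU_DRIVER_PRIVATE_KEY}"
}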
# Print the path of the placeholder private-key file.
# Globals: GPU_DRIVER_SIGNING_DIR, GPU_DRIVER_PRIVATE_KEY (read)
# Outputs: the path on stdout, followed by a newline. The file at that path
#          is an empty stand-in created by decompress_driver_signature, not
#          key material.
get_private_key() {
  printf '%s\n' "${GPU_DRIVER_SIGNING_DIR}/${GPU_DRIVER_PRIVATE_KEY}"
}
# Print the path of the PEM-encoded GPU driver certificate.
# Globals: GPU_DRIVER_SIGNING_DIR, GPU_DRIVER_PUBLIC_KEY_PEM (read)
# Outputs: the path on stdout, followed by a newline. The file's existence
#          is not checked here.
get_public_key_pem() {
  printf '%s\n' "${GPU_DRIVER_SIGNING_DIR}/${GPU_DRIVER_PUBLIC_KEY_PEM}"
}
# Add the DER-encoded GPU driver certificate to the kernel's
# .secondary_trusted_keys keyring as an asymmetric key named "gpu_key".
# Globals: GPU_DRIVER_SIGNING_DIR, GPU_DRIVER_PUBLIC_KEY_DER (read)
# Returns: the status of keyctl; non-zero without running keyctl when the
#          DER file cannot be opened for the redirection.
load_public_key() {
  local -r der_cert="${GPU_DRIVER_SIGNING_DIR}/${GPU_DRIVER_PUBLIC_KEY_DER}"
  info "Loading GPU driver public key to system keyring."
  # "padd" takes the key payload from stdin, so the certificate is
  # redirected in rather than passed as an argument.
  # NOTE(review): a key in this keyring widens what the kernel trusts, and
  # this function does no validation of the DER file itself. Presumably the
  # kernel only links certificates vouched for by an already trusted key -
  # confirm for the target kernel configuration. Callers should treat a
  # non-zero status as "key not trusted".
  /bin/keyctl padd asymmetric "gpu_key" %keyring:.secondary_trusted_keys \
    < "${der_cert}"
}