Message ID | 20191023211101.16591-13-adrian.freihofer@siemens.com |
---|---|
State | Changes Requested |
Hi Adrian,

On 23.10.19 at 23:11, Adrian Freihofer wrote:
> In case of signed and/or encrypted images the corresponding keys and
> certificates need to be installed into the image.
>
> If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
> the image (not only for the image-update) as well, the required
> certificate and key files get installed and the -k and the -K parameter
> are added to the swupdate configuration.
>
> Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> --- > README | 9 ++++++++- > classes/swupdate-enc.bbclass | 26 ++++++++++++++++++++++++++ > 2 files changed, 34 insertions(+), 1 deletion(-) > > diff --git a/README b/README > index ffc8f33..eb8904e 100644 > --- a/README > +++ b/README > @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment: > > * Set variable: `SWUPDATE_SIGNING = "CMS"` > > - * Set `SWUPDATE_CMS_CERT` to the full path of certificate file > + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file. > + Settings this variable for the swu image (inherit swupdate) configures the > + build system to create signed images. > + Setting this variable for the image included in the swu archive, leads to > + an image which is ready to verify the signature of an image in a swu archive > + at run-time. The certificate gets installed and the -k parameter > + gets added to the command line arguments for swupdate. This requires to > + inherit swupdate-enc. This works with systemd but not with init scripts yet. > > * Set `SWUPDATE_CMS_KEY ` to the full path of private key file > > diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass > index 198ae98..95ad636 100644 > --- a/classes/swupdate-enc.bbclass > +++ b/classes/swupdate-enc.bbclass
> @@ -23,3 +23,29 @@ CONVERSIONTYPES += "enc" > > CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" > CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" > + > + > +# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT > +# and SWUPDATE_AES_FILE need to be defined for the image and the update-image. > +install_key_and_cert() { > + # Install the image signature verification certificate > + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then > + install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${libdir}/swupdate/image-signing.cert.pem

Is this the correct path for a certificate?

Regards
Stefan
Hi Stefan,

Maybe yes, because it just works. Maybe no, because a user has a reason to store the certificate somewhere else. This is still the default. This new way to install the security-relevant certificates is opt-in. The code here becomes active when the SWUPDATE_CMS_CERT variable is set for the image. It's up to the user to set this variable only for the swu recipe (as before) or for both (new opt-in), the swu and the image recipe. I tried to explain this in the README. Providing a variable for the certificate path might be a potential improvement.

Regards,
Adrian

On Thursday, 24 October 2019 at 10:51:47 UTC+2, Stefan Herbrechtsmeier wrote:
>
> Hi Adrian,
>
> On 23.10.19 at 23:11, Adrian Freihofer wrote:
> > In case of signed and/or encrypted images the corresponding keys and
> > certificates need to be installed into the image.
> >
> > If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
> > the image (not only for the image-update) as well, the required
> > certificate and key files get installed and the -k and the -K parameter
> > are added to the swupdate configuration.
> >
> > Signed-off-by: Adrian Freihofer <adrian....@siemens.com>
> > --- > > README | 9 ++++++++- > > classes/swupdate-enc.bbclass | 26 ++++++++++++++++++++++++++ > > 2 files changed, 34 insertions(+), 1 deletion(-) > > > > diff --git a/README b/README > > index ffc8f33..eb8904e 100644 > > --- a/README > > +++ b/README
> > @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by > meta-swupdate at the moment: > > > > * Set variable: `SWUPDATE_SIGNING = "CMS"` > > > > - * Set `SWUPDATE_CMS_CERT` to the full path of certificate file > > + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file. > > + Settings this variable for the swu image (inherit swupdate) > configures the > > + build system to create signed images. > > + Setting this variable for the image included in the swu archive, > leads to > > + an image which is ready to verify the signature of an image in a > swu archive > > + at run-time. The certificate gets installed and the -k parameter > > + gets added to the command line arguments for swupdate. This > requires to > > + inherit swupdate-enc. This works with systemd but not with init > scripts yet. > > > > * Set `SWUPDATE_CMS_KEY ` to the full path of private key file > > > > diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass > > index 198ae98..95ad636 100644 > > --- a/classes/swupdate-enc.bbclass > > +++ b/classes/swupdate-enc.bbclass > > @@ -23,3 +23,29 @@ CONVERSIONTYPES += "enc" > > > > CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" > > CONVERSION_CMD_enc="swu_encrypt_file > ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} > ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" > > + > > + > > +# To get the keys and certificates installed the variables > SWUPDATE_CMS_CERT > > +# and SWUPDATE_AES_FILE need to be defined for the image and the > update-image. > > +install_key_and_cert() { > > + # Install the image signature verification certificate > > + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then > > + install -m 0600 ${SWUPDATE_CMS_CERT} > ${IMAGE_ROOTFS}${libdir}/swupdate/image-signing.cert.pem
>
> Is this the correct path for a certificate?
>
> Regards
> Stefan
>
Hi Adrian,

On 24.10.19 at 13:38, adrian.freihofer@gmail.com wrote:
> Hi Stefan,
>
> Maybe yes, because it just works.

Every path will work but we should use a common one because most people will use it. I wonder why you use the libdir instead of the datadir.

Regards
Stefan
diff --git a/README b/README index ffc8f33..eb8904e 100644 --- a/README +++ b/README @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment: * Set variable: `SWUPDATE_SIGNING = "CMS"` - * Set `SWUPDATE_CMS_CERT` to the full path of certificate file + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file. + Settings this variable for the swu image (inherit swupdate) configures the + build system to create signed images. + Setting this variable for the image included in the swu archive, leads to + an image which is ready to verify the signature of an image in a swu archive + at run-time. The certificate gets installed and the -k parameter + gets added to the command line arguments for swupdate. This requires to + inherit swupdate-enc. This works with systemd but not with init scripts yet. * Set `SWUPDATE_CMS_KEY ` to the full path of private key file diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass index 198ae98..95ad636 100644 --- a/classes/swupdate-enc.bbclass +++ b/classes/swupdate-enc.bbclass 
@@ -23,3 +23,29 @@ CONVERSIONTYPES += "enc" CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" + + +# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT +# and SWUPDATE_AES_FILE need to be defined for the image and the update-image. +install_key_and_cert() { + # Install the image signature verification certificate + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then + install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${libdir}/swupdate/image-signing.cert.pem + echo 'SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/image-signing.cert.pem"' > ${WORKDIR}/80-enable-sign-images + install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi + + # Install the key to decrypt update images + if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then + key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + if [ -z ${key} ] || [ -z ${iv} ]; then + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" + fi + echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key + install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${libdir}/swupdate + echo 'SWUPDATE_ARGS="${SWUPDATE_ARGS} -K /usr/lib/swupdate/image-enc-aes.key"' > ${WORKDIR}/81-enable-enc-images + install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi +} +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'
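Review bot: The README hunk documents only `SWUPDATE_CMS_CERT` and the `-k` parameter, although `install_key_and_cert` in the bbclass hunk also reacts to `SWUPDATE_AES_FILE` and adds `-K`; the README should describe that variable's effect on the image recipe as well, including that the AES key and IV are then written into the root filesystem under `${libdir}/swupdate`. In the added lines, "Settings this variable" should read "Setting this variable", and "This requires to inherit swupdate-enc" reads better as "This requires inheriting swupdate-enc".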
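Review bot: In `install_key_and_cert` the files are installed under `${IMAGE_ROOTFS}${libdir}/swupdate`, but the two generated `SWUPDATE_ARGS` lines hardcode `/usr/lib/swupdate/...`, so the `-k` and `-K` paths will not match the installed files whenever `libdir` is not `/usr/lib`; derive both the install destination and the argument from the same variable, which would also make it easy to answer the thread's question by switching to `datadir` or a configurable path. The function relies on `${libdir}/swupdate` and `${libdir}/swupdate/conf.d` already existing in the rootfs; an `install -d` before the first `install -m` would remove that dependency. The tests `[ -z ${key} ] || [ -z ${iv} ]` should quote their operands, and `${WORKDIR}/image-enc-aes.key` is created by `echo` with the default umask before it is installed with mode 0600, so the intermediate copy of the key and IV can be more widely readable on the build host than the installed one.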
In case of signed and/or encrypted images the corresponding keys and certificates need to be installed into the image.

If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for the image (not only for the image-update) as well, the required certificate and key files get installed and the -k and the -K parameter are added to the swupdate configuration.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>

---
 README | 9 ++++++++-
 classes/swupdate-enc.bbclass | 26 ++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)