[meta-swupdate,v2,12/12] swupdate: install key, cert
diff mbox series

Message ID 20191024185635.31754-13-adrian.freihofer@siemens.com
State Changes Requested
Headers show
Series
  • Untitled series #138474
Related show

Commit Message

Freihofer, Adrian Oct. 24, 2019, 6:56 p.m. UTC
In case of singed and/or encrypted images the corresponding keys and
certificates need to be installed into the image.

If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
the image (not only for the image-update) as well, the required
certificate and key files get installed and the -k and the -K paramter
are added to the swupdate configuration.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 README                       |  9 ++++++++-
 classes/swupdate-enc.bbclass | 28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

Comments

Stefano Babic Oct. 28, 2019, 2:49 p.m. UTC | #1
Hi Adrian,

On 24/10/19 20:56, Adrian Freihofer wrote:
> In case of singed and/or encrypted images the corresponding keys and
> certificates need to be installed into the image.
> 
> If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
> the image (not only for the image-update) as well, the required
> certificate and key files get installed and the -k and the -K paramter
> are added to the swupdate configuration.

Of course, when we use encrypted artifacts and or signed image, the next
step is where the keys must be stored.

Your proposal covers just one use case. In fact, the keys (CMS
certificate or RSA public key and AES symmetric key) are stored into the
rootfs. However, there are a lot of cases where the keys are not part of
the rootfs. Let's start with another use case. Someone wants to be able
to upgrade the certificate, someone not. For the frst case, putting them
into rootfs is ok, because each update will mean to renew the
certificates. Someone else wants to fix the certificate and push it on a
read-only device, that are set by the factory. For example, on I2C or
SPI Eprom, and the write pin of the chip is not connected. This case
will be forbidden with your changes, because certificate and AES key are
part of rootfs. So yes, this patch makes life easier for one use case,
but it makes much difficult for some other cases. So I cannot say if
keys should be part of rootfs, it depends on requirements. It looks to
me easier if CMS / RSA / AES are put into a separate package and this
can be installed into rootfs or into another image.

Best regards,
Stefano Babic


> 
> Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> ---
>  README                       |  9 ++++++++-
>  classes/swupdate-enc.bbclass | 28 ++++++++++++++++++++++++++++
>  2 files changed, 36 insertions(+), 1 deletion(-)
> 
> diff --git a/README b/README
> index ffc8f33..eb8904e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment:
>  
>    * Set variable: `SWUPDATE_SIGNING = "CMS"`
>  
> -  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file
> +  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file.
> +    Settings this variable for the swu image (inherit swupdate) configures the
> +    build system to create signed images.
> +    Setting this variable for the image included in the swu archive, leads to
> +    an image which is ready to verify the signature of an image in a swu archive
> +    at run-time. The certificate gets installed and the -k parameter
> +    gets added to the command line arguments for swupdate. This requires to
> +    inherit swupdate-enc. This works with systemd but not with init scripts yet.
>  
>    * Set `SWUPDATE_CMS_KEY ` to the full path of private key file
>  
> diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
> index 198ae98..a7c4916 100644
> --- a/classes/swupdate-enc.bbclass
> +++ b/classes/swupdate-enc.bbclass
> @@ -23,3 +23,31 @@ CONVERSIONTYPES += "enc"
>  
>  CONVERSION_DEPENDS_enc = "openssl-native coreutils-native"
>  CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc"
> +
> +
> +# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT
> +# and SWUPDATE_AES_FILE need to be defined for the image and the update-image.
> +install_key_and_cert() {
> +    # Install the image signature verification certificate
> +    if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then
> +        install -d ${IMAGE_ROOTFS}${datadir}/swupdate
> +        install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem
> +        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images
> +        install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
> +    fi
> +
> +    # Install the key to decrypt update images
> +    if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then
> +        key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
> +        iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
> +        if [ -z ${key} ] || [ -z ${iv} ]; then
> +            bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
> +        fi
> +        install -d ${IMAGE_ROOTFS}${datadir}/swupdate
> +        echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key
> +        install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate
> +        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images
> +        install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
> +    fi
> +}
> +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'
>
Adrian Freihofer Oct. 28, 2019, 8:54 p.m. UTC | #2
Hi Stefano

Am Montag, 28. Oktober 2019 15:49:40 UTC+1 schrieb Stefano Babic:
>
> Hi Adrian, 
>
> On 24/10/19 20:56, Adrian Freihofer wrote: 
> > In case of singed and/or encrypted images the corresponding keys and 
> > certificates need to be installed into the image. 
> > 
> > If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for 
> > the image (not only for the image-update) as well, the required 
> > certificate and key files get installed and the -k and the -K paramter 
> > are added to the swupdate configuration. 
>
> Of course, when we use encrypted artifacts and or signed image, the next 
> step is where the keys must be stored. 
>
> Your proposal covers just one use case. In fact, the keys (CMS 
> certificate or RSA public key and AES symmetric key) are stored into the 
> rootfs. However, there are a lot of cases where the keys are not part of 
> the rootfs. Let's start with another use case. Someone wants to be able 
> to upgrade the certificate, someone not. For the frst case, putting them 
> into rootfs is ok, because each update will mean to renew the 
> certificates. Someone else wants to fix the certificate and push it on a 
> read-only device, that are set by the factory. For example, on I2C or 
> SPI Eprom, and the write pin of the chip is not connected. This case 
> will be forbidden with your changes, because certificate and AES key are 
> part of rootfs. So yes, this patch makes life easier for one use case, 
> but it makes much difficult for some other cases. So I cannot say if 
> keys should be part of rootfs, it depends on requirements. It looks to 
> me easier if CMS / RSA / AES are put into a separate package and this 
> can be installed into rootfs or into another image.
>
 
Of course, there are different ways to store the keys and certificates on 
the device.
Would you like to add this, if I would move it to a separate class? This 
would enable the user to inherit the class only if it is beneficial. 
Further, the class might serve as an example. Otherwise I'm totally fine 
with adding this to my own layer.

Regarding deploying keys in packages: I do not like to have image specific 
stuff deployed as packages. Packages should be compiled per DISTRO. From 
one DISTRO we can compile several different images. Each image might have a 
separate key but contains the same binary packages.

Best regards,
Adrian
 

> Best regards, 
> Stefano Babic 
>
>
> > 
> > Signed-off-by: Adrian Freihofer <adrian....@siemens.com <javascript:>> 
> > --- 
> >  README                       |  9 ++++++++- 
> >  classes/swupdate-enc.bbclass | 28 ++++++++++++++++++++++++++++ 
> >  2 files changed, 36 insertions(+), 1 deletion(-) 
> > 
> > diff --git a/README b/README 
> > index ffc8f33..eb8904e 100644 
> > --- a/README 
> > +++ b/README 
> > @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by 
> meta-swupdate at the moment: 
> >   
> >    * Set variable: `SWUPDATE_SIGNING = "CMS"` 
> >   
> > -  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file 
> > +  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file. 
> > +    Settings this variable for the swu image (inherit swupdate) 
> configures the 
> > +    build system to create signed images. 
> > +    Setting this variable for the image included in the swu archive, 
> leads to 
> > +    an image which is ready to verify the signature of an image in a 
> swu archive 
> > +    at run-time. The certificate gets installed and the -k parameter 
> > +    gets added to the command line arguments for swupdate. This 
> requires to 
> > +    inherit swupdate-enc. This works with systemd but not with init 
> scripts yet. 
> >   
> >    * Set `SWUPDATE_CMS_KEY ` to the full path of private key file 
> >   
> > diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass 
> > index 198ae98..a7c4916 100644 
> > --- a/classes/swupdate-enc.bbclass 
> > +++ b/classes/swupdate-enc.bbclass 
> > @@ -23,3 +23,31 @@ CONVERSIONTYPES += "enc" 
> >   
> >  CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" 
> >  CONVERSION_CMD_enc="swu_encrypt_file 
> ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} 
> ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" 
> > + 
> > + 
> > +# To get the keys and certificates installed the variables 
> SWUPDATE_CMS_CERT 
> > +# and SWUPDATE_AES_FILE need to be defined for the image and the 
> update-image. 
> > +install_key_and_cert() { 
> > +    # Install the image signature verification certificate 
> > +    if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then 
> > +        install -d ${IMAGE_ROOTFS}${datadir}/swupdate 
> > +        install -m 0600 ${SWUPDATE_CMS_CERT} 
> ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem 
> > +        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k 
> ${datadir}/swupdate/image-signing.cert.pem\"" > 
> ${WORKDIR}/80-enable-sign-images 
> > +        install -m 0644 ${WORKDIR}/80-enable-sign-images 
> ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d 
> > +    fi 
> > + 
> > +    # Install the key to decrypt update images 
> > +    if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then 
> > +        key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` 
> > +        iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` 
> > +        if [ -z ${key} ] || [ -z ${iv} ]; then 
> > +            bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not 
> contain valid keys" 
> > +        fi 
> > +        install -d ${IMAGE_ROOTFS}${datadir}/swupdate 
> > +        echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key 
> > +        install -m 0600 ${WORKDIR}/image-enc-aes.key 
> ${IMAGE_ROOTFS}${datadir}/swupdate 
> > +        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K 
> ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images 
> > +        install -m 0644 ${WORKDIR}/81-enable-enc-images 
> ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d 
> > +    fi 
> > +} 
> > +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;' 
> > 
>
>
> -- 
> ===================================================================== 
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk 
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany 
> Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de 
> <javascript:> 
> ===================================================================== 
>

Patch
diff mbox series

diff --git a/README b/README
index ffc8f33..eb8904e 100644
--- a/README
+++ b/README
@@ -40,7 +40,14 @@  There are 3 signing mechanisms supported by meta-swupdate at the moment:
 
   * Set variable: `SWUPDATE_SIGNING = "CMS"`
 
-  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file
+  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file.
+    Settings this variable for the swu image (inherit swupdate) configures the
+    build system to create signed images.
+    Setting this variable for the image included in the swu archive, leads to
+    an image which is ready to verify the signature of an image in a swu archive
+    at run-time. The certificate gets installed and the -k parameter
+    gets added to the command line arguments for swupdate. This requires to
+    inherit swupdate-enc. This works with systemd but not with init scripts yet.
 
   * Set `SWUPDATE_CMS_KEY ` to the full path of private key file
 
diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
index 198ae98..a7c4916 100644
--- a/classes/swupdate-enc.bbclass
+++ b/classes/swupdate-enc.bbclass
@@ -23,3 +23,31 @@  CONVERSIONTYPES += "enc"
 
 CONVERSION_DEPENDS_enc = "openssl-native coreutils-native"
 CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc"
+
+
+# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT
+# and SWUPDATE_AES_FILE need to be defined for the image and the update-image.
+install_key_and_cert() {
+    # Install the image signature verification certificate
+    if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then
+        install -d ${IMAGE_ROOTFS}${datadir}/swupdate
+        install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem
+        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images
+        install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
+    fi
+
+    # Install the key to decrypt update images
+    if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then
+        key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
+        iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
+        if [ -z ${key} ] || [ -z ${iv} ]; then
+            bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
+        fi
+        install -d ${IMAGE_ROOTFS}${datadir}/swupdate
+        echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key
+        install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate
+        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images
+        install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
+    fi
+}
+ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'