Message ID | 20191024185635.31754-13-adrian.freihofer@siemens.com
---|---
State | Changes Requested
Series | None
Hi Adrian,

On 24/10/19 20:56, Adrian Freihofer wrote:
> In case of signed and/or encrypted images the corresponding keys and
> certificates need to be installed into the image.
>
> If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
> the image (not only for the image-update) as well, the required
> certificate and key files get installed and the -k and the -K parameter
> are added to the swupdate configuration.

Of course, when we use encrypted artifacts and/or signed images, the next step is where the keys must be stored.

Your proposal covers just one use case. In fact, the keys (CMS certificate or RSA public key and AES symmetric key) are stored into the rootfs. However, there are a lot of cases where the keys are not part of the rootfs. Let's start with another use case. Someone wants to be able to upgrade the certificate, someone not. For the first case, putting them into rootfs is ok, because each update will mean to renew the certificates. Someone else wants to fix the certificate and push it on a read-only device that is set by the factory, for example on an I2C or SPI EEPROM where the write pin of the chip is not connected. This case will be forbidden with your changes, because certificate and AES key are part of rootfs. So yes, this patch makes life easier for one use case, but it makes it much more difficult for some other cases. So I cannot say if keys should be part of rootfs, it depends on requirements. It looks to me easier if CMS / RSA / AES are put into a separate package and this can be installed into rootfs or into another image.

Best regards,
Stefano Babic

> > Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> > --- > README | 9 ++++++++- > classes/swupdate-enc.bbclass | 28 ++++++++++++++++++++++++++++ > 2 files changed, 36 insertions(+), 1 deletion(-) > > diff --git a/README b/README > index ffc8f33..eb8904e 100644 > --- a/README > +++ b/README
> @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment: > > * Set variable: `SWUPDATE_SIGNING = "CMS"` > > - * Set `SWUPDATE_CMS_CERT` to the full path of certificate file > + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file. > + Settings this variable for the swu image (inherit swupdate) configures the > + build system to create signed images. > + Setting this variable for the image included in the swu archive, leads to > + an image which is ready to verify the signature of an image in a swu archive > + at run-time. The certificate gets installed and the -k parameter > + gets added to the command line arguments for swupdate. This requires to > + inherit swupdate-enc. This works with systemd but not with init scripts yet. > > * Set `SWUPDATE_CMS_KEY ` to the full path of private key file > > diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass > index 198ae98..a7c4916 100644 > --- a/classes/swupdate-enc.bbclass > +++ b/classes/swupdate-enc.bbclass 
> @@ -23,3 +23,31 @@ CONVERSIONTYPES += "enc" > > CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" > CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" > + > + > +# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT > +# and SWUPDATE_AES_FILE need to be defined for the image and the update-image. > +install_key_and_cert() { > + # Install the image signature verification certificate > + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then > + install -d ${IMAGE_ROOTFS}${datadir}/swupdate > + install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem > + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images > + install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d > + fi > + > + # Install the key to decrypt update images > + if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then > + key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` > + iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` > + if [ -z ${key} ] || [ -z ${iv} ]; then > + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" > + fi > + install -d ${IMAGE_ROOTFS}${datadir}/swupdate > + echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key > + install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate > + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images > + install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d > + fi > +} > +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;' >
Hi Stefano

On Monday, 28 October 2019 15:49:40 UTC+1, Stefano Babic wrote:
>
> Hi Adrian,
>
> On 24/10/19 20:56, Adrian Freihofer wrote:
> > In case of signed and/or encrypted images the corresponding keys and
> > certificates need to be installed into the image.
> >
> > If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
> > the image (not only for the image-update) as well, the required
> > certificate and key files get installed and the -k and the -K parameter
> > are added to the swupdate configuration.
>
> Of course, when we use encrypted artifacts and/or signed images, the next
> step is where the keys must be stored.
>
> Your proposal covers just one use case. In fact, the keys (CMS
> certificate or RSA public key and AES symmetric key) are stored into the
> rootfs. However, there are a lot of cases where the keys are not part of
> the rootfs. Let's start with another use case. Someone wants to be able
> to upgrade the certificate, someone not. For the first case, putting them
> into rootfs is ok, because each update will mean to renew the
> certificates. Someone else wants to fix the certificate and push it on a
> read-only device that is set by the factory, for example on an I2C or
> SPI EEPROM where the write pin of the chip is not connected. This case
> will be forbidden with your changes, because certificate and AES key are
> part of rootfs. So yes, this patch makes life easier for one use case,
> but it makes it much more difficult for some other cases. So I cannot say if
> keys should be part of rootfs, it depends on requirements. It looks to
> me easier if CMS / RSA / AES are put into a separate package and this
> can be installed into rootfs or into another image.
>

Of course, there are different ways to store the keys and certificates on the device. Would you like to add this if I moved it to a separate class? This would enable the user to inherit the class only if it is beneficial. Further, the class might serve as an example.
Otherwise I'm totally fine with adding this to my own layer.

Regarding deploying keys in packages: I do not like to have image-specific stuff deployed as packages. Packages should be compiled per DISTRO. From one DISTRO we can compile several different images. Each image might have a separate key but contains the same binary packages.

Best regards,
Adrian

> Best regards, > Stefano Babic > > > > > > Signed-off-by: Adrian Freihofer <adrian....@siemens.com> > > --- > > README | 9 ++++++++- > > classes/swupdate-enc.bbclass | 28 ++++++++++++++++++++++++++++ > > 2 files changed, 36 insertions(+), 1 deletion(-) > > > > diff --git a/README b/README > > index ffc8f33..eb8904e 100644 > > --- a/README > > +++ b/README > > @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by > meta-swupdate at the moment: > > > > * Set variable: `SWUPDATE_SIGNING = "CMS"` > > > > - * Set `SWUPDATE_CMS_CERT` to the full path of certificate file > > + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file. > > + Settings this variable for the swu image (inherit swupdate) > configures the > > + build system to create signed images. > > + Setting this variable for the image included in the swu archive, > leads to > > + an image which is ready to verify the signature of an image in a > swu archive > > + at run-time. The certificate gets installed and the -k parameter > > + gets added to the command line arguments for swupdate. This > requires to > > + inherit swupdate-enc. This works with systemd but not with init > scripts yet. > > > > * Set `SWUPDATE_CMS_KEY ` to the full path of private key file > > > > diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass > > index 198ae98..a7c4916 100644 > > --- a/classes/swupdate-enc.bbclass > > +++ b/classes/swupdate-enc.bbclass
> > @@ -23,3 +23,31 @@ CONVERSIONTYPES += "enc" > > > > CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" > > CONVERSION_CMD_enc="swu_encrypt_file > ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} > ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" > > + > > + > > +# To get the keys and certificates installed the variables > SWUPDATE_CMS_CERT > > +# and SWUPDATE_AES_FILE need to be defined for the image and the > update-image. > > +install_key_and_cert() { > > + # Install the image signature verification certificate > > + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then > > + install -d ${IMAGE_ROOTFS}${datadir}/swupdate > > + install -m 0600 ${SWUPDATE_CMS_CERT} > ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem > > + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k > ${datadir}/swupdate/image-signing.cert.pem\"" > > ${WORKDIR}/80-enable-sign-images > > + install -m 0644 ${WORKDIR}/80-enable-sign-images > ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d > > + fi > > + > > + # Install the key to decrypt update images > > + if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then > > + key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` > > + iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` > > + if [ -z ${key} ] || [ -z ${iv} ]; then > > + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not > contain valid keys" > > + fi > > + install -d ${IMAGE_ROOTFS}${datadir}/swupdate > > + echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key > > + install -m 0600 ${WORKDIR}/image-enc-aes.key > ${IMAGE_ROOTFS}${datadir}/swupdate > > + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K > ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images > > + install -m 0644 ${WORKDIR}/81-enable-enc-images > ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d > > + fi > > +} > > +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;' > > > > > -- > ===================================================================== > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, 
Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
> =====================================================================
diff --git a/README b/README index ffc8f33..eb8904e 100644 --- a/README +++ b/README @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment: * Set variable: `SWUPDATE_SIGNING = "CMS"` - * Set `SWUPDATE_CMS_CERT` to the full path of certificate file + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file. + Settings this variable for the swu image (inherit swupdate) configures the + build system to create signed images. + Setting this variable for the image included in the swu archive, leads to + an image which is ready to verify the signature of an image in a swu archive + at run-time. The certificate gets installed and the -k parameter + gets added to the command line arguments for swupdate. This requires to + inherit swupdate-enc. This works with systemd but not with init scripts yet. * Set `SWUPDATE_CMS_KEY ` to the full path of private key file diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass index 198ae98..a7c4916 100644 --- a/classes/swupdate-enc.bbclass +++ b/classes/swupdate-enc.bbclass 
@@ -23,3 +23,31 @@ CONVERSIONTYPES += "enc" CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" + + +# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT +# and SWUPDATE_AES_FILE need to be defined for the image and the update-image. +install_key_and_cert() { + # Install the image signature verification certificate + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then + install -d ${IMAGE_ROOTFS}${datadir}/swupdate + install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images + install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi + + # Install the key to decrypt update images + if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then + key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + if [ -z ${key} ] || [ -z ${iv} ]; then + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" + fi + install -d ${IMAGE_ROOTFS}${datadir}/swupdate + echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key + install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images + install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi +} +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'
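Review bot: in the README hunk, the first added line `+ Settings this variable for the swu image (inherit swupdate) configures the` has a typo and should read `Setting this variable ...`, and the comma in `+ Setting this variable for the image included in the swu archive, leads to` splits subject from verb and should be dropped. The closing `This works with systemd but not with init scripts yet.` states a real limitation but not its cause; since the bbclass hunk passes `-k`/`-K` only through `SWUPDATE_ARGS` drop-in files under `${libdir}/swupdate/conf.d`, the README should say that an init-script setup has to read those drop-ins itself, otherwise a user will wonder why the certificate is installed yet signature verification is not enabled.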
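Review bot: in the bbclass hunk, `install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d` (and the matching line for `81-enable-enc-images`) assumes `${libdir}/swupdate/conf.d` already exists in the rootfs; if it does not, `install` silently writes a regular file named `conf.d` and the `-k`/`-K` arguments are never applied. Add `install -d ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d` alongside the existing `install -d ${IMAGE_ROOTFS}${datadir}/swupdate`. In the AES branch, `if [ -z ${key} ] || [ -z ${iv} ]; then` tests unquoted variables, so an empty value collapses to `[ -z ]` (which only happens to be true) and a value containing whitespace breaks the test; quote them as `[ -z "${key}" ] || [ -z "${iv}" ]`. Finally, `echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key` leaves a plaintext copy of the symmetric key in the build tree after the rootfs is assembled; write it with a restrictive umask and remove it after the `install`, and the class comment should state that setting the variable embeds the key in every rootfs built with it, which is the design concern raised in this thread.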
In case of signed and/or encrypted images the corresponding keys and certificates need to be installed into the image.

If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for the image (not only for the image-update) as well, the required certificate and key files get installed and the -k and the -K parameter are added to the swupdate configuration.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 README | 9 ++++++++-
 classes/swupdate-enc.bbclass | 28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)