[v3,3/3] swupdate: install key, cert
diff mbox series

Message ID 20191029100113.27287-4-adrian.freihofer@siemens.com
State Changes Requested
Headers show
Series
  • simplify swupdate config
Related show

Commit Message

Freihofer, Adrian Oct. 29, 2019, 10:01 a.m. UTC
In case of singed and/or encrypted images the corresponding keys and
certificates need to be installed into the image.

If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
the image (not only for the image-update) as well, the required
certificate and key files get installed and the -k and the -K paramter
are added to the swupdate configuration.

This new class covers only one simple use case: Installing into rootfs.
There are several other use cases supported by swupdate whic are not
yet addressed by this new class.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 classes/swupdate-img-add.bbclass | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 classes/swupdate-img-add.bbclass

Comments

Stefano Babic Nov. 2, 2019, 12:43 p.m. UTC | #1
Hi Adrian,

On 29/10/19 11:01, Adrian Freihofer wrote:
> In case of singed and/or encrypted images the corresponding keys and
> certificates need to be installed into the image.
> 
> If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
> the image (not only for the image-update) as well, the required
> certificate and key files get installed and the -k and the -K paramter
> are added to the swupdate configuration.
> 

SWUpdate supports RSA and CMS verification - the RSA case is not touched
by this class.

> This new class covers only one simple use case: Installing into rootfs.
> There are several other use cases supported by swupdate whic are not
> yet addressed by this new class.

Right - at least with PKI, it works different. On the target the CA
public certificate must be installed, not the own certificate.

> 
> Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> ---
>  classes/swupdate-img-add.bbclass | 35 +++++++++++++++++++++++++++++++++++
>  1 file changed, 35 insertions(+)
>  create mode 100644 classes/swupdate-img-add.bbclass
> 
> diff --git a/classes/swupdate-img-add.bbclass b/classes/swupdate-img-add.bbclass
> new file mode 100644
> index 0000000..43c7464
> --- /dev/null
> +++ b/classes/swupdate-img-add.bbclass
> @@ -0,0 +1,35 @@
> +# This class might be inherited by an image which gets included into an swu archive.
> +#
> +# If the variable SWUPDATE_CMS_CERT is defined, the singing certificate gets installed
> +# into the image and swupdate gets configured (-k) to verify the signature of swu updates.
> +#
> +# If the variable SWUPDATE_AES_FILE is defined, the AES key for decrypting encrypted
> +# update images gets installed into the rootfs and swupdate gets configured (-K) to
> +# use the key for decryting images.
> +#
> +# This works with systemd but not with init scripts yet.
> +
> +install_key_and_cert() {
> +    # Install the image signature verification certificate
> +    if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then
> +        install -d ${IMAGE_ROOTFS}${datadir}/swupdate
> +        install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem
> +        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images
> +        install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
> +    fi
> +
> +    # Install the key to decrypt update images
> +    if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then
> +        key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
> +        iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
> +        if [ -z ${key} ] || [ -z ${iv} ]; then
> +            bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
> +        fi
> +        install -d ${IMAGE_ROOTFS}${datadir}/swupdate
> +        echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key
> +        install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate
> +        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images
> +        install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
> +    fi
> +}
> +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'
> 

Best regards,
Stefano

Patch
diff mbox series

diff --git a/classes/swupdate-img-add.bbclass b/classes/swupdate-img-add.bbclass
new file mode 100644
index 0000000..43c7464
--- /dev/null
+++ b/classes/swupdate-img-add.bbclass
@@ -0,0 +1,35 @@ 
+# This class might be inherited by an image which gets included into an swu archive.
+#
+# If the variable SWUPDATE_CMS_CERT is defined, the singing certificate gets installed
+# into the image and swupdate gets configured (-k) to verify the signature of swu updates.
+#
+# If the variable SWUPDATE_AES_FILE is defined, the AES key for decrypting encrypted
+# update images gets installed into the rootfs and swupdate gets configured (-K) to
+# use the key for decryting images.
+#
+# This works with systemd but not with init scripts yet.
+
+install_key_and_cert() {
+    # Install the image signature verification certificate
+    if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then
+        install -d ${IMAGE_ROOTFS}${datadir}/swupdate
+        install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem
+        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images
+        install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
+    fi
+
+    # Install the key to decrypt update images
+    if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then
+        key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
+        iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
+        if [ -z ${key} ] || [ -z ${iv} ]; then
+            bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
+        fi
+        install -d ${IMAGE_ROOTFS}${datadir}/swupdate
+        echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key
+        install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate
+        echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images
+        install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
+    fi
+}
+ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'