Message ID | 1594210792-22999-1-git-send-email-jacopo.dallaglio@kynetics.com |
---|---|
State | Rejected |
Headers | show |
Series | [meta-swupdate] swupdate.bbclass: exclude priv key and passphrase from .swu | expand |
Hi Jacopo, On 08.07.20 14:19, Jacopo Dall'Aglio wrote: > The private key and the corresponding passphrase need to be included in > SRC_URI ???????? This does not seem a great idea because what is in SRC_URI will flow into the SWU. >in order to sign the sw-description file, Not correct. SWUPDATE_PRIVATE_KEY and SWUPDATE_PASSWORD_FILE should be hidden and it is better they are not part of repo at all. Not only, meta-swupdate allows to sign with HSM, too. You just need to set both variable in a configuration file (local.conf, ...), but the two files can be everywhere in the filesystem. This allows also to publish your meta without your keys. But of course, if you put them into SRC_URI.... > but they shouldn't be > included in the .swu CPIO archive. The error is to put them into SRC_URI. > Use bitbake variables SWUPDATE_PRIVATE_KEY and SWUPDATE_PASSWORD_FILE to > exclude private key and passphrase from the .swu. > Best regards, Stefano Babic > Signed-off-by: Jacopo Dall'Aglio <jacopo.dallaglio@kynetics.com> > --- > classes/swupdate.bbclass | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > index 1d74eef..b797dd5 100644 > --- a/classes/swupdate.bbclass > +++ b/classes/swupdate.bbclass > @@ -66,6 +66,8 @@ python do_swuimage () { > > workdir = d.getVar('WORKDIR', True) > images = (d.getVar('SWUPDATE_IMAGES', True) or "").split() > + swu_priv_key = (d.getVar('SWUPDATE_PRIVATE_KEY', True) or "") > + swu_pass_key = (d.getVar('SWUPDATE_PASSWORD_FILE', True) or "") > s = d.getVar('S', True) > shutil.copyfile(os.path.join(workdir, "sw-description"), os.path.join(s, "sw-description")) > fetch = bb.fetch2.Fetch([], d) > @@ -77,7 +79,7 @@ python do_swuimage () { > for url in fetch.urls: > local = fetch.localpath(url) > filename = os.path.basename(local) > - if (filename != 'sw-description'): > + if filename not in ('sw-description',os.path.basename(swu_priv_key), os.path.basename(swu_pass_key)): > shutil.copyfile(local, os.path.join(s, "%s" % filename )) > list_for_cpio.append(filename) > >
Hi Stefano, Thanks for your clarification, I wrongly presumed that the keys had to be included in SRC_URI but this is not stated anywhere in the documentation. It's safer to exclude the keys from the meta layer as you pointed out. Regards, On Wed, Jul 8, 2020 at 2:50 PM Stefano Babic <sbabic@denx.de> wrote: > Hi Jacopo, > > On 08.07.20 14:19, Jacopo Dall'Aglio wrote: > > The private key and the corresponding passphrase need to be included in > > SRC_URI > > ???????? > > This does not seem a great idea because what is in SRC_URI will flow > into the SWU. > > >in order to sign the sw-description file, > > Not correct. > > SWUPDATE_PRIVATE_KEY and SWUPDATE_PASSWORD_FILE should be hidden and it > is better they are not part of repo at all. Not only, meta-swupdate > allows to sign with HSM, too. > > You just need to set both variable in a configuration file (local.conf, > ...), but the two files can be everywhere in the filesystem. This allows > also to publish your meta without your keys. > > But of course, if you put them into SRC_URI.... > > > but they shouldn't be > > included in the .swu CPIO archive. > > The error is to put them into SRC_URI. > > > Use bitbake variables SWUPDATE_PRIVATE_KEY and SWUPDATE_PASSWORD_FILE to > > exclude private key and passphrase from the .swu. > > > > Best regards, > Stefano Babic > > > Signed-off-by: Jacopo Dall'Aglio <jacopo.dallaglio@kynetics.com> > > --- > > classes/swupdate.bbclass | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > > index 1d74eef..b797dd5 100644 > > --- a/classes/swupdate.bbclass > > +++ b/classes/swupdate.bbclass > > @@ -66,6 +66,8 @@ python do_swuimage () { > > > > workdir = d.getVar('WORKDIR', True) > > images = (d.getVar('SWUPDATE_IMAGES', True) or "").split() > > + swu_priv_key = (d.getVar('SWUPDATE_PRIVATE_KEY', True) or "") > > + swu_pass_key = (d.getVar('SWUPDATE_PASSWORD_FILE', True) or "") > > s = d.getVar('S', True) > > shutil.copyfile(os.path.join(workdir, "sw-description"), > os.path.join(s, "sw-description")) > > fetch = bb.fetch2.Fetch([], d) > > @@ -77,7 +79,7 @@ python do_swuimage () { > > for url in fetch.urls: > > local = fetch.localpath(url) > > filename = os.path.basename(local) > > - if (filename != 'sw-description'): > > + if filename not in > ('sw-description',os.path.basename(swu_priv_key), > os.path.basename(swu_pass_key)): > > shutil.copyfile(local, os.path.join(s, "%s" % filename )) > > list_for_cpio.append(filename) > > > > > > > -- > ===================================================================== > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany > Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de > ===================================================================== >
diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index 1d74eef..b797dd5 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass @@ -66,6 +66,8 @@ python do_swuimage () { workdir = d.getVar('WORKDIR', True) images = (d.getVar('SWUPDATE_IMAGES', True) or "").split() + swu_priv_key = (d.getVar('SWUPDATE_PRIVATE_KEY', True) or "") + swu_pass_key = (d.getVar('SWUPDATE_PASSWORD_FILE', True) or "") s = d.getVar('S', True) shutil.copyfile(os.path.join(workdir, "sw-description"), os.path.join(s, "sw-description")) fetch = bb.fetch2.Fetch([], d) @@ -77,7 +79,7 @@ python do_swuimage () { for url in fetch.urls: local = fetch.localpath(url) filename = os.path.basename(local) - if (filename != 'sw-description'): + if filename not in ('sw-description',os.path.basename(swu_priv_key), os.path.basename(swu_pass_key)): shutil.copyfile(local, os.path.join(s, "%s" % filename )) list_for_cpio.append(filename)
The private key and the corresponding passphrase need to be included in SRC_URI in order to sign the sw-description file, but they shouldn't be included in the .swu CPIO archive. Use bitbake variables SWUPDATE_PRIVATE_KEY and SWUPDATE_PASSWORD_FILE to exclude private key and passphrase from the .swu. Signed-off-by: Jacopo Dall'Aglio <jacopo.dallaglio@kynetics.com> --- classes/swupdate.bbclass | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)