
[meta-swupdate,12/12] swupdate: install key, cert

Message ID 20191023211101.16591-13-adrian.freihofer@siemens.com
State Changes Requested

Commit Message

Freihofer, Adrian Oct. 23, 2019, 9:11 p.m. UTC
In case of signed and/or encrypted images the corresponding keys and
certificates need to be installed into the image.

If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
the image (not only for the image-update) as well, the required
certificate and key files get installed and the -k and the -K parameter
are added to the swupdate configuration.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 README                       |  9 ++++++++-
 classes/swupdate-enc.bbclass | 26 ++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

Comments

Stefan Herbrechtsmeier Oct. 24, 2019, 8:51 a.m. UTC | #1
Hi Adrian,

On 23.10.19 at 23:11, Adrian Freihofer wrote:
> In case of signed and/or encrypted images the corresponding keys and
> certificates need to be installed into the image.
> 
> If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for
> the image (not only for the image-update) as well, the required
> certificate and key files get installed and the -k and the -K parameter
> are added to the swupdate configuration.
> 
> Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> ---
>   README                       |  9 ++++++++-
>   classes/swupdate-enc.bbclass | 26 ++++++++++++++++++++++++++
>   2 files changed, 34 insertions(+), 1 deletion(-)
> 
> diff --git a/README b/README
> index ffc8f33..eb8904e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment:
>   
>     * Set variable: `SWUPDATE_SIGNING = "CMS"`
>   
> -  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file
> +  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file.
> +    Settings this variable for the swu image (inherit swupdate) configures the
> +    build system to create signed images.
> +    Setting this variable for the image included in the swu archive, leads to
> +    an image which is ready to verify the signature of an image in a swu archive
> +    at run-time. The certificate gets installed and the -k parameter
> +    gets added to the command line arguments for swupdate. This requires to
> +    inherit swupdate-enc. This works with systemd but not with init scripts yet.
>   
>     * Set `SWUPDATE_CMS_KEY ` to the full path of private key file
>   
> diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
> index 198ae98..95ad636 100644
> --- a/classes/swupdate-enc.bbclass
> +++ b/classes/swupdate-enc.bbclass
> @@ -23,3 +23,29 @@ CONVERSIONTYPES += "enc"
>   
>   CONVERSION_DEPENDS_enc = "openssl-native coreutils-native"
>   CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc"
> +
> +
> +# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT
> +# and SWUPDATE_AES_FILE need to be defined for the image and the update-image.
> +install_key_and_cert() {
> +    # Install the image signature verification certificate
> +    if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then
> +        install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${libdir}/swupdate/image-signing.cert.pem

Is this the correct path for a certificate?

Regards
   Stefan
Adrian Freihofer Oct. 24, 2019, 11:38 a.m. UTC | #2
Hi Stefan,

Maybe yes, because it just works.

Maybe no, because a user has a reason to store the certificate somewhere 
else. This is still the default. This new way to install the 
security-relevant certificates is opt-in. The code here becomes active when the 
SWUPDATE_CMS_CERT variable is set for the image. It's up to the user to set 
this variable only for the swu recipe (as before) or for both (new opt-in), 
the swu and the image recipe. I tried to explain this in the README.

Providing a variable for the certificate path might be a potential 
improvement.

Regards,
Adrian

Stefan Herbrechtsmeier Oct. 24, 2019, 12:23 p.m. UTC | #3
Hi Adrian,

On 24.10.19 at 13:38, adrian.freihofer@gmail.com wrote:
> Hi Stefan,
> 
> May be yes, because it just works.

Every path will work, but we should use a common one because most people 
will use it. I wonder why you use the libdir instead of the datadir.

Regards
   Stefan

Patch

diff --git a/README b/README
index ffc8f33..eb8904e 100644
--- a/README
+++ b/README
@@ -40,7 +40,14 @@  There are 3 signing mechanisms supported by meta-swupdate at the moment:
 
   * Set variable: `SWUPDATE_SIGNING = "CMS"`
 
-  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file
+  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file.
+    Settings this variable for the swu image (inherit swupdate) configures the
+    build system to create signed images.
+    Setting this variable for the image included in the swu archive, leads to
+    an image which is ready to verify the signature of an image in a swu archive
+    at run-time. The certificate gets installed and the -k parameter
+    gets added to the command line arguments for swupdate. This requires to
+    inherit swupdate-enc. This works with systemd but not with init scripts yet.
 
   * Set `SWUPDATE_CMS_KEY ` to the full path of private key file
 
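Review bot: The added text under `SWUPDATE_CMS_CERT` documents only the certificate and the -k argument, while the commit message says `SWUPDATE_AES_FILE` and the -K argument are handled the same way; the diffstat shows no other README change, so the AES key installation stays undocumented. Add a matching paragraph for `SWUPDATE_AES_FILE` that says the symmetric key ends up inside the root filesystem of the image, state the on-target install path for both files, and fix "Settings this variable" to "Setting this variable".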
diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
index 198ae98..95ad636 100644
--- a/classes/swupdate-enc.bbclass
+++ b/classes/swupdate-enc.bbclass
@@ -23,3 +23,29 @@  CONVERSIONTYPES += "enc"
 
 CONVERSION_DEPENDS_enc = "openssl-native coreutils-native"
 CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc"
+
+
+# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT
+# and SWUPDATE_AES_FILE need to be defined for the image and the update-image.
+install_key_and_cert() {
+    # Install the image signature verification certificate
+    if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then
+        install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${libdir}/swupdate/image-signing.cert.pem
+        echo 'SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/image-signing.cert.pem"' > ${WORKDIR}/80-enable-sign-images
+        install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
+    fi
+
+    # Install the key to decrypt update images
+    if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then
+        key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
+        iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2`
+        if [ -z ${key} ] || [ -z ${iv} ]; then
+            bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
+        fi
+        echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key
+        install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${libdir}/swupdate
+        echo 'SWUPDATE_ARGS="${SWUPDATE_ARGS} -K /usr/lib/swupdate/image-enc-aes.key"' > ${WORKDIR}/81-enable-enc-images
+        install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d
+    fi
+}
+ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'
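Review bot: The generated `80-enable-sign-images` and `81-enable-enc-images` snippets in `install_key_and_cert()` hard-code `/usr/lib/swupdate/...` for -k and -K, but the files are installed to `${IMAGE_ROOTFS}${libdir}/swupdate`, so the arguments point at missing files whenever libdir is not /usr/lib. Build the argument path from the same variable as the install destination; a single path variable would also settle the libdir versus datadir question raised in review. The `[ -z ${key} ] || [ -z ${iv} ]` test should quote both expansions, and nothing in this hunk creates `${libdir}/swupdate` or its `conf.d` before `install` writes into them, so an `install -d` for both is worth adding. The key and IV are also written to `${WORKDIR}/image-enc-aes.key` with default permissions and left there; create that intermediate file with a restrictive mode or remove it after the install.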