Message ID | 20191029100113.27287-4-adrian.freihofer@siemens.com |
---|---|
State | Changes Requested |
Headers | show |
Series | simplify swupdate config | expand |
Hi Adrian, On 29/10/19 11:01, Adrian Freihofer wrote: > In case of singed and/or encrypted images the corresponding keys and > certificates need to be installed into the image. > > If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for > the image (not only for the image-update) as well, the required > certificate and key files get installed and the -k and the -K paramter > are added to the swupdate configuration. > SWUpdate supports RSA and CMS verification - the RSA case is not touched by this class. > This new class covers only one simple use case: Installing into rootfs. > There are several other use cases supported by swupdate whic are not > yet addressed by this new class. Right - at least with PKI, it works different. On the target the CA public certificate must be installed, not the own certificate. > > Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> > --- > classes/swupdate-img-add.bbclass | 35 +++++++++++++++++++++++++++++++++++ > 1 file changed, 35 insertions(+) > create mode 100644 classes/swupdate-img-add.bbclass > > diff --git a/classes/swupdate-img-add.bbclass b/classes/swupdate-img-add.bbclass > new file mode 100644 > index 0000000..43c7464 > --- /dev/null > +++ b/classes/swupdate-img-add.bbclass > @@ -0,0 +1,35 @@ > +# This class might be inherited by an image which gets included into an swu archive. > +# > +# If the variable SWUPDATE_CMS_CERT is defined, the singing certificate gets installed > +# into the image and swupdate gets configured (-k) to verify the signature of swu updates. > +# > +# If the variable SWUPDATE_AES_FILE is defined, the AES key for decrypting encrypted > +# update images gets installed into the rootfs and swupdate gets configured (-K) to > +# use the key for decryting images. > +# > +# This works with systemd but not with init scripts yet. > + > +install_key_and_cert() { > + # Install the image signature verification certificate > + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then > + install -d ${IMAGE_ROOTFS}${datadir}/swupdate > + install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem > + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images > + install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d > + fi > + > + # Install the key to decrypt update images > + if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then > + key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` > + iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` > + if [ -z ${key} ] || [ -z ${iv} ]; then > + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" > + fi > + install -d ${IMAGE_ROOTFS}${datadir}/swupdate > + echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key > + install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate > + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images > + install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d > + fi > +} > +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;' > Best regards, Stefano
diff --git a/classes/swupdate-img-add.bbclass b/classes/swupdate-img-add.bbclass new file mode 100644 index 0000000..43c7464 --- /dev/null +++ b/classes/swupdate-img-add.bbclass @@ -0,0 +1,35 @@ +# This class might be inherited by an image which gets included into an swu archive. +# +# If the variable SWUPDATE_CMS_CERT is defined, the singing certificate gets installed +# into the image and swupdate gets configured (-k) to verify the signature of swu updates. +# +# If the variable SWUPDATE_AES_FILE is defined, the AES key for decrypting encrypted +# update images gets installed into the rootfs and swupdate gets configured (-K) to +# use the key for decryting images. +# +# This works with systemd but not with init scripts yet. + +install_key_and_cert() { + # Install the image signature verification certificate + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then + install -d ${IMAGE_ROOTFS}${datadir}/swupdate + install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images + install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi + + # Install the key to decrypt update images + if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then + key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + if [ -z ${key} ] || [ -z ${iv} ]; then + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" + fi + install -d ${IMAGE_ROOTFS}${datadir}/swupdate + echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key + install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images + install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi +} +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'
In case of singed and/or encrypted images the corresponding keys and certificates need to be installed into the image. If the variables SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for the image (not only for the image-update) as well, the required certificate and key files get installed and the -k and the -K paramter are added to the swupdate configuration. This new class covers only one simple use case: Installing into rootfs. There are several other use cases supported by swupdate whic are not yet addressed by this new class. Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> --- classes/swupdate-img-add.bbclass | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 classes/swupdate-img-add.bbclass