From patchwork Tue Oct 29 10:01:13 2019
X-Patchwork-Submitter: "Freihofer, Adrian"
X-Patchwork-Id: 1185944
From: Adrian Freihofer
To: swupdate@googlegroups.com
Cc: Adrian Freihofer
Subject: [swupdate] [PATCH v3 3/3] swupdate: install key, cert
Date: Tue, 29 Oct 2019 11:01:13 +0100
Message-Id: <20191029100113.27287-4-adrian.freihofer@siemens.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20191029100113.27287-1-adrian.freihofer@siemens.com>
References: <20191029100113.27287-1-adrian.freihofer@siemens.com>

In case of signed and/or encrypted images the corresponding keys and
certificates need to be installed into the image. If the variables
SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for the image (not only
for the image-update) as well, the required certificate and key files get
installed and the -k and the -K parameter are added to the swupdate
configuration.

This new class covers only one simple use case: Installing into rootfs.
There are several other use cases supported by swupdate which are not yet
addressed by this new class.

Signed-off-by: Adrian Freihofer
---
 classes/swupdate-img-add.bbclass | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 classes/swupdate-img-add.bbclass

diff --git a/classes/swupdate-img-add.bbclass b/classes/swupdate-img-add.bbclass
new file mode 100644
index 0000000..43c7464
--- /dev/null
+++ b/classes/swupdate-img-add.bbclass
@@ -0,0 +1,35 @@ +# This class might be inherited by an image which gets included into an swu archive. +# +# If the variable SWUPDATE_CMS_CERT is defined, the singing certificate gets installed +# into the image and swupdate gets configured (-k) to verify the signature of swu updates. +# +# If the variable SWUPDATE_AES_FILE is defined, the AES key for decrypting encrypted +# update images gets installed into the rootfs and swupdate gets configured (-K) to +# use the key for decryting images. +# +# This works with systemd but not with init scripts yet. + +install_key_and_cert() { + # Install the image signature verification certificate + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then + install -d ${IMAGE_ROOTFS}${datadir}/swupdate + install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images + install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi + + # Install the key to decrypt update images + if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then + key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + if [ -z ${key} ] || [ -z ${iv} ]; then + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" + fi + install -d ${IMAGE_ROOTFS}${datadir}/swupdate + echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key + install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images + install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi +} +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'
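Review bot: in the SWUPDATE_AES_FILE branch the AES key and IV are written to `${WORKDIR}/image-enc-aes.key` with the build user's default umask before being copied with `install -m 0600`, and that plaintext copy is neither chmod'ed nor removed afterwards, so the decryption secret stays readable in the build tree (and in any WORKDIR archive or shared build directory made from it). Create the file under a restrictive umask, e.g. `( umask 077; echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key )`, and `rm` it once it has been installed. Two smaller points in the same branch: `[ -z ${key} ] || [ -z ${iv} ]` needs double quotes around the expansions (`[ -z "${key}" ]`), since an empty value collapses the test to `[ -z ]`, which only happens to evaluate true, and a value containing whitespace turns it into a "too many arguments" error instead of a bbfatal; and both branches `install` into `${IMAGE_ROOTFS}${libdir}/swupdate/conf.d` without an `install -d` for that directory, so the class silently depends on the swupdate recipe having created it. As the header comment notes that the conf.d fragments are only honoured with systemd, a `bbwarn` when the class is inherited on a sysvinit image would avoid the case where the certificate and key are installed but `-k`/`-K` are never passed, leaving signature verification and decryption unconfigured at runtime.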