From patchwork Thu Oct 24 18:56:35 2019
X-Patchwork-Submitter: "Freihofer, Adrian"
X-Patchwork-Id: 1183475
From: Adrian Freihofer
To: swupdate@googlegroups.com
Cc: Adrian Freihofer
Subject: [swupdate] [meta-swupdate][PATCH v2 12/12] swupdate: install key, cert
Date: Thu, 24 Oct 2019 20:56:35 +0200
Message-Id: <20191024185635.31754-13-adrian.freihofer@siemens.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20191024185635.31754-1-adrian.freihofer@siemens.com>
References: <20191024185635.31754-1-adrian.freihofer@siemens.com>
X-Original-Sender: adrian.freihofer@siemens.com
Mailing-list: list swupdate@googlegroups.com; contact swupdate+owners@googlegroups.com

In case of signed and/or encrypted images the corresponding keys and
certificates need to be installed into the image. If the variables
SWUPDATE_CMS_CERT and SWUPDATE_AES_FILE are set for the image (not only
for the image-update) as well, the required certificate and key files get
installed and the -k and the -K parameters are added to the swupdate
configuration.

Signed-off-by: Adrian Freihofer
---
 README                       | 9 ++++++++-
 classes/swupdate-enc.bbclass | 28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/README b/README
index ffc8f33..eb8904e 100644
--- a/README
+++ b/README
@@ -40,7 +40,14 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment: * Set variable: `SWUPDATE_SIGNING = "CMS"` - * Set `SWUPDATE_CMS_CERT` to the full path of certificate file + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file. + Settings this variable for the swu image (inherit swupdate) configures the + build system to create signed images. + Setting this variable for the image included in the swu archive, leads to + an image which is ready to verify the signature of an image in a swu archive + at run-time. The certificate gets installed and the -k parameter + gets added to the command line arguments for swupdate. This requires to + inherit swupdate-enc. This works with systemd but not with init scripts yet. * Set `SWUPDATE_CMS_KEY ` to the full path of private key file diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass index 198ae98..a7c4916 100644 --- a/classes/swupdate-enc.bbclass +++ b/classes/swupdate-enc.bbclass 
@@ -23,3 +23,31 @@ CONVERSIONTYPES += "enc" CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" + + +# To get the keys and certificates installed the variables SWUPDATE_CMS_CERT +# and SWUPDATE_AES_FILE need to be defined for the image and the update-image. +install_key_and_cert() { + # Install the image signature verification certificate + if [ "x${SWUPDATE_CMS_CERT}" != "x" ]; then + install -d ${IMAGE_ROOTFS}${datadir}/swupdate + install -m 0600 ${SWUPDATE_CMS_CERT} ${IMAGE_ROOTFS}${datadir}/swupdate/image-signing.cert.pem + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -k ${datadir}/swupdate/image-signing.cert.pem\"" > ${WORKDIR}/80-enable-sign-images + install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi + + # Install the key to decrypt update images + if [ "x${SWUPDATE_AES_FILE}" != "x" ]; then + key=`grep ^key ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + iv=`grep ^iv ${SWUPDATE_AES_FILE} | cut -d '=' -f 2` + if [ -z ${key} ] || [ -z ${iv} ]; then + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" + fi + install -d ${IMAGE_ROOTFS}${datadir}/swupdate + echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key + install -m 0600 ${WORKDIR}/image-enc-aes.key ${IMAGE_ROOTFS}${datadir}/swupdate + echo "SWUPDATE_ARGS=\"\${SWUPDATE_ARGS} -K ${datadir}/swupdate/image-enc-aes.key\"" > ${WORKDIR}/81-enable-enc-images + install -m 0644 ${WORKDIR}/81-enable-enc-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d + fi +} +ROOTFS_POSTPROCESS_COMMAND += 'install_key_and_cert;'
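Review bot: in the README hunk, the new paragraph documents only the SWUPDATE_CMS_CERT side of the run-time behaviour, while the swupdate-enc.bbclass hunk in this same patch adds equivalent handling for SWUPDATE_AES_FILE (key written to ${datadir}/swupdate/image-enc-aes.key, -K appended to SWUPDATE_ARGS); that second variable deserves a matching sentence under the encryption section. The added text also has typos and awkward phrasing: "Settings this variable for the swu image" should read "Setting this variable for the swu image", "leads to an image which is ready to verify the signature" reads better as "produces an image that can verify the signature", and "This requires to inherit swupdate-enc" should be "This requires inheriting swupdate-enc". Finally, state where the certificate is installed (${datadir}/swupdate/image-signing.cert.pem) and that the -k argument is injected via a snippet in ${libdir}/swupdate/conf.d, which is presumably the reason for the "systemd but not init scripts" caveat; without that, the caveat is hard for a reader to interpret.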
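Review bot: in the swupdate-enc.bbclass hunk, install_key_and_cert() never creates ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d before running `install -m 0644 ${WORKDIR}/80-enable-sign-images ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d` (and the same for 81-enable-enc-images); if the directory is missing at rootfs-postprocess time, `install` treats the destination as a file name and silently creates a regular file called conf.d (or fails outright if ${libdir}/swupdate is absent), so add `install -d ${IMAGE_ROOTFS}${libdir}/swupdate/conf.d` before both calls, as is already done for ${datadir}/swupdate. Two smaller points in the same function: the test `if [ -z ${key} ] || [ -z ${iv} ]; then` should quote its operands (`[ -z "${key}" ] || [ -z "${iv}" ]`), since with the current form an empty value collapses to `[ -z ]`, which only happens to be true because "-z" is a non-empty string, and a value containing whitespace breaks the test; and `echo "${key} ${iv}" > ${WORKDIR}/image-enc-aes.key` writes the plaintext AES key into WORKDIR with whatever the build's umask allows, so either create that scratch file 0600 first (e.g. `install -m 0600 /dev/null ${WORKDIR}/image-enc-aes.key`) or write it with a restrictive umask and remove it after the `install -m 0600` into the rootfs.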