From patchwork Thu Aug 17 08:25:26 2017 X-Patchwork-Submitter: Maciej Pijanowski X-Patchwork-Id: 802425 X-Patchwork-Delegate: sbabic@denx.de Received: from cloudserver096301.home.net.pl (cloudserver096301.home.net.pl.
[79.96.179.35]) by gmr-mx.google.com with ESMTPS id v202si917374wmv.3.2017.08.17.01.25.09 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 17 Aug 2017 01:25:10 -0700 (PDT) Received-SPF: neutral (google.com: 79.96.179.35 is neither permitted nor denied by best guess record for domain of maciej.pijanowski@3mdeb.com) client-ip=79.96.179.35; Received: from 81-95-197-197.metrolink.pl (81.95.197.197) (HELO localhost.localdomain) by serwer1539010.home.pl (79.96.179.35) with SMTP (IdeaSmtpServer 0.82) id 39348c2738fffc14; Thu, 17 Aug 2017 10:25:08 +0200 From: Maciej Pijanowski To: swupdate@googlegroups.com Cc: piotr.krol@3mdeb.com, Maciej Pijanowski Subject: [swupdate] [meta-swupdate][PATCH] add CMS signing support Date: Thu, 17 Aug 2017 10:25:26 +0200 Message-Id: <1502958326-1780-1-git-send-email-maciej.pijanowski@3mdeb.com> X-Mailer: git-send-email 2.7.4 X-Original-Sender: maciej.pijanowski@3mdeb.com X-Original-Authentication-Results: gmr-mx.google.com; spf=neutral (google.com: 79.96.179.35 is neither permitted nor denied by best guess record for domain of maciej.pijanowski@3mdeb.com) smtp.mailfrom=maciej.pijanowski@3mdeb.com Precedence: list Mailing-list: list swupdate@googlegroups.com; contact swupdate+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: swupdate@googlegroups.com X-Google-Group-Id: 605343134186 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , Signed-off-by: Maciej Pijanowski Acked-by: Stefano Babic --- classes/swupdate.bbclass | 46 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index 44e45461401c..28297ca41a1c 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass @@ -1,5 +1,5 @@ # Copyright (C) 2015 Stefano Babic -# +# # Some parts from the patch class # # swupdate allows to generate a compound image for the 
@@ -14,7 +14,7 @@ S = "${WORKDIR}/${PN}" -DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) == '1' else ''}" +DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) else ''}" IMAGE_DEPENDS ?= "" def swupdate_is_hash_needed(s, filename): @@ -101,7 +101,7 @@ python do_swuimage () { fetch = bb.fetch2.Fetch([], d) list_for_cpio = ["sw-description"] - if d.getVar('SWUPDATE_SIGNING', True) == '1': + if d.getVar('SWUPDATE_SIGNING', True): list_for_cpio.append('sw-description.sig') for url in fetch.urls: @@ -140,12 +140,20 @@ python do_swuimage () { hash = swupdate_get_sha256(s, file) swupdate_write_sha256(s, file, hash) - if d.getVar('SWUPDATE_SIGNING', True) == '1': - sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) - if sign_tool: - if os.system(sign_tool) != 0: - bb.fatal("Failed to sign with %s" % (sign_tool)) - else: + signing = d.getVar('SWUPDATE_SIGNING', True) + if signing == "1": + bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to "RSA". It is advised to set it to "RSA" if using RSA signing.') + signing = "RSA" + if signing: + if signing == "CUSTOM": + sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) + if sign_tool: + ret = os.system(sign_tool) + if ret != 0: + bb.fatal("Failed to sign with %s" % (sign_tool)) + else: + bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given") + elif signing == "RSA": privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True) if not privkey: bb.fatal("SWUPDATE_PRIVATE_KEY isn't set") 
@@ -163,6 +171,26 @@ python do_swuimage () { os.path.join(s, 'sw-description')) if os.system(signcmd) != 0: bb.fatal("Failed to sign sw-description with %s" % (privkey)) + elif signing == "CMS": + cms_cert = d.getVar('SWUPDATE_CMS_CERT', True) + if not cms_cert: + bb.fatal("SWUPDATE_CMS_CERT is not set") + if not os.path.exists(cms_cert): + bb.fatal("SWUPDATE_CMS_CERT %s doesn't exist" % (cms_cert)) + cms_key = d.getVar('SWUPDATE_CMS_KEY', True) + if not cms_key: + bb.fatal("SWUPDATE_CMS_KEY isn't set") + if not os.path.exists(cms_key): + bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key)) + signcmd = "openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' -outform DER -nosmimecap -binary" % ( + os.path.join(s, 'sw-description'), + os.path.join(s, 'sw-description.sig'), + cms_cert, + cms_key) + if os.system(signcmd) != 0: + bb.fatal("Failed to sign sw-description with %s" % (privkey)) + else: + bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism."); line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo $i;done | cpio -ov -H crc >' + os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu') os.system("cd " + s + ";" + line)
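Review bot: the first hunk (`@@ -1,5 +1,5 @@`) only strips trailing whitespace from a comment line and has nothing to do with CMS signing; it belongs in a separate cleanup commit so that `git blame` on the signing logic stays readable.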
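Review bot: in the `DEPENDS` hunk (`@@ -14,7 +14,7 @@`) and the `list_for_cpio` hunk (`@@ -101,7 +101,7 @@`), `if d.getVar('SWUPDATE_SIGNING', True)` treats any non-empty string as "signing enabled", so `SWUPDATE_SIGNING = "0"` pulls in `openssl-native`, appends `sw-description.sig` to the cpio list and then dies much later with `Unrecognized SWUPDATE_SIGNING mechanism.` Either document that the variable must be unset (not "0") to disable signing, or resolve the mechanism once in a small helper that maps `"1"` to `"RSA"`, accepts `RSA`/`CMS`/`CUSTOM`, and calls `bb.fatal` on anything else, and use that helper in all three places so the error surfaces before any artifact is produced.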
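Review bot: in the `@@ -140,12 +140,20 @@` hunk the `CUSTOM` branch only checks the exit status of `os.system(sign_tool)`, but the earlier hunk unconditionally adds `sw-description.sig` to `list_for_cpio`, so a custom tool that writes its signature elsewhere (or nowhere) fails later inside the `cpio` pipeline with an unrelated error. Add `if not os.path.exists(os.path.join(s, 'sw-description.sig')): bb.fatal(...)` after the tool returns, and consider stating in the deprecation warning that `"1"` will stop being accepted, since `bb.warn` alone will be ignored in most builds.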
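Review bot: the `CMS` branch in `@@ -163,6 +171,26 @@` reuses the RSA error line `bb.fatal("Failed to sign sw-description with %s" % (privkey))`, but `privkey` is only assigned in the `RSA` branch, so a failed `openssl cms -sign` raises `UnboundLocalError` instead of the intended fatal message; use `cms_key` (or `cms_cert`) there. Two smaller points in the same hunk: `bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.");` carries a stray trailing semicolon, and building the `openssl cms` command with single-quoted `%s` paths for `os.system` still breaks on paths containing a quote; `subprocess.call` with an argument list avoids the shell entirely and needs no quoting.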