| Message ID | 20250505165257.107414-1-perezmeyer@gmail.com |
|---|---|
| State | Accepted |
| Series | Add Yocto instructions for encryption |
On Mon, May 5, 2025 at 1:53 PM Lisandro Damián Nicanor Pérez Meyer < lpmeyer@ics.com> wrote: > From: Lisandro Perez Meyer <lpmeyer@ics.com> > > Signed-off-by: Lisandro Perez Meyer <lpmeyer@ics.com> > --- > doc/source/building-with-yocto.rst | 63 ++++++++++++++++++++++++++++++ > 1 file changed, 63 insertions(+) > > diff --git a/doc/source/building-with-yocto.rst > b/doc/source/building-with-yocto.rst > index f55b83ad..eeeeee31 100644 > --- a/doc/source/building-with-yocto.rst > +++ b/doc/source/building-with-yocto.rst 
> @@ -265,6 +265,69 @@ In the simple way, your recipe looks like > SWUPDATE_IMAGES_FSTYPES[<name of your image>] = <fstype to be put > into SWU> > inherit swupdate-image > > + > +SWU image content's encryption > +----------------------------- > + > +The swupdate class is able to encrypt the contents of the SWU image. In > order to do > +so first check that SWUpdate is compiled with > ``CONFIG_ENCRYPTED_IMAGES=y`` > +enabled. Then set ``SWUPDATE_AES_FILE`` to the full path of the key. > Finally, > +for each content you want to encrypt, on your SWU image recipe add: > + > +:: > + > + > + SWUPDATE_IMAGES_ENCRYPTED[content] = "1" > + > + > +Where ``content`` matches the files described on ``sw-description``. > + > +If you want to encrypt sw-description check that SWUpdate is being > compiled with > +``CONFIG_ENCRYPTED_SW_DESCRIPTION=y`` and then set the following on your > SWU > +image recipe: > + > +:: > + > + > + SWUPDATE_ENCRYPT_SWDESC = "1" > + > + > +Do not forget to add ``encrypted = true;`` on each of the contents that > will require > +decryption on the ``sw-description`` file. > + > +Expanding on the previous example: > + > +:: > + > + DESCRIPTION = "Example recipe generating SWU image" > + SECTION = "" > + > + LICENSE = "" > + > + # Add all local files to be added to the SWU > + # sw-description must always be in the list. 
> + # You can extend with scripts or whatever you need > + SRC_URI = " \ > + file://sw-description \ > + " > + > + # images to build before building swupdate image > + IMAGE_DEPENDS = "core-image-full-cmdline virtual/kernel" > + > + # images and files that will be included in the .swu image > + SWUPDATE_IMAGES = "core-image-full-cmdline uImage" > + > + # a deployable image can have multiple format, choose one > + SWUPDATE_IMAGES_FSTYPES[core-image-full-cmdline] = ".ubifs" > + SWUPDATE_IMAGES_FSTYPES[uImage] = ".bin" > + > + SWUPDATE_IMAGES_ENCRYPTED[core-image-full-cmdline.ubifs] = "1" > + SWUPDATE_IMAGES_ENCRYPTED[uImage] = "1" > + SWUPDATE_ENCRYPT_SWDESC = "1" > + > + inherit swupdate > + > + > What about grub ? > ================= > In order to use swupdate with grub, swupdate needs to be configured to > use grub. Some of > -- > 2.49.0 > > Here I added instructions to check that the right compile-time configuration options are set.
Hi Lisandro, On 5/5/25 18:52, 'Lisandro Damián Nicanor Pérez Meyer' via swupdate wrote: > From: Lisandro Perez Meyer <lpmeyer@ics.com> > > Signed-off-by: Lisandro Perez Meyer <lpmeyer@ics.com> > --- > doc/source/building-with-yocto.rst | 63 ++++++++++++++++++++++++++++++ > 1 file changed, 63 insertions(+) > > diff --git a/doc/source/building-with-yocto.rst b/doc/source/building-with-yocto.rst > index f55b83ad..eeeeee31 100644 > --- a/doc/source/building-with-yocto.rst > +++ b/doc/source/building-with-yocto.rst 
> @@ -265,6 +265,69 @@ In the simple way, your recipe looks like > SWUPDATE_IMAGES_FSTYPES[<name of your image>] = <fstype to be put into SWU> > inherit swupdate-image > > + > +SWU image content's encryption > +----------------------------- > + > +The swupdate class is able to encrypt the contents of the SWU image. In order to do > +so first check that SWUpdate is compiled with ``CONFIG_ENCRYPTED_IMAGES=y`` > +enabled. Then set ``SWUPDATE_AES_FILE`` to the full path of the key. Finally, > +for each content you want to encrypt, on your SWU image recipe add: > + > +:: > + > + > + SWUPDATE_IMAGES_ENCRYPTED[content] = "1" > + > + > +Where ``content`` matches the files described on ``sw-description``. > + > +If you want to encrypt sw-description check that SWUpdate is being compiled with > +``CONFIG_ENCRYPTED_SW_DESCRIPTION=y`` and then set the following on your SWU > +image recipe: > + > +:: > + > + > + SWUPDATE_ENCRYPT_SWDESC = "1" > + > + > +Do not forget to add ``encrypted = true;`` on each of the contents that will require > +decryption on the ``sw-description`` file. > + > +Expanding on the previous example: > + > +:: > + > + DESCRIPTION = "Example recipe generating SWU image" > + SECTION = "" > + > + LICENSE = "" > + > + # Add all local files to be added to the SWU > + # sw-description must always be in the list. 
> + # You can extend with scripts or whatever you need > + SRC_URI = " \ > + file://sw-description \ > + " > + > + # images to build before building swupdate image > + IMAGE_DEPENDS = "core-image-full-cmdline virtual/kernel" > + > + # images and files that will be included in the .swu image > + SWUPDATE_IMAGES = "core-image-full-cmdline uImage" > + > + # a deployable image can have multiple format, choose one > + SWUPDATE_IMAGES_FSTYPES[core-image-full-cmdline] = ".ubifs" > + SWUPDATE_IMAGES_FSTYPES[uImage] = ".bin" > + > + SWUPDATE_IMAGES_ENCRYPTED[core-image-full-cmdline.ubifs] = "1" > + SWUPDATE_IMAGES_ENCRYPTED[uImage] = "1" > + SWUPDATE_ENCRYPT_SWDESC = "1" > + > + inherit swupdate > + > + > What about grub ? > ================= > In order to use swupdate with grub, swupdate needs to be configured to use grub. Some of Reviewed-by: Stefano Babic <stefano.babic@swupdate.org> Best regards, Stefano
Hi, On Mon, May 5, 2025 at 1:59 PM Stefano Babic <stefano.babic@swupdate.org> wrote: > Hi Lisandro, > > On 5/5/25 18:52, 'Lisandro Damián Nicanor Pérez Meyer' via swupdate wrote: > > From: Lisandro Perez Meyer <lpmeyer@ics.com> > > > > Signed-off-by: Lisandro Perez Meyer <lpmeyer@ics.com> > > --- > > doc/source/building-with-yocto.rst | 63 ++++++++++++++++++++++++++++++ > > 1 file changed, 63 insertions(+) > > > > diff --git a/doc/source/building-with-yocto.rst > b/doc/source/building-with-yocto.rst > > index f55b83ad..eeeeee31 100644 > > --- a/doc/source/building-with-yocto.rst > > +++ b/doc/source/building-with-yocto.rst 
> > @@ -265,6 +265,69 @@ In the simple way, your recipe looks like > > SWUPDATE_IMAGES_FSTYPES[<name of your image>] = <fstype to be > put into SWU> > > inherit swupdate-image > > > > + > > +SWU image content's encryption > > +----------------------------- > > + > > +The swupdate class is able to encrypt the contents of the SWU image. In > order to do > > +so first check that SWUpdate is compiled with > ``CONFIG_ENCRYPTED_IMAGES=y`` > > +enabled. Then set ``SWUPDATE_AES_FILE`` to the full path of the key. > Finally, > > +for each content you want to encrypt, on your SWU image recipe add: > > + > > +:: > > + > > + > > + SWUPDATE_IMAGES_ENCRYPTED[content] = "1" > > + > > + > > +Where ``content`` matches the files described on ``sw-description``. > > + > > +If you want to encrypt sw-description check that SWUpdate is being > compiled with > > +``CONFIG_ENCRYPTED_SW_DESCRIPTION=y`` and then set the following on > your SWU > > +image recipe: > > + > > +:: > > + > > + > > + SWUPDATE_ENCRYPT_SWDESC = "1" > > + > > + > > +Do not forget to add ``encrypted = true;`` on each of the contents that > will require > > +decryption on the ``sw-description`` file. > > + > > +Expanding on the previous example: > > + > > +:: > > + > > + DESCRIPTION = "Example recipe generating SWU image" > > + SECTION = "" > > + > > + LICENSE = "" > > + > > + # Add all local files to be added to the SWU > > + # sw-description must always be in the list. 
> > + # You can extend with scripts or whatever you need > > + SRC_URI = " \ > > + file://sw-description \ > > + " > > + > > + # images to build before building swupdate image > > + IMAGE_DEPENDS = "core-image-full-cmdline virtual/kernel" > > + > > + # images and files that will be included in the .swu image > > + SWUPDATE_IMAGES = "core-image-full-cmdline uImage" > > + > > + # a deployable image can have multiple format, choose one > > + SWUPDATE_IMAGES_FSTYPES[core-image-full-cmdline] = ".ubifs" > > + SWUPDATE_IMAGES_FSTYPES[uImage] = ".bin" > > + > > + SWUPDATE_IMAGES_ENCRYPTED[core-image-full-cmdline.ubifs] = "1" > > + SWUPDATE_IMAGES_ENCRYPTED[uImage] = "1" > > + SWUPDATE_ENCRYPT_SWDESC = "1" > > + > > + inherit swupdate > > + > > + > > What about grub ? > > ================= > > In order to use swupdate with grub, swupdate needs to be configured to > use grub. Some of > > Reviewed-by: Stefano Babic <stefano.babic@swupdate.org> > Thanks! Now I sincerely don't know if I should be doing something else here.
Hi Lisandro,
On Mon, May 5, 2025 at 6:45 PM 'Lisandro Pérez Meyer' via swupdate
<swupdate@googlegroups.com> wrote:
> Thanks! Now I sincerely don't know if I should be doing something else here.
You don't need to do anything for now.
Most likely, Stefano will apply it soon.
If someone else provides some feedback, then you may send a v2.
On Mon, May 5, 2025 at 6:56 PM Fabio Estevam <festevam@gmail.com> wrote:
> Hi Lisandro,
>
> On Mon, May 5, 2025 at 6:45 PM 'Lisandro Pérez Meyer' via swupdate
> <swupdate@googlegroups.com> wrote:
>
> > Thanks! Now I sincerely don't know if I should be doing something else here.
>
> You don't need to do anything for now.
>
> Most likely, Stefano will apply it soon.
>
> If someone else provides some feedback, then you may send a v2.

Thanks a lot Fabio, much appreciated :)
diff --git a/doc/source/building-with-yocto.rst b/doc/source/building-with-yocto.rst index f55b83ad..eeeeee31 100644 --- a/doc/source/building-with-yocto.rst +++ b/doc/source/building-with-yocto.rst 
@@ -265,6 +265,69 @@ In the simple way, your recipe looks like SWUPDATE_IMAGES_FSTYPES[<name of your image>] = <fstype to be put into SWU> inherit swupdate-image + +SWU image content's encryption +----------------------------- + +The swupdate class is able to encrypt the contents of the SWU image. In order to do +so first check that SWUpdate is compiled with ``CONFIG_ENCRYPTED_IMAGES=y`` +enabled. Then set ``SWUPDATE_AES_FILE`` to the full path of the key. Finally, +for each content you want to encrypt, on your SWU image recipe add: + +:: + + + SWUPDATE_IMAGES_ENCRYPTED[content] = "1" + + +Where ``content`` matches the files described on ``sw-description``. + +If you want to encrypt sw-description check that SWUpdate is being compiled with +``CONFIG_ENCRYPTED_SW_DESCRIPTION=y`` and then set the following on your SWU +image recipe: + +:: + + + SWUPDATE_ENCRYPT_SWDESC = "1" + + +Do not forget to add ``encrypted = true;`` on each of the contents that will require +decryption on the ``sw-description`` file. + +Expanding on the previous example: + +:: + + DESCRIPTION = "Example recipe generating SWU image" + SECTION = "" + + LICENSE = "" + + # Add all local files to be added to the SWU + # sw-description must always be in the list. + # You can extend with scripts or whatever you need + SRC_URI = " \ + file://sw-description \ + " + + # images to build before building swupdate image + IMAGE_DEPENDS = "core-image-full-cmdline virtual/kernel" + + # images and files that will be included in the .swu image + SWUPDATE_IMAGES = "core-image-full-cmdline uImage" + + # a deployable image can have multiple format, choose one + SWUPDATE_IMAGES_FSTYPES[core-image-full-cmdline] = ".ubifs" + SWUPDATE_IMAGES_FSTYPES[uImage] = ".bin" + + SWUPDATE_IMAGES_ENCRYPTED[core-image-full-cmdline.ubifs] = "1" + SWUPDATE_IMAGES_ENCRYPTED[uImage] = "1" + SWUPDATE_ENCRYPT_SWDESC = "1" + + inherit swupdate + + What about grub ? 
================= In order to use swupdate with grub, swupdate needs to be configured to use grub. Some of
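Review bot: In the expanded example recipe the keys of ``SWUPDATE_IMAGES_ENCRYPTED`` are inconsistent: ``core-image-full-cmdline`` is flagged with its fstype appended (``core-image-full-cmdline.ubifs``), while ``uImage`` is flagged without the ``.bin`` that ``SWUPDATE_IMAGES_FSTYPES[uImage]`` assigns to it. The prose only says that ``content`` "matches the files described on ``sw-description``", so a reader cannot tell whether the flag key is the image name or the image name plus fstype; please state the rule explicitly and make both example lines follow it. The example also never sets ``SWUPDATE_AES_FILE`` although the text requires it. Adding that line, together with a sentence on the expected format of the key file and a note that the key should live outside the layer and outside version control, would make the example usable as written.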