
[isar-cip-core,RFC,1/3] Move signing script to seperate package to better support HSM signing


Commit Message

Quirin Gylstorff Sept. 9, 2024, 11:21 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

If a Hardware Security Module (HSM) is used, the user needs to modify the
swupdate-certificate-key package in multiple ways to remove the error
message in case of a missing key.

This change decouples the signing key from the signing script to allow
easier integration with HSM-based signing.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/swupdate.bbclass                      |  3 +--
 recipes-core/images/swupdate.inc              |  5 +++-
 .../swupdate-certificates-key.inc             |  9 +------
 .../files/sign-swu-cms                        |  0
 .../files/sign-swu-rsa                        |  0
 .../swupdate-signer/swupdate-signer_0.1.bb    | 25 +++++++++++++++++++
 6 files changed, 31 insertions(+), 11 deletions(-)
 rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-cms (100%)
 rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-rsa (100%)
 create mode 100644 recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb

Comments

Jan Kiszka Sept. 9, 2024, 11:43 a.m. UTC | #1
On 09.09.24 13:21, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> If a Hardware security module(HSM) is used, the user needs to modify the
> swupdate-certificate-key package in multiple ways to remove the error
> message in case of a missing key.
> 
> This changes decouples the signing
> key from the signing script to allow easier integration with HSM based
> signing

Strangely formatted sentence.

> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  classes/swupdate.bbclass                      |  3 +--
>  recipes-core/images/swupdate.inc              |  5 +++-
>  .../swupdate-certificates-key.inc             |  9 +------
>  .../files/sign-swu-cms                        |  0
>  .../files/sign-swu-rsa                        |  0
>  .../swupdate-signer/swupdate-signer_0.1.bb    | 25 +++++++++++++++++++
>  6 files changed, 31 insertions(+), 11 deletions(-)
>  rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-cms (100%)
>  rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-rsa (100%)
>  create mode 100644 recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb
> 
> diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
> index eeb05b2..06418e5 100644
> --- a/classes/swupdate.bbclass
> +++ b/classes/swupdate.bbclass
> @@ -46,8 +46,7 @@ IMAGE_TYPEDEP:swu = "${@ '${SWU_DELTA_UPDATE_ARTIFACT_TYPE}' \
>      if d.getVar('DELTA_UPDATE_TYPE') == "rdiff" or d.getVar('DELTA_UPDATE_TYPE') == "zchunk" \
>      else '${SWU_UPDATE_ARTIFACT_TYPE}' }"
>  
> -IMAGER_BUILD_DEPS:swu += "${@'swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> -IMAGER_INSTALL:swu += "cpio ${@'openssl swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> +IMAGER_INSTALL:swu += "cpio"
>  IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>  
>  
> diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
> index 1d237f7..96994b5 100644
> --- a/recipes-core/images/swupdate.inc
> +++ b/recipes-core/images/swupdate.inc
> @@ -1,7 +1,7 @@
>  #
>  # CIP Core, generic profile
>  #
> -# Copyright (c) Siemens AG, 2023
> +# Copyright (c) Siemens AG, 2023-2024
>  #
>  # Authors:
>  #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> @@ -14,6 +14,9 @@ inherit read-only-rootfs
>  
>  SWU_SIGNED ?= "1"
>  SWU_HW_COMPAT ?= "cip-core-1.0"
> +IMAGER_BUILD_DEPS:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> +IMAGER_INSTALL:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"

Moving these dependencies here requires some explanation, at least for
me. Not saying it is wrong, just like to read the reasoning somewhere.

>  IMAGE_INSTALL += " swupdate"
>  
>  IMAGE_INSTALL:remove:sid = "swupdate"
> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
> index 93cf255..bcc8e2a 100644
> --- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
> @@ -18,17 +18,10 @@ PROVIDES += "swupdate-certificates-key"
>  DEBIAN_PROVIDES = "swupdate-certificates-key"
>  
>  SWU_SIGN_KEY ??= ""
> -SWU_SIGN_SCRIPT ??= "sign-swu-cms"
>  SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }"
> -SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }"
>  
> -do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \
> -                         ${D}/usr/bin/"
> +do_install[cleandirs] = "${D}/usr/share/swupdate-signing"
>  do_install() {
> -    if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ]; then
> -        bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process"
> -    fi
> -    install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu
>      if [ -z ${SWU_SIGN_KEY} ]; then
>          bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe"
>      fi
> diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-signer/files/sign-swu-cms
> similarity index 100%
> rename from recipes-devtools/swupdate-certificates/files/sign-swu-cms
> rename to recipes-devtools/swupdate-signer/files/sign-swu-cms
> diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-signer/files/sign-swu-rsa
> similarity index 100%
> rename from recipes-devtools/swupdate-certificates/files/sign-swu-rsa
> rename to recipes-devtools/swupdate-signer/files/sign-swu-rsa
> diff --git a/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb b/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb
> new file mode 100644
> index 0000000..71cc10c
> --- /dev/null
> +++ b/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb
> @@ -0,0 +1,25 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +inherit dpkg-raw
> +DPKG_ARCH = "all"
> +DEBIAN_MULTI_ARCH = "foreign"
> +
> +DEPENDS = "swupdate-certificates-key"
> +DEBIAN_DEPENDS += "openssl, swupdate-certificates-key"
> +
> +SWU_SIGN_SCRIPT ??= "sign-swu-cms"
> +
> +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }"
> +
> +do_install[cleandirs] = "${D}/usr/bin/"
> +do_install() {
> +    install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu
> +}

Jan

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index eeb05b2..06418e5 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -46,8 +46,7 @@  IMAGE_TYPEDEP:swu = "${@ '${SWU_DELTA_UPDATE_ARTIFACT_TYPE}' \
     if d.getVar('DELTA_UPDATE_TYPE') == "rdiff" or d.getVar('DELTA_UPDATE_TYPE') == "zchunk" \
     else '${SWU_UPDATE_ARTIFACT_TYPE}' }"
 
-IMAGER_BUILD_DEPS:swu += "${@'swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
-IMAGER_INSTALL:swu += "cpio ${@'openssl swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGER_INSTALL:swu += "cpio"
 IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
 
 
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 1d237f7..96994b5 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -1,7 +1,7 @@ 
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -14,6 +14,9 @@  inherit read-only-rootfs
 
 SWU_SIGNED ?= "1"
 SWU_HW_COMPAT ?= "cip-core-1.0"
+IMAGER_BUILD_DEPS:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGER_INSTALL:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
 IMAGE_INSTALL += " swupdate"
 
 IMAGE_INSTALL:remove:sid = "swupdate"
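Review bot: The added `IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"` line duplicates the one that classes/swupdate.bbclass still keeps after this patch (the class hunk above removes only the two IMAGER_* lines), so an image that inherits the class and includes this file adds swupdate-certificates from two places. Keep the conditional in one place only, probably here next to the new swupdate-signer entries, and drop it from the class so all SWU_SIGNED-gated additions sit together. As far as I can tell the duplicate is harmless for BitBake's list handling, but it is the kind of drift where one copy later gets updated and the other does not.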
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
index 93cf255..bcc8e2a 100644
--- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
@@ -18,17 +18,10 @@  PROVIDES += "swupdate-certificates-key"
 DEBIAN_PROVIDES = "swupdate-certificates-key"
 
 SWU_SIGN_KEY ??= ""
-SWU_SIGN_SCRIPT ??= "sign-swu-cms"
 SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }"
-SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }"
 
-do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \
-                         ${D}/usr/bin/"
+do_install[cleandirs] = "${D}/usr/share/swupdate-signing"
 do_install() {
-    if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ]; then
-        bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process"
-    fi
-    install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu
     if [ -z ${SWU_SIGN_KEY} ]; then
         bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe"
     fi
diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-signer/files/sign-swu-cms
similarity index 100%
rename from recipes-devtools/swupdate-certificates/files/sign-swu-cms
rename to recipes-devtools/swupdate-signer/files/sign-swu-cms
diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-signer/files/sign-swu-rsa
similarity index 100%
rename from recipes-devtools/swupdate-certificates/files/sign-swu-rsa
rename to recipes-devtools/swupdate-signer/files/sign-swu-rsa
diff --git a/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb b/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb
new file mode 100644
index 0000000..71cc10c
--- /dev/null
+++ b/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb
@@ -0,0 +1,25 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+DPKG_ARCH = "all"
+DEBIAN_MULTI_ARCH = "foreign"
+
+DEPENDS = "swupdate-certificates-key"
+DEBIAN_DEPENDS += "openssl, swupdate-certificates-key"
+
+SWU_SIGN_SCRIPT ??= "sign-swu-cms"
+
+SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }"
+
+do_install[cleandirs] = "${D}/usr/bin/"
+do_install() {
+    install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu
+}
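Review bot: The new do_install drops the `[ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ]` guard and its bbfatal that swupdate-certificates-key.inc had before this patch, so a misspelled or missing SWU_SIGN_SCRIPT now fails inside `install` with a generic error rather than the explanatory message; I would carry the check over ahead of the install call, `if [ ! -f "${WORKDIR}/${SWU_SIGN_SCRIPT}" ]; then bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process"; fi`, and quote the path in the `install` line as well since the inherited expansions are unquoted. Separately, `DEPENDS` and `DEBIAN_DEPENDS` still hard-wire swupdate-certificates-key into the signer package, which appears to work against the stated goal of HSM signing without a local key file; if a later patch in this series relaxes that coupling, a sentence in the commit message saying so would help the reader.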