| Message ID | 20240909112309.1028531-4-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Separate swu signing script from key | expand |
On 09.09.24 13:21, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > doc/README.swupdate.md | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) > > diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md > index a5fbab9..421ca1c 100644 > --- a/doc/README.swupdate.md > +++ b/doc/README.swupdate.md > @@ -138,6 +138,7 @@ PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key" > PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" > SWU_SIGN_CERT = "<sigining certificate file name>" > SWU_SIGN_KEY = "<siging key file name>" > +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" > ``` > > The files `<sigining certificate file name>` and `<siging key file name>` need to be stored > @@ -145,8 +146,19 @@ in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bb > > ### signing script > > -The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms) > -can be replaced by setting the variable `SWU_SIGN_SCRIPT`. > +The package [swupdate-signer](recipes-devtools/swupdate-signer/) provides a [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms). > +This script can be replaced by setting the variable `SWU_SIGN_SCRIPT`. "When reusing this recipe to inject a different signing tool, you may adjust `SWU_SIGN_SCRIPT` as needed." Just setting that variable will likely not help... > + > + One newline only here. > +Alternatively an own signing script can be used by adding the following lines: > +``` > +IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer" > +IMAGER_INSTALL:remove:swu = "swupdate-signer" > +IMAGER_BUILD_DEPS:swu += "${@'<own signing package>' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" > +IMAGER_INSTALL:swu += "${@'<own signing package>' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" > +``` Ugly. An alternative package should simply PROVIDES swudpate-signer, and one should set the PREFERRED_PROIVDER_swupdate-signer then. That's more bitbake/OE/isar-like. > + > +The package `<own signing package>` needs to install a executable to `/usr/bin/sign-swu`. > > ## SWUpdate Hardware compatibility > Jan
On Mon, 2024-09-09 at 13:43 +0200, Jan Kiszka wrote: > On 09.09.24 13:21, Quirin Gylstorff wrote: > > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > --- > > doc/README.swupdate.md | 16 ++++++++++++++-- > > 1 file changed, 14 insertions(+), 2 deletions(-) > > > > diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md > > index a5fbab9..421ca1c 100644 > > --- a/doc/README.swupdate.md > > +++ b/doc/README.swupdate.md > > @@ -138,6 +138,7 @@ PREFERRED_PROVIDER_swupdate-certificates-key = > > "swupdate-certificates-key" > > PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" > > SWU_SIGN_CERT = "<sigining certificate file name>" > > SWU_SIGN_KEY = "<siging key file name>" > > +IMAGE_INSTALL += "${@'swupdate-certificates' if > > bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" > > ``` > > > > The files `<sigining certificate file name>` and `<siging key file > > name>` need to be stored > > @@ -145,8 +146,19 @@ in `recipes-devtools/swupdate- > > certificates/files/` or in a path defined by an bb > > > > ### signing script > > > > -The provided [cms signing script](./recipes-devtools/swupdate- > > certificates/files/sign-swu-cms) > > -can be replaced by setting the variable `SWU_SIGN_SCRIPT`. > > +The package [swupdate-signer](recipes-devtools/swupdate-signer/) > > provides a [cms signing script](./recipes-devtools/swupdate- > > certificates/files/sign-swu-cms). > > +This script can be replaced by setting the variable > > `SWU_SIGN_SCRIPT`. > > "When reusing this recipe to inject a different signing tool, you may > adjust `SWU_SIGN_SCRIPT` as needed." Just setting that variable will > likely not help... I propose to completely drop this interface. If you need to use a different script, provide it via a dedicated package. > > > + > > + > > One newline only here. > > > +Alternatively an own signing script can be used by adding the > > following lines: > > +``` > > +IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer" > > +IMAGER_INSTALL:remove:swu = "swupdate-signer" > > +IMAGER_BUILD_DEPS:swu += "${@'<own signing package>' if > > bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" > > +IMAGER_INSTALL:swu += "${@'<own signing package>' if > > bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" > > +``` > > Ugly. An alternative package should simply PROVIDES swudpate-signer, > and > one should set the PREFERRED_PROIVDER_swupdate-signer then. That's > more > bitbake/OE/isar-like. Fully agree with Jan. Please implement is similar to the secure-boot signing pattern. Felix > > > + > > +The package `<own signing package>` needs to install a executable > > to `/usr/bin/sign-swu`. > > > > ## SWUpdate Hardware compatibility > > > > Jan >
On 9/11/24 9:51 AM, Moessbauer, Felix (T CED OES-DE) wrote: > On Mon, 2024-09-09 at 13:43 +0200, Jan Kiszka wrote: >> On 09.09.24 13:21, Quirin Gylstorff wrote: >>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>> >>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>> --- >>> doc/README.swupdate.md | 16 ++++++++++++++-- >>> 1 file changed, 14 insertions(+), 2 deletions(-) >>> >>> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md >>> index a5fbab9..421ca1c 100644 >>> --- a/doc/README.swupdate.md >>> +++ b/doc/README.swupdate.md >>> @@ -138,6 +138,7 @@ PREFERRED_PROVIDER_swupdate-certificates-key = >>> "swupdate-certificates-key" >>> PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" >>> SWU_SIGN_CERT = "<sigining certificate file name>" >>> SWU_SIGN_KEY = "<siging key file name>" >>> +IMAGE_INSTALL += "${@'swupdate-certificates' if >>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" >>> ``` >>> >>> The files `<sigining certificate file name>` and `<siging key file >>> name>` need to be stored >>> @@ -145,8 +146,19 @@ in `recipes-devtools/swupdate- >>> certificates/files/` or in a path defined by an bb >>> >>> ### signing script >>> >>> -The provided [cms signing script](./recipes-devtools/swupdate- >>> certificates/files/sign-swu-cms) >>> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`. >>> +The package [swupdate-signer](recipes-devtools/swupdate-signer/) >>> provides a [cms signing script](./recipes-devtools/swupdate- >>> certificates/files/sign-swu-cms). >>> +This script can be replaced by setting the variable >>> `SWU_SIGN_SCRIPT`. >> >> "When reusing this recipe to inject a different signing tool, you may >> adjust `SWU_SIGN_SCRIPT` as needed." Just setting that variable will >> likely not help... > > I propose to completely drop this interface. If you need to use a > different script, provide it via a dedicated package. > Then i will also remove the swu-sign-rsa alternative from the package. Quirin: >> >>> + >>> + >> >> One newline only here. >> >>> +Alternatively an own signing script can be used by adding the >>> following lines: >>> +``` >>> +IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer" >>> +IMAGER_INSTALL:remove:swu = "swupdate-signer" >>> +IMAGER_BUILD_DEPS:swu += "${@'<own signing package>' if >>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" >>> +IMAGER_INSTALL:swu += "${@'<own signing package>' if >>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" >>> +``` >> >> Ugly. An alternative package should simply PROVIDES swudpate-signer, >> and >> one should set the PREFERRED_PROIVDER_swupdate-signer then. That's >> more >> bitbake/OE/isar-like. > > Fully agree with Jan. Please implement is similar to the secure-boot > signing pattern. > > Felix > >> >>> + >>> +The package `<own signing package>` needs to install a executable >>> to `/usr/bin/sign-swu`. >>> >>> ## SWUpdate Hardware compatibility >>> >> >> Jan >> >
diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md index a5fbab9..421ca1c 100644 --- a/doc/README.swupdate.md +++ b/doc/README.swupdate.md @@ -138,6 +138,7 @@ PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key" PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" SWU_SIGN_CERT = "<sigining certificate file name>" SWU_SIGN_KEY = "<siging key file name>" +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" ``` The files `<sigining certificate file name>` and `<siging key file name>` need to be stored @@ -145,8 +146,19 @@ in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bb ### signing script -The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms) -can be replaced by setting the variable `SWU_SIGN_SCRIPT`. +The package [swupdate-signer](recipes-devtools/swupdate-signer/) provides a [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms). +This script can be replaced by setting the variable `SWU_SIGN_SCRIPT`. + + +Alternatively an own signing script can be used by adding the following lines: +``` +IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer" +IMAGER_INSTALL:remove:swu = "swupdate-signer" +IMAGER_BUILD_DEPS:swu += "${@'<own signing package>' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_INSTALL:swu += "${@'<own signing package>' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +``` + +The package `<own signing package>` needs to install a executable to `/usr/bin/sign-swu`. ## SWUpdate Hardware compatibility