[isar-cip-core,RFC,3/3] Update README for swupdate signing

Message ID 20240909112309.1028531-4-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Series Separate swu signing script from key

Commit Message

Quirin Gylstorff Sept. 9, 2024, 11:21 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.swupdate.md | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

Comments

Jan Kiszka Sept. 9, 2024, 11:43 a.m. UTC | #1
On 09.09.24 13:21, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  doc/README.swupdate.md | 16 ++++++++++++++--
>  1 file changed, 14 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
> index a5fbab9..421ca1c 100644
> --- a/doc/README.swupdate.md
> +++ b/doc/README.swupdate.md
> @@ -138,6 +138,7 @@ PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key"
>  PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
>  SWU_SIGN_CERT = "<sigining certificate file name>"
>  SWU_SIGN_KEY  = "<siging key file name>"
> +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>  ```
>  
>  The files `<sigining certificate file name>` and `<siging key file name>` need to be stored
> @@ -145,8 +146,19 @@ in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bb
>  
>  ### signing script
>  
> -The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms)
> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
> +The package [swupdate-signer](recipes-devtools/swupdate-signer/) provides a [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms).
> +This script can be replaced by setting the variable `SWU_SIGN_SCRIPT`.

"When reusing this recipe to inject a different signing tool, you may
adjust `SWU_SIGN_SCRIPT` as needed." Just setting that variable will
likely not help...

> +
> +

One newline only here.

> +Alternatively an own signing script can be used by adding the following lines:
> +```
> +IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer"
> +IMAGER_INSTALL:remove:swu = "swupdate-signer"
> +IMAGER_BUILD_DEPS:swu += "${@'<own signing package>' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> +IMAGER_INSTALL:swu += "${@'<own signing package>' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> +```

Ugly. An alternative package should simply PROVIDES swupdate-signer, and
one should set the PREFERRED_PROVIDER_swupdate-signer then. That's more
bitbake/OE/isar-like.

> +
> +The package `<own signing package>` needs to install a executable to `/usr/bin/sign-swu`.
>  
>  ## SWUpdate Hardware compatibility
>  

Jan

Felix Moessbauer Sept. 11, 2024, 7:51 a.m. UTC | #2
On Mon, 2024-09-09 at 13:43 +0200, Jan Kiszka wrote:
> On 09.09.24 13:21, Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> > 
> > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> > ---
> >  doc/README.swupdate.md | 16 ++++++++++++++--
> >  1 file changed, 14 insertions(+), 2 deletions(-)
> > 
> > diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
> > index a5fbab9..421ca1c 100644
> > --- a/doc/README.swupdate.md
> > +++ b/doc/README.swupdate.md
> > @@ -138,6 +138,7 @@ PREFERRED_PROVIDER_swupdate-certificates-key =
> > "swupdate-certificates-key"
> >  PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
> >  SWU_SIGN_CERT = "<sigining certificate file name>"
> >  SWU_SIGN_KEY  = "<siging key file name>"
> > +IMAGE_INSTALL += "${@'swupdate-certificates' if
> > bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> >  ```
> >  
> >  The files `<sigining certificate file name>` and `<siging key file
> > name>` need to be stored
> > @@ -145,8 +146,19 @@ in `recipes-devtools/swupdate-
> > certificates/files/` or in a path defined by an bb
> >  
> >  ### signing script
> >  
> > -The provided [cms signing script](./recipes-devtools/swupdate-
> > certificates/files/sign-swu-cms)
> > -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
> > +The package [swupdate-signer](recipes-devtools/swupdate-signer/)
> > provides a [cms signing script](./recipes-devtools/swupdate-
> > certificates/files/sign-swu-cms).
> > +This script can be replaced by setting the variable
> > `SWU_SIGN_SCRIPT`.
> 
> "When reusing this recipe to inject a different signing tool, you may
> adjust `SWU_SIGN_SCRIPT` as needed." Just setting that variable will
> likely not help...

I propose to completely drop this interface. If you need to use a
different script, provide it via a dedicated package.

> 
> > +
> > +
> 
> One newline only here.
> 
> > +Alternatively an own signing script can be used by adding the
> > following lines:
> > +```
> > +IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer"
> > +IMAGER_INSTALL:remove:swu = "swupdate-signer"
> > +IMAGER_BUILD_DEPS:swu += "${@'<own signing package>' if
> > bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> > +IMAGER_INSTALL:swu += "${@'<own signing package>' if
> > bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
> > +```
> 
> Ugly. An alternative package should simply PROVIDES swupdate-signer,
> and
> one should set the PREFERRED_PROVIDER_swupdate-signer then. That's
> more
> bitbake/OE/isar-like.

Fully agree with Jan. Please implement it similar to the secure-boot
signing pattern.

Felix

> 
> > +
> > +The package `<own signing package>` needs to install a executable
> > to `/usr/bin/sign-swu`.
> >  
> >  ## SWUpdate Hardware compatibility
> >  
> 
> Jan
>

Quirin Gylstorff Sept. 12, 2024, 8:30 a.m. UTC | #3
On 9/11/24 9:51 AM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Mon, 2024-09-09 at 13:43 +0200, Jan Kiszka wrote:
>> On 09.09.24 13:21, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>>   doc/README.swupdate.md | 16 ++++++++++++++--
>>>   1 file changed, 14 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
>>> index a5fbab9..421ca1c 100644
>>> --- a/doc/README.swupdate.md
>>> +++ b/doc/README.swupdate.md
>>> @@ -138,6 +138,7 @@ PREFERRED_PROVIDER_swupdate-certificates-key =
>>> "swupdate-certificates-key"
>>>   PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
>>>   SWU_SIGN_CERT = "<sigining certificate file name>"
>>>   SWU_SIGN_KEY  = "<siging key file name>"
>>> +IMAGE_INSTALL += "${@'swupdate-certificates' if
>>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>>>   ```
>>>   
>>>   The files `<sigining certificate file name>` and `<siging key file
>>> name>` need to be stored
>>> @@ -145,8 +146,19 @@ in `recipes-devtools/swupdate-
>>> certificates/files/` or in a path defined by an bb
>>>   
>>>   ### signing script
>>>   
>>> -The provided [cms signing script](./recipes-devtools/swupdate-
>>> certificates/files/sign-swu-cms)
>>> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
>>> +The package [swupdate-signer](recipes-devtools/swupdate-signer/)
>>> provides a [cms signing script](./recipes-devtools/swupdate-
>>> certificates/files/sign-swu-cms).
>>> +This script can be replaced by setting the variable
>>> `SWU_SIGN_SCRIPT`.
>>
>> "When reusing this recipe to inject a different signing tool, you may
>> adjust `SWU_SIGN_SCRIPT` as needed." Just setting that variable will
>> likely not help...
> 
> I propose to completely drop this interface. If you need to use a
> different script, provide it via a dedicated package.
> 
Then I will also remove the swu-sign-rsa alternative from the package.

Quirin:

>>
>>> +
>>> +
>>
>> One newline only here.
>>
>>> +Alternatively an own signing script can be used by adding the
>>> following lines:
>>> +```
>>> +IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer"
>>> +IMAGER_INSTALL:remove:swu = "swupdate-signer"
>>> +IMAGER_BUILD_DEPS:swu += "${@'<own signing package>' if
>>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>>> +IMAGER_INSTALL:swu += "${@'<own signing package>' if
>>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>>> +```
>>
>> Ugly. An alternative package should simply PROVIDES swupdate-signer,
>> and
>> one should set the PREFERRED_PROVIDER_swupdate-signer then. That's
>> more
>> bitbake/OE/isar-like.
> 
> Fully agree with Jan. Please implement it similar to the secure-boot
> signing pattern.
> 
> Felix
> 
>>
>>> +
>>> +The package `<own signing package>` needs to install a executable
>>> to `/usr/bin/sign-swu`.
>>>   
>>>   ## SWUpdate Hardware compatibility
>>>   
>>
>> Jan
>>
>

Patch

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index a5fbab9..421ca1c 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -138,6 +138,7 @@  PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key"
 PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
 SWU_SIGN_CERT = "<sigining certificate file name>"
 SWU_SIGN_KEY  = "<siging key file name>"
+IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
 ```
 
 The files `<sigining certificate file name>` and `<siging key file name>` need to be stored
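Review bot: The added `IMAGE_INSTALL` line in the configuration snippet has no accompanying explanation, and the commit message has no body either, so a reader cannot tell why the line became necessary. Please add a sentence after the snippet saying why the image needs `swupdate-certificates` when `SWU_SIGNED` is set, and making explicit that only the certificate package is added there while `swupdate-certificates-key` is not part of `IMAGE_INSTALL`. Since the snippet is being touched anyway, the placeholder typos in the context lines (`<sigining certificate file name>`, `<siging key file name>`) could be corrected in the same patch.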
@@ -145,8 +146,19 @@  in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bb
 
 ### signing script
 
-The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms)
-can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
+The package [swupdate-signer](recipes-devtools/swupdate-signer/) provides a [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms).
+This script can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
+
+
+Alternatively an own signing script can be used by adding the following lines:
+```
+IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer"
+IMAGER_INSTALL:remove:swu = "swupdate-signer"
+IMAGER_BUILD_DEPS:swu += "${@'<own signing package>' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGER_INSTALL:swu += "${@'<own signing package>' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+```
+
+The package `<own signing package>` needs to install a executable to `/usr/bin/sign-swu`.
 
 ## SWUpdate Hardware compatibility
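Review bot: In the first added line under `### signing script`, the text says the package swupdate-signer provides the CMS signing script, but the link target is still `./recipes-devtools/swupdate-certificates/files/sign-swu-cms`; if the script moved to the new recipe, the link should point there. The last added line requires `<own signing package>` to install an executable at `/usr/bin/sign-swu` without documenting how that executable is called (arguments, input, expected output, where it finds the key), so a replacement signer cannot be written from the README alone; please describe that interface. Smaller points: "a executable" should be "an executable", the two consecutive added blank lines should be one, and the two links use different path styles (`recipes-devtools/...` versus `./recipes-devtools/...`).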