
[isar-cip-core,RFC,3/3] swupdate: Enable signed updates

Message ID 20230713085106.2062587-4-Quirin.Gylstorff@siemens.com (mailing list archive)

Commit Message

Quirin Gylstorff July 13, 2023, 8:51 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

With this change SWUpdate requires signed binaries to update
the system. An update without the correct signature will lead to the
following error message:
```
Error: SWUpdate is built for signed images, provide a public key file.
```

If unsigned binaries are wanted, re-add the build option
```
DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
```
to a swupdate_%.bbappend recipe

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 conf/distro/cip-core-common.inc                | 1 +
 kas/opt/swupdate.yml                           | 2 ++
 recipes-core/customizations/files/swupdate.cfg | 1 +
 recipes-core/images/swupdate.inc               | 4 ++++
 recipes-core/swupdate/swupdate_2023.05.bb      | 3 +--
 5 files changed, 9 insertions(+), 2 deletions(-)


diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc
index 5d3ce10..a3d959f 100644
--- a/conf/distro/cip-core-common.inc
+++ b/conf/distro/cip-core-common.inc
@@ -14,3 +14,4 @@  KERNEL_NAME ?= "cip"
 WKS_FILE ?= "${MACHINE}.wks"
 
 CIP_IMAGE_OPTIONS ?= ""
+
diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index b0293ce..0e30e89 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -28,3 +28,5 @@  local_conf_header:
     INITRAMFS_INSTALL:append = " initramfs-squashfs-hook"
     ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001"
     ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002"
+    PREFERRED_PROVIDER_swupdate-certificates-key ??= "swupdate-certificates-key-snakeoil"
+    PREFERRED_PROVIDER_swupdate-certificates ??= "swupdate-certificates-snakeoil"
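Review bot: The two `??=` defaults select the snakeoil certificate providers for every build that does not override them, so a product image built from this kas option would verify updates against what is presumably a test key pair shipped in the layer, and the signature requirement this series introduces would not give the protection it is meant to. A comment above the two lines should say that these are development-only defaults a product layer must override with its own providers, e.g. `# Development defaults only: the snakeoil providers ship test keys; override both in the product layer`. Making the selection visible at build time (a warning when the snakeoil provider is the one in effect) would catch the misconfiguration earlier, but that belongs in the image recipe rather than this file.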
diff --git a/recipes-core/customizations/files/swupdate.cfg b/recipes-core/customizations/files/swupdate.cfg
index 9ee47c7..3e2b45c 100644
--- a/recipes-core/customizations/files/swupdate.cfg
+++ b/recipes-core/customizations/files/swupdate.cfg
@@ -1,4 +1,5 @@ 
 globals :
 {
     bootloader = "ebg";
+    public-key-file = "/usr/share/swupdate-signing/swupdate-sign.crt"
 };
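Review bot: The added `public-key-file` setting has no trailing `;`, unlike the sibling `bootloader = "ebg";` line just above it; if the config parser tolerates the omission this is only a style inconsistency, otherwise it is a parse error at first start, so `public-key-file = "/usr/share/swupdate-signing/swupdate-sign.crt";` is the safer form. The path is also duplicated knowledge: it has to match wherever the swupdate-certificates package installs the certificate, which this hunk cannot show, so a one-line comment naming that package as the source of the file would help the next maintainer keep the two in sync.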
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 6a01abb..6b7da60 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -12,6 +12,10 @@ 
 inherit image_uuid
 inherit read-only-rootfs
 
+SWU_SIGNED = "1"
+SWU_SIGNATURE_TYPE = "cms"
+IMAGE_INSTALL += " swupdate-certificates"
+
 IMAGE_INSTALL += " swupdate"
 
 IMAGE_INSTALL += " swupdate-handler-roundrobin"
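Review bot: The three added assignments carry no comment, and their relationship is not obvious from the names: `SWU_SIGNED` and `SWU_SIGNATURE_TYPE` presumably drive signing of the generated .swu at build time while `swupdate-certificates` installs the verifying certificate into the image, and a reader has to find the signing class to learn that. A header such as `# Sign the generated .swu (CMS) and ship the matching public certificate so the target rejects unsigned updates` above them would make the intent clear. If a product layer is expected to choose a different signature type, `SWU_SIGNATURE_TYPE ?= "cms"` would let it do so without having to override a hard assignment in a bbappend.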
diff --git a/recipes-core/swupdate/swupdate_2023.05.bb b/recipes-core/swupdate/swupdate_2023.05.bb
index 26c0e67..d744173 100644
--- a/recipes-core/swupdate/swupdate_2023.05.bb
+++ b/recipes-core/swupdate/swupdate_2023.05.bb
@@ -31,8 +31,7 @@  SRC_URI += "file://0001-d-rules-Add-option-for-suricatta_lua.patch \
             file://0003-d-patches-Add-patch-to-add-the-build-version-to-swup.patch \
             file://0004-d-rules-Add-option-to-enable-suricatta_wfx.patch"
 
-# deactivate signing and hardware compability for simple a/b rootfs update
-DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
+# deactivate hardware compability for simple a/b rootfs update
 DEB_BUILD_PROFILES += "pkg.swupdate.nohwcompat"
 
 # suricatta wfx requires suricatta lua and the dependency
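Review bot: The rewritten comment on the new side keeps the misspelling `compability`; `# deactivate hardware compatibility check for simple a/b rootfs update` reads correctly. Since the commit message tells users that unsigned builds must re-add `pkg.swupdate.nosigning` in a bbappend, stating that next to the profile list would put the instruction where someone editing the profiles will look for it, e.g. `# signing is required; add pkg.swupdate.nosigning in a swupdate_%.bbappend to opt out`.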