[isar-cip-core,RFC,3/3] swupdate: Enable signed updates

Message ID 20230713164055.2786350-4-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Series Enable signed Software Update Binaries

Commit Message

Quirin Gylstorff July 13, 2023, 4:40 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

With this change SWUpdate requires signed binaries to update
the system. An update without the correct signature will lead to the
following error message:
```
Error: SWUpdate is built for signed images, provide a public key file.
```

If unsigned binaries are wanted readd the Build option
```
DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
```
to a swupdate_%.bbappend recipe

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 conf/distro/cip-core-common.inc                | 1 +
 kas/opt/swupdate.yml                           | 2 ++
 recipes-core/customizations/files/swupdate.cfg | 1 +
 recipes-core/images/swupdate.inc               | 4 ++++
 recipes-core/swupdate/swupdate_2023.05.bb      | 3 +--
 5 files changed, 9 insertions(+), 2 deletions(-)

Comments

Jan Kiszka July 13, 2023, 5:06 p.m. UTC | #1
On 13.07.23 18:40, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> With this change SWUpdate requires signed binaries to update
> the system. An update without the correct signature will lead to the
> following error message:
> ```
> Error: SWUpdate is built for signed images, provide a public key file.
> ```
> 
> If unsigned binaries are wanted readd the Build option
> ```
> DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
> ```
> to a swupdate_%.bbappend recipe
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  conf/distro/cip-core-common.inc                | 1 +
>  kas/opt/swupdate.yml                           | 2 ++
>  recipes-core/customizations/files/swupdate.cfg | 1 +
>  recipes-core/images/swupdate.inc               | 4 ++++
>  recipes-core/swupdate/swupdate_2023.05.bb      | 3 +--
>  5 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc
> index 5d3ce10..a3d959f 100644
> --- a/conf/distro/cip-core-common.inc
> +++ b/conf/distro/cip-core-common.inc
> @@ -14,3 +14,4 @@ KERNEL_NAME ?= "cip"
>  WKS_FILE ?= "${MACHINE}.wks"
>  
>  CIP_IMAGE_OPTIONS ?= ""
> +

Stray whitespace change.

> diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
> index b0293ce..0e30e89 100644
> --- a/kas/opt/swupdate.yml
> +++ b/kas/opt/swupdate.yml
> @@ -28,3 +28,5 @@ local_conf_header:
>      INITRAMFS_INSTALL:append = " initramfs-squashfs-hook"
>      ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001"
>      ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002"
> +    PREFERRED_PROVIDER_swupdate-certificates-key ??= "swupdate-certificates-key-snakeoil"
> +    PREFERRED_PROVIDER_swupdate-certificates ??= "swupdate-certificates-snakeoil"
> diff --git a/recipes-core/customizations/files/swupdate.cfg b/recipes-core/customizations/files/swupdate.cfg
> index 9ee47c7..3e2b45c 100644
> --- a/recipes-core/customizations/files/swupdate.cfg
> +++ b/recipes-core/customizations/files/swupdate.cfg
> @@ -1,4 +1,5 @@
>  globals :
>  {
>      bootloader = "ebg";
> +    public-key-file = "/usr/share/swupdate-signing/swupdate-sign.crt"
>  };
> diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
> index 6a01abb..6b7da60 100644
> --- a/recipes-core/images/swupdate.inc
> +++ b/recipes-core/images/swupdate.inc
> @@ -12,6 +12,10 @@
>  inherit image_uuid
>  inherit read-only-rootfs
>  
> +SWU_SIGNED = "1"

Shouldn't this be a weak assignment?

> +SWU_SIGNATURE_TYPE = "cms"
> +IMAGE_INSTALL += " swupdate-certificates"

...and this installation depend on SWU_SIGNED?

> +
>  IMAGE_INSTALL += " swupdate"
>  
>  IMAGE_INSTALL += " swupdate-handler-roundrobin"
> diff --git a/recipes-core/swupdate/swupdate_2023.05.bb b/recipes-core/swupdate/swupdate_2023.05.bb
> index 26c0e67..d744173 100644
> --- a/recipes-core/swupdate/swupdate_2023.05.bb
> +++ b/recipes-core/swupdate/swupdate_2023.05.bb
> @@ -31,8 +31,7 @@ SRC_URI += "file://0001-d-rules-Add-option-for-suricatta_lua.patch \
>              file://0003-d-patches-Add-patch-to-add-the-build-version-to-swup.patch \
>              file://0004-d-rules-Add-option-to-enable-suricatta_wfx.patch"
>  
> -# deactivate signing and hardware compability for simple a/b rootfs update
> -DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
> +# deactivate hardware compability for simple a/b rootfs update
>  DEB_BUILD_PROFILES += "pkg.swupdate.nohwcompat"
>  
>  # suricatta wfx requires suricatta lua and the dependency

Jan

Quirin Gylstorff July 14, 2023, 7:18 a.m. UTC | #2
On 7/13/23 19:06, Jan Kiszka wrote:
> On 13.07.23 18:40, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> With this change SWUpdate requires signed binaries to update
>> the system. An update without the correct signature will lead to the
>> following error message:
>> ```
>> Error: SWUpdate is built for signed images, provide a public key file.
>> ```
>>
>> If unsigned binaries are wanted readd the Build option
>> ```
>> DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
>> ```
>> to a swupdate_%.bbappend recipe
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   conf/distro/cip-core-common.inc                | 1 +
>>   kas/opt/swupdate.yml                           | 2 ++
>>   recipes-core/customizations/files/swupdate.cfg | 1 +
>>   recipes-core/images/swupdate.inc               | 4 ++++
>>   recipes-core/swupdate/swupdate_2023.05.bb      | 3 +--
>>   5 files changed, 9 insertions(+), 2 deletions(-)
>>
>> diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc
>> index 5d3ce10..a3d959f 100644
>> --- a/conf/distro/cip-core-common.inc
>> +++ b/conf/distro/cip-core-common.inc
>> @@ -14,3 +14,4 @@ KERNEL_NAME ?= "cip"
>>   WKS_FILE ?= "${MACHINE}.wks"
>>   
>>   CIP_IMAGE_OPTIONS ?= ""
>> +
> 
> Stray whitespace change.

Will fix.
> 
>> diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
>> index b0293ce..0e30e89 100644
>> --- a/kas/opt/swupdate.yml
>> +++ b/kas/opt/swupdate.yml
>> @@ -28,3 +28,5 @@ local_conf_header:
>>       INITRAMFS_INSTALL:append = " initramfs-squashfs-hook"
>>       ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001"
>>       ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002"
>> +    PREFERRED_PROVIDER_swupdate-certificates-key ??= "swupdate-certificates-key-snakeoil"
>> +    PREFERRED_PROVIDER_swupdate-certificates ??= "swupdate-certificates-snakeoil"
>> diff --git a/recipes-core/customizations/files/swupdate.cfg b/recipes-core/customizations/files/swupdate.cfg
>> index 9ee47c7..3e2b45c 100644
>> --- a/recipes-core/customizations/files/swupdate.cfg
>> +++ b/recipes-core/customizations/files/swupdate.cfg
>> @@ -1,4 +1,5 @@
>>   globals :
>>   {
>>       bootloader = "ebg";
>> +    public-key-file = "/usr/share/swupdate-signing/swupdate-sign.crt"
>>   };
>> diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
>> index 6a01abb..6b7da60 100644
>> --- a/recipes-core/images/swupdate.inc
>> +++ b/recipes-core/images/swupdate.inc
>> @@ -12,6 +12,10 @@
>>   inherit image_uuid
>>   inherit read-only-rootfs
>>   
>> +SWU_SIGNED = "1"
> 
> Shouldn't this be a weak assignment?

As signing is compiled into SWUpdate and cannot be deactivated, I have 
decided against a weak assignment.

If we want to switch it on and off again, we have to add an overwrite for the 
signed SWUpdate binaries.

Quirin


> 
>> +SWU_SIGNATURE_TYPE = "cms"
>> +IMAGE_INSTALL += " swupdate-certificates"
> 
> ...and this installation depend on SWU_SIGNED?
> 
>> +
>>   IMAGE_INSTALL += " swupdate"
>>   
>>   IMAGE_INSTALL += " swupdate-handler-roundrobin"
>> diff --git a/recipes-core/swupdate/swupdate_2023.05.bb b/recipes-core/swupdate/swupdate_2023.05.bb
>> index 26c0e67..d744173 100644
>> --- a/recipes-core/swupdate/swupdate_2023.05.bb
>> +++ b/recipes-core/swupdate/swupdate_2023.05.bb
>> @@ -31,8 +31,7 @@ SRC_URI += "file://0001-d-rules-Add-option-for-suricatta_lua.patch \
>>               file://0003-d-patches-Add-patch-to-add-the-build-version-to-swup.patch \
>>               file://0004-d-rules-Add-option-to-enable-suricatta_wfx.patch"
>>   
>> -# deactivate signing and hardware compability for simple a/b rootfs update
>> -DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
>> +# deactivate hardware compability for simple a/b rootfs update
>>   DEB_BUILD_PROFILES += "pkg.swupdate.nohwcompat"
>>   
>>   # suricatta wfx requires suricatta lua and the dependency
> 
> Jan
>

Jan Kiszka July 14, 2023, 7:27 a.m. UTC | #3
On 14.07.23 09:18, Gylstorff Quirin wrote:
> 
> 
> On 7/13/23 19:06, Jan Kiszka wrote:
>> On 13.07.23 18:40, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> With this change SWUpdate requires signed binaries to update
>>> the system. An update without the correct signature will lead to the
>>> following error message:
>>> ```
>>> Error: SWUpdate is built for signed images, provide a public key file.
>>> ```
>>>
>>> If unsigned binaries are wanted readd the Build option
>>> ```
>>> DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
>>> ```
>>> to a swupdate_%.bbappend recipe
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>>   conf/distro/cip-core-common.inc                | 1 +
>>>   kas/opt/swupdate.yml                           | 2 ++
>>>   recipes-core/customizations/files/swupdate.cfg | 1 +
>>>   recipes-core/images/swupdate.inc               | 4 ++++
>>>   recipes-core/swupdate/swupdate_2023.05.bb      | 3 +--
>>>   5 files changed, 9 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/conf/distro/cip-core-common.inc
>>> b/conf/distro/cip-core-common.inc
>>> index 5d3ce10..a3d959f 100644
>>> --- a/conf/distro/cip-core-common.inc
>>> +++ b/conf/distro/cip-core-common.inc
>>> @@ -14,3 +14,4 @@ KERNEL_NAME ?= "cip"
>>>   WKS_FILE ?= "${MACHINE}.wks"
>>>     CIP_IMAGE_OPTIONS ?= ""
>>> +
>>
>> Stray whitespace change.
> 
> Will fix.
>>
>>> diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
>>> index b0293ce..0e30e89 100644
>>> --- a/kas/opt/swupdate.yml
>>> +++ b/kas/opt/swupdate.yml
>>> @@ -28,3 +28,5 @@ local_conf_header:
>>>       INITRAMFS_INSTALL:append = " initramfs-squashfs-hook"
>>>       ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001"
>>>       ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002"
>>> +    PREFERRED_PROVIDER_swupdate-certificates-key ??=
>>> "swupdate-certificates-key-snakeoil"
>>> +    PREFERRED_PROVIDER_swupdate-certificates ??=
>>> "swupdate-certificates-snakeoil"
>>> diff --git a/recipes-core/customizations/files/swupdate.cfg
>>> b/recipes-core/customizations/files/swupdate.cfg
>>> index 9ee47c7..3e2b45c 100644
>>> --- a/recipes-core/customizations/files/swupdate.cfg
>>> +++ b/recipes-core/customizations/files/swupdate.cfg
>>> @@ -1,4 +1,5 @@
>>>   globals :
>>>   {
>>>       bootloader = "ebg";
>>> +    public-key-file = "/usr/share/swupdate-signing/swupdate-sign.crt"
>>>   };
>>> diff --git a/recipes-core/images/swupdate.inc
>>> b/recipes-core/images/swupdate.inc
>>> index 6a01abb..6b7da60 100644
>>> --- a/recipes-core/images/swupdate.inc
>>> +++ b/recipes-core/images/swupdate.inc
>>> @@ -12,6 +12,10 @@
>>>   inherit image_uuid
>>>   inherit read-only-rootfs
>>>   +SWU_SIGNED = "1"
>>
>> Shouldn't this be a weak assignment?
> 
> As signing is compiled into SWUpdate and cannot be deactivated, I have
> decided against a weak assignment.
> 
> If we want to switch it on and off again, we have to add an overwrite for the
> signed SWUpdate binaries.

Then why do we still have SWU_SIGNED at all if it is always "1"?

Jan

Patch

diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc
index 5d3ce10..a3d959f 100644
--- a/conf/distro/cip-core-common.inc
+++ b/conf/distro/cip-core-common.inc
@@ -14,3 +14,4 @@  KERNEL_NAME ?= "cip"
 WKS_FILE ?= "${MACHINE}.wks"
 
 CIP_IMAGE_OPTIONS ?= ""
+
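
Review bot: The only change in this hunk is a blank line appended after CIP_IMAGE_OPTIONS ?= "" at the end of conf/distro/cip-core-common.inc, which is unrelated to enabling signed updates. Drop this file from the patch so the diffstat lists only files that carry the signing change.
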
diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index b0293ce..0e30e89 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -28,3 +28,5 @@  local_conf_header:
     INITRAMFS_INSTALL:append = " initramfs-squashfs-hook"
     ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001"
     ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002"
+    PREFERRED_PROVIDER_swupdate-certificates-key ??= "swupdate-certificates-key-snakeoil"
+    PREFERRED_PROVIDER_swupdate-certificates ??= "swupdate-certificates-snakeoil"
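
Review bot: Both added PREFERRED_PROVIDER lines default to providers named "snakeoil", and neither the hunk nor the commit message documents what these credentials are or how a product build selects its own key and certificate. Because the ??= default applies to every build that pulls in kas/opt/swupdate.yml without overriding it, add a comment above the two lines (and a README note) saying that, as the name suggests, the snakeoil providers are placeholders for testing and must be replaced by the integrator's own swupdate-certificates-key and swupdate-certificates providers for anything deployed.
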
diff --git a/recipes-core/customizations/files/swupdate.cfg b/recipes-core/customizations/files/swupdate.cfg
index 9ee47c7..3e2b45c 100644
--- a/recipes-core/customizations/files/swupdate.cfg
+++ b/recipes-core/customizations/files/swupdate.cfg
@@ -1,4 +1,5 @@ 
 globals :
 {
     bootloader = "ebg";
+    public-key-file = "/usr/share/swupdate-signing/swupdate-sign.crt"
 };
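
Review bot: The added public-key-file line has no terminating semicolon, while the bootloader = "ebg"; line directly above it does; add the ";" so the globals block stays consistent and does not rely on the parser accepting an unterminated setting. The certificate path is also hard-coded here, so it has to stay in step with wherever the swupdate-certificates package added in swupdate.inc installs swupdate-sign.crt; a short comment naming that package would make the dependency visible.
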
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 6a01abb..6b7da60 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -12,6 +12,10 @@ 
 inherit image_uuid
 inherit read-only-rootfs
 
+SWU_SIGNED = "1"
+SWU_SIGNATURE_TYPE = "cms"
+IMAGE_INSTALL += " swupdate-certificates"
+
 IMAGE_INSTALL += " swupdate"
 
 IMAGE_INSTALL += " swupdate-handler-roundrobin"
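
Review bot: SWU_SIGNED = "1" is a hard assignment and IMAGE_INSTALL += " swupdate-certificates" is unconditional, so the variable reads like a switch although nothing in this hunk keys off it. Either make it SWU_SIGNED ?= "1" and install swupdate-certificates only when it is set, or, if signing is meant to be mandatory, state that in a comment above these lines so a downstream layer does not assume it can turn signing off here while the SWUpdate binary is still built to require a public key file.
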
diff --git a/recipes-core/swupdate/swupdate_2023.05.bb b/recipes-core/swupdate/swupdate_2023.05.bb
index 26c0e67..d744173 100644
--- a/recipes-core/swupdate/swupdate_2023.05.bb
+++ b/recipes-core/swupdate/swupdate_2023.05.bb
@@ -31,8 +31,7 @@  SRC_URI += "file://0001-d-rules-Add-option-for-suricatta_lua.patch \
             file://0003-d-patches-Add-patch-to-add-the-build-version-to-swup.patch \
             file://0004-d-rules-Add-option-to-enable-suricatta_wfx.patch"
 
-# deactivate signing and hardware compability for simple a/b rootfs update
-DEB_BUILD_PROFILES += "pkg.swupdate.nosigning"
+# deactivate hardware compability for simple a/b rootfs update
 DEB_BUILD_PROFILES += "pkg.swupdate.nohwcompat"
 
 # suricatta wfx requires suricatta lua and the dependency
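
Review bot: The rewritten comment line still carries the misspelling "compability"; since the line is being touched anyway, spell it "compatibility". With the pkg.swupdate.nosigning profile removed here, the only place that explains how to get unsigned updates back is the commit message, so consider a short comment in the recipe pointing at the swupdate_%.bbappend route.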