
[isar-cip-core,v3,1/6] swupdate: check output of sign-swu

Message ID 20240305161128.2777211-2-Quirin.Gylstorff@siemens.com (mailing list archive)
State Accepted
Series Make swupdate signing more robust | expand

Commit Message

Gylstorff Quirin March 5, 2024, 4:10 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Check for signing errors to avoid an unusable swu file.

This also moves the signing out of the loop that generates
the cpio archive *.swu, as the messages from the signing
can lead to errors in the archive generation. The cpio
options are no longer using the short form.

Use local variables to increase readability.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/swupdate.bbclass | 44 ++++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 13 deletions(-)

Patch

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index aaff072..31cfc4e 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -191,24 +191,42 @@  IMAGE_CMD:swu() {
                     "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"
             done
             cd "${PP_WORK}/$swu_file_base"
-            for file in "${SWU_DESCRIPTION_FILE}" ${SWU_ADDITIONAL_FILES}; do
-                if [ "$file" = "${SWU_DESCRIPTION_FILE}" ] || \
-                    grep -q "$file" "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
+            cpio_files="${SWU_DESCRIPTION_FILE}"
+
+            if [ -n "$sign" ]; then
+                signature_file="${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}"
+                if ! /usr/bin/sign-swu \
+                    "${SWU_DESCRIPTION_FILE}" "$signature_file" \
+                    > /dev/null 2>&1 || \
+                    [ ! -f "$signature_file" ]; then
+                    echo "Could not create swupdate signature file '$signature_file'" 1>&2
+                    exit 1
+                fi
+                cpio_files="$cpio_files $signature_file"
+            fi
+
+            # sw-description must be first file in *.swu
+            for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do
+                if [ -f "$cpio_file" ]; then
                     # Set file timestamps for reproducible builds
                     if [ -n "${SOURCE_DATE_EPOCH}" ]; then
                         touch -d@"${SOURCE_DATE_EPOCH}" "$file"
                     fi
-                    echo "$file"
-                    if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then
-                        sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}"
-                        # Set file timestamps for reproducible builds
-                        if [ -n "${SOURCE_DATE_EPOCH}" ]; then
-                            touch -d@"${SOURCE_DATE_EPOCH}" "$file.${SWU_SIGNATURE_EXT}"
-                        fi
-                        echo "$file.${SWU_SIGNATURE_EXT}"
-                    fi
+                    case "$cpio_file" in
+                        sw-description*)
+                            echo "$cpio_file"
+                            ;;
+                        *)
+                            if grep -q "$cpio_file" \
+                                "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
+                                echo "$cpio_file"
+                            fi
+                            ;;
+                    esac
                 fi
-            done | cpio -ovL --reproducible -H crc > "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
+            done | cpio \
+                --verbose --dereference --create --reproducible --format=crc \
+                > "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
 EOIMAGER
     done
 }
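Review bot: The reproducible-build `touch -d@"${SOURCE_DATE_EPOCH}" "$file"` inside the new `for cpio_file in …` loop still names `$file`, which nothing in the visible lines assigns now that the loop variable has been renamed. With SOURCE_DATE_EPOCH set, the timestamp then goes to an empty or stale name instead of each archive member, and the signature file, which the removed code touched explicitly, appears to keep its creation time; the line should read `touch -d@"${SOURCE_DATE_EPOCH}" "$cpio_file"`. The new `grep -q` also reads `${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}` where the removed line and the `cd` above use `${PP_WORK}`; if WORKDIR does not resolve to that directory where this script runs, grep fails and the additional files are silently left out of the .swu, so `"${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"` looks like the intended path. Because sign-swu now runs outside the pipeline, its stderr can presumably no longer reach cpio, so redirecting only stdout (`> /dev/null`) would keep the signer's own error text in the build log when signing fails. IMAGE_CMD:swu and the EOIMAGER here-document both start outside this hunk, so how `$file` and `${WORKDIR}` expand there should be confirmed against the full function.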