diff mbox series

[isar-cip-core,v2,3/3] Update README for swupdate signing

Message ID 20240912100710.3183806-4-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Headers show
Series Separate swu signing script from key | expand

Commit Message

Quirin Gylstorff Sept. 12, 2024, 10:06 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.swupdate.md | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

Comments

Quirin Gylstorff Sept. 13, 2024, 7:55 a.m. UTC | #1
On 9/12/24 4:08 PM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Thu, 2024-09-12 at 12:06 +0200, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   doc/README.swupdate.md | 13 ++++++++++---
>>   1 file changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
>> index a5fbab9..d4d0851 100644
>> --- a/doc/README.swupdate.md
>> +++ b/doc/README.swupdate.md
>> @@ -136,8 +136,8 @@ To use other key and certificate the following
>> variables must be set:
>>   ```
>>   PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-
>> certificates-key"
>>   PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
>> -SWU_SIGN_CERT = "<sigining certificate file name>"
>>   SWU_SIGN_KEY  = "<siging key file name>"
>> +IMAGE_INSTALL += "${@'swupdate-certificates' if
>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>>   ```
>>   
>>   The files `<sigining certificate file name>` and `<siging key file
>> name>` need to be stored
>> @@ -145,8 +145,15 @@ in `recipes-devtools/swupdate-
>> certificates/files/` or in a path defined by an bb
>>   
>>   ### signing script
>>   
>> -The provided [cms signing script](./recipes-devtools/swupdate-
>> certificates/files/sign-swu-cms)
>> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
>> +The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-
>> signer/) provides a [cms signing script](./recipes-devtools/swupdate-
>> certificates/files/sign-swu-cms).
>> +When signing requires a project specific signing script,
>> +e.g. for using a hardware security module(HSM), an own package can
>> be added.
>> +The package can replace the default package by adding the following
>> line:
>> +```
>> +PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
> 
> If you just specify this, bitbake complains about not providing the
> keys package:
> 
> Consider defining a PREFERRED_PROVIDER entry to match swupdate-
> certificates-key
In the section above this own 
PREFERRED_PROVIDER_swupdate-certificates-key is already set.

This should only happen if you set PREFERRED_PROVIDER_swupdate-signer = 
"swupdate-signer-snakeoil". I can add a code section where all the 
variables are collected for a snakeoil signing.

Quirin

> 
> This keys package is not available in the HSM case for obvious reasons.
> 
> Felix
> 
>> +```
>> +
>> +The package `<own signing package>` needs to install a executable to
>> `/usr/bin/sign-swu`.
>>   
>>   ## SWUpdate Hardware compatibility
>>   
>
Jan Kiszka Sept. 16, 2024, 8:42 a.m. UTC | #2
On 13.09.24 09:55, Gylstorff Quirin wrote:
> 
> 
> On 9/12/24 4:08 PM, Moessbauer, Felix (T CED OES-DE) wrote:
>> On Thu, 2024-09-12 at 12:06 +0200, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>>   doc/README.swupdate.md | 13 ++++++++++---
>>>   1 file changed, 10 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
>>> index a5fbab9..d4d0851 100644
>>> --- a/doc/README.swupdate.md
>>> +++ b/doc/README.swupdate.md
>>> @@ -136,8 +136,8 @@ To use other key and certificate the following
>>> variables must be set:
>>>   ```
>>>   PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-
>>> certificates-key"
>>>   PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
>>> -SWU_SIGN_CERT = "<sigining certificate file name>"
>>>   SWU_SIGN_KEY  = "<siging key file name>"
>>> +IMAGE_INSTALL += "${@'swupdate-certificates' if
>>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>>>   ```
>>>     The files `<sigining certificate file name>` and `<siging key file
>>> name>` need to be stored
>>> @@ -145,8 +145,15 @@ in `recipes-devtools/swupdate-
>>> certificates/files/` or in a path defined by an bb
>>>     ### signing script
>>>   -The provided [cms signing script](./recipes-devtools/swupdate-
>>> certificates/files/sign-swu-cms)
>>> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
>>> +The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-
>>> signer/) provides a [cms signing script](./recipes-devtools/swupdate-
>>> certificates/files/sign-swu-cms).
>>> +When signing requires a project specific signing script,
>>> +e.g. for using a hardware security module(HSM), an own package can
>>> be added.
>>> +The package can replace the default package by adding the following
>>> line:
>>> +```
>>> +PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
>>
>> If you just specify this, bitbake complains about not providing the
>> keys package:
>>
>> Consider defining a PREFERRED_PROVIDER entry to match swupdate-
>> certificates-key
> In the section above this own
> PREFERRED_PROVIDER_swupdate-certificates-key is already set.
> 
> This should only happen if you set PREFERRED_PROVIDER_swupdate-signer =
> "swupdate-signer-snakeoil". I can add a code section where all the
> variables are collected for a snakeoil signing.
> 

So, there will be v3 coming?

Jan
Quirin Gylstorff Sept. 16, 2024, 8:47 a.m. UTC | #3
On 9/16/24 10:42 AM, Jan Kiszka wrote:
> On 13.09.24 09:55, Gylstorff Quirin wrote:
>>
>>
>> On 9/12/24 4:08 PM, Moessbauer, Felix (T CED OES-DE) wrote:
>>> On Thu, 2024-09-12 at 12:06 +0200, Quirin Gylstorff wrote:
>>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>
>>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> ---
>>>>    doc/README.swupdate.md | 13 ++++++++++---
>>>>    1 file changed, 10 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
>>>> index a5fbab9..d4d0851 100644
>>>> --- a/doc/README.swupdate.md
>>>> +++ b/doc/README.swupdate.md
>>>> @@ -136,8 +136,8 @@ To use other key and certificate the following
>>>> variables must be set:
>>>>    ```
>>>>    PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-
>>>> certificates-key"
>>>>    PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
>>>> -SWU_SIGN_CERT = "<sigining certificate file name>"
>>>>    SWU_SIGN_KEY  = "<siging key file name>"
>>>> +IMAGE_INSTALL += "${@'swupdate-certificates' if
>>>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>>>>    ```
>>>>      The files `<sigining certificate file name>` and `<siging key file
>>>> name>` need to be stored
>>>> @@ -145,8 +145,15 @@ in `recipes-devtools/swupdate-
>>>> certificates/files/` or in a path defined by an bb
>>>>      ### signing script
>>>>    -The provided [cms signing script](./recipes-devtools/swupdate-
>>>> certificates/files/sign-swu-cms)
>>>> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
>>>> +The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-
>>>> signer/) provides a [cms signing script](./recipes-devtools/swupdate-
>>>> certificates/files/sign-swu-cms).
>>>> +When signing requires a project specific signing script,
>>>> +e.g. for using a hardware security module(HSM), an own package can
>>>> be added.
>>>> +The package can replace the default package by adding the following
>>>> line:
>>>> +```
>>>> +PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
>>>
>>> If you just specify this, bitbake complains about not providing the
>>> keys package:
>>>
>>> Consider defining a PREFERRED_PROVIDER entry to match swupdate-
>>> certificates-key
>> In the section above this own
>> PREFERRED_PROVIDER_swupdate-certificates-key is already set.
>>
>> This should only happen if you set PREFERRED_PROVIDER_swupdate-signer =
>> "swupdate-signer-snakeoil". I can add a code section where all the
>> variables are collected for a snakeoil signing.
>>
> 
> So, there will be v3 coming?

I will prepare a v3 with:


+```
+PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
+PREFERRED_PROVIDER_swupdate-certificates-key = "<own key package>"
+PREFERRED_PROVIDER_swupdate-certificates = "<own certificate package>"
+```


Quirin

> 
> Jan
>
diff mbox series

Patch

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index a5fbab9..d4d0851 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -136,8 +136,8 @@  To use other key and certificate the following variables must be set:
 ```
 PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key"
 PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
-SWU_SIGN_CERT = "<sigining certificate file name>"
 SWU_SIGN_KEY  = "<siging key file name>"
+IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
 ```
 
 The files `<sigining certificate file name>` and `<siging key file name>` need to be stored
@@ -145,8 +145,15 @@  in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bb
 
 ### signing script
 
-The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms)
-can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
+The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-signer/) provides a [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms).
+When signing requires a project specific signing script,
+e.g. for using a hardware security module(HSM), an own package can be added.
+The package can replace the default package by adding the following line:
+```
+PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
+```
+
+The package `<own signing package>` needs to install a executable to `/usr/bin/sign-swu`.
 
 ## SWUpdate Hardware compatibility