
[isar-cip-core,v3,1/3] Move signing script to seperate package to better support HSM signing

Message ID 20240916125518.614224-2-Quirin.Gylstorff@siemens.com (mailing list archive)

Commit Message

Quirin Gylstorff Sept. 16, 2024, 12:54 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

If a Hardware security module(HSM) is used, the user needs to modify the
swupdate-certificate-key package in multiple ways to remove the error
message in case of a missing key.

This change decouples the signing key from the signing script to allow
easier integration with HSM-based signing.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/swupdate.bbclass                      |  3 +--
 kas/opt/swupdate.yml                          |  1 +
 recipes-core/images/swupdate.inc              |  5 +++-
 .../swupdate-certificates/files/sign-swu-rsa  |  6 -----
 .../swupdate-certificates-key.inc             |  9 +------
 .../files/sign-swu-cms                        |  0
 .../swupdate-signer-cms_0.1.bb                | 26 +++++++++++++++++++
 7 files changed, 33 insertions(+), 17 deletions(-)
 delete mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-rsa
 rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-cms (100%)
 create mode 100644 recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb


diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index eeb05b2..06418e5 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -46,8 +46,7 @@  IMAGE_TYPEDEP:swu = "${@ '${SWU_DELTA_UPDATE_ARTIFACT_TYPE}' \
     if d.getVar('DELTA_UPDATE_TYPE') == "rdiff" or d.getVar('DELTA_UPDATE_TYPE') == "zchunk" \
     else '${SWU_UPDATE_ARTIFACT_TYPE}' }"
 
-IMAGER_BUILD_DEPS:swu += "${@'swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
-IMAGER_INSTALL:swu += "cpio ${@'openssl swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGER_INSTALL:swu += "cpio"
 IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
 
 
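Review bot: After this hunk the class itself no longer pulls any signer into the imager: the `IMAGER_BUILD_DEPS:swu` and `IMAGER_INSTALL:swu` entries are dropped here and only re-added in recipes-core/images/swupdate.inc (hunk at lines 79–80). Assuming the class still invokes sign-swu when SWU_SIGNED is set (the imager code is outside this hunk), an image that inherits the class without including swupdate.inc will now fail at signing time with a missing sign-swu instead of at dependency resolution. Keeping `IMAGER_BUILD_DEPS:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"` and the matching `IMAGER_INSTALL:swu` line in the class would preserve the old guarantee. The `IMAGE_INSTALL` line kept on line 50 is also duplicated by the new line 81 of swupdate.inc; one of the two can go.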
diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index ef61e4e..7398200 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -30,3 +30,4 @@  local_conf_header:
     ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002"
     PREFERRED_PROVIDER_swupdate-certificates-key ??= "swupdate-certificates-key-snakeoil"
     PREFERRED_PROVIDER_swupdate-certificates ??= "swupdate-certificates-snakeoil"
+    PREFERRED_PROVIDER_swupdate-signer ??= "swupdate-signer-cms"
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 1d237f7..96994b5 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -1,7 +1,7 @@ 
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -14,6 +14,9 @@  inherit read-only-rootfs
 
 SWU_SIGNED ?= "1"
 SWU_HW_COMPAT ?= "cip-core-1.0"
+IMAGER_BUILD_DEPS:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGER_INSTALL:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
 IMAGE_INSTALL += " swupdate"
 
 IMAGE_INSTALL:remove:sid = "swupdate"
diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa
deleted file mode 100644
index fad3004..0000000
--- a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa
+++ /dev/null
@@ -1,6 +0,0 @@ 
-#!/bin/sh
-in_file=$1
-out_file=$2
-openssl dgst \
-	-sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$in_file" \
-	> "$out_file"
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
index 93cf255..bcc8e2a 100644
--- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
@@ -18,17 +18,10 @@  PROVIDES += "swupdate-certificates-key"
 DEBIAN_PROVIDES = "swupdate-certificates-key"
 
 SWU_SIGN_KEY ??= ""
-SWU_SIGN_SCRIPT ??= "sign-swu-cms"
 SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }"
-SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }"
 
-do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \
-                         ${D}/usr/bin/"
+do_install[cleandirs] = "${D}/usr/share/swupdate-signing"
 do_install() {
-    if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ]; then
-        bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process"
-    fi
-    install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu
     if [ -z ${SWU_SIGN_KEY} ]; then
         bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe"
     fi
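Review bot: Users who set `SWU_SIGN_SCRIPT` to point at an HSM wrapper (the variable removed at line 105) get no signal that it is now ignored; the key recipe silently installs only the key and the default signer provider is used. A guard such as `python __anonymous() { if d.getVar('SWU_SIGN_SCRIPT'): bb.fatal("SWU_SIGN_SCRIPT is no longer supported; provide a swupdate-signer recipe instead") }`, or at least a bbwarn, would make the migration explicit, and the commit message should mention the removed variable. The remaining check `if [ -z ${SWU_SIGN_KEY} ]; then` should quote the expansion, `if [ -z "${SWU_SIGN_KEY}" ]; then`, since an unquoted empty expansion leaves `[ -z ]` with a single operand and only passes by accident. do_install continues past the end of the hunk.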
diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-signer/files/sign-swu-cms
similarity index 100%
rename from recipes-devtools/swupdate-certificates/files/sign-swu-cms
rename to recipes-devtools/swupdate-signer/files/sign-swu-cms
diff --git a/recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb b/recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb
new file mode 100644
index 0000000..3600c3d
--- /dev/null
+++ b/recipes-devtools/swupdate-signer/swupdate-signer-cms_0.1.bb
@@ -0,0 +1,26 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+DPKG_ARCH = "all"
+DEBIAN_MULTI_ARCH = "foreign"
+
+PROVIDES = "swupdate-signer"
+DEBIAN_PROVIDES = "swupdate-signer"
+
+DEPENDS = "swupdate-certificates-key"
+DEBIAN_DEPENDS += "openssl, swupdate-certificates-key"
+
+SRC_URI = "file://sign-swu-cms"
+
+do_install[cleandirs] = "${D}/usr/bin/"
+do_install() {
+    install -m 0755 ${WORKDIR}/sign-swu-cms ${D}/usr/bin/sign-swu
+}
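Review bot: The signing script is now installed with mode 0755 (line 154) where the key recipe installed it 0700 (removed line 116 of swupdate-certificates-key.inc); with the key living in a separate package this is presumably acceptable, but the relaxation should be stated as deliberate in the commit message. `DEBIAN_DEPENDS +=` on a freshly created recipe starts the value with a leading space; `DEBIAN_DEPENDS = "openssl, swupdate-certificates-key"` is cleaner. Since the recipe hard-wires the software key package via `DEPENDS` and `DEBIAN_DEPENDS`, an HSM variant has to replace the whole recipe rather than just the script; a short header comment stating that this is the default software-key CMS signer and that `PREFERRED_PROVIDER_swupdate-signer` selects an alternative would help the next integrator.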