From patchwork Thu Jul 13 08:51:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13311579 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44AC0C0015E for ; Thu, 13 Jul 2023 08:51:22 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.4094.1689238271339799295 for ; Thu, 13 Jul 2023 01:51:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=cH+Uvp6h; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20230713085108217d51b7eaca755c73-p7afe2@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20230713085108217d51b7eaca755c73 for ; Thu, 13 Jul 2023 10:51:08 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=esrtYuo6+8Xaawh4Tk03AhFw1vqT9q/U5gIER4rLr60=; b=cH+Uvp6h1hHz65djGhZ0TTic379vKnmRxHzVRmAGRnDQOuf/1uWC/ThuQJx0VfT0o8mOFu ijA26/1h4Xz/oqQK0LzNcSDA0Qb7xt8Et96wdyn5VAootp4lnlLmMKVNjSI+SZfcwZH3C9N7 PKsVlzc9XzDGCk1dl6SmnXRt1zWvE=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][RFC 1/3] recipe-devtools: Add recipe to sign SWUpdate update binaries Date: Thu, 13 Jul 2023 10:51:04 +0200 Message-Id: <20230713085106.2062587-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230713085106.2062587-1-Quirin.Gylstorff@siemens.com> References: <20230713085106.2062587-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 13 Jul 2023 08:51:22 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12332 From: Quirin Gylstorff This adds the necessary recipes to provide a snakeoil for testing sign updates and a recipe to for offical certificates. The certificates creation can be found at [1]. [1]: https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms Signed-off-by: Quirin Gylstorff --- .../files/cip-swupdate-snakeoil.cert.pem | 30 +++++++++++ .../files/cip-swupdate-snakeoil.key.pem | 52 +++++++++++++++++++ .../swupdate-certificates-key-snakeoil_0.1.bb | 17 ++++++ .../swupdate-certificates-key.inc | 31 +++++++++++ .../swupdate-certificates-key_0.1.bb | 15 ++++++ .../swupdate-certificates-snakeoil_0.1.bb | 16 ++++++ .../swupdate-certificates.inc | 31 +++++++++++ .../swupdate-certificates_0.1.bb | 14 +++++ 8 files changed, 206 insertions(+) create mode 100644 recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem create mode 100644 recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates.inc create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb diff --git a/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem new file mode 100644 index 0000000..a44cb7d --- /dev/null +++ b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFKzCCAxOgAwIBAgIUEA0euuQB7ulZBzoFaG+/Fps82oEwDQYJKoZIhvcNAQEL +BQAwJTESMBAGA1UECgwJU1dVcGRhdGUgMQ8wDQYDVQQDDAZ0YXJnZXQwHhcNMjMw +NjIzMDk1NDA4WhcNMjMwNzIzMDk1NDA4WjAlMRIwEAYDVQQKDAlTV1VwZGF0ZSAx +DzANBgNVBAMMBnRhcmdldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +ALO14EDb7Q/hXCJZbrl/UD2RytUb8Phh49iPpIOryJKqDEyGNhc03XzpkB5qMYEt +vMN+UXRTLFvBIfrtukLzrpEm5jTPaSAciKD+nIGqNFbPXWl+KIy2lMTEqD9Se7lQ +4u4fupZQp4adlsdjya0i9u9fnNbK25jCrPjQHf698eS1VR0YpXOqAqB9VFLeLdlj +BCCmVBkhMTF/z7CvF7XsL7rqBG8F1yTg9qKTf/2C9Odc9sCtjy0wGt8NBSV2Cua3 +ifPNQtYdxPLR9ohyariMEsS3s0WVclUvctD6SwCmP0RNvwmKDyzlWerRTSvODw+8 ++laD0vI2KIkgegzDiJGBF0DrfBrePqCHLeZztQHpHfTkcSAEP4hgg4ev2p5XV7lC +1ed9UTHjhW+mmKJuJODgfsS7sQs8CqRGHYj95RrK14CG5PHebRWpSH3KcmROpsSl +fUXQTSqth01welrL9/OEpO0vRlnL0FNrhjQFtgIR3djgxosoRuOL43g/ep1CtIwc +ypFDemhgMKoUzc7KnQvGpG5FeqUSqqAlqclAKEfFNs4pvpc5mz3LUwdNkyIGkgqL +Xuhnf1OkMDtMlZ5wvi+CTqYMX2KqXU8yz2Csf9uN54ojIGbWN73wCZA5JH7R8FqN +PoKJ8csQTayQK5XBYP7XQV1CgnAJDxa/pEnMf4zLotG/AgMBAAGjUzBRMB0GA1Ud +DgQWBBR2lBlS17x7xqB2kaLwEg1lJXpoLDAfBgNVHSMEGDAWgBR2lBlS17x7xqB2 +kaLwEg1lJXpoLDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCe +WK2TcfszS5EPeO4K6o7Zsr6tNkyAfP0oHm4gqAOfverfITctws/SIOdwLI79ljMq +vUuSEzWRnx16TfzqBlnFNFEUPBknnk/KeHCXgz4XdyyLdS8cga1lCHc+yRVIcq53 +Z9KaLjbg/OmyJwVTehlJGnDF4QCOIzMO4Ha+O6Eyxu3ARp/x2QrzsfQ1U3KtMhAy +NcBG/mupj8mwg3cfo10MmzzN4ioQUCIf5M6eg/8iDITgA51XqFpjf2fX1xusSBBe +zuoy4Rz+Df1rGsUabAd7jKVXghS1+AE22ZPy6bnmV810ONb1H8MExFbGgdulYhmo +zoH6H7h6LtKP0xVOZ6H87X4Hoi7YitQqCl+oaHUE2GzA97fm+rNXe84ekJvjUiEz +Js3q1wXaegMr4LFmu9MPBSycJw54KtLfg2U0tIW6SD7dFlvD2f/qo7RtyEiE/Wfu +Cm8ZvMUr+OuNAvQL/Ig08JgUKisTK3ARHFxMu9sEMsWoB7bTGvyiZ9mS/G2VIet4 +1pucvi89d9qXeZZ8PByHOEo0c7cu8lCmtIZoh0rdV3t8mxOZA1kFwYK2xahA6DT3 +J2me41iKb9l2aCbGBbUKiesu3CRLpPG8Ic8X5PPkbRlX5/Zza21AbM8jxX14ZAL8 +mkgMhzaLWIGo8ixvA8i7Fm/JunrIimDZaRjJrKuoMg== +-----END CERTIFICATE----- diff --git a/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem new file mode 100644 index 0000000..5dd3d3b --- /dev/null +++ b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCzteBA2+0P4Vwi +WW65f1A9kcrVG/D4YePYj6SDq8iSqgxMhjYXNN186ZAeajGBLbzDflF0UyxbwSH6 +7bpC866RJuY0z2kgHIig/pyBqjRWz11pfiiMtpTExKg/Unu5UOLuH7qWUKeGnZbH +Y8mtIvbvX5zWytuYwqz40B3+vfHktVUdGKVzqgKgfVRS3i3ZYwQgplQZITExf8+w +rxe17C+66gRvBdck4Paik3/9gvTnXPbArY8tMBrfDQUldgrmt4nzzULWHcTy0faI +cmq4jBLEt7NFlXJVL3LQ+ksApj9ETb8Jig8s5Vnq0U0rzg8PvPpWg9LyNiiJIHoM +w4iRgRdA63wa3j6ghy3mc7UB6R305HEgBD+IYIOHr9qeV1e5QtXnfVEx44Vvppii +biTg4H7Eu7ELPAqkRh2I/eUayteAhuTx3m0VqUh9ynJkTqbEpX1F0E0qrYdNcHpa +y/fzhKTtL0ZZy9BTa4Y0BbYCEd3Y4MaLKEbji+N4P3qdQrSMHMqRQ3poYDCqFM3O +yp0LxqRuRXqlEqqgJanJQChHxTbOKb6XOZs9y1MHTZMiBpIKi17oZ39TpDA7TJWe +cL4vgk6mDF9iql1PMs9grH/bjeeKIyBm1je98AmQOSR+0fBajT6CifHLEE2skCuV +wWD+10FdQoJwCQ8Wv6RJzH+My6LRvwIDAQABAoICABWNlpuwxLnG2Xn1J+Zvcnwv +5BezBi+D7gOnFqAEFkYgxuDWp94YpQe6K2K6cb2Acscvey1sXEGU5DJoGJK3DxSx +iaKDzaPgSDKm1rZmZ2iR7i4cx1g4/Zarz1Ho3pXXMaBFhedJPQ5UECVRvnpZWyxS +V0kbg0LK9lvQ+gf3V++KH+8haZZ5qV7+KQLXSsBrs68Gw8dPx8qb/Zi/JyTWctME +BgwaszblFC9jaVJKRn0JFT7+kdFll5NwyFE52wzYrl7jG0T6xQgqTlsG/e2sPwQA +1CtgRRoaWrbdjelCBwx2FpdaS3+i8inLeGnsiLnmfE+r97y86heoIXsuaE6rINKg +8K3FF7LD3f6dbWWGC3IqE7/hYMPV2FOTFufXvyH7dzhosB7XBAMIXr9/bswW/5tH +mmCtFnXARqMirdwqf+oruuX8xhrlYBiVEe9E0qCG9iJBjtyqd/IJOHL9liD6+II2 +trdgJGaFlqXXWSVm2A91LrsETxRPepd+tPyARhszHkqnpdjMdoUGh2lVIPdPjP8f +SaBvQeoa83b2eOfI5RK4b7/TOe8W/YVN00hewaFS0YmDcfeNH8yIxuraU5xpwfKJ +QKz4zFSPTSYHTf+jCp450+LY8gwoaHKZ6J7IuCKbOke9iVHlOYsgQICCFSG/knPj +8vwiL9lUVIW5EqG7jyEhAoIBAQDd/4PPxPw0mL7i4F44uOwaVgtVcbCtsLbyje9V +YCGl0MS+jmIIRxXYPZWhmuUNE5I6gMXHsaawhFXkSPEWJ6DfNYV8HQLcix9vkrFs ++OK8vCVsAymoDpdkl8+k3i9Uu6+/EakU1badQGfNOqnQONRRO3ePoGK44583j8Wu +6XxkXETmNeYYZJc5HwcOS/r8Oh/1kWnJHysz64PoZ4d3h3oaLJJ3LzZ4q0+hVuk0 +5cCdzGqy5eLr+U6GnCTNhAqY0ZhlH3UJlYPNx3UsQ/nXxYsOtHZnvs7Q/s4quhF2 +lufzIf0ftPEtdY+7wFm1TIyf+AW4PhkdwvbJkpStGpL+KSZ1AoIBAQDPPEYYVCA7 +oO3e3i8bUqh2iLZ0KDehOv455Ylmk5x6t5+OaO8m1+JTtEvIjkxpHsdwuCTm5Ewv +L4/RAv3KLjkrO63Lk3Bbjy+L6ElD2TjBEAlXnZI9eNMw7wsmzbrFbIYHj46/twpv +yBihQoSupClCWKbYB0fwWR94VU57WJABmX5UIbWqcPWkK1USW1foG+uuVu+yNpmn +sXDsaBZcHjWGsjBvxGnIzJO8oaNzrRFfNqIFhSY6pVklv4M84I17dJNYt3PmDARW +xliHyg0w6c3zIahcEuOTn3CN/DAU5zbTA800hyEQ+0baCHUn6Aa2TYdGTCdULFow +w90RDVYZh9jjAoIBAEZnMjZCEnnbty3cWgVDIB16DD4cwBtVX6+ss6ovwnwDqWGF +ZjGZ2aOqZDnMFbf/7PAAxrh97o8saNDtEQglqS8gmiSyTqYCuQV5UCtvAvk38eY/ +WoahmgGc4401qW0F2MaPoz+oRzG3qzO61v/iBfN9GH3EL4rTJTtJrTe7dGefm3om +vcIepJbI8EPodMBo7pnCc/oEmH7uwfaCXsPZgy+p0wlZP70lFyvjlDHiayOgIHZ7 +0WtktTKbclB6/6FXVy06vLM9Z39rMg3HwQRc8azILoTYTl6ZcGi8ea1STl0c+lmD +2LjB/8NbTRfiHvbcgXPcvbpiikGC6wO62cMg6cECggEBALcvNVrOCkwLPhkyV3uU +fluBD57v6fS4W/87mlA1DS4g4IaW1UeFr4eEKTUYLA0D6xIFhIEgrwNKzJraRRKR +93Dy6Pa51qjokgPfCdxSyGtITKnJHHsAMdbghv/+/SkEfBl02Z84Ip6axsLNNNHX +RK1kBd+R2BJqBXpuFdjMeUcgsl2WCqql/UzoDOQUIEmJXLSYHntu7jYgkIw4mgNF +pNTy8APsIAIibDlivERFaMS8W03728YdYQcQGecXK5lEe/cA+w8P8knuPFWT0kM5 +eRaA2vzAqbBVUL4BfVMM6xZuFtdm12DWbVPQBBeJb114fKo0KNOr/PF8QQ6QtloN +DjcCggEBALumqFVF8eU236dz7jffdY1LEgxZQHXgOJcrNVpuqeLeD91NPEl8HoiO +PAYtXbrNM+PtYD8KBDG8Bv9MZgaZyEfww8zkqzYtMzIk/5Kb9wBhdeq36YHBC/1+ +cDGty0dfubELKw2L+bwalFgk0urnQzJW+11+nFh+g2q3PJpRUisvih4apE+dOdE8 +cdsgc58nZksyS2WusW8OG0XZeJTrCejEP1GP6svYm3mPOVAp5Y3e7CQP10WcDoQ9 +WUZp+JbefDrJ/+aVmtkQ1pMGbOCbSwa/xmn6bbCVeI/aD3Sr9t4wnKQzu4InD5PB +nFtyUBqMFy+r+QlyRfQbhfXxs7cW1/M= +-----END PRIVATE KEY----- diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb new file mode 100644 index 0000000..fa2ce23 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb @@ -0,0 +1,17 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# +DEBIAN_DEPENDS += "swupdate-certificates-snakeoil" + +require swupdate-certificates-key.inc + +SWU_SIGN_KEY = "cip-swupdate-snakeoil.key.pem" + +DEBIAN_CONFLICTS = "swupdate-certificates-key" diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc new file mode 100644 index 0000000..3fafce0 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc @@ -0,0 +1,31 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +PROVIDES += "swupdate-certificates-key" + +SWU_SIGN_KEY ??= "" + +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }" + +do_install() { + if [ -z ${SWU_SIGN_KEY} ] ]; then + bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe" + fi + TARGET=${D}/usr/share/swupdate-signing/ + install -d -m 0700 ${TARGET} + install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key +} + +do_prepare_build:append() { + echo "Provides: swupdate-certificates-key" >> ${S}/debian/control +} diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb new file mode 100644 index 0000000..45864fa --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb @@ -0,0 +1,15 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# +DEBIAN_DEPENDS += "swupdate-certificates" + +require swupdate-certificates-key.inc + +DEBIAN_CONFLICTS = "swupdate-certificates-key-snakeoil" diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb new file mode 100644 index 0000000..4e45b6b --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb @@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# + +require swupdate-certificates.inc + +SWU_SIGN_CERT = "cip-swupdate-snakeoil.cert.pem" + +DEBIAN_CONFLICTS = "swupdate-certificates" diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc new file mode 100644 index 0000000..92f9715 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc @@ -0,0 +1,31 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +PROVIDES += "swupdate-certificates" + +SWU_SIGN_CERT ??= "" + +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_CERT') if d.getVar('SWU_SIGN_CERT') else '' }" + +do_install() { + if [ -z ${SWU_SIGN_CERT} ] ]; then + bbfatal "You must set SWU_SIGN_CERT and provide the required file as artifacts to this recipe" + fi + TARGET=${D}/usr/share/swupdate-signing/ + install -d -m 0700 ${TARGET} + install -m 0700 ${WORKDIR}/${SWU_SIGN_CERT} ${TARGET}/swupdate-sign.crt +} + +do_prepare_build:append() { + echo "Provides: swupdate-certificates" >> ${S}/debian/control +} diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb new file mode 100644 index 0000000..41d07a5 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb @@ -0,0 +1,14 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# + +require swupdate-certificates.inc + +DEBIAN_CONFLICTS = "swupdate-certificates-snakeoil" From patchwork Thu Jul 13 08:51:05 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13311581 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60292C001DC for ; Thu, 13 Jul 2023 08:51:22 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web11.4095.1689238271590396839 for ; Thu, 13 Jul 2023 01:51:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=NMLBPYDj; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20230713085108317ffe37f24197f3a0-jkmbqx@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20230713085108317ffe37f24197f3a0 for ; Thu, 13 Jul 2023 10:51:09 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=azqtoWj18hkNbQpPOf7KJu/ncS90mZzx/uUI8onVz34=; b=NMLBPYDjKM1nbT2Tv5LHiXGrHw5DeeXEWSOyIm9sLzmPaLMNa4xCucVnT37iHqG6zb++Pm GP5i8w14XUpXCWY/YgCpq1Eh2uQgcaSvtriEUlNjjsBkh2/Scg/LFk7Bgv48J0+ttNxv1zUy I5N0IpgNx1xAVAwSoCwURarpw+HJc=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][RFC 2/3] swupdate.bbclass: Use new swupdate-certificate Date: Thu, 13 Jul 2023 10:51:05 +0200 Message-Id: <20230713085106.2062587-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230713085106.2062587-1-Quirin.Gylstorff@siemens.com> References: <20230713085106.2062587-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 13 Jul 2023 08:51:22 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12331 From: Quirin Gylstorff This also changes the signing type from RSA PKCS#1.5[1](SWUPDATE_SIGNATURE_TYPE="rsa") to certificates[2](SWUPDATE_SIGNATURE_TYPE="cms"). certificates are the default of the debian SWUpdate package. [1]: https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-rsa-pkcs-1-5-or-rsa-pss [2]:https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms Signed-off-by: Quirin Gylstorff --- classes/swupdate.bbclass | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index 3d2b5f0..f5186de 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass @@ -27,12 +27,13 @@ SWU_DESCRIPTION_FILE ?= "sw-description" SWU_ADDITIONAL_FILES ?= "linux.efi ${SWU_ROOTFS_PARTITION_NAME}" SWU_SIGNED ?= "" SWU_SIGNATURE_EXT ?= "sig" -SWU_SIGNATURE_TYPE ?= "rsa" +SWU_SIGNATURE_TYPE ?= "cms" SWU_BUILDCHROOT_IMAGE_FILE ?= "${PP_DEPLOY}/${@os.path.basename(d.getVar('SWU_IMAGE_FILE'))}" IMAGE_TYPEDEP:swu = "${SWU_ROOTFS_TYPE}${@get_swu_compression_type(d)}" -IMAGER_INSTALL:swu += "cpio ${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_BUILD_DEPS:swu += "${@'swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_INSTALL:swu += "cpio ${@'openssl swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" IMAGE_SRC_URI:swu = "file://${SWU_DESCRIPTION_FILE}.tmpl" IMAGE_TEMPLATE_FILES:swu = "${SWU_DESCRIPTION_FILE}.tmpl" @@ -102,10 +103,6 @@ IMAGE_CMD:swu() { # Prepare for signing export sign='${@'x' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}' - if [ -n "$sign" ]; then - cp -f '${SIGN_KEY}' '${WORKDIR}/dev.key' - test -e '${SIGN_CRT}' && cp -f '${SIGN_CRT}' '${WORKDIR}/dev.crt' - fi sudo -E chroot ${BUILDCHROOT_DIR} sh -c ' \ # Fill in file check sums @@ -123,14 +120,14 @@ IMAGE_CMD:swu() { if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then openssl dgst \ - -sha256 -sign "${PP_WORK}/dev.key" "$file" \ + -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$file" \ > "$file.${SWU_SIGNATURE_EXT}" elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then openssl cms \ -sign -in "$file" \ -out "$file"."${SWU_SIGNATURE_EXT}" \ - -signer "${PP_WORK}/dev.crt" \ - -inkey "${PP_WORK}/dev.key" \ + -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ + -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ -outform DER -nosmimecap -binary fi # Set file timestamps for reproducible builds From patchwork Thu Jul 13 08:51:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13311580 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43DC0EB64DD for ; Thu, 13 Jul 2023 08:51:22 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web11.4097.1689238271741177397 for ; Thu, 13 Jul 2023 01:51:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=IQOLTbDB; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20230713085109ceb184d79551b16b55-orjno2@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20230713085109ceb184d79551b16b55 for ; Thu, 13 Jul 2023 10:51:09 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=hYUMI+rZ6neIwQBPsxoq/+Dnjig+8wJHYm3OjRFvJRo=; b=IQOLTbDB8LlWUxcTZRY8BdOWxal6wmutwHdN2YxrZaVJS3iafFaqdzax9cvSqBbRwqanp8 Oy4F5MFHPfMpdOexF8goxlac4xUOCE/OYW4/bFKgegQTfHFUMOOUqvxaADRC65c49OfrJJ9f NO/HYE4fpgiG5j+TpT6mcq9qg1mpI=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][RFC 3/3] swupdate: Enable signed updates Date: Thu, 13 Jul 2023 10:51:06 +0200 Message-Id: <20230713085106.2062587-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230713085106.2062587-1-Quirin.Gylstorff@siemens.com> References: <20230713085106.2062587-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 13 Jul 2023 08:51:22 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12333 From: Quirin Gylstorff With this change SWUpdate requires signed binaries to update the system. An update without the correct signature will lead to the following error message: ``` Error: SWUpdate is built for signed images, provide a public key file. ``` If unsigned binaries are wanted readd the Build option ``` DEB_BUILD_PROFILES += "pkg.swupdate.nosigning" ``` to a swupdate_%.bbappend recipe Signed-off-by: Quirin Gylstorff --- conf/distro/cip-core-common.inc | 1 + kas/opt/swupdate.yml | 2 ++ recipes-core/customizations/files/swupdate.cfg | 1 + recipes-core/images/swupdate.inc | 4 ++++ recipes-core/swupdate/swupdate_2023.05.bb | 3 +-- 5 files changed, 9 insertions(+), 2 deletions(-) diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc index 5d3ce10..a3d959f 100644 --- a/conf/distro/cip-core-common.inc +++ b/conf/distro/cip-core-common.inc @@ -14,3 +14,4 @@ KERNEL_NAME ?= "cip" WKS_FILE ?= "${MACHINE}.wks" CIP_IMAGE_OPTIONS ?= "" + diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml index b0293ce..0e30e89 100644 --- a/kas/opt/swupdate.yml +++ b/kas/opt/swupdate.yml @@ -28,3 +28,5 @@ local_conf_header: INITRAMFS_INSTALL:append = " initramfs-squashfs-hook" ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001" ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002" + PREFERRED_PROVIDER_swupdate-certificates-key ??= "swupdate-certificates-key-snakeoil" + PREFERRED_PROVIDER_swupdate-certificates ??= "swupdate-certificates-snakeoil" diff --git a/recipes-core/customizations/files/swupdate.cfg b/recipes-core/customizations/files/swupdate.cfg index 9ee47c7..3e2b45c 100644 --- a/recipes-core/customizations/files/swupdate.cfg +++ b/recipes-core/customizations/files/swupdate.cfg @@ -1,4 +1,5 @@ globals : { bootloader = "ebg"; + public-key-file = "/usr/share/swupdate-signing/swupdate-sign.crt" }; diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 6a01abb..6b7da60 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -12,6 +12,10 @@ inherit image_uuid inherit read-only-rootfs +SWU_SIGNED = "1" +SWU_SIGNATURE_TYPE = "cms" +IMAGE_INSTALL += " swupdate-certificates" + IMAGE_INSTALL += " swupdate" IMAGE_INSTALL += " swupdate-handler-roundrobin" diff --git a/recipes-core/swupdate/swupdate_2023.05.bb b/recipes-core/swupdate/swupdate_2023.05.bb index 26c0e67..d744173 100644 --- a/recipes-core/swupdate/swupdate_2023.05.bb +++ b/recipes-core/swupdate/swupdate_2023.05.bb @@ -31,8 +31,7 @@ SRC_URI += "file://0001-d-rules-Add-option-for-suricatta_lua.patch \ file://0003-d-patches-Add-patch-to-add-the-build-version-to-swup.patch \ file://0004-d-rules-Add-option-to-enable-suricatta_wfx.patch" -# deactivate signing and hardware compability for simple a/b rootfs update -DEB_BUILD_PROFILES += "pkg.swupdate.nosigning" +# deactivate hardware compability for simple a/b rootfs update DEB_BUILD_PROFILES += "pkg.swupdate.nohwcompat" # suricatta wfx requires suricatta lua and the dependency