From patchwork Mon Jul 17 10:54:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13315447 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72A4FC001DE for ; Mon, 17 Jul 2023 10:54:26 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.5350.1689591261648138508 for ; Mon, 17 Jul 2023 03:54:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=oPBc9kL+; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-20230717105418dd1532cbf3f217ed4c-iouf2_@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20230717105418dd1532cbf3f217ed4c for ; Mon, 17 Jul 2023 12:54:18 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=10z4h3JcZ7iGiL7dgMQCQn41u4ud2wUVz2gYJRsCmm4=; b=oPBc9kL+v7CUDwPZWq73oD4fSWeFndc2hm6K4Wqi/WaVRFjjyHr8sd8CAWVcUQgZX1YA7Q ImJM3ue5Z9P9ksac3ZSrUcKPQ5mdjlLI0Qb6PD0ysINGV2q8i03Y3VYnEas60h2XLdHztdFt l2ZPTBsJ2QK4jQHlyHv/KJvtayw38=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC v2 1/3] recipe-devtools: Add recipe to sign SWUpdate update binaries Date: Mon, 17 Jul 2023 12:54:15 +0200 Message-Id: <20230717105417.27761-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230717105417.27761-1-Quirin.Gylstorff@siemens.com> References: <20230717105417.27761-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Jul 2023 10:54:26 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12366 From: Quirin Gylstorff This also adds recipes with the Debian snakeoil key and certificate to test signed updates. For in-production new keys and certificates must be created. [1] descripes the creation of keys and certificates. To use non snakeoil certificates copy the certificates and keys to recipes-devtools/swupdate-certificates/files/. The following settings are necessary: ``` PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key" PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" SWU_SIGN_KEY = "" SWU_SIGN_CERT = "" ``` [1]: https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms Signed-off-by: Quirin Gylstorff --- recipes-core/images/swupdate.inc | 2 ++ .../secure-boot-secrets/files/buster/bookworm | 1 + .../secure-boot-secrets/files/buster/bullseye | 1 + .../swupdate-certificates/files/bookworm | 1 + .../swupdate-certificates/files/bullseye | 1 + .../swupdate-certificates/files/buster | 1 + .../swupdate-certificates-key-snakeoil_0.1.bb | 18 +++++++++++ .../swupdate-certificates-key.inc | 31 +++++++++++++++++++ .../swupdate-certificates-key_0.1.bb | 17 ++++++++++ .../swupdate-certificates-snakeoil_0.1.bb | 16 ++++++++++ .../swupdate-certificates.inc | 31 +++++++++++++++++++ .../swupdate-certificates_0.1.bb | 14 +++++++++ 12 files changed, 134 insertions(+) create mode 120000 recipes-devtools/secure-boot-secrets/files/buster/bookworm create mode 120000 recipes-devtools/secure-boot-secrets/files/buster/bullseye create mode 120000 recipes-devtools/swupdate-certificates/files/bookworm create mode 120000 recipes-devtools/swupdate-certificates/files/bullseye create mode 120000 recipes-devtools/swupdate-certificates/files/buster create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates.inc create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 6a01abb..5d9cd58 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -12,6 +12,8 @@ inherit image_uuid inherit read-only-rootfs +SWU_SIGNED ?= "1" + IMAGE_INSTALL += " swupdate" IMAGE_INSTALL += " swupdate-handler-roundrobin" diff --git a/recipes-devtools/secure-boot-secrets/files/buster/bookworm b/recipes-devtools/secure-boot-secrets/files/buster/bookworm new file mode 120000 index 0000000..b7dbeb4 --- /dev/null +++ b/recipes-devtools/secure-boot-secrets/files/buster/bookworm @@ -0,0 +1 @@ +../../secure-boot-secrets/files/bookworm \ No newline at end of file diff --git a/recipes-devtools/secure-boot-secrets/files/buster/bullseye b/recipes-devtools/secure-boot-secrets/files/buster/bullseye new file mode 120000 index 0000000..3c7fe4f --- /dev/null +++ b/recipes-devtools/secure-boot-secrets/files/buster/bullseye @@ -0,0 +1 @@ +../../secure-boot-secrets/files/bullseye \ No newline at end of file diff --git a/recipes-devtools/swupdate-certificates/files/bookworm b/recipes-devtools/swupdate-certificates/files/bookworm new file mode 120000 index 0000000..b7dbeb4 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/files/bookworm @@ -0,0 +1 @@ +../../secure-boot-secrets/files/bookworm \ No newline at end of file diff --git a/recipes-devtools/swupdate-certificates/files/bullseye b/recipes-devtools/swupdate-certificates/files/bullseye new file mode 120000 index 0000000..3c7fe4f --- /dev/null +++ b/recipes-devtools/swupdate-certificates/files/bullseye @@ -0,0 +1 @@ +../../secure-boot-secrets/files/bullseye \ No newline at end of file diff --git a/recipes-devtools/swupdate-certificates/files/buster b/recipes-devtools/swupdate-certificates/files/buster new file mode 120000 index 0000000..67d1534 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/files/buster @@ -0,0 +1 @@ +../../secure-boot-secrets/files/buster \ No newline at end of file diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb new file mode 100644 index 0000000..a0bbd50 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb @@ -0,0 +1,18 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# +DEPENDS += "swupdate-certificates-snakeoil" +DEBIAN_DEPENDS += "swupdate-certificates-snakeoil" + +require swupdate-certificates-key.inc + +SWU_SIGN_KEY = "${BASE_DISTRO_CODENAME}/PkKek-1-snakeoil.key" + +DEBIAN_CONFLICTS = "swupdate-certificates-key" diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc new file mode 100644 index 0000000..1b6b6dd --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc @@ -0,0 +1,31 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +PROVIDES += "swupdate-certificates-key" + +SWU_SIGN_KEY ??= "" + +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }" + +do_install() { + if [ -z ${SWU_SIGN_KEY} ] ]; then + bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe" + fi + TARGET=${D}/usr/share/swupdate-signing/ + install -d -m 0700 ${TARGET} + install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key +} + +do_prepare_build:append() { + echo "Provides: swupdate-certificates-key" >> ${S}/debian/control +} diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb new file mode 100644 index 0000000..2e99617 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb @@ -0,0 +1,17 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +DEPENDS += "swupdate-certificates" +DEBIAN_DEPENDS += "swupdate-certificates" + +require swupdate-certificates-key.inc + +DEBIAN_CONFLICTS = "swupdate-certificates-key-snakeoil" diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb new file mode 100644 index 0000000..22c7ce2 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb @@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +require swupdate-certificates.inc + +SWU_SIGN_CERT = "${BASE_DISTRO_CODENAME}/PkKek-1-snakeoil.pem" + +DEBIAN_CONFLICTS = "swupdate-certificates" diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc new file mode 100644 index 0000000..0553c25 --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc @@ -0,0 +1,31 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +PROVIDES += "swupdate-certificates" + +SWU_SIGN_CERT ??= "" + +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_CERT') if d.getVar('SWU_SIGN_CERT') else '' }" + +do_install() { + if [ -z ${SWU_SIGN_CERT} ] ]; then + bbfatal "You must set SWU_SIGN_CERT and provide the required file as artifacts to this recipe" + fi + TARGET=${D}/usr/share/swupdate-signing/ + install -d -m 0700 ${TARGET} + install -m 0700 ${WORKDIR}/${SWU_SIGN_CERT} ${TARGET}/swupdate-sign.crt +} + +do_prepare_build:append() { + echo "Provides: swupdate-certificates" >> ${S}/debian/control +} diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb new file mode 100644 index 0000000..2643aad --- /dev/null +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb @@ -0,0 +1,14 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +require swupdate-certificates.inc + +DEBIAN_CONFLICTS = "swupdate-certificates-snakeoil" From patchwork Mon Jul 17 10:54:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13315445 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 712B3EB64DC for ; Mon, 17 Jul 2023 10:54:26 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web11.5437.1689591261839731870 for ; Mon, 17 Jul 2023 03:54:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=QM9tvlcL; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20230717105418d6d64f57e9505d54cd-yc2jsa@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20230717105418d6d64f57e9505d54cd for ; Mon, 17 Jul 2023 12:54:18 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=m8OBolpevL7PvW3Dq2QFx35sDEymra301zA6z9lMbVo=; b=QM9tvlcLqPIK2JHu+gLJBDaCyQpJiLfyNEKTq49MHKqyyWvBSOh/mxxhXzlMNIrYRySMZR cxRQge/0j/+a99uuiQLNgWrXNoRW+K0ZSv5kFRK34gcyhJl7pBA4I4KeBkASlbJ2duqw5YuP fw0izINdHeWkv+LKI7c9IC3mGrPJo=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC v2 2/3] swupdate.bbclass: Use new swupdate-certificate Date: Mon, 17 Jul 2023 12:54:16 +0200 Message-Id: <20230717105417.27761-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230717105417.27761-1-Quirin.Gylstorff@siemens.com> References: <20230717105417.27761-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Jul 2023 10:54:26 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12368 From: Quirin Gylstorff This also changes the signing type from RSA PKCS#1.5[1](SWUPDATE_SIGNATURE_TYPE="rsa") to certificates[2](SWUPDATE_SIGNATURE_TYPE="cms"). certificates are the default of the debian SWUpdate package. [1]: https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-rsa-pkcs-1-5-or-rsa-pss [2]:https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms Signed-off-by: Quirin Gylstorff --- classes/swupdate.bbclass | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index 3d2b5f0..aedaf02 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2020 +# Copyright (c) Siemens AG, 2020-2023 # # Authors: # Christian Storm @@ -25,14 +25,17 @@ SWU_HW_COMPAT ?= "" SWU_IMAGE_FILE ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.swu" SWU_DESCRIPTION_FILE ?= "sw-description" SWU_ADDITIONAL_FILES ?= "linux.efi ${SWU_ROOTFS_PARTITION_NAME}" -SWU_SIGNED ?= "" +SWU_SIGNED ??= "" SWU_SIGNATURE_EXT ?= "sig" -SWU_SIGNATURE_TYPE ?= "rsa" +SWU_SIGNATURE_TYPE ?= "cms" SWU_BUILDCHROOT_IMAGE_FILE ?= "${PP_DEPLOY}/${@os.path.basename(d.getVar('SWU_IMAGE_FILE'))}" IMAGE_TYPEDEP:swu = "${SWU_ROOTFS_TYPE}${@get_swu_compression_type(d)}" -IMAGER_INSTALL:swu += "cpio ${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_BUILD_DEPS:swu += "${@'swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_INSTALL:swu += "cpio ${@'openssl swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" + IMAGE_SRC_URI:swu = "file://${SWU_DESCRIPTION_FILE}.tmpl" IMAGE_TEMPLATE_FILES:swu = "${SWU_DESCRIPTION_FILE}.tmpl" @@ -102,10 +105,6 @@ IMAGE_CMD:swu() { # Prepare for signing export sign='${@'x' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}' - if [ -n "$sign" ]; then - cp -f '${SIGN_KEY}' '${WORKDIR}/dev.key' - test -e '${SIGN_CRT}' && cp -f '${SIGN_CRT}' '${WORKDIR}/dev.crt' - fi sudo -E chroot ${BUILDCHROOT_DIR} sh -c ' \ # Fill in file check sums @@ -123,14 +122,14 @@ IMAGE_CMD:swu() { if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then openssl dgst \ - -sha256 -sign "${PP_WORK}/dev.key" "$file" \ + -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$file" \ > "$file.${SWU_SIGNATURE_EXT}" elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then openssl cms \ -sign -in "$file" \ -out "$file"."${SWU_SIGNATURE_EXT}" \ - -signer "${PP_WORK}/dev.crt" \ - -inkey "${PP_WORK}/dev.key" \ + -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ + -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ -outform DER -nosmimecap -binary fi # Set file timestamps for reproducible builds From patchwork Mon Jul 17 10:54:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13315444 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 73E9BC001E0 for ; Mon, 17 Jul 2023 10:54:26 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.5436.1689591261810284541 for ; Mon, 17 Jul 2023 03:54:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=h9ODb9Ae; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-202307171054190d0137a4842e36f025-whmh_0@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202307171054190d0137a4842e36f025 for ; Mon, 17 Jul 2023 12:54:19 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=IwVlV7k3RdFrJQS/Cst5e/if2rZDqfznrOoEGdM4Sco=; b=h9ODb9AeAe9XrJ0LIqb4d4jW/C40C3no8QHKzdLgCHHfIwT3uhFJY1/Bb31G3cyOEaPoSz xFCYFq0tDpdwyDRVjONd2urrQhtnd9EoLz95hLSJj2S2h+57JNHsbedwImzZDjCBxFVztVb6 MRjpZoaHO4/Zua2hbyqEB6WWTICu0=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC v2 3/3] swupdate: Enable signed updates Date: Mon, 17 Jul 2023 12:54:17 +0200 Message-Id: <20230717105417.27761-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230717105417.27761-1-Quirin.Gylstorff@siemens.com> References: <20230717105417.27761-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Jul 2023 10:54:26 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12369 From: Quirin Gylstorff With this change SWUpdate requires signed binaries to update the system. An update without the correct signature will lead to the following error message: ``` Error: SWUpdate is built for signed images, provide a public key file. ``` If unsigned binaries are wanted readd the Build option ``` DEB_BUILD_PROFILES += "pkg.swupdate.nosigning" ``` to a swupdate_%.bbappend recipe Signed-off-by: Quirin Gylstorff --- kas/opt/swupdate.yml | 2 ++ recipes-core/customizations/files/swupdate.cfg | 1 + recipes-core/images/swupdate.inc | 2 +- recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb | 9 ++++++--- recipes-core/swupdate/swupdate_2023.05.bb | 8 ++++++-- 5 files changed, 16 insertions(+), 6 deletions(-) diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml index b0293ce..0e30e89 100644 --- a/kas/opt/swupdate.yml +++ b/kas/opt/swupdate.yml @@ -28,3 +28,5 @@ local_conf_header: INITRAMFS_INSTALL:append = " initramfs-squashfs-hook" ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001" ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002" + PREFERRED_PROVIDER_swupdate-certificates-key ??= "swupdate-certificates-key-snakeoil" + PREFERRED_PROVIDER_swupdate-certificates ??= "swupdate-certificates-snakeoil" diff --git a/recipes-core/customizations/files/swupdate.cfg b/recipes-core/customizations/files/swupdate.cfg index 9ee47c7..3e2b45c 100644 --- a/recipes-core/customizations/files/swupdate.cfg +++ b/recipes-core/customizations/files/swupdate.cfg @@ -1,4 +1,5 @@ globals : { bootloader = "ebg"; + public-key-file = "/usr/share/swupdate-signing/swupdate-sign.crt" }; diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 5d9cd58..4983f7c 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2020 +# Copyright (c) Siemens AG, 2023 # # Authors: # Quirin Gylstorff diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb index 2384f41..8f7a97d 100644 --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2021 +# Copyright (c) Siemens AG, 2021-2023 # # Authors: # Quirin Gylstorff @@ -29,8 +29,11 @@ SRC_URI += "file://0001-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch # end patching for dm-verity based images -# deactivate signing and hardware compability for simple a/b rootfs update -DEB_BUILD_PROFILES += "pkg.swupdate.nosigning" +# The option: "pkg.swupdate.nosigning" disables the required signing +# of update binaries +# DEB_BUILD_PROFILES += "pkg.swupdate.nosigning" + +# deactivate hardware compability for simple a/b rootfs update DEB_BUILD_PROFILES += "pkg.swupdate.nohwcompat" # add cross build and deactivate testing for arm based builds diff --git a/recipes-core/swupdate/swupdate_2023.05.bb b/recipes-core/swupdate/swupdate_2023.05.bb index 26c0e67..762fac2 100644 --- a/recipes-core/swupdate/swupdate_2023.05.bb +++ b/recipes-core/swupdate/swupdate_2023.05.bb @@ -31,8 +31,12 @@ SRC_URI += "file://0001-d-rules-Add-option-for-suricatta_lua.patch \ file://0003-d-patches-Add-patch-to-add-the-build-version-to-swup.patch \ file://0004-d-rules-Add-option-to-enable-suricatta_wfx.patch" -# deactivate signing and hardware compability for simple a/b rootfs update -DEB_BUILD_PROFILES += "pkg.swupdate.nosigning" + +# The option: "pkg.swupdate.nosigning" disables the required signing +# of update binaries +# DEB_BUILD_PROFILES += "pkg.swupdate.nosigning" + +# deactivate hardware compability for simple a/b rootfs update DEB_BUILD_PROFILES += "pkg.swupdate.nohwcompat" # suricatta wfx requires suricatta lua and the dependency