From patchwork Tue Mar  5 16:10:54 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
X-Patchwork-Id: 13582660
Return-Path: <quirin.gylstorff@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 76EA6C54E41
	for <webhook@archiver.kernel.org>; Tue,  5 Mar 2024 16:11:55 +0000 (UTC)
Received: from mta-65-225.siemens.flowmailer.net
 (mta-65-225.siemens.flowmailer.net [185.136.65.225])
 by mx.groups.io with SMTP id smtpd.web11.27689.1709655109573685301
 for <cip-dev@lists.cip-project.org>;
 Tue, 05 Mar 2024 08:11:49 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1
 header.b=CgSE6XKT;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225,
 mailfrom:
 fm-51332-20240305161129e96c24ba3dd5dd319a-rg6tsd@rts-flowmailer.siemens.com)
Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id
 20240305161129e96c24ba3dd5dd319a
        for <cip-dev@lists.cip-project.org>;
        Tue, 05 Mar 2024 17:11:29 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=Quirin.Gylstorff@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To;
 bh=M3VaBtuxVVlWDnDM8ZEH+CoQA02CfbLyeBKbA2kKFiE=;
 b=CgSE6XKTWpqpS4vbqN+aGCyltd9Gj64jd2dYuhGwxLYlPZ4JD3CXm2aysLntntvbxTc/OD
 QMxFRPQ6DWEBiNzGJmtUzqoaWTXvflGIDQoUMvbplf3TGQdGqSOzJjFvhmorMTpTakme8B2F
 D/z8CVtunSV2hloQlg/riXKi5OOQs=;
From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org,
	felix.moessbauer@siemens.com,
	jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v3 1/6] swupdate: check output of
 sign-swu
Date: Tue,  5 Mar 2024 17:10:54 +0100
Message-ID: <20240305161128.2777211-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
References: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-51332:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Tue, 05 Mar 2024 16:11:55 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15236

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Check for signing errors to avoid an unusable swu file.

This also moves the siging out of the loop to generate
the cpio archive *.swu as the Messages from the signing
can lead to errors in the archive generation. The cpio
options are no longer using the short form.

Use local variables to increase readability.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/swupdate.bbclass | 44 ++++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index aaff072..31cfc4e 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -191,24 +191,42 @@ IMAGE_CMD:swu() {
                     "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"
             done
             cd "${PP_WORK}/$swu_file_base"
-            for file in "${SWU_DESCRIPTION_FILE}" ${SWU_ADDITIONAL_FILES}; do
-                if [ "$file" = "${SWU_DESCRIPTION_FILE}" ] || \
-                    grep -q "$file" "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
+            cpio_files="${SWU_DESCRIPTION_FILE}"
+
+            if [ -n "$sign" ]; then
+                signature_file="${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}"
+                if ! /usr/bin/sign-swu \
+                    "${SWU_DESCRIPTION_FILE}" "$signature_file" \
+                    > /dev/null 2>&1 || \
+                    [ ! -f "$signature_file" ]; then
+                    echo "Could not create swupdate signature file '$signature_file'" 1>&2
+                    exit 1
+                fi
+                cpio_files="$cpio_files $signature_file"
+            fi
+
+            # sw-description must be first file in *.swu
+            for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do
+                if [ -f "$cpio_file" ]; then
                     # Set file timestamps for reproducible builds
                     if [ -n "${SOURCE_DATE_EPOCH}" ]; then
                         touch -d@"${SOURCE_DATE_EPOCH}" "$file"
                     fi
-                    echo "$file"
-                    if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then
-                        sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}"
-                        # Set file timestamps for reproducible builds
-                        if [ -n "${SOURCE_DATE_EPOCH}" ]; then
-                            touch -d@"${SOURCE_DATE_EPOCH}" "$file.${SWU_SIGNATURE_EXT}"
-                        fi
-                        echo "$file.${SWU_SIGNATURE_EXT}"
-                    fi
+                    case "$cpio_file" in
+                        sw-description*)
+                            echo "$cpio_file"
+                            ;;
+                        *)
+                            if grep -q "$cpio_file" \
+                                "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
+                                echo "$cpio_file"
+                            fi
+                            ;;
+                    esac
                 fi
-            done | cpio -ovL --reproducible -H crc > "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
+            done | cpio \
+                --verbose --dereference --create --reproducible --format=crc \
+                > "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
 EOIMAGER
     done
 }

From patchwork Tue Mar  5 16:10:55 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
X-Patchwork-Id: 13582658
Return-Path: <quirin.gylstorff@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 75F3CC54E58
	for <webhook@archiver.kernel.org>; Tue,  5 Mar 2024 16:11:55 +0000 (UTC)
Received: from mta-65-225.siemens.flowmailer.net
 (mta-65-225.siemens.flowmailer.net [185.136.65.225])
 by mx.groups.io with SMTP id smtpd.web10.27151.1709655103980415330
 for <cip-dev@lists.cip-project.org>;
 Tue, 05 Mar 2024 08:11:49 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1
 header.b=Oo5jkEBv;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225,
 mailfrom:
 fm-51332-202403051611297cab36d2a853923a5b-zqqbk0@rts-flowmailer.siemens.com)
Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id
 202403051611297cab36d2a853923a5b
        for <cip-dev@lists.cip-project.org>;
        Tue, 05 Mar 2024 17:11:29 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=Quirin.Gylstorff@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To;
 bh=IpKQdYiT4JWOQuVEpHZfqCJaRO2XpZXV4eGeeGhrp1c=;
 b=Oo5jkEBv5TywY08e73nkt6ScAQE0wLYr+rt74enuro0X8fwS4q9/OxTGfW9VRxYWlyRPng
 i8lN+j/86BDgcZ3xGf2kFhSXgHrL6PpsdEMVUdsNvESjOIQbmzEWT78/Ldm6LAWvPq1TdZ/c
 A/fXrbbEJ+oIfvoknSpfdarwaFOx4=;
From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org,
	felix.moessbauer@siemens.com,
	jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v3 2/6] sign-swu-cms: check if key and
 cert are valid
Date: Tue,  5 Mar 2024 17:10:55 +0100
Message-ID: <20240305161128.2777211-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
References: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-51332:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Tue, 05 Mar 2024 16:11:55 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15234

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This avoids a broken update binary.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../swupdate-certificates/files/sign-swu-cms  | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-certificates/files/sign-swu-cms
index 7bd04ef..d844e01 100644
--- a/recipes-devtools/swupdate-certificates/files/sign-swu-cms
+++ b/recipes-devtools/swupdate-certificates/files/sign-swu-cms
@@ -1,9 +1,34 @@
 #!/bin/sh
 in_file=$1
 out_file=$2
+inkey="/usr/share/swupdate-signing/swupdate-sign.key"
+cert="/usr/share/swupdate-signing/swupdate-sign.crt"
+
+error_msg() {
+	echo "$1" 1>&2
+	exit 1
+}
+
+if ! openssl rsa -check -noout -in "$inkey"; then
+	error_msg "key '$inkey' is not a rsa key "
+fi
+
+# if openssl > 3.0 we have the x509 check option
+if openssl version | grep -q "3.[0-9].[0-9]"; then
+	if ! openssl x509 -check -noout -in "$cert"; then
+		error_msg  "certificate '$cert' is not a certificate"
+	fi
+fi
+
+key_md5=$(openssl rsa -modulus -noout -in "$inkey" | openssl md5)
+cert_md5=$(openssl x509 -modulus -noout -in "$cert" | openssl md5)
+if [ "$key_md5" != "$cert_md5" ]; then
+	error_msg "key '$inkey' does not match certificate '$cert' "
+fi
+
 openssl cms \
 	-sign -in "$in_file" \
 	-out "$out_file" \
-	-signer "/usr/share/swupdate-signing/swupdate-sign.crt" \
-	-inkey "/usr/share/swupdate-signing/swupdate-sign.key" \
+	-signer "$cert" \
+	-inkey "$inkey" \
 	-outform DER -noattr -binary

From patchwork Tue Mar  5 16:10:56 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
X-Patchwork-Id: 13582655
Return-Path: <quirin.gylstorff@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7A97FC54798
	for <webhook@archiver.kernel.org>; Tue,  5 Mar 2024 16:11:35 +0000 (UTC)
Received: from mta-64-226.siemens.flowmailer.net
 (mta-64-226.siemens.flowmailer.net [185.136.64.226])
 by mx.groups.io with SMTP id smtpd.web11.27678.1709655092447762967
 for <cip-dev@lists.cip-project.org>;
 Tue, 05 Mar 2024 08:11:33 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1
 header.b=BP7z+G69;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226,
 mailfrom:
 fm-51332-20240305161129625b0ba62d31f10a14-ulvovx@rts-flowmailer.siemens.com)
Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id
 20240305161129625b0ba62d31f10a14
        for <cip-dev@lists.cip-project.org>;
        Tue, 05 Mar 2024 17:11:29 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=Quirin.Gylstorff@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To;
 bh=ltOB0YWZr1jOxXIJIJcK6JqHzwNf9a8zcL/oZfohUIQ=;
 b=BP7z+G69cWFJG1/KMozlBjKM82GSFNO87BEHUCYCwU/6L9m4SlGSaVEXpn+A4sPmT4mIxg
 z9V408eCPSjBWiwB8GTADgemK9uTOhy9NaOKaRbwfTBtegOMElCwdrlHOOayZyGVXM0K8mRi
 KIEY8vFh9emAxvKsYQAZUyK0RaRls=;
From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org,
	felix.moessbauer@siemens.com,
	jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v3 3/6] doc: Add section about
 SWUpdate signing to README.swupdate.md
Date: Tue,  5 Mar 2024 17:10:56 +0100
Message-ID: <20240305161128.2777211-4-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
References: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-51332:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Tue, 05 Mar 2024 16:11:35 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15231

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.swupdate.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index 5877882..b7e13f7 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -110,6 +110,27 @@ The sw-description will contain the following section:
           sha256 = "<sha256 of luascript.lua>";
         }):
 ```
+## SWUpdate Signing
+
+The ISAR layer isar-cip-core provides templates to sign the swu binaries with
+a CMS certificate.
+
+By default the insecure [Debian snake-oil keys](./recipes-devtools/secure-boot-secrets/files/bookworm/) are used.
+To use other key and certificate the following variables must be set:
+```
+PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key"
+PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
+SWU_SIGN_CERT = "<sigining certificate file name>"
+SWU_SIGN_KEY  = "<siging key file name>"
+```
+
+The files `<sigining certificate file name>` and `<siging key file name>` need to be stored
+in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bbappend file, e.g.`swupdate-certificates-key_%.bbappend`
+
+### signing script
+
+The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms)
+can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
 
 ## SWUpdate Hardware compatibility
 

From patchwork Tue Mar  5 16:10:57 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
X-Patchwork-Id: 13582657
Return-Path: <quirin.gylstorff@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7BFC1C54E41
	for <webhook@archiver.kernel.org>; Tue,  5 Mar 2024 16:11:35 +0000 (UTC)
Received: from mta-64-228.siemens.flowmailer.net
 (mta-64-228.siemens.flowmailer.net [185.136.64.228])
 by mx.groups.io with SMTP id smtpd.web10.27143.1709655092714554114
 for <cip-dev@lists.cip-project.org>;
 Tue, 05 Mar 2024 08:11:33 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1
 header.b=We9CKcvq;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228,
 mailfrom:
 fm-51332-20240305161130bbb8824ceaa6b10d8b-cr_oxf@rts-flowmailer.siemens.com)
Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id
 20240305161130bbb8824ceaa6b10d8b
        for <cip-dev@lists.cip-project.org>;
        Tue, 05 Mar 2024 17:11:30 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=Quirin.Gylstorff@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To;
 bh=h8OXe8s4TLQOq1jtmct45VE12+dKioUhOLoAnURsplU=;
 b=We9CKcvqjlcq0KL6xaCs/TDwMBk373l/t2CaA5d79WOtcJ/CrmK5rRW0PmFqkmQGy9VwkD
 b4zjhu8HGW9iXGZ5bEYMgoI0dXZ7RX/c8m0JFr3mJYppgQfXd5xbetHyzQwJH3W7xl6iAdeB
 4WXOxzgcyBXPs+58BLvdOxcUvrVYQ=;
From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org,
	felix.moessbauer@siemens.com,
	jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v3 4/6] fix do not add files to each
 image recipe
Date: Tue,  5 Mar 2024 17:10:57 +0100
Message-ID: <20240305161128.2777211-5-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
References: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-51332:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Tue, 05 Mar 2024 16:11:35 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15230

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Due to the use of an anonymous python function each image recipe was
partial built even if not requested.
To avoid this remove the anonymous image function by adding
it as an prefunc to do_image_swu and do_transform_template.

The SRC_URI is appended with a function.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/efibootguard.bbclass |  1 -
 classes/swupdate.bbclass     | 42 ++++++++++++++++++++++++------------
 2 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/classes/efibootguard.bbclass b/classes/efibootguard.bbclass
index 31fcdcc..2b4f09e 100644
--- a/classes/efibootguard.bbclass
+++ b/classes/efibootguard.bbclass
@@ -67,5 +67,4 @@ python add_ebg_update(){
    ebg_update = d.getVar('SWU_EBG_UPDATE') or ""
    if ebg_update:
      d.appendVar('SWU_FILE_NODES', "," + swu_ebg_update_node)
-   d.appendVar('SWU_ADDITIONAL_FILES', " " + efi_boot_loader_file)
 }
diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 31cfc4e..3bd0cbd 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -63,7 +63,7 @@ IMAGE_TEMPLATE_VARS:swu = " \
 # TARGET_IMAGE_UUID needs to be generated before completing the template
 addtask do_transform_template after do_generate_image_uuid
 
-python(){
+python do_extend_sw_description(){
     cmds = d.getVar("SWU_EXTEND_SW_DESCRIPTION")
     if cmds is None or not cmds.strip():
         return
@@ -71,6 +71,7 @@ python(){
     for cmd in cmds:
         bb.build.exec_func(cmd, d)
 }
+do_transform_template[prefuncs] += "do_extend_sw_description"
 
 SWU_EXTEND_SW_DESCRIPTION += "add_swu_hw_compat"
 python add_swu_hw_compat(){
@@ -94,9 +95,22 @@ python add_swu_compression(){
         d.setVar('SWU_COMPRESSION_NODE', '')
 }
 
+def add_scripts_to_src_uri(d):
+    swu_scripts = d.getVar('SWU_SCRIPTS')
+    if not swu_scripts:
+        return ""
+    swu_script_entries = swu_scripts.split()
+    script_file_list = []
+    for entry in swu_script_entries:
+        script_entry = f"SWU_SCRIPT_{entry}"
+        script_file = d.getVarFlag(script_entry, "file")
+        script_file_list.append(f" file://{script_file}")
+    return ' '.join([n for n in script_file_list])
 
-SWU_EXTEND_SW_DESCRIPTION += "add_scripts"
-python add_scripts(){
+SRC_URI += "${@add_scripts_to_src_uri(d)}"
+
+SWU_EXTEND_SW_DESCRIPTION += "add_scripts_node"
+python add_scripts_node(){
     swu_scripts = d.getVar('SWU_SCRIPTS')
     if not swu_scripts:
         return
@@ -129,8 +143,6 @@ python add_scripts(){
           sha256 = "{script_file}-sha256";
         }}"""
         script_node_list.append(node)
-        d.appendVar('SWU_ADDITIONAL_FILES', " " + script_file)
-        d.appendVar('SRC_URI', f" file://{script_file}")
 
     swu_scripts_node = "scripts: (" + ','.join([n for n in script_node_list]) + ");"
     d.appendVar('SWU_SCRIPTS_NODE', swu_scripts_node)
@@ -155,6 +167,7 @@ FILESEXTRAPATHS:append = ":${LAYERDIR_cip-core}/recipes-core/images/swu"
 do_image_swu[depends] += "${PN}:do_transform_template"
 do_image_swu[stamp-extra-info] = "${DISTRO}-${MACHINE}"
 do_image_swu[cleandirs] += "${WORKDIR}/swu ${WORKDIR}/swu-${SWU_BOOTLOADER}"
+do_image_swu[prefuncs] = "do_extend_sw_description"
 IMAGE_CMD:swu() {
     rm -f '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'*.swu
     cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
@@ -165,13 +178,14 @@ IMAGE_CMD:swu() {
     for swu_file in "${WORKDIR}"/swu*; do
         swu_file_base=$(basename $swu_file)
         # Create symlinks for files used in the update image
-        for file in ${SWU_ADDITIONAL_FILES}; do
-            if grep -q "$file" "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
-                if [ -e "${WORKDIR}/$file" ]; then
-                    ln -s "${PP_WORK}/$file" "${WORKDIR}/$swu_file_base/$file"
-                else
-                    ln -s "${PP_DEPLOY}/$file" "${WORKDIR}/$swu_file_base/$file"
-                fi
+        swu_files=$(awk '$1=="filename"{gsub(/[",;]/, "", $3); print $3}' \
+            "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}")
+        export swu_files
+        for file in $swu_files; do
+            if [ -e "${WORKDIR}/$file" ]; then
+                ln -s "${PP_WORK}/$file" "${WORKDIR}/$swu_file_base/$file"
+            else
+                ln -s "${PP_DEPLOY}/$file" "${WORKDIR}/$swu_file_base/$file"
             fi
         done
 
@@ -186,7 +200,7 @@ IMAGE_CMD:swu() {
         export swu_file_extension
         imager_run -p -d ${PP_WORK} -u root <<'EOIMAGER'
             # Fill in file check sums
-            for file in ${SWU_ADDITIONAL_FILES}; do
+            for file in $swu_files; do
                 sed -i "s:$file-sha256:$(sha256sum "${PP_WORK}/$swu_file_base/"$file | cut -f 1 -d " "):g" \
                     "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"
             done
@@ -206,7 +220,7 @@ IMAGE_CMD:swu() {
             fi
 
             # sw-description must be first file in *.swu
-            for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do
+            for cpio_file in $cpio_files $swu_files; do
                 if [ -f "$cpio_file" ]; then
                     # Set file timestamps for reproducible builds
                     if [ -n "${SOURCE_DATE_EPOCH}" ]; then

From patchwork Tue Mar  5 16:10:58 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
X-Patchwork-Id: 13582659
Return-Path: <quirin.gylstorff@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 75EF9C54E55
	for <webhook@archiver.kernel.org>; Tue,  5 Mar 2024 16:11:55 +0000 (UTC)
Received: from mta-64-228.siemens.flowmailer.net
 (mta-64-228.siemens.flowmailer.net [185.136.64.228])
 by mx.groups.io with SMTP id smtpd.web11.27683.1709655103149760485
 for <cip-dev@lists.cip-project.org>;
 Tue, 05 Mar 2024 08:11:49 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1
 header.b=qCjoV8op;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228,
 mailfrom:
 fm-51332-20240305161130e6752cb9d84f55164a-n_6azn@rts-flowmailer.siemens.com)
Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id
 20240305161130e6752cb9d84f55164a
        for <cip-dev@lists.cip-project.org>;
        Tue, 05 Mar 2024 17:11:30 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=Quirin.Gylstorff@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To;
 bh=atqhpUKn6xgCqbVkczgdWqkVHnEliAq7sYxzPhLF94c=;
 b=qCjoV8opbS00it2mScWQxz5N51XW07Qp0L2jc6N1ScWuVlHJNVR9G4BZusuBIl8gyLnul5
 EG6phoQQrMVzBHESHpg32DFgThlLcYbAGQTILMZgN0w/DMl5O7gBlKPuXxPV3sfWI9HLsB4s
 LXzLyIdYRvvECS7lqkd2IqefLXflU=;
From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org,
	felix.moessbauer@siemens.com,
	jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v3 5/6] format: classes/efibootguard
 fix spacing
Date: Tue,  5 Mar 2024 17:10:58 +0100
Message-ID: <20240305161128.2777211-6-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
References: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-51332:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Tue, 05 Mar 2024 16:11:55 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15235

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/efibootguard.bbclass | 38 ++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/classes/efibootguard.bbclass b/classes/efibootguard.bbclass
index 2b4f09e..b130968 100644
--- a/classes/efibootguard.bbclass
+++ b/classes/efibootguard.bbclass
@@ -47,24 +47,24 @@ def efi_bootloader_name(d):
     return "boot{}.efi".format(efi_arch)
 
 SWU_EXTEND_SW_DESCRIPTION += "add_ebg_update"
-python add_ebg_update(){
-   efi_boot_loader_file = efi_bootloader_name(d)
-   efi_boot_device = d.getVar('SWU_EFI_BOOT_DEVICE')
-   swu_ebg_update_node = f"""
-   {{
-          filename = "{efi_boot_loader_file}";
-          path = "EFI/BOOT/{efi_boot_loader_file}";
-          device = "{efi_boot_device}";
-          filesystem = "vfat";
-          sha256 = "{efi_boot_loader_file}-sha256";
-          properties: {{
-               atomic-install = "true";
-          }};
-   }}
-   """
+python add_ebg_update() {
+    efi_boot_loader_file = efi_bootloader_name(d)
+    efi_boot_device = d.getVar('SWU_EFI_BOOT_DEVICE')
+    swu_ebg_update_node = f"""
+    {{
+        filename = "{efi_boot_loader_file}";
+        path = "EFI/BOOT/{efi_boot_loader_file}";
+        device = "{efi_boot_device}";
+        filesystem = "vfat";
+        sha256 = "{efi_boot_loader_file}-sha256";
+        properties: {{
+            atomic-install = "true";
+        }};
+    }}
+    """
 
-   d.setVar('SWU_BOOTLOADER_FILE_NODE', swu_ebg_update_node)
-   ebg_update = d.getVar('SWU_EBG_UPDATE') or ""
-   if ebg_update:
-     d.appendVar('SWU_FILE_NODES', "," + swu_ebg_update_node)
+    d.setVar('SWU_BOOTLOADER_FILE_NODE', swu_ebg_update_node)
+    ebg_update = d.getVar('SWU_EBG_UPDATE') or ""
+    if ebg_update:
+        d.appendVar('SWU_FILE_NODES', "," + swu_ebg_update_node)
 }

From patchwork Tue Mar  5 16:10:59 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
X-Patchwork-Id: 13582654
Return-Path: <quirin.gylstorff@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 81F96C54E58
	for <webhook@archiver.kernel.org>; Tue,  5 Mar 2024 16:11:35 +0000 (UTC)
Received: from mta-65-228.siemens.flowmailer.net
 (mta-65-228.siemens.flowmailer.net [185.136.65.228])
 by mx.groups.io with SMTP id smtpd.web10.27144.1709655093636691668
 for <cip-dev@lists.cip-project.org>;
 Tue, 05 Mar 2024 08:11:33 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1
 header.b=dsCYpTk1;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228,
 mailfrom:
 fm-51332-20240305161131df98f0ef117ad34e79-ekoybt@rts-flowmailer.siemens.com)
Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id
 20240305161131df98f0ef117ad34e79
        for <cip-dev@lists.cip-project.org>;
        Tue, 05 Mar 2024 17:11:31 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=Quirin.Gylstorff@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To;
 bh=ck7Cebh16C7TNNM9oid2HHrpKkLwz1tnSuLl9M2541Y=;
 b=dsCYpTk1cz+bP2Vx2frypLfOeR/B3g6050DkBI6pRFRAfuBk1vUk3twyhfeqd2vQgjZrjb
 dIFfjcRQ5kW7yM7HvcFJYZOw68csw59jsJ0orZ2Z05h6MqaQhaB0mjOaT6ZTlpMyfnNSUZ0M
 F4ATFE0BF2cU8V71yOUSfEhfROgBw=;
From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org,
	felix.moessbauer@siemens.com,
	jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v3 6/6] format: classes/swupdate fix
 parenthesis
Date: Tue,  5 Mar 2024 17:10:59 +0100
Message-ID: <20240305161128.2777211-7-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
References: <20240305161128.2777211-1-Quirin.Gylstorff@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-51332:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Tue, 05 Mar 2024 16:11:35 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15232

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/swupdate.bbclass | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 3bd0cbd..01295b0 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -63,7 +63,7 @@ IMAGE_TEMPLATE_VARS:swu = " \
 # TARGET_IMAGE_UUID needs to be generated before completing the template
 addtask do_transform_template after do_generate_image_uuid
 
-python do_extend_sw_description(){
+python do_extend_sw_description() {
     cmds = d.getVar("SWU_EXTEND_SW_DESCRIPTION")
     if cmds is None or not cmds.strip():
         return
@@ -74,7 +74,7 @@ python do_extend_sw_description(){
 do_transform_template[prefuncs] += "do_extend_sw_description"
 
 SWU_EXTEND_SW_DESCRIPTION += "add_swu_hw_compat"
-python add_swu_hw_compat(){
+python add_swu_hw_compat() {
     # create SWU_HW_COMPAT_NODE based on list of supported hw
     hw_compat = d.getVar('SWU_HW_COMPAT')
     if hw_compat:
@@ -86,7 +86,7 @@ python add_swu_hw_compat(){
 }
 
 SWU_EXTEND_SW_DESCRIPTION += "add_swu_compression"
-python add_swu_compression(){
+python add_swu_compression() {
     # create SWU_COMPRESSION_NODE node if compression is enabled
     calgo = d.getVar('SWU_COMPRESSION_TYPE')
     if calgo:
@@ -110,7 +110,7 @@ def add_scripts_to_src_uri(d):
 SRC_URI += "${@add_scripts_to_src_uri(d)}"
 
 SWU_EXTEND_SW_DESCRIPTION += "add_scripts_node"
-python add_scripts_node(){
+python add_scripts_node() {
     swu_scripts = d.getVar('SWU_SCRIPTS')
     if not swu_scripts:
         return