From patchwork Mon Sep 9 11:21:38 2024
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 13796662
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org
Subject: [cip-dev][isar-cip-core][RFC 1/3] Move signing script to separate package to better support HSM signing
Date: Mon, 9 Sep 2024 13:21:38 +0200
Message-ID: <20240909112309.1028531-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240909112309.1028531-1-Quirin.Gylstorff@siemens.com>
References: <20240909112309.1028531-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16868

From: Quirin Gylstorff

If a hardware security module (HSM) is used, the user needs to modify the swupdate-certificate-key package in multiple ways to remove the error message in case of a missing key. This change decouples the signing key from the signing script to allow easier integration with HSM-based signing.

Signed-off-by: Quirin Gylstorff
---
 classes/swupdate.bbclass                   |  3 +--
 recipes-core/images/swupdate.inc           |  5 +++-
 .../swupdate-certificates-key.inc          |  9 +------
 .../files/sign-swu-cms                     |  0
 .../files/sign-swu-rsa                     |  0
 .../swupdate-signer/swupdate-signer_0.1.bb | 25 +++++++++++++++++++
 6 files changed, 31 insertions(+), 11 deletions(-)
 rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-cms (100%)
 rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-rsa (100%)
 create mode 100644 recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index eeb05b2..06418e5 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -46,8 +46,7 @@ IMAGE_TYPEDEP:swu = "${@ '${SWU_DELTA_UPDATE_ARTIFACT_TYPE}' \ if d.getVar('DELTA_UPDATE_TYPE') == "rdiff" or d.getVar('DELTA_UPDATE_TYPE') == "zchunk" \ else '${SWU_UPDATE_ARTIFACT_TYPE}' }" -IMAGER_BUILD_DEPS:swu += "${@'swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" -IMAGER_INSTALL:swu += "cpio ${@'openssl swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_INSTALL:swu += "cpio" IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 1d237f7..96994b5 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2023 +# Copyright (c) Siemens AG, 2023-2024 # # Authors: # Quirin Gylstorff @@ -14,6 +14,9 @@ inherit read-only-rootfs SWU_SIGNED ?= "1" SWU_HW_COMPAT ?= "cip-core-1.0" +IMAGER_BUILD_DEPS:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_INSTALL:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" IMAGE_INSTALL += " swupdate" IMAGE_INSTALL:remove:sid = "swupdate" diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc index 93cf255..bcc8e2a 100644 --- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc 
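Review bot: the swupdate.bbclass and swupdate.inc hunks move the signer wiring out of the class into one image include, and they leave `IMAGE_INSTALL += "${@'swupdate-certificates' ...}"` in both places: the class hunk keeps that line as unchanged context right after the edited `IMAGER_INSTALL:swu` line, and the swupdate.inc hunk adds the identical line again. Drop one of them. More importantly, any image that inherits swupdate.bbclass without including recipes-core/images/swupdate.inc now gets `IMAGER_INSTALL:swu = "cpio"` only and no signer at all, while before this patch the class pulled in the key package whenever SWU_SIGNED was set. Consider keeping the dependency in the class and making only the package name configurable, e.g. `SWU_SIGNER_PACKAGE ?= "swupdate-signer"` and `IMAGER_INSTALL:swu += "${@'${SWU_SIGNER_PACKAGE}' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"`, so an HSM user overrides one variable instead of removing and re-adding entries. Also worth a sentence in the commit message: `openssl` disappears from `IMAGER_INSTALL:swu` here and is only pulled back in through the new package's `DEBIAN_DEPENDS`, so a custom signer package that does not declare it will lose openssl in the imager chroot.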
@@ -18,17 +18,10 @@ PROVIDES += "swupdate-certificates-key" DEBIAN_PROVIDES = "swupdate-certificates-key" SWU_SIGN_KEY ??= "" -SWU_SIGN_SCRIPT ??= "sign-swu-cms" SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }" -SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }" -do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \ - ${D}/usr/bin/" +do_install[cleandirs] = "${D}/usr/share/swupdate-signing" do_install() { - if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ]; then - bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process" - fi - install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu if [ -z ${SWU_SIGN_KEY} ]; then bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe" fi diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-signer/files/sign-swu-cms similarity index 100% rename from recipes-devtools/swupdate-certificates/files/sign-swu-cms rename to recipes-devtools/swupdate-signer/files/sign-swu-cms diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-signer/files/sign-swu-rsa similarity index 100% rename from recipes-devtools/swupdate-certificates/files/sign-swu-rsa rename to recipes-devtools/swupdate-signer/files/sign-swu-rsa diff --git a/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb b/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb new file mode 100644 index 0000000..71cc10c --- /dev/null +++ b/recipes-devtools/swupdate-signer/swupdate-signer_0.1.bb 
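Review bot: this hunk deletes the `bbfatal "You must add a '${SWU_SIGN_SCRIPT}' ..."` guard together with the script installation, but the check is not recreated in the new swupdate-signer recipe, so an unset or misspelled SWU_SIGN_SCRIPT now surfaces as an `install: cannot stat` error from the WORKDIR path instead of the clear message users had before; carry the check over. The remaining `if [ -z ${SWU_SIGN_KEY} ]; then` is still unquoted; since the surrounding lines are touched anyway, make it `[ -z "${SWU_SIGN_KEY}" ]`. Note also that this package still hard-fails on a missing key file, so an HSM user is not actually freed from providing an alternative swupdate-certificates-key provider by this series; either say so in the commit message or make the key optional when an external signer is used.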
@@ -0,0 +1,25 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw +DPKG_ARCH = "all" +DEBIAN_MULTI_ARCH = "foreign" + +DEPENDS = "swupdate-certificates-key" +DEBIAN_DEPENDS += "openssl, swupdate-certificates-key" + +SWU_SIGN_SCRIPT ??= "sign-swu-cms" + +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }" + +do_install[cleandirs] = "${D}/usr/bin/" +do_install() { + install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu +}
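Review bot: `DEPENDS = "swupdate-certificates-key"` and `DEBIAN_DEPENDS += "openssl, swupdate-certificates-key"` hard-wire the file-based key package into the new signer package, which is exactly the coupling the commit message sets out to remove: an HSM-backed sign-swu has no key file to install and should not have to build that package at all. Make the key dependency follow the script, for example via a variable such as `SWU_SIGNER_DEPENDS ?= "swupdate-certificates-key"` that the bundled cms/rsa scripts need and an HSM user can clear. The recipe also accepts an empty SWU_SIGN_SCRIPT (the `SRC_URI:append` then adds nothing) and only fails inside `do_install` with an `install` error; add the `bbfatal` guard that the swupdate-certificates-key.inc hunk removes. Finally, `install -m 0700` is appropriate for a file-based signer in the imager chroot; document that a replacement script is executed as the imager user so HSM PKCS#11 permissions are set up accordingly.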
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org
Subject: [cip-dev][isar-cip-core][RFC 2/3] Add check for sign-swu executable
Date: Mon, 9 Sep 2024 13:21:39 +0200
Message-ID: <20240909112309.1028531-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240909112309.1028531-1-Quirin.Gylstorff@siemens.com>
References: <20240909112309.1028531-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16870

From: Quirin Gylstorff

This ensures a clear error message in case of missing packages.

Signed-off-by: Quirin Gylstorff
---
 classes/swupdate.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 06418e5..f1af1ff 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -233,6 +233,10 @@ IMAGE_CMD:swu() { cpio_files="${SWU_DESCRIPTION_FILE}" if [ -n "$sign" ]; then + if [ -x /usr/bin/sign-swu ]; then + echo "Could not find the executable '/usr/bin/sign-swu'" 1>&2 + exit 1 + fi signature_file="${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" if ! /usr/bin/sign-swu "${SWU_DESCRIPTION_FILE}" "$signature_file" > /dev/null 2>&1 || \ [ ! -f "$signature_file" ]; then
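Review bot: the condition is inverted. `[ -x /usr/bin/sign-swu ]` is true when the signer is installed, so as written the build aborts with "Could not find the executable" exactly when signing would work, and skips the check when the executable is really missing, falling through to the older generic failure below. It must read `if [ ! -x /usr/bin/sign-swu ]; then`. While touching this block: the following call redirects the signer's output with `> /dev/null 2>&1`, which discards the very diagnostics an HSM-backed sign-swu emits (engine/PKCS#11 errors, wrong PIN, missing token), so a failure is reported only as "signing failed"; keep at least stderr, or capture it and print it on failure, so the new clear-error-message goal also holds for the signing step itself.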
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org
Subject: [cip-dev][isar-cip-core][RFC 3/3] Update README for swupdate signing
Date: Mon, 9 Sep 2024 13:21:40 +0200
Message-ID: <20240909112309.1028531-4-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240909112309.1028531-1-Quirin.Gylstorff@siemens.com>
References: <20240909112309.1028531-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16869

From: Quirin Gylstorff

Signed-off-by: Quirin Gylstorff
---
 doc/README.swupdate.md | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index a5fbab9..421ca1c 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -138,6 +138,7 @@ PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key" PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" SWU_SIGN_CERT = "" SWU_SIGN_KEY = "" +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" ``` The files `` and `` need to be stored
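Review bot: the added `IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"` line in the user-facing configuration snippet duplicates what classes/swupdate.bbclass already does unconditionally (and what patch 1 adds a second time in recipes-core/images/swupdate.inc); a user following this README would install the same package a third time. If the intent is to document that the certificate package is pulled in automatically, say that in prose after the snippet instead of asking users to copy the line into their configuration.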
@@ -145,8 +146,19 @@ in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bb ### signing script -The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms) -can be replaced by setting the variable `SWU_SIGN_SCRIPT`. +The package [swupdate-signer](recipes-devtools/swupdate-signer/) provides a [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms). +This script can be replaced by setting the variable `SWU_SIGN_SCRIPT`. + + +Alternatively an own signing script can be used by adding the following lines: +``` +IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer" +IMAGER_INSTALL:remove:swu = "swupdate-signer" +IMAGER_BUILD_DEPS:swu += "${@'' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_INSTALL:swu += "${@'' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +``` + +The package `` needs to install a executable to `/usr/bin/sign-swu`. ## SWUpdate Hardware compatibility
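Review bot: the link in the new text still points at `./recipes-devtools/swupdate-certificates/files/sign-swu-cms`, but patch 1 of this series renames the file to `recipes-devtools/swupdate-signer/files/sign-swu-cms`, so the link is dead once the series is applied; update it to the new path. The suggested override lines are also wrong for BitBake: `IMAGER_BUILD_DEPS:remove:swu = "swupdate-signer"` is parsed as a `:remove` on `IMAGER_BUILD_DEPS` that only takes effect when `swu` appears in OVERRIDES, which it never does, so nothing is removed and `swupdate-signer` stays in `IMAGER_BUILD_DEPS:swu`; the flavour-specific form is `IMAGER_BUILD_DEPS:swu:remove = "swupdate-signer"` and `IMAGER_INSTALL:swu:remove = "swupdate-signer"`. The whole remove/re-add dance would be unnecessary if the class exposed the signer package name as a variable. Two small things: "a executable" should be "an executable", and the package placeholder in the snippet and in the last sentence renders empty here, so readers cannot tell what to substitute; use an explicit placeholder name.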