From patchwork Thu Sep 12 10:06:40 2024
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 13801859
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, felix.moessbauer@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v2 1/3] Move signing script to separate package to better support HSM signing
Date: Thu, 12 Sep 2024 12:06:40 +0200
Message-ID: <20240912100710.3183806-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240912100710.3183806-1-Quirin.Gylstorff@siemens.com>
References: <20240912100710.3183806-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16894

From: Quirin Gylstorff

If a Hardware security module (HSM) is used, the user needs to modify the swupdate-certificate-key package in multiple ways to remove the error message in case of a missing key. This change decouples the signing key from the signing script to allow easier integration with HSM based signing.

Signed-off-by: Quirin Gylstorff
---
 classes/swupdate.bbclass | 3 +--
 recipes-core/images/swupdate.inc | 5 +++-
 .../swupdate-certificates/files/sign-swu-rsa | 6 -----
 .../swupdate-certificates-key.inc | 9 +------
 .../files/sign-swu-cms | 0
 .../swupdate-signer-snakeoil_0.1.bb | 26 +++++++++++++++++++
 6 files changed, 32 insertions(+), 17 deletions(-)
 delete mode 100644 recipes-devtools/swupdate-certificates/files/sign-swu-rsa
 rename recipes-devtools/{swupdate-certificates => swupdate-signer}/files/sign-swu-cms (100%)
 create mode 100644 recipes-devtools/swupdate-signer/swupdate-signer-snakeoil_0.1.bb

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index eeb05b2..06418e5 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -46,8 +46,7 @@ IMAGE_TYPEDEP:swu = "${@ '${SWU_DELTA_UPDATE_ARTIFACT_TYPE}' \ if d.getVar('DELTA_UPDATE_TYPE') == "rdiff" or d.getVar('DELTA_UPDATE_TYPE') == "zchunk" \ else '${SWU_UPDATE_ARTIFACT_TYPE}' }" -IMAGER_BUILD_DEPS:swu += "${@'swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" -IMAGER_INSTALL:swu += "cpio ${@'openssl swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_INSTALL:swu += "cpio" IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 1d237f7..96994b5 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2023 +# Copyright (c) Siemens AG, 2023-2024 # # Authors: # Quirin Gylstorff @@ -14,6 +14,9 @@ inherit read-only-rootfs SWU_SIGNED ?= "1" SWU_HW_COMPAT ?= "cip-core-1.0" +IMAGER_BUILD_DEPS:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGER_INSTALL:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" IMAGE_INSTALL += " swupdate" IMAGE_INSTALL:remove:sid = "swupdate" diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa b/recipes-devtools/swupdate-certificates/files/sign-swu-rsa deleted file mode 100644 index fad3004..0000000 --- a/recipes-devtools/swupdate-certificates/files/sign-swu-rsa +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -in_file=$1 -out_file=$2 -openssl dgst \ - -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$in_file" \ - > "$out_file" diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc index 93cf255..bcc8e2a 100644 
--- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc @@ -18,17 +18,10 @@ PROVIDES += "swupdate-certificates-key" DEBIAN_PROVIDES = "swupdate-certificates-key" SWU_SIGN_KEY ??= "" -SWU_SIGN_SCRIPT ??= "sign-swu-cms" SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }" -SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_SCRIPT') if d.getVar('SWU_SIGN_SCRIPT') else '' }" -do_install[cleandirs] = "${D}/usr/share/swupdate-signing/ \ - ${D}/usr/bin/" +do_install[cleandirs] = "${D}/usr/share/swupdate-signing" do_install() { - if [ ! -f ${WORKDIR}/${SWU_SIGN_SCRIPT} ]; then - bbfatal "You must add a '${SWU_SIGN_SCRIPT}' to execute the signing process" - fi - install -m 0700 ${WORKDIR}/${SWU_SIGN_SCRIPT} ${D}/usr/bin/sign-swu if [ -z ${SWU_SIGN_KEY} ]; then bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe" fi diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-signer/files/sign-swu-cms similarity index 100% rename from recipes-devtools/swupdate-certificates/files/sign-swu-cms rename to recipes-devtools/swupdate-signer/files/sign-swu-cms diff --git a/recipes-devtools/swupdate-signer/swupdate-signer-snakeoil_0.1.bb b/recipes-devtools/swupdate-signer/swupdate-signer-snakeoil_0.1.bb new file mode 100644 index 0000000..3600c3d --- /dev/null +++ b/recipes-devtools/swupdate-signer/swupdate-signer-snakeoil_0.1.bb 
@@ -0,0 +1,26 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw +DPKG_ARCH = "all" +DEBIAN_MULTI_ARCH = "foreign" + +PROVIDES = "swupdate-signer" +DEBIAN_PROVIDES = "swupdate-signer" + +DEPENDS = "swupdate-certificates-key" +DEBIAN_DEPENDS += "openssl, swupdate-certificates-key" + +SRC_URI = "file://sign-swu-cms" + +do_install[cleandirs] = "${D}/usr/bin/" +do_install() { + install -m 0755 ${WORKDIR}/sign-swu-cms ${D}/usr/bin/sign-swu +}

From patchwork Thu Sep 12 10:06:41 2024
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 13801857
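Review bot: Dropping `IMAGE_INSTALL += "${@'swupdate-certificates' ...}"` from classes/swupdate.bbclass is a behaviour change for any image that inherits the class without including recipes-core/images/swupdate.inc, where this patch re-adds the same line: such images silently lose the certificate package, while still producing a signed SWU through the imager. Either keep the line in the class (the swupdate.inc copy is then redundant) or state in the commit message that signed images are now expected to include swupdate.inc.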
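Review bot: `SWU_SIGN_SCRIPT` is removed from swupdate-certificates-key.inc without any migration aid, and the commit message does not mention that the `sign-swu-rsa` alternative is deleted: a layer that still sets `SWU_SIGN_SCRIPT = "sign-swu-rsa"` now builds without any error and signs with the CMS snakeoil script from swupdate-signer-snakeoil instead, since nothing references the variable any more. Suggest failing loudly for one release, e.g. in swupdate.bbclass: `python () { if d.getVar('SWU_SIGN_SCRIPT'): bb.fatal("SWU_SIGN_SCRIPT is no longer supported; provide a swupdate-signer package instead") }`, and listing the removal of sign-swu-rsa in the commit message.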
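Review bot: The install mode of the signing script changes from 0700 (the removed `install -m 0700` line in swupdate-certificates-key.inc) to 0755 in swupdate-signer-snakeoil_0.1.bb without being mentioned. That is acceptable for a script that holds no secret and reads the key from the separate key package, but the commit message should say so; it should also make clear that `DEPENDS = "swupdate-certificates-key"` is specific to the snakeoil signer, so an HSM signer package providing `swupdate-signer` is not expected to carry that dependency.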
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, felix.moessbauer@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v2 2/3] Add check for sign-swu executable
Date: Thu, 12 Sep 2024 12:06:41 +0200
Message-ID: <20240912100710.3183806-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240912100710.3183806-1-Quirin.Gylstorff@siemens.com>
References: <20240912100710.3183806-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16893

From: Quirin Gylstorff

This ensures a clear error message in case of missing packages.

Signed-off-by: Quirin Gylstorff
---
 classes/swupdate.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 06418e5..642fd79 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -233,6 +233,10 @@ IMAGE_CMD:swu() { cpio_files="${SWU_DESCRIPTION_FILE}" if [ -n "$sign" ]; then + if [ ! -x /usr/bin/sign-swu ]; then + echo "Could not find the executable '/usr/bin/sign-swu'" 1>&2 + exit 1 + fi signature_file="${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" if ! /usr/bin/sign-swu "${SWU_DESCRIPTION_FILE}" "$signature_file" > /dev/null 2>&1 || \ [ ! -f "$signature_file" ]; then

From patchwork Thu Sep 12 10:06:42 2024
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 13801856
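Review bot: The new `-x /usr/bin/sign-swu` check only covers the missing-executable case; the signing call on the very next lines still runs with `> /dev/null 2>&1`, so when sign-swu exists but fails (the interesting case once an HSM-backed script is in use) the signer's own error output is discarded and the user is left with the generic failure in the `if !` branch. Suggest keeping stderr, e.g. `if ! /usr/bin/sign-swu "${SWU_DESCRIPTION_FILE}" "$signature_file" > /dev/null || \`, so the cause lands in the task log next to the new error message.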
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, felix.moessbauer@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v2 3/3] Update README for swupdate signing
Date: Thu, 12 Sep 2024 12:06:42 +0200
Message-ID: <20240912100710.3183806-4-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240912100710.3183806-1-Quirin.Gylstorff@siemens.com>
References: <20240912100710.3183806-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16892

From: Quirin Gylstorff

Signed-off-by: Quirin Gylstorff
---
 doc/README.swupdate.md | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index a5fbab9..d4d0851 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -136,8 +136,8 @@ To use other key and certificate the following variables must be set: ``` PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key" PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" -SWU_SIGN_CERT = "" SWU_SIGN_KEY = "" +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" ``` The files `` and `` need to be stored
@@ -145,8 +145,15 @@ in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bb ### signing script -The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms) -can be replaced by setting the variable `SWU_SIGN_SCRIPT`. +The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-signer/) provides a [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms). +When signing requires a project specific signing script, +e.g. for using a hardware security module(HSM), an own package can be added. +The package can replace the default package by adding the following line: +``` +PREFERRED_PROVIDER_swupdate-signer = "" +``` + +The package `` needs to install a executable to `/usr/bin/sign-swu`. ## SWUpdate Hardware compatibility
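Review bot: The `IMAGE_INSTALL += "${@'swupdate-certificates' ...}"` line added to the README example is the same line that patch 1/3 adds to recipes-core/images/swupdate.inc, so a reader who includes swupdate.inc ends up adding it twice; say that it is only needed for images that do not include swupdate.inc, or drop it from the example. `SWU_SIGN_CERT` also disappears from the example without the commit message saying why.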
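Review bot: The link to the cms signing script still points at `./recipes-devtools/swupdate-certificates/files/sign-swu-cms`, but patch 1/3 renames the file to `recipes-devtools/swupdate-signer/files/sign-swu-cms`, so the README link is broken as soon as the series is applied. While here, fix the wording of the new lines: "a executable" should be "an executable", "an own package" reads better as "a custom package", and "module(HSM)" needs a space before the parenthesis.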