* [cip-dev][isar-cip-core][PATCH 0/4] Make swupdate signing more
From: Quirin Gylstorff @ 2024-03-04 10:08 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, felix.moessbauer

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds checks to validate the certificate and key before
they are used in the signing process.

It also adds the missing documentation about swu signing in cip-core
and fixes two issues:
 - an error in the build logs of do_image_swu
 - creating all existing image recipes by touching SRC_URI in an anonymous
   python function.

Quirin Gylstorff (4):
  swupdate: check output of sign-swu
  sign-swu-cms: check if key and cert are valid
  doc: Add section about SWUpdate signing to README.swupdate.md
  fix do not add files to each image recipe

 classes/efibootguard.bbclass                  |  1 -
 classes/swupdate.bbclass                      | 83 +++++++++++++------
 doc/README.swupdate.md                        | 21 +++++
 .../swupdate-certificates/files/sign-swu-cms  | 29 ++++++-
 4 files changed, 105 insertions(+), 29 deletions(-)

-- 
2.43.0


* [cip-dev][isar-cip-core][PATCH 1/4] swupdate: check output of sign-swu
From: Quirin Gylstorff @ 2024-03-04 10:08 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, felix.moessbauer

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Check for signing errors to avoid an unusable swu file.

This also moves the signing out of the loop that generates
the cpio archive *.swu, as the messages from the signing
can lead to errors in the archive generation.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/swupdate.bbclass | 43 ++++++++++++++++++++++++++++------------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 2c69892..be6a07f 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -191,24 +191,41 @@ IMAGE_CMD:swu() {
                     "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"
             done
             cd "${PP_WORK}/$swu_file_base"
-            for file in "${SWU_DESCRIPTION_FILE}" ${SWU_ADDITIONAL_FILES}; do
-                if [ "$file" = "${SWU_DESCRIPTION_FILE}" ] || \
-                    grep -q "$file" "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
+            cpio_files="${SWU_DESCRIPTION_FILE}"
+
+            if [ -n "$sign" ]; then
+                if ! /usr/bin/sign-swu \
+                    "${SWU_DESCRIPTION_FILE}" "${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" \
+                    > /dev/null 2>&1 || \
+                    [ ! -f "${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" ]; then
+                    echo "Could not create swupdate signature file '${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}'" 1>&2
+                    exit 1
+                fi
+                cpio_files="$cpio_files ${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}"
+            fi
+
+            # sw-description must be first file in *.swu
+            for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do
+                if [ -f "$cpio_file" ]; then
                     # Set file timestamps for reproducible builds
                     if [ -n "${SOURCE_DATE_EPOCH}" ]; then
                         touch -d@"${SOURCE_DATE_EPOCH}" "$file"
                     fi
-                    echo "$file"
-                    if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then
-                        sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}"
-                        # Set file timestamps for reproducible builds
-                        if [ -n "${SOURCE_DATE_EPOCH}" ]; then
-                            touch -d@"${SOURCE_DATE_EPOCH}" "$file.${SWU_SIGNATURE_EXT}"
-                        fi
-                        echo "$file.${SWU_SIGNATURE_EXT}"
-                    fi
+                    case "$cpio_file" in
+                        sw-description*)
+                            echo "$cpio_file"
+                            ;;
+                        *)
+                            if grep -q "$cpio_file" \
+                                "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
+                                echo "$cpio_file"
+                            fi
+                            ;;
+                    esac
                 fi
-            done | cpio -ovL --reproducible -H crc > "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
+            done | cpio \
+                --verbose --dereference --create --reproducible -H crc \
+                > "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
 EOIMAGER
     done
 }
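Review bot: the reproducible-timestamp step inside the new loop still touches `$file` (`touch -d@"${SOURCE_DATE_EPOCH}" "$file"`) although the loop variable became `cpio_file`, so it acts on whatever the earlier checksum loop left in `$file`, and neither sw-description, its signature nor the additional files receive the SOURCE_DATE_EPOCH timestamp; it should read `"$cpio_file"`. Two smaller points: the `grep -q` in the `*)` branch now reads `${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}` while the surrounding lines of the same heredoc use `${PP_WORK}` for that file, and since the script has already done `cd "${PP_WORK}/$swu_file_base"`, the bare `"${SWU_DESCRIPTION_FILE}"` would do; and `> /dev/null 2>&1` on the sign-swu call swallows the signing script's own stderr diagnostics, leaving only the generic 'Could not create swupdate signature file' message, so redirecting stdout alone is preferable.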
-- 
2.43.0


* [cip-dev][isar-cip-core][PATCH 2/4] sign-swu-cms: check if key and cert are valid
From: Quirin Gylstorff @ 2024-03-04 10:08 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, felix.moessbauer

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This avoids a broken update binary.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../swupdate-certificates/files/sign-swu-cms  | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-certificates/files/sign-swu-cms
index 7bd04ef..d844e01 100644
--- a/recipes-devtools/swupdate-certificates/files/sign-swu-cms
+++ b/recipes-devtools/swupdate-certificates/files/sign-swu-cms
@@ -1,9 +1,34 @@
 #!/bin/sh
 in_file=$1
 out_file=$2
+inkey="/usr/share/swupdate-signing/swupdate-sign.key"
+cert="/usr/share/swupdate-signing/swupdate-sign.crt"
+
+error_msg() {
+	echo "$1" 1>&2
+	exit 1
+}
+
+if ! openssl rsa -check -noout -in "$inkey"; then
+	error_msg "key '$inkey' is not a rsa key "
+fi
+
+# if openssl > 3.0 we have the x509 check option
+if openssl version | grep -q "3.[0-9].[0-9]"; then
+	if ! openssl x509 -check -noout -in "$cert"; then
+		error_msg  "certificate '$cert' is not a certificate"
+	fi
+fi
+
+key_md5=$(openssl rsa -modulus -noout -in "$inkey" | openssl md5)
+cert_md5=$(openssl x509 -modulus -noout -in "$cert" | openssl md5)
+if [ "$key_md5" != "$cert_md5" ]; then
+	error_msg "key '$inkey' does not match certificate '$cert' "
+fi
+
 openssl cms \
 	-sign -in "$in_file" \
 	-out "$out_file" \
-	-signer "/usr/share/swupdate-signing/swupdate-sign.crt" \
-	-inkey "/usr/share/swupdate-signing/swupdate-sign.key" \
+	-signer "$cert" \
+	-inkey "$inkey" \
 	-outform DER -noattr -binary
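Review bot: the version gate `openssl version | grep -q "3.[0-9].[0-9]"` is fragile: the unescaped dots match any character, a future 4.x release would skip the certificate check although the comment says '> 3.0', and the branch depends on `-check` being an accepted `openssl x509` option on every version the pattern admits. Since `openssl x509 -noout -in "$cert"` already fails on input that is not a certificate, a version-independent `if ! openssl x509 -noout -in "$cert"; then` covers the same case without the gate. Note also that `openssl rsa -check` makes the script RSA-only, so an EC key configured through SWU_SIGN_KEY is rejected as 'is not a rsa key'; that restriction belongs in the README.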
-- 
2.43.0

* [cip-dev][isar-cip-core][PATCH 3/4] doc: Add section about SWUpdate signing to README.swupdate.md
From: Quirin Gylstorff @ 2024-03-04 10:08 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, felix.moessbauer

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.swupdate.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index cf1bcfb..e61f001 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -110,6 +110,27 @@ The sw-description will contain the following section:
           sha256 = "<sha256 of luascript.lua>";
         }):
 ```
+## SWUpdate Signing
+
+The ISAR layer isar-cip-core provides templates to sign the swu binaries with
+a CMS certificate.
+
+By default the insecure [Debian snake-oil keys](./recipes-devtools/secure-boot-secrets/files/bookworm/) are used.
+To use other key and certificate the following variables must be set:
+```
+PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key"
+PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
+SWU_SIGN_CERT = "<sigining certificate file name>"
+SWU_SIGN_KEY  = "<siging key file name>"
+```
+
+The files `<sigining certificate file name>` and `<siging key file name>` need to be stored
+in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bbappend file, e.g.`swupdate-certificates-key_%.bbappend`
+
+### signing script
+
+The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms)
+can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
 
 # Building and testing the CIP Core image
 
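Review bot: the two relative links resolve from `doc/`, where this README lives, so `./recipes-devtools/secure-boot-secrets/files/bookworm/` and `./recipes-devtools/swupdate-certificates/files/sign-swu-cms` point at non-existent `doc/recipes-devtools/...` paths and need a `../` prefix. The new text also carries several typos that will land verbatim in the rendered docs: 'sigining' and 'siging' (in both the code block and the paragraph below it), 'an bbappend', the missing space in 'e.g.`swupdate-certificates-key_%.bbappend`' and the missing full stop at the end of that sentence; and the '### signing script' heading should be capitalised like '## SWUpdate Signing'.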
-- 
2.43.0

* Re: [cip-dev][isar-cip-core][PATCH 0/4] Make swupdate signing more
From: MOESSBAUER, Felix @ 2024-03-04 13:36 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan

On Mon, 2024-03-04 at 11:08 +0100, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This patchset adds checks to validate the certificate and key before
> they are used in the signing process.
> 
> It also adds the missing documentation about swu signing in cip-core
> and fixes two issues:
>  - an error in the build logs of do_image_swu
>  - creating all existing image recipes by touching SRC_URI in an
>    anonymous python function.
> 
> Quirin Gylstorff (4):
>   swupdate: check output of sign-swu
>   sign-swu-cms: check if key and cert are valid
>   doc: Add section about SWUpdate signing to README.swupdate.md
>   fix do not add files to each image recipe

Where is this patch? Looks like it did not make it onto the list.

Felix

> 
>  classes/efibootguard.bbclass                  |  1 -
>  classes/swupdate.bbclass                      | 83 +++++++++++++----
> --
>  doc/README.swupdate.md                        | 21 +++++
>  .../swupdate-certificates/files/sign-swu-cms  | 29 ++++++-
>  4 files changed, 105 insertions(+), 29 deletions(-)
> 

-- 
Siemens AG, Technology
Linux Expert Center

* Re: [cip-dev][isar-cip-core][PATCH 2/4] sign-swu-cms: check if key and cert are valid
From: MOESSBAUER, Felix @ 2024-03-04 13:38 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan

On Mon, 2024-03-04 at 11:08 +0100, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This avoids a broken update binary.

Thanks!

Tested-by: Felix Moessbauer <felix.moessbauer@siemens.com>

Felix

> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../swupdate-certificates/files/sign-swu-cms  | 29
> +++++++++++++++++--
>  1 file changed, 27 insertions(+), 2 deletions(-)
> 
> diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-
> cms b/recipes-devtools/swupdate-certificates/files/sign-swu-cms
> index 7bd04ef..d844e01 100644
> --- a/recipes-devtools/swupdate-certificates/files/sign-swu-cms
> +++ b/recipes-devtools/swupdate-certificates/files/sign-swu-cms
> @@ -1,9 +1,34 @@
>  #!/bin/sh
>  in_file=$1
>  out_file=$2
> +inkey="/usr/share/swupdate-signing/swupdate-sign.key"
> +cert="/usr/share/swupdate-signing/swupdate-sign.crt"
> +
> +error_msg() {
> +       echo "$1" 1>&2
> +       exit 1
> +}
> +
> +if ! openssl rsa -check -noout -in "$inkey"; then
> +       error_msg "key '$inkey' is not a rsa key "
> +fi
> +
> +# if openssl > 3.0 we have the x509 check option
> +if openssl version | grep -q "3.[0-9].[0-9]"; then
> +       if ! openssl x509 -check -noout -in "$cert"; then
> +               error_msg  "certificate '$cert' is not a certificate"
> +       fi
> +fi
> +
> +key_md5=$(openssl rsa -modulus -noout -in "$inkey" | openssl md5)
> +cert_md5=$(openssl x509 -modulus -noout -in "$cert" | openssl md5)
> +if [ "$key_md5" != "$cert_md5" ]; then
> +       error_msg "key '$inkey' does not match certificate '$cert' "
> +fi
> +
>  openssl cms \
>         -sign -in "$in_file" \
>         -out "$out_file" \
> -       -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \
> -       -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \
> +       -signer "$cert" \
> +       -inkey "$inkey" \
>         -outform DER -noattr -binary

-- 
Siemens AG, Technology
Linux Expert Center

* Re: [cip-dev][isar-cip-core][PATCH 1/4] swupdate: check output of sign-swu
From: MOESSBAUER, Felix @ 2024-03-04 13:42 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan

On Mon, 2024-03-04 at 11:08 +0100, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Check for signing errors to avoid an unusable swu file.
> 
> This also moves the signing out of the loop that generates
> the cpio archive *.swu, as the messages from the signing
> can lead to errors in the archive generation.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  classes/swupdate.bbclass | 43 ++++++++++++++++++++++++++++----------
> --
>  1 file changed, 30 insertions(+), 13 deletions(-)
> 
> diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
> index 2c69892..be6a07f 100644
> --- a/classes/swupdate.bbclass
> +++ b/classes/swupdate.bbclass
> @@ -191,24 +191,41 @@ IMAGE_CMD:swu() {
>                     
> "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"
>              done
>              cd "${PP_WORK}/$swu_file_base"
> -            for file in "${SWU_DESCRIPTION_FILE}"
> ${SWU_ADDITIONAL_FILES}; do
> -                if [ "$file" = "${SWU_DESCRIPTION_FILE}" ] || \
> -                    grep -q "$file"
> "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
> +            cpio_files="${SWU_DESCRIPTION_FILE}"
> +
> +            if [ -n "$sign" ]; then
> +                if ! /usr/bin/sign-swu \
> +                    "${SWU_DESCRIPTION_FILE}"
> "${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" \
> +                    > /dev/null 2>&1 || \
> +                    [ ! -f
> "${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" ]; then
> +                    echo "Could not create swupdate signature file
> '${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}'" 1>&2
> +                    exit 1
> +                fi
> +                cpio_files="$cpio_files
> ${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}"
> +            fi
> +
> +            # sw-description must be first file in *.swu
> +            for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do
> +                if [ -f "$cpio_file" ]; then
>                      # Set file timestamps for reproducible builds
>                      if [ -n "${SOURCE_DATE_EPOCH}" ]; then
>                          touch -d@"${SOURCE_DATE_EPOCH}" "$file"
>                      fi
> -                    echo "$file"
> -                    if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" =
> "$file" ]; then
> -                        sign-swu "$file"
> "$file.${SWU_SIGNATURE_EXT}"
> -                        # Set file timestamps for reproducible
> builds
> -                        if [ -n "${SOURCE_DATE_EPOCH}" ]; then
> -                            touch -d@"${SOURCE_DATE_EPOCH}"
> "$file.${SWU_SIGNATURE_EXT}"
> -                        fi
> -                        echo "$file.${SWU_SIGNATURE_EXT}"
> -                    fi
> +                    case "$cpio_file" in
> +                        sw-description*)
> +                            echo "$cpio_file"
> +                            ;;
> +                        *)
> +                            if grep -q "$cpio_file" \
> +                               
> "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
> +                                echo "$cpio_file"
> +                            fi
> +                            ;;
> +                    esac
>                  fi
> -            done | cpio -ovL --reproducible -H crc >
> "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
> +            done | cpio \
> +                --verbose --dereference --create --reproducible -H

We now have more options like --dereference. Does this have any effect
on the cpio file, or is it just an expansion of -ovL (which would be
appreciated anyways)?

Please also add a note about this to the commit message.

Felix

> crc \
> +                >
> "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
>  EOIMAGER
>      done
>  }

-- 
Siemens AG, Technology
Linux Expert Center

* Re: [cip-dev][isar-cip-core][PATCH 0/4] Make swupdate signing more
From: Gylstorff Quirin @ 2024-03-04 16:26 UTC (permalink / raw)
  To: Moessbauer, Felix (T CED OES-DE), cip-dev, Kiszka, Jan (T CED)



On 3/4/24 2:36 PM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Mon, 2024-03-04 at 11:08 +0100, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This patchset adds checks to validate the certificate and key before
>> they are used in the signing process.
>>
>> It also adds the missing documentation about swu signing in cip-core
>> and fixes two issues:
>>   - an error in the build logs of do_image_swu
>>   - creating all existing image recipes by touching SRC_URI in an
>>     anonymous python function.
>>
>> Quirin Gylstorff (4):
>>    swupdate: check output of sign-swu
>>    sign-swu-cms: check if key and cert are valid
>>    doc: Add section about SWUpdate signing to README.swupdate.md
>>    fix do not add files to each image recipe
> 
> Where is this patch? Looks like it did not make it onto the list.

It should have; I will resend it.
Quirin
> 
> Felix
> 
>>
>>   classes/efibootguard.bbclass                  |  1 -
>>   classes/swupdate.bbclass                      | 83 +++++++++++++----
>> --
>>   doc/README.swupdate.md                        | 21 +++++
>>   .../swupdate-certificates/files/sign-swu-cms  | 29 ++++++-
>>   4 files changed, 105 insertions(+), 29 deletions(-)
>>
> 


* [cip-dev][isar-cip-core][PATCH 4/4] fix do not add files to each image recipe
From: Quirin Gylstorff @ 2024-03-04 16:27 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, felix.moessbauer

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Due to the use of an anonymous python function each image recipe was
partially built even if not requested. To avoid this, remove the
anonymous image function by adding it as a prefunc to do_image_swu
and do_transform_template.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/efibootguard.bbclass |  1 -
 classes/swupdate.bbclass     | 42 ++++++++++++++++++++++++------------
 2 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/classes/efibootguard.bbclass b/classes/efibootguard.bbclass
index 31fcdcc..2b4f09e 100644
--- a/classes/efibootguard.bbclass
+++ b/classes/efibootguard.bbclass
@@ -67,5 +67,4 @@ python add_ebg_update(){
    ebg_update = d.getVar('SWU_EBG_UPDATE') or ""
    if ebg_update:
      d.appendVar('SWU_FILE_NODES', "," + swu_ebg_update_node)
-   d.appendVar('SWU_ADDITIONAL_FILES', " " + efi_boot_loader_file)
 }
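Review bot: with the `SWU_ADDITIONAL_FILES` append gone, the boot loader file only reaches the swu if the node emitted via `swu_ebg_update_node` contains a `filename = "..."` line in the form the new awk extraction in swupdate.bbclass recognises; the commit message should say that this is now the only path by which the EFI boot loader is picked up, so that a change to the node template is not made without that in mind.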
diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index be6a07f..f0df216 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -63,7 +63,7 @@ IMAGE_TEMPLATE_VARS:swu = " \
 # TARGET_IMAGE_UUID needs to be generated before completing the template
 addtask do_transform_template after do_generate_image_uuid
 
-python(){
+python do_extend_sw_description(){
     cmds = d.getVar("SWU_EXTEND_SW_DESCRIPTION")
     if cmds is None or not cmds.strip():
         return
@@ -71,6 +71,7 @@ python(){
     for cmd in cmds:
         bb.build.exec_func(cmd, d)
 }
+do_transform_template[prefuncs] += "do_extend_sw_description"
 
 SWU_EXTEND_SW_DESCRIPTION += "add_swu_hw_compat"
 python add_swu_hw_compat(){
@@ -94,9 +95,22 @@ python add_swu_compression(){
         d.setVar('SWU_COMPRESSION_NODE', '')
 }
 
+def add_scripts_to_src_uri(d):
+    swu_scripts = d.getVar('SWU_SCRIPTS')
+    if not swu_scripts:
+        return ""
+    swu_script_entries = swu_scripts.split()
+    script_file_list = []
+    for entry in swu_script_entries:
+        script_entry = f"SWU_SCRIPT_{entry}"
+        script_file = d.getVarFlag(script_entry, "file")
+        script_file_list.append(f" file://{script_file}")
+    return ' '.join([n for n in script_file_list])
 
-SWU_EXTEND_SW_DESCRIPTION += "add_scripts"
-python add_scripts(){
+SRC_URI += "${@add_scripts_to_src_uri(d)}"
+
+SWU_EXTEND_SW_DESCRIPTION += "add_scripts_node"
+python add_scripts_node(){
     swu_scripts = d.getVar('SWU_SCRIPTS')
     if not swu_scripts:
         return
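Review bot: `add_scripts_to_src_uri` has no check for a missing `file` flag: when `d.getVarFlag(script_entry, "file")` returns None the function quietly emits `file://None` into SRC_URI, which only shows up later as a fetch failure; a `bb.fatal(f"{script_entry} has no 'file' flag")` at that point would name the culprit. Style-wise, `' '.join([n for n in script_file_list])` is a no-op comprehension and every element already carries a leading space, so `' '.join(script_file_list)` with the entries built as `f"file://{script_file}"` is enough.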
@@ -129,8 +143,6 @@ python add_scripts(){
           sha256 = "{script_file}-sha256";
         }}"""
         script_node_list.append(node)
-        d.appendVar('SWU_ADDITIONAL_FILES', " " + script_file)
-        d.appendVar('SRC_URI', f" file://{script_file}")
 
     swu_scripts_node = "scripts: (" + ','.join([n for n in script_node_list]) + ");"
     d.appendVar('SWU_SCRIPTS_NODE', swu_scripts_node)
@@ -155,6 +167,7 @@ FILESEXTRAPATHS:append = ":${LAYERDIR_cip-core}/recipes-core/images/swu"
 do_image_swu[depends] += "${PN}:do_transform_template"
 do_image_swu[stamp-extra-info] = "${DISTRO}-${MACHINE}"
 do_image_swu[cleandirs] += "${WORKDIR}/swu ${WORKDIR}/swu-${SWU_BOOTLOADER}"
+do_image_swu[prefuncs] = "do_extend_sw_description"
 IMAGE_CMD:swu() {
     rm -f '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'*.swu
     cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
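Review bot: `do_image_swu[prefuncs] = "do_extend_sw_description"` uses plain `=`, whereas the earlier hunk attaches the same function with `do_transform_template[prefuncs] += ...`; the assignment overwrites any prefuncs another class has already placed on do_image_swu, so it should be `+=` here too. The `do_` prefix on a function that is only ever run as a prefunc and never registered with addtask also reads as if it were a task; `extend_sw_description` would avoid that confusion.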
@@ -165,13 +178,14 @@ IMAGE_CMD:swu() {
     for swu_file in "${WORKDIR}"/swu*; do
         swu_file_base=$(basename $swu_file)
         # Create symlinks for files used in the update image
-        for file in ${SWU_ADDITIONAL_FILES}; do
-            if grep -q "$file" "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
-                if [ -e "${WORKDIR}/$file" ]; then
-                    ln -s "${PP_WORK}/$file" "${WORKDIR}/$swu_file_base/$file"
-                else
-                    ln -s "${PP_DEPLOY}/$file" "${WORKDIR}/$swu_file_base/$file"
-                fi
+        swu_files=$(awk '$1=="filename"{gsub(/[",;]/, "", $3); print $3}' \
+            "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}")
+        export swu_files
+        for file in $swu_files; do
+            if [ -e "${WORKDIR}/$file" ]; then
+                ln -s "${PP_WORK}/$file" "${WORKDIR}/$swu_file_base/$file"
+            else
+                ln -s "${PP_DEPLOY}/$file" "${WORKDIR}/$swu_file_base/$file"
             fi
         done
 
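Review bot: the awk extraction `$1=="filename"{gsub(/[",;]/, "", $3); print $3}` only recognises the `filename = "x";` spelling with whitespace on both sides of `=`; an entry written `filename="x";` yields an empty `$3` and that file silently drops out of the symlink loop and the later checksum and cpio steps. It also prints a name once per occurrence, and a sw-description can reference the same file from more than one node, in which case the second `ln -s` (neither branch passes `-f`) fails with 'File exists' and aborts the task; piping the awk output through `sort -u` keeps one entry per file. A short comment on `export swu_files` explaining that the value is consumed inside the `imager_run` heredoc would help the next reader as well.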
@@ -186,7 +200,7 @@ IMAGE_CMD:swu() {
         export swu_file_extension
         imager_run -p -d ${PP_WORK} -u root <<'EOIMAGER'
             # Fill in file check sums
-            for file in ${SWU_ADDITIONAL_FILES}; do
+            for file in $swu_files; do
                 sed -i "s:$file-sha256:$(sha256sum "${PP_WORK}/$swu_file_base/"$file | cut -f 1 -d " "):g" \
                     "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"
             done
@@ -205,7 +219,7 @@ IMAGE_CMD:swu() {
             fi
 
             # sw-description must be first file in *.swu
-            for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do
+            for cpio_file in $cpio_files $swu_files; do
                 if [ -f "$cpio_file" ]; then
                     # Set file timestamps for reproducible builds
                     if [ -n "${SOURCE_DATE_EPOCH}" ]; then
-- 
2.43.0

* Re: [cip-dev][isar-cip-core][PATCH 1/4] swupdate: check output of sign-swu
From: Gylstorff Quirin @ 2024-03-04 16:30 UTC (permalink / raw)
  To: Moessbauer, Felix (T CED OES-DE), cip-dev, Kiszka, Jan (T CED)



On 3/4/24 2:42 PM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Mon, 2024-03-04 at 11:08 +0100, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Check for signing errors to avoid an unusable swu file.
>>
>> This also moves the signing out of the loop that generates
>> the cpio archive *.swu, as the messages from the signing
>> can lead to errors in the archive generation.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   classes/swupdate.bbclass | 43 ++++++++++++++++++++++++++++----------
>> --
>>   1 file changed, 30 insertions(+), 13 deletions(-)
>>
>> diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
>> index 2c69892..be6a07f 100644
>> --- a/classes/swupdate.bbclass
>> +++ b/classes/swupdate.bbclass
>> @@ -191,24 +191,41 @@ IMAGE_CMD:swu() {
>>                      
>> "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"
>>               done
>>               cd "${PP_WORK}/$swu_file_base"
>> -            for file in "${SWU_DESCRIPTION_FILE}"
>> ${SWU_ADDITIONAL_FILES}; do
>> -                if [ "$file" = "${SWU_DESCRIPTION_FILE}" ] || \
>> -                    grep -q "$file"
>> "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
>> +            cpio_files="${SWU_DESCRIPTION_FILE}"
>> +
>> +            if [ -n "$sign" ]; then
>> +                if ! /usr/bin/sign-swu \
>> +                    "${SWU_DESCRIPTION_FILE}"
>> "${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" \
>> +                    > /dev/null 2>&1 || \
>> +                    [ ! -f
>> "${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" ]; then
>> +                    echo "Could not create swupdate signature file
>> '${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}'" 1>&2
>> +                    exit 1
>> +                fi
>> +                cpio_files="$cpio_files
>> ${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}"
>> +            fi
>> +
>> +            # sw-description must be first file in *.swu
>> +            for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do
>> +                if [ -f "$cpio_file" ]; then
>>                       # Set file timestamps for reproducible builds
>>                       if [ -n "${SOURCE_DATE_EPOCH}" ]; then
>>                           touch -d@"${SOURCE_DATE_EPOCH}" "$file"
>>                       fi
>> -                    echo "$file"
>> -                    if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" =
>> "$file" ]; then
>> -                        sign-swu "$file"
>> "$file.${SWU_SIGNATURE_EXT}"
>> -                        # Set file timestamps for reproducible
>> builds
>> -                        if [ -n "${SOURCE_DATE_EPOCH}" ]; then
>> -                            touch -d@"${SOURCE_DATE_EPOCH}"
>> "$file.${SWU_SIGNATURE_EXT}"
>> -                        fi
>> -                        echo "$file.${SWU_SIGNATURE_EXT}"
>> -                    fi
>> +                    case "$cpio_file" in
>> +                        sw-description*)
>> +                            echo "$cpio_file"
>> +                            ;;
>> +                        *)
>> +                            if grep -q "$cpio_file" \
>> +
>> "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then
>> +                                echo "$cpio_file"
>> +                            fi
>> +                            ;;
>> +                    esac
>>                   fi
>> -            done | cpio -ovL --reproducible -H crc >
>> "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
>> +            done | cpio \
>> +                --verbose --dereference --create --reproducible -H
> 
> We now have more options like --dereference. Does this have any effect
> on the cpio file, or is it just an expansion of -ovL (which would be
> appreciated anyways)?
> 
It's just an expansion of -ovL, as I expanded them during testing. I will
send a v2 with an appended commit message.
Quirin

> Please also add a note about this to the commit message.
> 
> Felix
> 
>> crc \
>> +                >
>> "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu"
>>   EOIMAGER
>>       done
>>   }
> 


* Re: [cip-dev][isar-cip-core][PATCH 0/4] Make swupdate signing more
From: Jan Kiszka @ 2024-03-05  6:23 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, felix.moessbauer

On 04.03.24 11:08, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This patchset adds checks to validate the certificate and key before
> they are used in the signing process.
> 
> It also adds the missing documentation about swu signing in cip-core
> and fixes two issues:
>  - an error in the build logs of do_image_swu
>  - creating all existing image recipes by touching SRC_URI in an anonymous
>    python function.
> 
> Quirin Gylstorff (4):
>   swupdate: check output of sign-swu
>   sign-swu-cms: check if key and cert are valid
>   doc: Add section about SWUpdate signing to README.swupdate.md
>   fix do not add files to each image recipe
> 
>  classes/efibootguard.bbclass                  |  1 -
>  classes/swupdate.bbclass                      | 83 +++++++++++++------
>  doc/README.swupdate.md                        | 21 +++++
>  .../swupdate-certificates/files/sign-swu-cms  | 29 ++++++-
>  4 files changed, 105 insertions(+), 29 deletions(-)
> 

"Make swupdate signing more"... more what? :)

Jan

-- 
Siemens AG, Technology
Linux Expert Center
