LM
/
coreos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(swupdate): add signature support 

BREAKING CHANGE: Unsigned .swu file will now be rejected by swupdate

(cherry picked from commit 52531c53c9)
This commit is contained in:
Samuel Dolt 2023-10-16 09:41:22 +02:00 committed by Patrick Vogelaar
parent 4c005345d9
commit 9ba1cc2162
5 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
View File

@ -69,5 +69,11 @@ def coreos_swupdate_extends(d, s, key):
return text return text
# Signature support
inherit coreos-efi-secureboot
SWUPDATE_SIGNING = "CMS"
SWUPDATE_CMS_KEY = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= "" COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES} inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}

3
layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
View File

@ -37,3 +37,6 @@ case $ROOT_PARTLABEL in
exit 1 exit 1
;; ;;
esac esac
echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"

4
layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
View File

@ -24,3 +24,7 @@ CONFIG_DISKPART=y
CONFIG_DISKPART_FORMAT=y CONFIG_DISKPART_FORMAT=y
CONFIG_FAT_FILESYSTEM=y CONFIG_FAT_FILESYSTEM=y
CONFIG_EXT_FILESYSTEM=y CONFIG_EXT_FILESYSTEM=y
CONFIG_SIGNED_IMAGES=y
CONFIG_SIGALG_RAWRSA=n
CONFIG_SIGALG_CMS=y
CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y

3
layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
View File

@ -37,9 +37,12 @@ RRECOMMENDS:${PN} += "${PN}-coreos-config"
# configuration to be installed # configuration to be installed
RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config" RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config"
inherit coreos-efi-secureboot
do_install:append() { do_install:append() {
# Probably replace revision with the value of the device tree # Probably replace revision with the value of the device tree
install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/ install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/ install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
} }

4
scripts/coreos-keygen
View File

@ -108,3 +108,7 @@ echo "Generatic DER files with PK, KEK et db public key"
check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der
# keys needed to sign and verify SWUpdate
check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
-out swupdate.crt -subj "/O=SWUpdate /CN=target"