Compare commits
2 Commits
HEAD
...
feat/signe
| Author | SHA1 | Date |
|---|---|---|
Peter Kindler
|
659eef6750 | |
|
Peter Kindler
|
0216462568 |
|
|
@ -4,11 +4,13 @@ WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part
|
||||||
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
|
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
|
||||||
WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
|
WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
|
||||||
WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
|
WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
|
||||||
|
WKS_PART_FACTORY ??= 'part --label factory'
|
||||||
WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
|
WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
|
||||||
|
|
||||||
PART_EFI_SIZE ??= '64M'
|
PART_EFI_SIZE ??= '64M'
|
||||||
PART_ROOT_SIZE ??= '1G'
|
PART_ROOT_SIZE ??= '1G'
|
||||||
PART_EFIBG_SIZE ??= '128M'
|
PART_EFIBG_SIZE ??= '128M'
|
||||||
|
PART_FACTORY_SIZE ??= '5M'
|
||||||
PART_USERDATA_SIZE ??= '1G'
|
PART_USERDATA_SIZE ??= '1G'
|
||||||
|
|
||||||
# Variables used in SFDISK file
|
# Variables used in SFDISK file
|
||||||
|
|
@ -17,4 +19,5 @@ SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name=
|
||||||
SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
|
SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
|
||||||
SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
|
SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
|
||||||
SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
|
SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
|
||||||
|
SFDISK_PART_FACTORY ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="factory"'
|
||||||
SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'
|
SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'
|
||||||
|
|
|
||||||
|
|
@ -10,4 +10,5 @@ sector-size: 512
|
||||||
/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
|
/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
|
||||||
/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
|
/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
|
||||||
/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
|
/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
|
||||||
/dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}
|
/dev/mmcblk2p6 : size= ${PART_FACTORY_SIZE}, ${SFDISK_PART_FACTORY}
|
||||||
|
/dev/mmcblk2p7 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,7 @@ ${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
|
${WKS_PART_FACTORY} --align 1024 --size ${PART_FACTORY_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
|
${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
|
|
||||||
bootloader --ptable gpt
|
bootloader --ptable gpt
|
||||||
|
|
|
||||||
|
|
@ -2,41 +2,43 @@
|
||||||
# ==============================================================================
|
# ==============================================================================
|
||||||
|
|
||||||
ROOT_PART=$(swupdate -g)
|
ROOT_PART=$(swupdate -g)
|
||||||
echo "Root partition is ${ROOT_PART}"
|
if [ "${ROOT_PART}" == "" ]; then
|
||||||
|
# In case we are running on a installer image
|
||||||
# Get the partition label of the root partition
|
SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
|
||||||
# ==============================================================================
|
|
||||||
|
|
||||||
DISK_DEVICE_NAME=$(lsblk -ndo pkname "${ROOT_PART}")
|
|
||||||
DISK_PARTITION_TYPE=$(lsblk -dno PTTYPE "/dev/${DISK_DEVICE_NAME}")
|
|
||||||
|
|
||||||
echo "Root partition is on device ${DISK_DEVICE_NAME} - type ${DISK_PARTITION_TYPE}"
|
|
||||||
|
|
||||||
# Use partlabel for GPT disk, as it's more reliable than the filesystem label
|
|
||||||
# Fallback to label for legacy DOS/MBR disk
|
|
||||||
if [ "${DISK_PARTITION_TYPE}" == "gpt" ]; then
|
|
||||||
ROOT_PARTLABEL=$(lsblk -dno PARTLABEL "${ROOT_PART}")
|
|
||||||
else
|
else
|
||||||
echo "Using MBR is not supported"
|
echo "Root partition is ${ROOT_PART}"
|
||||||
exit 1
|
|
||||||
|
# Get the partition label of the root partition
|
||||||
|
# ==============================================================================
|
||||||
|
|
||||||
|
DISK_DEVICE_NAME=$(lsblk -ndo pkname "${ROOT_PART}")
|
||||||
|
DISK_PARTITION_TYPE=$(lsblk -dno PTTYPE "/dev/${DISK_DEVICE_NAME}")
|
||||||
|
|
||||||
|
echo "Root partition is on device ${DISK_DEVICE_NAME} - type ${DISK_PARTITION_TYPE}"
|
||||||
|
|
||||||
|
# Use partlabel for GPT disk, as it's more reliable than the filesystem label
|
||||||
|
# Fallback to label for legacy DOS/MBR disk
|
||||||
|
if [ "${DISK_PARTITION_TYPE}" == "gpt" ]; then
|
||||||
|
ROOT_PARTLABEL=$(lsblk -dno PARTLABEL "${ROOT_PART}")
|
||||||
|
else
|
||||||
|
echo "Using MBR is not supported"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Root partition label is ${ROOT_PARTLABEL}"
|
||||||
|
|
||||||
|
case $ROOT_PARTLABEL in
|
||||||
|
rootfs0 )
|
||||||
|
echo "We are running copy0 -> Use copy1 in the SWU file"
|
||||||
|
SWUPDATE_ARGS="${SWUPDATE_ARGS} -q stable,copy1"
|
||||||
|
;;
|
||||||
|
rootfs1 )
|
||||||
|
echo "We are running copy1 -> Use copy0 in the SWU file"
|
||||||
|
SWUPDATE_ARGS="${SWUPDATE_ARGS} -q stable,copy0"
|
||||||
|
;;
|
||||||
|
* )
|
||||||
|
>&2 echo "Root partition label ${ROOT_PARTLABEL} is invalid"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Root partition label is ${ROOT_PARTLABEL}"
|
|
||||||
|
|
||||||
case $ROOT_PARTLABEL in
|
|
||||||
rootfs0 )
|
|
||||||
echo "We are running copy0 -> Use copy1 in the SWU file"
|
|
||||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy1"
|
|
||||||
;;
|
|
||||||
rootfs1 )
|
|
||||||
echo "We are running copy1 -> Use copy0 in the SWU file"
|
|
||||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
|
|
||||||
;;
|
|
||||||
* )
|
|
||||||
>&2 echo "Root partition label ${ROOT_PARTLABEL} is invalid"
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
|
|
||||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,39 @@
|
||||||
|
|
||||||
|
touch /tmp/combinedcert.pem
|
||||||
|
chmod 600 /tmp/combinedcert.pem
|
||||||
|
|
||||||
|
# If we are running on a released device with a factory partition, add the five certs from PKI
|
||||||
|
if [ -f /etc/certificates.sha256sum ] && [ -d /mnt/factory/ ]; then
|
||||||
|
if ! mountpoint -q /mnt/factory; then
|
||||||
|
fct_part_was_mounted=0
|
||||||
|
mount -o ro,noload /dev/disk/by-partlabel/factory /mnt/factory
|
||||||
|
else
|
||||||
|
fct_part_was_mounted=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if mountpoint -q /mnt/factory; then
|
||||||
|
numcerts_found=$(find /mnt/factory/certificates/*.pem -type f | wc -l)
|
||||||
|
numcerts_expected=$(wc -l < /etc/certificates.sha256sum)
|
||||||
|
if [ "$numcerts_found" -eq "$numcerts_expected" ]; then
|
||||||
|
|
||||||
|
numfails=$(sha256sum -c /etc/certificates.sha256sum | grep -c 'FAILED')
|
||||||
|
if [ "$numfails" -eq 0 ]; then
|
||||||
|
|
||||||
|
# in sha256sum file there are two spaces between hash and filename. Hence, the filename is the third word.
|
||||||
|
cut -f 3 -d " " < /etc/certificates.sha256sum | xargs cat > /tmp/combinedcert.pem
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $fct_part_was_mounted -eq 0 ]; then
|
||||||
|
umount /mnt/factory
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If there is a developer or CI certificate, append it
|
||||||
|
if [ -f /usr/lib/swupdate/swupdate.crt ]; then
|
||||||
|
echo "The developer public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
|
||||||
|
cat /usr/lib/swupdate/swupdate.crt >> /tmp/combinedcert.pem
|
||||||
|
fi
|
||||||
|
|
||||||
|
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /tmp/combinedcert.pem"
|
||||||
|
|
@ -10,6 +10,7 @@ DEPENDS += "cos-certificates-and-keys-native"
|
||||||
SRC_URI += "\
|
SRC_URI += "\
|
||||||
file://50-webserver-config.sh \
|
file://50-webserver-config.sh \
|
||||||
file://25-sw-collections-config.sh \
|
file://25-sw-collections-config.sh \
|
||||||
|
file://26-multicert-config.sh \
|
||||||
"
|
"
|
||||||
|
|
||||||
PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"
|
PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"
|
||||||
|
|
@ -24,7 +25,10 @@ FILES:${PN} += "${sysconfdir}/hwrevision"
|
||||||
# If we install the webserver package, it should be started automatically
|
# If we install the webserver package, it should be started automatically
|
||||||
FILES:${PN}-www += "${libdir}/swupdate/conf.d/50-webserver-config.sh"
|
FILES:${PN}-www += "${libdir}/swupdate/conf.d/50-webserver-config.sh"
|
||||||
|
|
||||||
FILES:${PN}-coreos-config += "${libdir}/swupdate/conf.d/25-sw-collections-config.sh"
|
FILES:${PN}-coreos-config += "\
|
||||||
|
${libdir}/swupdate/conf.d/25-sw-collections-config.sh \
|
||||||
|
${libdir}/swupdate/conf.d/26-multicert-config.sh \
|
||||||
|
"
|
||||||
|
|
||||||
RDEPENDS:${PN}:append = " efibootguard"
|
RDEPENDS:${PN}:append = " efibootguard"
|
||||||
|
|
||||||
|
|
@ -45,6 +49,7 @@ do_install:append() {
|
||||||
# Probably replace revision with the value of the device tree
|
# Probably replace revision with the value of the device tree
|
||||||
install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
|
install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
|
||||||
install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
|
install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
|
||||||
|
install -m 755 ${WORKDIR}/26-multicert-config.sh ${D}${libdir}/swupdate/conf.d/
|
||||||
install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
|
install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
|
||||||
echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
|
echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue