Compare commits
2 Commits
HEAD
...
feat/signe
| Author | SHA1 | Date |
|---|---|---|
Peter Kindler
|
659eef6750 | |
|
Peter Kindler
|
0216462568 |
|
|
@ -4,11 +4,13 @@ WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part
|
|||
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
|
||||
WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
|
||||
WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
|
||||
WKS_PART_FACTORY ??= 'part --label factory'
|
||||
WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
|
||||
|
||||
PART_EFI_SIZE ??= '64M'
|
||||
PART_ROOT_SIZE ??= '1G'
|
||||
PART_EFIBG_SIZE ??= '128M'
|
||||
PART_FACTORY_SIZE ??= '5M'
|
||||
PART_USERDATA_SIZE ??= '1G'
|
||||
|
||||
# Variables used in SFDISK file
|
||||
|
|
@ -17,4 +19,5 @@ SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name=
|
|||
SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
|
||||
SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
|
||||
SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
|
||||
SFDISK_PART_FACTORY ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="factory"'
|
||||
SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'
|
||||
|
|
|
|||
|
|
@ -10,4 +10,5 @@ sector-size: 512
|
|||
/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
|
||||
/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
|
||||
/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
|
||||
/dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}
|
||||
/dev/mmcblk2p6 : size= ${PART_FACTORY_SIZE}, ${SFDISK_PART_FACTORY}
|
||||
/dev/mmcblk2p7 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ ${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
|||
${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_FACTORY} --align 1024 --size ${PART_FACTORY_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
|
||||
|
||||
bootloader --ptable gpt
|
||||
|
|
|
|||
|
|
@ -2,6 +2,10 @@
|
|||
# ==============================================================================
|
||||
|
||||
ROOT_PART=$(swupdate -g)
|
||||
if [ "${ROOT_PART}" == "" ]; then
|
||||
# In case we are running on a installer image
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
|
||||
else
|
||||
echo "Root partition is ${ROOT_PART}"
|
||||
|
||||
# Get the partition label of the root partition
|
||||
|
|
@ -26,17 +30,15 @@ echo "Root partition label is ${ROOT_PARTLABEL}"
|
|||
case $ROOT_PARTLABEL in
|
||||
rootfs0 )
|
||||
echo "We are running copy0 -> Use copy1 in the SWU file"
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy1"
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -q stable,copy1"
|
||||
;;
|
||||
rootfs1 )
|
||||
echo "We are running copy1 -> Use copy0 in the SWU file"
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -q stable,copy0"
|
||||
;;
|
||||
* )
|
||||
>&2 echo "Root partition label ${ROOT_PARTLABEL} is invalid"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -0,0 +1,39 @@
|
|||
|
||||
touch /tmp/combinedcert.pem
|
||||
chmod 600 /tmp/combinedcert.pem
|
||||
|
||||
# If we are running on a released device with a factory partition, add the five certs from PKI
|
||||
if [ -f /etc/certificates.sha256sum ] && [ -d /mnt/factory/ ]; then
|
||||
if ! mountpoint -q /mnt/factory; then
|
||||
fct_part_was_mounted=0
|
||||
mount -o ro,noload /dev/disk/by-partlabel/factory /mnt/factory
|
||||
else
|
||||
fct_part_was_mounted=1
|
||||
fi
|
||||
|
||||
if mountpoint -q /mnt/factory; then
|
||||
numcerts_found=$(find /mnt/factory/certificates/*.pem -type f | wc -l)
|
||||
numcerts_expected=$(wc -l < /etc/certificates.sha256sum)
|
||||
if [ "$numcerts_found" -eq "$numcerts_expected" ]; then
|
||||
|
||||
numfails=$(sha256sum -c /etc/certificates.sha256sum | grep -c 'FAILED')
|
||||
if [ "$numfails" -eq 0 ]; then
|
||||
|
||||
# in sha256sum file there are two spaces between hash and filename. Hence, the filename is the third word.
|
||||
cut -f 3 -d " " < /etc/certificates.sha256sum | xargs cat > /tmp/combinedcert.pem
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $fct_part_was_mounted -eq 0 ]; then
|
||||
umount /mnt/factory
|
||||
fi
|
||||
fi
|
||||
|
||||
# If there is a developer or CI certificate, append it
|
||||
if [ -f /usr/lib/swupdate/swupdate.crt ]; then
|
||||
echo "The developer public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
|
||||
cat /usr/lib/swupdate/swupdate.crt >> /tmp/combinedcert.pem
|
||||
fi
|
||||
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /tmp/combinedcert.pem"
|
||||
|
|
@ -10,6 +10,7 @@ DEPENDS += "cos-certificates-and-keys-native"
|
|||
SRC_URI += "\
|
||||
file://50-webserver-config.sh \
|
||||
file://25-sw-collections-config.sh \
|
||||
file://26-multicert-config.sh \
|
||||
"
|
||||
|
||||
PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"
|
||||
|
|
@ -24,7 +25,10 @@ FILES:${PN} += "${sysconfdir}/hwrevision"
|
|||
# If we install the webserver package, it should be started automatically
|
||||
FILES:${PN}-www += "${libdir}/swupdate/conf.d/50-webserver-config.sh"
|
||||
|
||||
FILES:${PN}-coreos-config += "${libdir}/swupdate/conf.d/25-sw-collections-config.sh"
|
||||
FILES:${PN}-coreos-config += "\
|
||||
${libdir}/swupdate/conf.d/25-sw-collections-config.sh \
|
||||
${libdir}/swupdate/conf.d/26-multicert-config.sh \
|
||||
"
|
||||
|
||||
RDEPENDS:${PN}:append = " efibootguard"
|
||||
|
||||
|
|
@ -45,6 +49,7 @@ do_install:append() {
|
|||
# Probably replace revision with the value of the device tree
|
||||
install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
|
||||
install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
|
||||
install -m 755 ${WORKDIR}/26-multicert-config.sh ${D}${libdir}/swupdate/conf.d/
|
||||
install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
|
||||
echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue