feat(swupdate): add signature support

BREAKING CHANGE: Unsigned .swu file will now be rejected by swupdate

(cherry picked from commit 52531c53c9)

bitbake

@@ -1 +1 @@
-Subproject commit 907416ee1062f87f5844ab0638b54616abfc1a22
+Subproject commit 41b6684489d0261753344956042be2cc4adb0159

external-layers/meta-openembedded

@@ -1 +1 @@
-Subproject commit 346753705e49a2486867dc150181a1c7f4d69377
+Subproject commit 4da92ed9be41734f6ced46b981958e2e868cbff2

external-layers/openembedded-core

@@ -1 +1 @@
-Subproject commit 8ce2b1a3083f61e5a3df3a80c3de7d294bc71bb5
+Subproject commit 2b05f5c1608206cf423f6cc34d6718c7532fa025

layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend

@@ -1,11 +0,0 @@
-# Add signature support
-
-inherit coreos-efi-sbsign
-require conf/image-uefi.conf
-
-do_deploy:append() {
-
-    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
-        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
-    fi
-}

layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc

@@ -9,4 +9,4 @@ SRC_URI += " \
     ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
 "
 
-require u-boot-coreos-efi.inc
+require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "u-boot-coreos-efi.inc", "", d)}

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend

@@ -10,4 +10,4 @@ SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
 
-require linux-yocto-coreos-efi.inc
+require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}

layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass

@@ -69,5 +69,11 @@ def coreos_swupdate_extends(d, s, key):
 
     return text
 
+# Signature support
+inherit coreos-efi-secureboot
+SWUPDATE_SIGNING = "CMS"
+SWUPDATE_CMS_KEY  = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
+SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
+
 COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
 inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}

layers/meta-belden-coreos/classes/coreos-image.bbclass

@@ -90,9 +90,9 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
 # ==============================================================================
 
 # Support for Unified Kernel Image and Swupdate are optional
-COREOS_IMAGE_GENERATE_INSTALLER ?= "1"
-COREOS_IMAGE_GENERATE_UKI ?= "1"
-COREOS_IMAGE_GENERATE_SWU ?= "1"
+COREOS_IMAGE_GENERATE_INSTALLER ?= "${@bb.utils.contains("DISTRO_FEATURES", "swupdate", "1", "0", d)}"
+COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
+COREOS_IMAGE_GENERATE_SWU ?= "${@bb.utils.contains("DISTRO_FEATURES", "swupdate", "1", "0", d)}"
 
 # Generate the installer image if needed
 do_build[depends] += "${@'coreos-image-installer:do_build' if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1' else ''}"

layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf

@@ -0,0 +1,8 @@
+require conf/distro/include/belden-coreos-base.inc
+
+DISTRO = "belden-coreos-base"
+DISTRO_NAME = "Belden CoreOS (Base)"
+MAINTAINER = "Belden CoreOS Team"
+
+DISTRO_VERSION = "0.0.1"
+DISTRO_CODENAME = "kirkstone"

layers/meta-belden-coreos/conf/distro/belden-coreos.conf

@@ -1,87 +1,9 @@
+require conf/distro/include/belden-coreos-base.inc
+require conf/distro/include/belden-coreos-extra.inc
+
 DISTRO = "belden-coreos"
 DISTRO_NAME = "Belden CoreOS"
 MAINTAINER = "Belden CoreOS Team"
 
-INHERIT += "coreos_metadata_scm"
-
 DISTRO_VERSION = "0.0.1"
 DISTRO_CODENAME = "kirkstone"
-
-# Distro features and policies
-# ==============================================================================
-
-PACKAGE_CLASSES = "package_ipk"
-INIT_MANAGER = "systemd"
-
-# CoreOS use journald from the systemd package to handle log
-# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
-# This remove syslog from packagegroup-core-boot
-VIRTUAL-RUNTIME_syslog = ""
-VIRTUAL-RUNTIME_base-utils-syslog = ""
-
-DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi pam"
-DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
-DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio ldconfig"
-DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
-
-# Build configuration
-# ==============================================================================
-
-TARGET_VENDOR = "-belden"
-
-# We don't support multiple libc, so we don't need to append the libc name to
-# the tmp directory: ie use build/tmp instead of build/tmp-glibc
-TCLIBCAPPEND = ""
-
-SANITY_TESTED_DISTROS ?= " \
-            debian-11 \n \
-            ubuntu-22.04 \n \
-            "
-
-# This variable is used to ensure that any distribution using the CoreOS layer
-# include this file. This is checked by the coreos-sanity class
-SANITY_COREOS_COMPATIBLE ?= "1"
-
-require conf/distro/include/no-static-libs.inc
-require conf/distro/include/yocto-uninative.inc
-require conf/distro/include/security_flags.inc
-
-# uninative is need to share the sstates between multiple host distrubtion
-INHERIT += "uninative"
-
-# Bitbake configuration
-# ==============================================================================
-
-BB_SIGNATURE_HANDLER ?= "OEBasicHash"
-
-# SDK Configuration
-# ==============================================================================
-
-SDK_VENDOR = "-coreossdk"
-SDK_VERSION = "${DISTRO_VERSION}"
-SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
-SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
-SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
-
-# EFI and Secure boot
-# ==============================================================================
-
-EFI_PROVIDER = "efibootguard"
-EFIBOOTGUARD_TIMEOUT ??= "60"
-INHERIT += "coreos-efi-secureboot"
-
-# Virtualization configuration
-# ==============================================================================
-
-# Use crun insted of runc as a OCI runtime. crun is faster and need less memory
-# than runc so it's a better fit for embedded
-#PREFERRED_PROVIDER_virtual/runc = "crun"
-PACKAGECONFIG:append:pn-podman = " rootless"
-DISTRO_FEATURES_DEFAULT += "virtualization seccomp ipv6"
-
-# CoreOS specific options
-# ==============================================================================
-
-# Distro based on CoreOS can provide their own configuration files for the
-# CoreOS installer by overriding this variable
-PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"

layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc

@@ -0,0 +1,108 @@
+# This is the base include file for all coreos based distro
+# it should support the most basic distro without optional coreos
+# features
+
+INHERIT += "coreos_metadata_scm"
+
+# Distro features and policies
+# ==============================================================================
+
+PACKAGE_CLASSES = "package_ipk"
+INIT_MANAGER = "systemd"
+
+# CoreOS use journald from the systemd package to handle log
+# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
+# This remove syslog from packagegroup-core-boot
+VIRTUAL-RUNTIME_syslog = ""
+VIRTUAL-RUNTIME_base-utils-syslog = ""
+
+DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam"
+
+# CoreOS wasn't compatible with older Yocto version, so we should not have any
+# features backfilled. Value are from DISTRO_FEATURES_BACKFILL
+# with the exception of gobject-introspection-data that are backfilled on
+# purpose, this allow to use C library based on gobject in python or javascript
+DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio sysvinit ldconfig"
+
+DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
+
+# Build configuration
+# ==============================================================================
+
+TARGET_VENDOR = "-belden"
+
+# We don't support multiple libc, so we don't need to append the libc name to
+# the tmp directory: ie use build/tmp instead of build/tmp-glibc
+TCLIBCAPPEND = ""
+
+SANITY_TESTED_DISTROS ?= " \
+            debian-11 \n \
+            ubuntu-22.04 \n \
+            "
+
+# This variable is used to ensure that any distribution using the CoreOS layer
+# include this file. This is checked by the coreos-sanity class
+SANITY_COREOS_COMPATIBLE ?= "1"
+
+require conf/distro/include/no-static-libs.inc
+require conf/distro/include/yocto-uninative.inc
+require conf/distro/include/security_flags.inc
+
+# uninative is need to share the sstates between multiple host distrubtion
+INHERIT += "uninative"
+
+# Bitbake configuration
+# ==============================================================================
+
+BB_SIGNATURE_HANDLER ?= "OEBasicHash"
+
+# SDK Configuration
+# ==============================================================================
+
+SDK_VENDOR = "-coreossdk"
+SDK_VERSION = "${DISTRO_VERSION}"
+SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
+SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
+SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
+
+# EFI and Secure boot
+# ==============================================================================
+
+EFI_PROVIDER = "efibootguard"
+EFIBOOTGUARD_TIMEOUT ??= "60"
+INHERIT += "coreos-efi-secureboot"
+
+
+# PACKAGECONFIG
+# ==============================================================================
+# Reduce the size of some package by disabling some feature by default
+
+# Distro using coreos can re-enabled a disabled config by changing
+# the COREOS_DISABLED_PACKAGECONFIG variable
+
+PACKAGECONFIG:pn-systemd ?= " \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux smack usrmerge polkit seccomp', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', 'link-udev-shared', d)} \
+    hostnamed \
+    kmod \
+    localed \
+    logind \
+    set-time-epoch \
+    sysusers \
+    userdb \
+    vconsole \
+    wheel-group \
+    zstd \
+"
+
+# DNS Configuration
+
+
+# CoreOS specific options
+# ==============================================================================
+
+# Distro based on CoreOS can provide their own configuration files for the
+# CoreOS installer by overriding this variable
+PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"

layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc

@@ -0,0 +1,30 @@
+# This is the include all the CoreOS feature that are optional
+
+# Virtualization configuration
+# ==============================================================================
+
+PACKAGECONFIG:append:pn-podman = " rootless"
+DISTRO_FEATURES += "virtualization seccomp"
+
+# swupdate configuration
+# ==============================================================================
+
+# Enable the generation of .swu file for images
+DISTRO_FEATURES += "swupdate"
+
+# Networking configuration
+# ==============================================================================
+
+# Add networking support to systemd. This allow systemd to handle
+# network/dhcp/dns/time
+PACKAGECONFIG:pn-systemd += " \
+    hostnamed \
+    idn \
+    myhostname \
+    nss \
+    nss-resolve \
+    resolved \
+    networkd \
+    timedated \
+    timesyncd \
+"

layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend

@@ -1,4 +1,20 @@
+
+# Add CoreOS A/B Switching support
+# ==============================================================================
+
 FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 
 SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch"
 
+# Add signature support
+# ==============================================================================
+
+inherit coreos-efi-sbsign
+require conf/image-uefi.conf
+
+do_deploy:append() {
+
+    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
+        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
+    fi
+}

layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh

@@ -37,3 +37,6 @@ case $ROOT_PARTLABEL in
         exit 1
         ;;
 esac
+
+echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"

layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig

@@ -24,3 +24,7 @@ CONFIG_DISKPART=y
 CONFIG_DISKPART_FORMAT=y
 CONFIG_FAT_FILESYSTEM=y
 CONFIG_EXT_FILESYSTEM=y
+CONFIG_SIGNED_IMAGES=y
+CONFIG_SIGALG_RAWRSA=n
+CONFIG_SIGALG_CMS=y
+CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y

layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend

@@ -1,3 +1,6 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "swupdate"
+
 # File in the swupdate subdirectory of this recipe should overwrite the
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
@@ -9,7 +12,6 @@ SRC_URI += "\
 
 PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"
 
-
 # Don't use /www as the web root
 wwwdir = "${datadir}/swupdate-www"
 
@@ -35,9 +37,12 @@ RRECOMMENDS:${PN} += "${PN}-coreos-config"
 # configuration to be installed
 RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config"
 
+inherit coreos-efi-secureboot
+
 do_install:append() {
     # Probably replace revision with the value of the device tree
     install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
     install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
+    install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
     echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
 }

scripts/coreos-keygen

@@ -108,3 +108,7 @@ echo "Generatic DER files with PK, KEK et db public key"
 check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
 check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
 check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der
+
+# keys needed to sign and verify SWUpdate
+check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
+    -out swupdate.crt -subj "/O=SWUpdate /CN=target"