mbox series

[isar-cip-core,RFC,v2,0/3] Enable signed Software Update Binaries

Message ID 20230717105417.27761-1-Quirin.Gylstorff@siemens.com (mailing list archive)
Headers show
Series Enable signed Software Update Binaries | expand

Message

Quirin Gylstorff July 17, 2023, 10:54 a.m. UTC 
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

With this patch series SWUpdate applies only signed update binaries.
Also the signing will switch from RSA PKCS#1.5 or RSA PSS signing to
a certificate based signing.

Changes v2:
 - use Debian snakeoil keys and certificates
   from secure-boot-secrets for signing
 - fix typos in commit messages
 - fix author name in recipe-devtools/swupdate-certificates/*
 - enabled signing in swupdate.bbclass instead of image recipe
 - moved dependency to swupdate-certificates to swupdate.bbclass


Quirin Gylstorff (3):
  recipe-devtools: Add recipe to sign SWUpdate update binaries
  swupdate.bbclass: Use new swupdate-certificate
  swupdate: Enable signed updates

 classes/swupdate.bbclass                      | 21 ++++++-------
 kas/opt/swupdate.yml                          |  2 ++
 .../customizations/files/swupdate.cfg         |  1 +
 recipes-core/images/swupdate.inc              |  4 ++-
 .../swupdate/swupdate_2021.11-1+debian-gbp.bb |  9 ++++--
 recipes-core/swupdate/swupdate_2023.05.bb     |  8 +++--
 .../secure-boot-secrets/files/buster/bookworm |  1 +
 .../secure-boot-secrets/files/buster/bullseye |  1 +
 .../swupdate-certificates/files/bookworm      |  1 +
 .../swupdate-certificates/files/bullseye      |  1 +
 .../swupdate-certificates/files/buster        |  1 +
 .../swupdate-certificates-key-snakeoil_0.1.bb | 18 +++++++++++
 .../swupdate-certificates-key.inc             | 31 +++++++++++++++++++
 .../swupdate-certificates-key_0.1.bb          | 17 ++++++++++
 .../swupdate-certificates-snakeoil_0.1.bb     | 16 ++++++++++
 .../swupdate-certificates.inc                 | 31 +++++++++++++++++++
 .../swupdate-certificates_0.1.bb              | 14 +++++++++
 17 files changed, 160 insertions(+), 17 deletions(-)
 create mode 120000 recipes-devtools/secure-boot-secrets/files/buster/bookworm
 create mode 120000 recipes-devtools/secure-boot-secrets/files/buster/bullseye
 create mode 120000 recipes-devtools/swupdate-certificates/files/bookworm
 create mode 120000 recipes-devtools/swupdate-certificates/files/bullseye
 create mode 120000 recipes-devtools/swupdate-certificates/files/buster
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates.inc
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb

Comments

Jan Kiszka July 18, 2023, 7:35 p.m. UTC | #1 
On 17.07.23 12:54, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> With this patch series SWUpdate applies only signed update binaries.
> Also the signing will switch from RSA PKCS#1.5 or RSA PSS signing to
> a certificate based signing.
> 
> Changes v2:
>  - use Debian snakeoil keys and certificates
>    from secure-boot-secrets for signing
>  - fix typos in commit messages
>  - fix author name in recipe-devtools/swupdate-certificates/*
>  - enabled signing in swupdate.bbclass instead of image recipe
>  - moved dependency to swupdate-certificates to swupdate.bbclass
> 
> 
> Quirin Gylstorff (3):
>   recipe-devtools: Add recipe to sign SWUpdate update binaries
>   swupdate.bbclass: Use new swupdate-certificate
>   swupdate: Enable signed updates
> 
>  classes/swupdate.bbclass                      | 21 ++++++-------
>  kas/opt/swupdate.yml                          |  2 ++
>  .../customizations/files/swupdate.cfg         |  1 +
>  recipes-core/images/swupdate.inc              |  4 ++-
>  .../swupdate/swupdate_2021.11-1+debian-gbp.bb |  9 ++++--
>  recipes-core/swupdate/swupdate_2023.05.bb     |  8 +++--
>  .../secure-boot-secrets/files/buster/bookworm |  1 +
>  .../secure-boot-secrets/files/buster/bullseye |  1 +
>  .../swupdate-certificates/files/bookworm      |  1 +
>  .../swupdate-certificates/files/bullseye      |  1 +
>  .../swupdate-certificates/files/buster        |  1 +
>  .../swupdate-certificates-key-snakeoil_0.1.bb | 18 +++++++++++
>  .../swupdate-certificates-key.inc             | 31 +++++++++++++++++++
>  .../swupdate-certificates-key_0.1.bb          | 17 ++++++++++
>  .../swupdate-certificates-snakeoil_0.1.bb     | 16 ++++++++++
>  .../swupdate-certificates.inc                 | 31 +++++++++++++++++++
>  .../swupdate-certificates_0.1.bb              | 14 +++++++++
>  17 files changed, 160 insertions(+), 17 deletions(-)
>  create mode 120000 recipes-devtools/secure-boot-secrets/files/buster/bookworm
>  create mode 120000 recipes-devtools/secure-boot-secrets/files/buster/bullseye
>  create mode 120000 recipes-devtools/swupdate-certificates/files/bookworm
>  create mode 120000 recipes-devtools/swupdate-certificates/files/bullseye
>  create mode 120000 recipes-devtools/swupdate-certificates/files/buster
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates.inc
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
> 

Looks good, but I will have to dig deeper into this, trying it out maybe
also with a downstream user after the upcoming 1.1 release.

Jan
Jan Kiszka Aug. 11, 2023, 4:58 a.m. UTC | #2 
On 17.07.23 12:54, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> With this patch series SWUpdate applies only signed update binaries.
> Also the signing will switch from RSA PKCS#1.5 or RSA PSS signing to
> a certificate based signing.
> 
> Changes v2:
>  - use Debian snakeoil keys and certificates
>    from secure-boot-secrets for signing
>  - fix typos in commit messages
>  - fix author name in recipe-devtools/swupdate-certificates/*
>  - enabled signing in swupdate.bbclass instead of image recipe
>  - moved dependency to swupdate-certificates to swupdate.bbclass
> 
> 
> Quirin Gylstorff (3):
>   recipe-devtools: Add recipe to sign SWUpdate update binaries
>   swupdate.bbclass: Use new swupdate-certificate
>   swupdate: Enable signed updates
> 
>  classes/swupdate.bbclass                      | 21 ++++++-------
>  kas/opt/swupdate.yml                          |  2 ++
>  .../customizations/files/swupdate.cfg         |  1 +
>  recipes-core/images/swupdate.inc              |  4 ++-
>  .../swupdate/swupdate_2021.11-1+debian-gbp.bb |  9 ++++--
>  recipes-core/swupdate/swupdate_2023.05.bb     |  8 +++--
>  .../secure-boot-secrets/files/buster/bookworm |  1 +
>  .../secure-boot-secrets/files/buster/bullseye |  1 +
>  .../swupdate-certificates/files/bookworm      |  1 +
>  .../swupdate-certificates/files/bullseye      |  1 +
>  .../swupdate-certificates/files/buster        |  1 +
>  .../swupdate-certificates-key-snakeoil_0.1.bb | 18 +++++++++++
>  .../swupdate-certificates-key.inc             | 31 +++++++++++++++++++
>  .../swupdate-certificates-key_0.1.bb          | 17 ++++++++++
>  .../swupdate-certificates-snakeoil_0.1.bb     | 16 ++++++++++
>  .../swupdate-certificates.inc                 | 31 +++++++++++++++++++
>  .../swupdate-certificates_0.1.bb              | 14 +++++++++
>  17 files changed, 160 insertions(+), 17 deletions(-)
>  create mode 120000 recipes-devtools/secure-boot-secrets/files/buster/bookworm
>  create mode 120000 recipes-devtools/secure-boot-secrets/files/buster/bullseye
>  create mode 120000 recipes-devtools/swupdate-certificates/files/bookworm
>  create mode 120000 recipes-devtools/swupdate-certificates/files/bullseye
>  create mode 120000 recipes-devtools/swupdate-certificates/files/buster
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates.inc
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
> 

Ok, other than minor details I adjusted, this seems to work fine. Merged
into next.

Thanks,
Jan