| Message ID | 20240912100710.3183806-4-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| State | Superseded |
| Series | Separate swu signing script from key |
On 9/12/24 4:08 PM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Thu, 2024-09-12 at 12:06 +0200, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> doc/README.swupdate.md | 13 ++++++++++---
>> 1 file changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
>> index a5fbab9..d4d0851 100644
>> --- a/doc/README.swupdate.md
>> +++ b/doc/README.swupdate.md
>> @@ -136,8 +136,8 @@ To use other key and certificate the following
>> variables must be set:
>> ```
>> PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-
>> certificates-key"
>> PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
>> -SWU_SIGN_CERT = "<sigining certificate file name>"
>> SWU_SIGN_KEY = "<siging key file name>"
>> +IMAGE_INSTALL += "${@'swupdate-certificates' if
>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>> ```
>>
>> The files `<sigining certificate file name>` and `<siging key file
>> name>` need to be stored
>> @@ -145,8 +145,15 @@ in `recipes-devtools/swupdate-
>> certificates/files/` or in a path defined by an bb
>>
>> ### signing script
>>
>> -The provided [cms signing script](./recipes-devtools/swupdate-
>> certificates/files/sign-swu-cms)
>> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
>> +The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-
>> signer/) provides a [cms signing script](./recipes-devtools/swupdate-
>> certificates/files/sign-swu-cms).
>> +When signing requires a project specific signing script,
>> +e.g. for using a hardware security module(HSM), an own package can
>> be added.
>> +The package can replace the default package by adding the following
>> line:
>> +```
>> +PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
>
> If you just specify this, bitbake complains about not providing the
> keys package:
>
> Consider defining a PREFERRED_PROVIDER entry to match swupdate-
> certificates-key

In the section above this own
PREFERRED_PROVIDER_swupdate-certificates-key is already set.

This should only happen if you set PREFERRED_PROVIDER_swupdate-signer =
"swupdate-signer-snakeoil". I can add a code section where all the
variables are collected for a snakeoil signing.

Quirin

>
> This keys package is not available in the HSM case for obvious reasons.
>
> Felix
>
>> +```
>> +
>> +The package `<own signing package>` needs to install a executable to
>> `/usr/bin/sign-swu`.
>>
>> ## SWUpdate Hardware compatibility
>>
On 13.09.24 09:55, Gylstorff Quirin wrote:
>
>
> On 9/12/24 4:08 PM, Moessbauer, Felix (T CED OES-DE) wrote:
>> On Thu, 2024-09-12 at 12:06 +0200, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>> doc/README.swupdate.md | 13 ++++++++++---
>>> 1 file changed, 10 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
>>> index a5fbab9..d4d0851 100644
>>> --- a/doc/README.swupdate.md
>>> +++ b/doc/README.swupdate.md
>>> @@ -136,8 +136,8 @@ To use other key and certificate the following
>>> variables must be set:
>>> ```
>>> PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-
>>> certificates-key"
>>> PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
>>> -SWU_SIGN_CERT = "<sigining certificate file name>"
>>> SWU_SIGN_KEY = "<siging key file name>"
>>> +IMAGE_INSTALL += "${@'swupdate-certificates' if
>>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>>> ```
>>> The files `<sigining certificate file name>` and `<siging key file
>>> name>` need to be stored
>>> @@ -145,8 +145,15 @@ in `recipes-devtools/swupdate-
>>> certificates/files/` or in a path defined by an bb
>>> ### signing script
>>> -The provided [cms signing script](./recipes-devtools/swupdate-
>>> certificates/files/sign-swu-cms)
>>> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
>>> +The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-
>>> signer/) provides a [cms signing script](./recipes-devtools/swupdate-
>>> certificates/files/sign-swu-cms).
>>> +When signing requires a project specific signing script,
>>> +e.g. for using a hardware security module(HSM), an own package can
>>> be added.
>>> +The package can replace the default package by adding the following
>>> line:
>>> +```
>>> +PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
>>
>> If you just specify this, bitbake complains about not providing the
>> keys package:
>>
>> Consider defining a PREFERRED_PROVIDER entry to match swupdate-
>> certificates-key
> In the section above this own
> PREFERRED_PROVIDER_swupdate-certificates-key is already set.
>
> This should only happen if you set PREFERRED_PROVIDER_swupdate-signer =
> "swupdate-signer-snakeoil". I can add a code section where all the
> variables are collected for a snakeoil signing.
>

So, there will be v3 coming?

Jan
On 9/16/24 10:42 AM, Jan Kiszka wrote:
> On 13.09.24 09:55, Gylstorff Quirin wrote:
>>
>>
>> On 9/12/24 4:08 PM, Moessbauer, Felix (T CED OES-DE) wrote:
>>> On Thu, 2024-09-12 at 12:06 +0200, Quirin Gylstorff wrote:
>>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>
>>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> ---
>>>> doc/README.swupdate.md | 13 ++++++++++---
>>>> 1 file changed, 10 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
>>>> index a5fbab9..d4d0851 100644
>>>> --- a/doc/README.swupdate.md
>>>> +++ b/doc/README.swupdate.md
>>>> @@ -136,8 +136,8 @@ To use other key and certificate the following
>>>> variables must be set:
>>>> ```
>>>> PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-
>>>> certificates-key"
>>>> PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates"
>>>> -SWU_SIGN_CERT = "<sigining certificate file name>"
>>>> SWU_SIGN_KEY = "<siging key file name>"
>>>> +IMAGE_INSTALL += "${@'swupdate-certificates' if
>>>> bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
>>>> ```
>>>> The files `<sigining certificate file name>` and `<siging key file
>>>> name>` need to be stored
>>>> @@ -145,8 +145,15 @@ in `recipes-devtools/swupdate-
>>>> certificates/files/` or in a path defined by an bb
>>>> ### signing script
>>>> -The provided [cms signing script](./recipes-devtools/swupdate-
>>>> certificates/files/sign-swu-cms)
>>>> -can be replaced by setting the variable `SWU_SIGN_SCRIPT`.
>>>> +The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-
>>>> signer/) provides a [cms signing script](./recipes-devtools/swupdate-
>>>> certificates/files/sign-swu-cms).
>>>> +When signing requires a project specific signing script,
>>>> +e.g. for using a hardware security module(HSM), an own package can
>>>> be added.
>>>> +The package can replace the default package by adding the following
>>>> line:
>>>> +```
>>>> +PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
>>>
>>> If you just specify this, bitbake complains about not providing the
>>> keys package:
>>>
>>> Consider defining a PREFERRED_PROVIDER entry to match swupdate-
>>> certificates-key
>> In the section above this own
>> PREFERRED_PROVIDER_swupdate-certificates-key is already set.
>>
>> This should only happen if you set PREFERRED_PROVIDER_swupdate-signer =
>> "swupdate-signer-snakeoil". I can add a code section where all the
>> variables are collected for a snakeoil signing.
>>
>
> So, there will be v3 coming?

I will prepare a v3 with:
+```
+PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"
+PREFERRED_PROVIDER_swupdate-certificates-key = "<own key package>"
+PREFERRED_PROVIDER_swupdate-certificates = "<own certificate package>"
+```

Quirin

>
> Jan
>
diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md index a5fbab9..d4d0851 100644 --- a/doc/README.swupdate.md +++ b/doc/README.swupdate.md @@ -136,8 +136,8 @@ To use other key and certificate the following variables must be set: ``` PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key" PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" -SWU_SIGN_CERT = "<sigining certificate file name>" SWU_SIGN_KEY = "<siging key file name>" +IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" ``` The files `<sigining certificate file name>` and `<siging key file name>` need to be stored @@ -145,8 +145,15 @@ in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bb ### signing script -The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms) -can be replaced by setting the variable `SWU_SIGN_SCRIPT`. +The package [swupdate-signer-snakeoil](recipes-devtools/swupdate-signer/) provides a [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms). +When signing requires a project specific signing script, +e.g. for using a hardware security module(HSM), an own package can be added. +The package can replace the default package by adding the following line: +``` +PREFERRED_PROVIDER_swupdate-signer = "<own signing package>" +``` + +The package `<own signing package>` needs to install a executable to `/usr/bin/sign-swu`. ## SWUpdate Hardware compatibility
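Review bot: in the `@@ -136,8 +136,8 @@` hunk, dropping `-SWU_SIGN_CERT = "<sigining certificate file name>"` leaves the unchanged context dangling: the hunk header sentence still says "To use other key and certificate the following variables must be set", and the trailing context still reads "The files `<sigining certificate file name>` and `<siging key file name>` need to be stored ...", although no variable in the block names the certificate file any more. Either keep a certificate variable in the list or reword both sentences so they describe only what the block still sets, and fix the "sigining"/"siging" typos while touching those lines. The added `+IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"` also deserves one sentence of explanation in the document: it pulls the certificate package (the verification side) into the image only when `SWU_SIGNED` is true, while the key package is intentionally not part of `IMAGE_INSTALL`; without that sentence a reader who copies the block without setting `SWU_SIGNED` will not notice that this line then contributes nothing to the image.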
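Review bot: in the `@@ -145,8 +145,15 @@` hunk, the single line `+PREFERRED_PROVIDER_swupdate-signer = "<own signing package>"` is not a complete instruction, as the thread itself confirms: a reader who follows only this section still needs `PREFERRED_PROVIDER_swupdate-certificates-key` and `PREFERRED_PROVIDER_swupdate-certificates`, otherwise bitbake asks for a provider matching swupdate-certificates-key. List all three assignments in this block (as announced for v3) and state what a project that has no key package at all, the HSM case raised in the review, is expected to set for the key provider. Two further points: the new link text points at `recipes-devtools/swupdate-signer/` while the script link still points at `./recipes-devtools/swupdate-certificates/files/sign-swu-cms`, so verify that path is still valid once the script lives in the signer recipe; and the removed sentence about `SWU_SIGN_SCRIPT` is not replaced by any migration hint, so say whether that variable is still honoured or has been dropped. Since `/usr/bin/sign-swu` is named as the contract for a project-specific signer, add a pointer to its calling convention (or name sign-swu-cms as the reference implementation) so an HSM-backed script can be written against it. Minor wording in the added lines: "a executable" should be "an executable", "module(HSM)" should be "module (HSM)", and "an own package" reads better as "a project-specific package".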