From patchwork Tue Mar 5 11:02:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13582118 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 22A8FC54E49 for ; Tue, 5 Mar 2024 11:03:24 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.20091.1709636595988226617 for ; Tue, 05 Mar 2024 03:03:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=P31K0azD; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-20240305110312e526a575e72f269590-hr_vtg@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20240305110312e526a575e72f269590 for ; Tue, 05 Mar 2024 12:03:12 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=PobW7/TOjsSmnAVRB4B34bIqRqG9Ur0ytM39fxRYyrg=; b=P31K0azDA0UTV57yEtU9MJ++CVsGGiO9P+euJ2/xrv+PT2ZP/lNifv3HHVMMr86PIauK9E x4XibI4NMMP0qNFW9d/3p1+tHHHJW5UJP1VcDEi+ykb5oA+a5Iqa65vmLGhg8aDHNOHguTkp GG7RkaCKxgO+g+pH/0XgEf6Elh8Fk=; 
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v2 1/4] swupdate: check output of sign-swu Date: Tue, 5 Mar 2024 12:02:43 +0100 Message-ID: <20240305110311.2073425-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240305110311.2073425-1-Quirin.Gylstorff@siemens.com> References: <20240305110311.2073425-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 Mar 2024 11:03:24 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15217 From: Quirin Gylstorff Check for signing errors to avoid an unusable swu file. This also moves the signing out of the loop that generates the cpio archive *.swu, as the messages from the signing can lead to errors in the archive generation. The cpio options no longer use the short form. Signed-off-by: Quirin Gylstorff --- classes/swupdate.bbclass | 43 ++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 13 deletions(-) diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index aaff072..c62f43f 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass 
@@ -191,24 +191,41 @@ IMAGE_CMD:swu() { "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}" done cd "${PP_WORK}/$swu_file_base" - for file in "${SWU_DESCRIPTION_FILE}" ${SWU_ADDITIONAL_FILES}; do - if [ "$file" = "${SWU_DESCRIPTION_FILE}" ] || \ - grep -q "$file" "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then + cpio_files="${SWU_DESCRIPTION_FILE}" + + if [ -n "$sign" ]; then + if ! /usr/bin/sign-swu \ + "${SWU_DESCRIPTION_FILE}" "${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" \ + > /dev/null 2>&1 || \ + [ ! -f "${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" ]; then + echo "Could not create swupdate signature file '${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}'" 1>&2 + exit 1 + fi + cpio_files="$cpio_files ${SWU_DESCRIPTION_FILE}.${SWU_SIGNATURE_EXT}" + fi + + # sw-description must be first file in *.swu + for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do + if [ -f "$cpio_file" ]; then # Set file timestamps for reproducible builds if [ -n "${SOURCE_DATE_EPOCH}" ]; then touch -d@"${SOURCE_DATE_EPOCH}" "$file" fi - echo "$file" - if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then - sign-swu "$file" "$file.${SWU_SIGNATURE_EXT}" - # Set file timestamps for reproducible builds - if [ -n "${SOURCE_DATE_EPOCH}" ]; then - touch -d@"${SOURCE_DATE_EPOCH}" "$file.${SWU_SIGNATURE_EXT}" - fi - echo "$file.${SWU_SIGNATURE_EXT}" - fi + case "$cpio_file" in + sw-description*) + echo "$cpio_file" + ;; + *) + if grep -q "$cpio_file" \ + "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then + echo "$cpio_file" + fi + ;; + esac fi - done | cpio -ovL --reproducible -H crc > "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu" + done | cpio \ + --verbose --dereference --create --reproducible --format=crc \ + > "${PP_DEPLOY}/${SWU_IMAGE_FILE}$swu_file_extension.swu" EOIMAGER done } From patchwork Tue Mar 5 11:02:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin 
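Review bot: The reproducible-build `touch` inside the new `for cpio_file in ...` loop still operates on `"$file"`, which is no longer this loop's variable, so each iteration re-stamps whatever `$file` was left at by earlier code instead of the file about to be archived; it should read `touch -d@"${SOURCE_DATE_EPOCH}" "$cpio_file"`. In the same loop the membership test `grep -q "$cpio_file"` treats the name as an unanchored regular expression and now reads `${WORKDIR}/...` where the removed line read `${PP_WORK}/...`; as this runs inside the `imager_run` here-document, `grep -qF -- "$cpio_file" "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}"` looks like the intended form, but confirm whether the WORKDIR path resolves there. Sending the signer's output to `/dev/null 2>&1` hides why signing failed; now that signing runs outside the pipeline that feeds cpio, `> /dev/null` alone would keep stderr available in the build log. The body of IMAGE_CMD:swu starts outside the hunk.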
X-Patchwork-Id: 13582119 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 127DBC54798 for ; Tue, 5 Mar 2024 11:03:24 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.19722.1709636595644170336 for ; Tue, 05 Mar 2024 03:03:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=qF4Bmsje; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-20240305110312b230621281171d66d1-3dfqbb@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20240305110312b230621281171d66d1 for ; Tue, 05 Mar 2024 12:03:12 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=IpKQdYiT4JWOQuVEpHZfqCJaRO2XpZXV4eGeeGhrp1c=; b=qF4Bmsjezic2IUbKYJ7MfZR/35fOGZ6ZOl8DL1zJ1obcvYamPDTC3nB6H5BkNDvkit054I goKebytrgwfdhBWbUylVs0mnZvv4EoH7aDWFeDubFt4ztx7LNc/R8zvVvT+f9kGw+kDMz3jG dUOOeNELfWAFj+KkMUvybyP+P9F+w=; 
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v2 2/4] sign-swu-cms: check if key and cert are valid Date: Tue, 5 Mar 2024 12:02:44 +0100 Message-ID: <20240305110311.2073425-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240305110311.2073425-1-Quirin.Gylstorff@siemens.com> References: <20240305110311.2073425-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 Mar 2024 11:03:24 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15218 From: Quirin Gylstorff This avoids a broken update binary. Signed-off-by: Quirin Gylstorff --- .../swupdate-certificates/files/sign-swu-cms | 29 +++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/recipes-devtools/swupdate-certificates/files/sign-swu-cms b/recipes-devtools/swupdate-certificates/files/sign-swu-cms index 7bd04ef..d844e01 100644 --- a/recipes-devtools/swupdate-certificates/files/sign-swu-cms +++ b/recipes-devtools/swupdate-certificates/files/sign-swu-cms 
@@ -1,9 +1,34 @@ #!/bin/sh in_file=$1 out_file=$2 +inkey="/usr/share/swupdate-signing/swupdate-sign.key" +cert="/usr/share/swupdate-signing/swupdate-sign.crt" + +error_msg() { + echo "$1" 1>&2 + exit 1 +} + +if ! openssl rsa -check -noout -in "$inkey"; then + error_msg "key '$inkey' is not a rsa key " +fi + +# if openssl > 3.0 we have the x509 check option +if openssl version | grep -q "3.[0-9].[0-9]"; then + if ! openssl x509 -check -noout -in "$cert"; then + error_msg "certificate '$cert' is not a certificate" + fi +fi + +key_md5=$(openssl rsa -modulus -noout -in "$inkey" | openssl md5) +cert_md5=$(openssl x509 -modulus -noout -in "$cert" | openssl md5) +if [ "$key_md5" != "$cert_md5" ]; then + error_msg "key '$inkey' does not match certificate '$cert' " +fi + openssl cms \ -sign -in "$in_file" \ -out "$out_file" \ - -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \ - -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \ + -signer "$cert" \ + -inkey "$inkey" \ -outform DER -noattr -binary From patchwork Tue Mar 5 11:02:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13582142 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC78AC54E41 for ; Tue, 5 Mar 2024 11:07:33 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.19793.1709636829567737105 for ; Tue, 05 Mar 2024 03:07:28 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=hFHYIt7k; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: 
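Review bot: The OpenSSL version gate `grep -q "3.[0-9].[0-9]"` is unanchored and its dots match any character, so it also matches a banner such as `LibreSSL 3.x.y` and stops matching from a major version 4 on, at which point the certificate check is silently skipped. Anchoring on product and major version, e.g. `openssl version | grep -q '^OpenSSL [3-9]\.'`, makes the gate say what the comment above it intends. When the gate is not taken the certificate is validated only indirectly through the modulus comparison, which deserves a comment such as `# older OpenSSL: cert is only checked via the modulus match below`. That comparison hashes with `openssl md5`; it is only an equality check, but `openssl sha256` works the same way and avoids a weak-digest finding in audits. Neither `$in_file` nor `$out_file` is checked for being set before `openssl cms` runs.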
fm-51332-2024030511031301934f2ec04b2b9f84-niwsou@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 2024030511031301934f2ec04b2b9f84 for ; Tue, 05 Mar 2024 12:03:13 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=ltOB0YWZr1jOxXIJIJcK6JqHzwNf9a8zcL/oZfohUIQ=; b=hFHYIt7k/tzOvbcmpStMOwTiFSWd2QyuOatE+bRfbdzN9Ox+sT4MLEXJ7LeiKlSyERC0tn jstgsjD6DfSZDSKxVeWfbLf5XB3HKwpqCNjIZltRz49vNRruBZhVCIadYN6BhoIzPasxMYu1 rHJ88k6S+lMmk3rLMEMQ01Ggn+Ics=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v2 3/4] doc: Add section about SWUpdate signing to README.swupdate.md Date: Tue, 5 Mar 2024 12:02:45 +0100 Message-ID: <20240305110311.2073425-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240305110311.2073425-1-Quirin.Gylstorff@siemens.com> References: <20240305110311.2073425-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 Mar 2024 11:07:33 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15220 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.swupdate.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md index 5877882..b7e13f7 100644 --- a/doc/README.swupdate.md +++ b/doc/README.swupdate.md 
@@ -110,6 +110,27 @@ The sw-description will contain the following section: sha256 = ""; }): ``` +## SWUpdate Signing + +The ISAR layer isar-cip-core provides templates to sign the swu binaries with +a CMS certificate. + +By default the insecure [Debian snake-oil keys](./recipes-devtools/secure-boot-secrets/files/bookworm/) are used. +To use other key and certificate the following variables must be set: +``` +PREFERRED_PROVIDER_swupdate-certificates-key = "swupdate-certificates-key" +PREFERRED_PROVIDER_swupdate-certificates = "swupdate-certificates" +SWU_SIGN_CERT = "" +SWU_SIGN_KEY = "" +``` + +The files `` and `` need to be stored +in `recipes-devtools/swupdate-certificates/files/` or in a path defined by an bbappend file, e.g.`swupdate-certificates-key_%.bbappend` + +### signing script + +The provided [cms signing script](./recipes-devtools/swupdate-certificates/files/sign-swu-cms) +can be replaced by setting the variable `SWU_SIGN_SCRIPT`. ## SWUpdate Hardware compatibility From patchwork Tue Mar 5 11:02:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13582120 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15DD7C54798 for ; Tue, 5 Mar 2024 11:05:44 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.20145.1709636736840194343 for ; Tue, 05 Mar 2024 03:05:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=On7jnOKV; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-20240305110313f80ebd3b307855f1b3-3pjoup@rts-flowmailer.siemens.com) Received: by 
mta-65-227.siemens.flowmailer.net with ESMTPSA id 20240305110313f80ebd3b307855f1b3 for ; Tue, 05 Mar 2024 12:05:35 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=YNpxQQAUr5Cj+pSMthy93Vwi95vCRXnuxZe+zA2F49I=; b=On7jnOKVdxm/ygjfJ+K74ixl3Zu23HbBRl3MvsfTXYDK1m2LFTkif7v+5SvH/vdF3sw8pj +H0BND95Rqc6FnLeYU7Gj9zgINbOTK0H9kDYXgAfdUs0oBN/7mYYRJdH7vjRQQLNyWHsNbYD 97BJeXvklutJ1QES2ecKcWVcvk2p4=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v2 4/4] fix do not add files to each image recipe Date: Tue, 5 Mar 2024 12:02:46 +0100 Message-ID: <20240305110311.2073425-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240305110311.2073425-1-Quirin.Gylstorff@siemens.com> References: <20240305110311.2073425-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 Mar 2024 11:05:44 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15219 From: Quirin Gylstorff Due to the use of an anonym python function each image recipe was partial build even if not requested. To avoid this remove the anonym image function by adding it as an prefunc to do_image_swu and do_transform_template. The SRC_URI is appended with a function. Signed-off-by: Quirin Gylstorff --- classes/efibootguard.bbclass | 1 - classes/swupdate.bbclass | 42 ++++++++++++++++++++++++------------ 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/classes/efibootguard.bbclass b/classes/efibootguard.bbclass index 31fcdcc..2b4f09e 100644 --- a/classes/efibootguard.bbclass 
+++ b/classes/efibootguard.bbclass @@ -67,5 +67,4 @@ python add_ebg_update(){ ebg_update = d.getVar('SWU_EBG_UPDATE') or "" if ebg_update: d.appendVar('SWU_FILE_NODES', "," + swu_ebg_update_node) - d.appendVar('SWU_ADDITIONAL_FILES', " " + efi_boot_loader_file) } diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index c62f43f..c82d20c 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass @@ -63,7 +63,7 @@ IMAGE_TEMPLATE_VARS:swu = " \ # TARGET_IMAGE_UUID needs to be generated before completing the template addtask do_transform_template after do_generate_image_uuid -python(){ +python do_extend_sw_description(){ cmds = d.getVar("SWU_EXTEND_SW_DESCRIPTION") if cmds is None or not cmds.strip(): return @@ -71,6 +71,7 @@ python(){ for cmd in cmds: bb.build.exec_func(cmd, d) } +do_transform_template[prefuncs] += "do_extend_sw_description" SWU_EXTEND_SW_DESCRIPTION += "add_swu_hw_compat" python add_swu_hw_compat(){ @@ -94,9 +95,22 @@ python add_swu_compression(){ d.setVar('SWU_COMPRESSION_NODE', '') } +def add_scripts_to_src_uri(d): + swu_scripts = d.getVar('SWU_SCRIPTS') + if not swu_scripts: + return "" + swu_script_entries = swu_scripts.split() + script_file_list = [] + for entry in swu_script_entries: + script_entry = f"SWU_SCRIPT_{entry}" + script_file = d.getVarFlag(script_entry, "file") + script_file_list.append(f" file://{script_file}") + return ' '.join([n for n in script_file_list]) -SWU_EXTEND_SW_DESCRIPTION += "add_scripts" -python add_scripts(){ +SRC_URI += "${@add_scripts_to_src_uri(d)}" + +SWU_EXTEND_SW_DESCRIPTION += "add_scripts_node" +python add_scripts_node(){ swu_scripts = d.getVar('SWU_SCRIPTS') if not swu_scripts: return 
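Review bot: In the `@@ -94,9 +95,22 @@` hunk, `add_scripts_to_src_uri` does not handle a `SWU_SCRIPTS` entry whose `SWU_SCRIPT_<entry>[file]` flag is unset: `d.getVarFlag(script_entry, "file")` then returns `None` and the f-string appends ` file://None` to `SRC_URI`, so the mistake would surface later as an unrelated-looking fetch failure. A guard before the append, `if not script_file: bb.fatal(f"{script_entry}[file] is not set")`, reports it at the source. The function also has no docstring; one line saying that it is evaluated inline whenever `SRC_URI` is expanded, and so must stay free of side effects, would explain why it was split from `add_scripts_node`. `' '.join([n for n in script_file_list])` can be `' '.join(script_file_list)`, and the leading space in each element is then redundant.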
@@ -129,8 +143,6 @@ python add_scripts(){ sha256 = "{script_file}-sha256"; }}""" script_node_list.append(node) - d.appendVar('SWU_ADDITIONAL_FILES', " " + script_file) - d.appendVar('SRC_URI', f" file://{script_file}") swu_scripts_node = "scripts: (" + ','.join([n for n in script_node_list]) + ");" d.appendVar('SWU_SCRIPTS_NODE', swu_scripts_node) @@ -155,6 +167,7 @@ FILESEXTRAPATHS:append = ":${LAYERDIR_cip-core}/recipes-core/images/swu" do_image_swu[depends] += "${PN}:do_transform_template" do_image_swu[stamp-extra-info] = "${DISTRO}-${MACHINE}" do_image_swu[cleandirs] += "${WORKDIR}/swu ${WORKDIR}/swu-${SWU_BOOTLOADER}" +do_image_swu[prefuncs] = "do_extend_sw_description" IMAGE_CMD:swu() { rm -f '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'*.swu cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}' @@ -165,13 +178,14 @@ IMAGE_CMD:swu() { for swu_file in "${WORKDIR}"/swu*; do swu_file_base=$(basename $swu_file) # Create symlinks for files used in the update image - for file in ${SWU_ADDITIONAL_FILES}; do - if grep -q "$file" "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}"; then - if [ -e "${WORKDIR}/$file" ]; then - ln -s "${PP_WORK}/$file" "${WORKDIR}/$swu_file_base/$file" - else - ln -s "${PP_DEPLOY}/$file" "${WORKDIR}/$swu_file_base/$file" - fi + swu_files=$(awk '$1=="filename"{gsub(/[",;]/, "", $3); print $3}' \ + "${WORKDIR}/$swu_file_base/${SWU_DESCRIPTION_FILE}") + export swu_files + for file in $swu_files; do + if [ -e "${WORKDIR}/$file" ]; then + ln -s "${PP_WORK}/$file" "${WORKDIR}/$swu_file_base/$file" + else + ln -s "${PP_DEPLOY}/$file" "${WORKDIR}/$swu_file_base/$file" fi done 
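Review bot: `do_image_swu[prefuncs] = "do_extend_sw_description"` in the `@@ -155,6 +167,7 @@` hunk assigns with `=`, which discards any prefuncs that another class or bbappend registered for `do_image_swu` earlier in parsing, while the neighbouring `depends` and `cleandirs` flags and the new `do_transform_template[prefuncs]` line all use `+=`. Unless the override is deliberate, write `do_image_swu[prefuncs] += "do_extend_sw_description"`.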
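Review bot: In the `@@ -165,13 +178,14 @@` hunk the names that `awk` extracts from the sw-description are expanded unquoted in `for file in $swu_files` and linked without any check that the target exists: the `else` branch creates `ln -s "${PP_DEPLOY}/$file"` even when nothing is there. Judging by the later loops in this series (`sha256sum` inside a command substitution, `if [ -f "$cpio_file" ]`), a dangling link would probably yield an empty checksum and be left out of the archive without failing the build, so a signed .swu could reference a payload it does not contain. Turning the `else` into `elif [ -e "${DEPLOY_DIR_IMAGE}/$file" ]` (assuming that is the host-side path behind `PP_DEPLOY`) with a final `else` that prints the missing name to stderr and exits non-zero makes this visible. The awk program also relies on the exact `filename = "name";` token layout with the value in `$3`, which is worth stating in a comment above it. The enclosing `for swu_file in ...` loop continues outside the hunk.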
@@ -186,7 +200,7 @@ IMAGE_CMD:swu() { export swu_file_extension imager_run -p -d ${PP_WORK} -u root <<'EOIMAGER' # Fill in file check sums - for file in ${SWU_ADDITIONAL_FILES}; do + for file in $swu_files; do sed -i "s:$file-sha256:$(sha256sum "${PP_WORK}/$swu_file_base/"$file | cut -f 1 -d " "):g" \ "${PP_WORK}/$swu_file_base/${SWU_DESCRIPTION_FILE}" done @@ -205,7 +219,7 @@ IMAGE_CMD:swu() { fi # sw-description must be first file in *.swu - for cpio_file in $cpio_files ${SWU_ADDITIONAL_FILES}; do + for cpio_file in $cpio_files $swu_files; do if [ -f "$cpio_file" ]; then # Set file timestamps for reproducible builds if [ -n "${SOURCE_DATE_EPOCH}" ]; then