authorMichael Olbrich <m.olbrich@pengutronix.de>2021-11-25 16:26:39 +0100
committerMichael Olbrich <m.olbrich@pengutronix.de>2021-11-26 19:21:29 +0100
commit36984a531b3495bc8dc92d01ec3c99b79073d9c9 (patch)
tree66670c48e291377d347dbd747e314d16c741ebc4
parent080a7d068a1f00e6042c7eda152caebf65946126 (diff)
image-rauc: add support for intermediate certificates
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
-rw-r--r--config/images/rauc.config5
-rw-r--r--platforms/image-rauc.in8
-rw-r--r--rules/image-rauc.make3
3 files changed, 13 insertions, 3 deletions
diff --git a/config/images/rauc.config b/config/images/rauc.config
index ddf40fb17..e4169cc8c 100644
--- a/config/images/rauc.config
+++ b/config/images/rauc.config
@@ -7,15 +7,16 @@ image @IMAGE@ {
version=@RAUC_BUNDLE_VERSION@
build=@RAUC_BUNDLE_BUILD@
description=@RAUC_BUNDLE_DESCRIPTION@
-
+
[bundle]
format=@RAUC_BUNDLE_FORMAT@
-
+
[image.rootfs]
filename=root.tar.gz
"
cert = "@RAUC_CERT@"
key = "@RAUC_KEY@"
keyring = "@RAUC_KEYRING@"
+ intermediate = @RAUC_INTERMEDIATE@
}
}
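Review bot: The added `intermediate = @RAUC_INTERMEDIATE@` line is the only signing option in this block without quotes, and nothing in the template says why. Judging by the rules/image-rauc.make part of this commit, the placeholder expands either to an already-quoted path or to `{}`, so the quoting lives in the make variable rather than here. A comment above the line would keep someone from "fixing" the quotes or from supplying a bare path through another route: `# @RAUC_INTERMEDIATE@ brings its own quoting: a quoted CA path, or {} for none`. The enclosing image block starts outside the hunk.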
diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
index 1c5967092..3835e0718 100644
--- a/platforms/image-rauc.in
+++ b/platforms/image-rauc.in
@@ -41,4 +41,12 @@ config IMAGE_RAUC_BUNDLE_FORMAT_VERITY
endchoice
+config IMAGE_RAUC_INTERMEDIATE
+ bool "include intermediate certificates"
+ help
+ Include intermediate certificates in the bundle signature that
+ can be used to close the trust chain during bundle signature
+ verification. The certificates must be stored in the CA of the
+ "update-intermediate" role of the code signing provider.
+
endif
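Review bot: The help text for IMAGE_RAUC_INTERMEDIATE says where the certificates must be stored but not what they are trusted for. Intermediates shipped inside the bundle signature only help build the chain; the keyring on the target still has to hold the CA they chain to, and saying so keeps the option from being read as a way to introduce new trust. I would append a sentence such as `They are not trust anchors; the keyring on the target must still contain the CA that issued them.` The text also leaves open what happens when the code signing provider has no "update-intermediate" role. The enclosing `if` block starts outside the hunk.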
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index d70114aa2..f7bed6e49 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -35,7 +35,8 @@ IMAGE_RAUC_ENV = \
RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
RAUC_KEY="$(shell cs_get_uri update)" \
RAUC_CERT="$(shell cs_get_uri update)" \
- RAUC_KEYRING="$(shell cs_get_ca update)"
+ RAUC_KEYRING="$(shell cs_get_ca update)" \
+ RAUC_INTERMEDIATE=$(call ptx/ifdef, PTXCONF_IMAGE_RAUC_INTERMEDIATE,'"$(shell cs_get_ca update-intermediate)"','{}')
$(IMAGE_RAUC_IMAGE):
@$(call targetinfo)
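Review bot: In the new RAUC_INTERMEDIATE line, `$(shell cs_get_ca update-intermediate)` is an argument of `$(call ...)`, and make expands call arguments before the called macro picks a branch, so the helper most likely runs even when PTXCONF_IMAGE_RAUC_INTERMEDIATE is off. With the option on, an empty result is passed through as `""` and would only surface later as a signing or config error, if at all. A comment like `# cs_get_ca runs regardless of the option; $(call) expands all arguments first` documents the first point. An early check in the image recipe that aborts when the option is set and the helper printed nothing would cover the second. The recipe of $(IMAGE_RAUC_IMAGE) continues outside the hunk.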