authorBastian Krause <bst@pengutronix.de>2020-05-15 16:26:39 +0200
committerMichael Olbrich <m.olbrich@pengutronix.de>2020-05-15 17:22:07 +0200
commitc420c0745b568fbf2ab2d0f7394c27935ed7faf2 (patch)
tree3bbddb3be682c7171f3a3d2346bdd69b538d11c8 /rules
parentc691a61e4b244d30b046289655228981d27adc2c (diff)
rauc/image-rauc: use code signing infrastructure for key retrieval
Use the keys provided by the currently active key provider via PKCS#11 instead of key files placed in the platform config directory. In order to make sure the new mechanics are used after a BSP update the rauc.key file is no longer allowed to exist in the platformconfig directory. Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or later Signed-off-by: Bastian Krause <bst@pengutronix.de> Message-Id: <20200515142641.812-14-bst@pengutronix.de> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'rules')
-rw-r--r--rules/image-rauc.make36
-rw-r--r--rules/rauc.in1
-rw-r--r--rules/rauc.make11
3 files changed, 16 insertions, 32 deletions
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index 839cb400b..d85b88cc2 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG := rauc.config
ifdef PTXCONF_IMAGE_RAUC
-IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
-IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
-
-IMAGE_RAUC_ENV := \
+IMAGE_RAUC_ENV = \
+ $(CODE_SIGNING_ENV) \
RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
- RAUC_KEY=$(IMAGE_RAUC_KEY) \
- RAUC_CERT=$(IMAGE_RAUC_CERT)
+ RAUC_KEY="$(shell cs_get_uri update)" \
+ RAUC_CERT="$(shell cs_get_uri update)"
-$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
+$(IMAGE_RAUC_IMAGE):
@$(call targetinfo)
@$(call image/genimage, IMAGE_RAUC)
@$(call finish)
-$(IMAGE_RAUC_KEY):
- @echo
- @echo "****************************************************************************"
- @echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
- @echo "* *"
- @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
- @echo "* from the scripts/ folder of your PTXdist installation *"
- @echo "****************************************************************************"
- @echo
- @echo
- @exit 1
-
-$(IMAGE_RAUC_CERT):
- @echo
- @echo "****************************************************************************"
- @echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
- @echo "* *"
- @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
- @echo "* from the scripts/ folder of your PTXdist installation *"
- @echo "****************************************************************************"
- @echo
- @echo
- @exit 1
-
endif
# vim: syntax=make
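Review bot: `RAUC_KEY="$(shell cs_get_uri update)"` has no failure path: the removed `$(IMAGE_RAUC_KEY)`/`$(IMAGE_RAUC_CERT)` rules bailed out with a clear message when no key was configured, whereas an empty result from the helper is now passed straight to genimage and surfaces only as a genimage error, if at all; the same applies to `$(shell cs_get_ca update)` in the rauc.make targetinstall hunk. Switching the variable to `=` also means the helper (and the `date` call) runs on every expansion of `IMAGE_RAUC_ENV`, presumably intended so `$(CODE_SIGNING_ENV)` is resolved late — a one-line comment stating that intent would help the next reader. Consider resolving the URI once, `IMAGE_RAUC_KEY_URI = $(shell cs_get_uri update)`, using it for both `RAUC_KEY` and `RAUC_CERT`, and adding to the image recipe `@test -n "$(IMAGE_RAUC_KEY_URI)" || ptxd_bailout "no signing key for role 'update' (see scripts/lib/ptxd_lib_code_signing.sh)"`.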
diff --git a/rules/rauc.in b/rules/rauc.in
index d712bc7b9..56fc3ae3b 100644
--- a/rules/rauc.in
+++ b/rules/rauc.in
@@ -7,6 +7,7 @@ menuconfig RAUC
select GLIB
select GLIB_LIBMOUNT
select HOST_GLIB
+ select CODE_SIGNING
select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR
select BUSYBOX_FEATURE_TAR_AUTODETECT if BUSYBOX_TAR
select BUSYBOX_FEATURE_SEAMLESS_XZ if BUSYBOX_TAR
diff --git a/rules/rauc.make b/rules/rauc.make
index ade9bd5dd..f9a10fbbc 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -46,6 +46,14 @@ RAUC_CONF_OPT := \
--with-dbuspolicydir=/usr/share/dbus-1/system.d \
--with-dbussystemservicedir=/usr/share/dbus-1/system-services
+$(STATEDIR)/rauc.prepare:
+ @$(call targetinfo)
+ @test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
+ ptxd_bailout "Please use the key provider infrastructure desribed in:" \
+ "scripts/lib/ptxd_lib_code_signing.sh"
+ @$(call world/prepare, RAUC)
+ @$(call touch)
+
# ----------------------------------------------------------------------------
# Target-Install
# ----------------------------------------------------------------------------
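Review bot: The migration check in the new `rauc.prepare` rule tests only `config/rauc/rauc.key`, but the files the old mechanism required were `config/rauc/rauc.key.pem` and `config/rauc/rauc.cert.pem` (the lines removed from image-rauc.make in this commit), so a BSP that still carries those is not caught — unless `rauc.key` is a separate legacy file, in which case all three names belong in the check. The bailout message also misspells "described" as `desribed`. A loop over the obsolete names covers all of them and fixes the message; the rest of the rule is unchanged.
```make
$(STATEDIR)/rauc.prepare:
	@$(call targetinfo)
	@for f in rauc.key rauc.key.pem rauc.cert.pem; do \
		test ! -e "$(call ptx/in-platformconfigdir, config/rauc/$$f)" || \
		ptxd_bailout "config/rauc/$$f is obsolete, please use the key provider infrastructure described in:" \
			"scripts/lib/ptxd_lib_code_signing.sh"; \
	done
# … unchanged: world/prepare call and touch …
```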
@@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
@$(call install_replace, rauc, /etc/rauc/system.conf, \
@RAUC_BUNDLE_COMPATIBLE@, \
"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
- @$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
+ @$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
+ /etc/rauc/ca.cert.pem)
endif
ifdef PTXCONF_RAUC_SERVICE