From 36984a531b3495bc8dc92d01ec3c99b79073d9c9 Mon Sep 17 00:00:00 2001
From: Michael Olbrich
Date: Thu, 25 Nov 2021 16:26:39 +0100
Subject: image-rauc: add support for intermediate certificates
Signed-off-by: Michael Olbrich
---
 config/images/rauc.config | 5 +++--
 platforms/image-rauc.in | 8 ++++++++
 rules/image-rauc.make | 3 ++-
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/config/images/rauc.config b/config/images/rauc.config
index ddf40fb17..e4169cc8c 100644
--- a/config/images/rauc.config
+++ b/config/images/rauc.config
@@ -7,15 +7,16 @@ image @IMAGE@ {
 version=@RAUC_BUNDLE_VERSION@
 build=@RAUC_BUNDLE_BUILD@
 description=@RAUC_BUNDLE_DESCRIPTION@
-
+
 [bundle]
 format=@RAUC_BUNDLE_FORMAT@
-
+
 [image.rootfs]
 filename=root.tar.gz
 "
 cert = "@RAUC_CERT@"
 key = "@RAUC_KEY@"
 keyring = "@RAUC_KEYRING@"
+ intermediate = @RAUC_INTERMEDIATE@
 }
 }
diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
index 1c5967092..3835e0718 100644
--- a/platforms/image-rauc.in
+++ b/platforms/image-rauc.in
@@ -41,4 +41,12 @@ config IMAGE_RAUC_BUNDLE_FORMAT_VERITY
 endchoice
+config IMAGE_RAUC_INTERMEDIATE
+ bool "include intermediate certificates"
+ help
+ Include intermediate certificates in the bundle signature that
+ can be used to close the trust chain during bundle signature
+ verification. The certificates must be stored in the CA of the
+ "update-intermediate" role of the code signing provider.
+
 endif
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index d70114aa2..f7bed6e49 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
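Review bot: The added `intermediate = @RAUC_INTERMEDIATE@` entry in config/images/rauc.config is the only substitution in this block written without surrounding quotes, unlike `cert`, `key` and `keyring` directly above it, and nothing in the file explains why. The value is assembled in rules/image-rauc.make as either a double-quoted path or `{}`, so a bare path supplied through RAUC_INTERMEDIATE would presumably no longer parse. A one-line comment above the entry would make that contract visible, for example `# @RAUC_INTERMEDIATE@ expands to a quoted path or {}; the quoting is done in rules/image-rauc.make`. The two `-`/`+` pairs earlier in the hunk only change whitespace.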
@@ -35,7 +35,8 @@ IMAGE_RAUC_ENV = \
 RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
 RAUC_KEY="$(shell cs_get_uri update)" \
 RAUC_CERT="$(shell cs_get_uri update)" \
- RAUC_KEYRING="$(shell cs_get_ca update)"
+ RAUC_KEYRING="$(shell cs_get_ca update)" \
+ RAUC_INTERMEDIATE=$(call ptx/ifdef, PTXCONF_IMAGE_RAUC_INTERMEDIATE,'"$(shell cs_get_ca update-intermediate)"','{}')
 $(IMAGE_RAUC_IMAGE):
 @$(call targetinfo)
--
cgit v1.2.3
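Review bot: `$(shell cs_get_ca update-intermediate)` on the added RAUC_INTERMEDIATE line is an argument of `$(call ptx/ifdef, …)`, and make expands every argument of `call` before the called macro is evaluated, so the command runs on each expansion of IMAGE_RAUC_ENV even when PTXCONF_IMAGE_RAUC_INTERMEDIATE is off. The built-in `$(if …)` expands only the branch it selects, so, assuming the symbol is empty when the option is off, the line could read `RAUC_INTERMEDIATE=$(if $(PTXCONF_IMAGE_RAUC_INTERMEDIATE),'"$(shell cs_get_ca update-intermediate)"','{}')`. With the option on, an empty result from the command is passed through as `""`; how genimage and rauc treat that is not visible here, so it is worth confirming that a provider without an `update-intermediate` role fails the build rather than yielding a bundle signed without its chain. The IMAGE_RAUC_ENV assignment begins above the hunk.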