swupdate: add sign and hash support to swupdate packages generation

- Enabled signing support while generating the swupdate
  packages for 'core-image-base' and 'dey-image-qt'. The
  signing support is only enabled when 'TRUSTFENCE_SIGN=1'
  and requires the recipe to set the private key that will
  be used to generate the signature.
- Enabled hash support while generating the swupdate
  packages for 'core-image-base' and 'dey-image-qt'. The
  hash support requires the sw-description files to include
  a new line for each image and/or file that will be added
  to the update package. The hash is automatically calculated
  and replaced in the sw-description files.

https://jira.digi.com/browse/DEL-3774

Signed-off-by: David Escalona <david.escalona@digi.com>
David Escalona 2017-03-02 14:02:26 +01:00
parent 68430b1297
commit 319576805a
3 changed files with 25 additions and 0 deletions


@ -35,6 +35,7 @@ python () {
import binascii import binascii
import hashlib import hashlib
import os import os
import glob
# Secure console configuration # Secure console configuration
if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE", True) == "1"): if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE", True) == "1"):
@ -64,4 +65,24 @@ python () {
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True)) d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True))
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"): if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y') d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
# Provide sane default values for SWUPDATE class in case Trustfence is enabled
if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
# Enable package signing.
d.setVar("SWUPDATE_SIGNING", "1")
# Retrieve the keys path to use.
keys_path = d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True)
# Retrieve the key index to use.
key_index = 0
if (d.getVar("TRUSTFENCE_KEY_INDEX", True)):
key_index = int(d.getVar("TRUSTFENCE_KEY_INDEX", True))
key_index_1 = key_index + 1
# Set the private key.
d.setVar("SWUPDATE_PRIVATE_KEY", glob.glob(keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")[0])
# Set the key password.
d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
} }
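Review bot: The `glob.glob(...)[0]` lookup that sets `SWUPDATE_PRIVATE_KEY` in the second hunk has no handling for an unset `TRUSTFENCE_SIGN_KEYS_PATH` (a `TypeError` from `None + str`), for zero matches (a bare `IndexError` while parsing), or for several matches, where the key that signs the package depends on directory listing order. Failing with a clear message unless exactly one key file matches makes the signing key deterministic and easy to audit; the sketch below uses `bb.fatal`, and if the keys can legitimately be generated later in the build, the check would need to move into the task that does the signing. `TRUSTFENCE_KEY_INDEX` also goes through `int()` without validation, and both `SWUPDATE_PRIVATE_KEY` and `SWUPDATE_PASSWORD_FILE` are overwritten even when a recipe has already set them, which the "sane default values" comment does not suggest. The `python ()` body starts above both hunks.

```python
    if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
        # … unchanged: SWUPDATE_SIGNING is set to "1" …
        keys_path = d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True)
        if not keys_path:
            bb.fatal("TRUSTFENCE_SIGN is enabled but TRUSTFENCE_SIGN_KEYS_PATH is not set")
        # … unchanged: key_index / key_index_1 computation …
        key_pattern = os.path.join(keys_path, "keys", "IMG%d*key.pem" % key_index_1)
        key_files = glob.glob(key_pattern)
        if len(key_files) != 1:
            bb.fatal("Expected exactly one signing key matching %s, found %d" % (key_pattern, len(key_files)))
        d.setVar("SWUPDATE_PRIVATE_KEY", key_files[0])
        # … unchanged: SWUPDATE_PASSWORD_FILE assignment …
```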


@ -7,11 +7,13 @@ software =
filename = "##BOOTIMG_NAME##"; filename = "##BOOTIMG_NAME##";
device = "/dev/mmcblk0p1"; device = "/dev/mmcblk0p1";
type = "raw"; type = "raw";
sha256 = "@##BOOTIMG_NAME##";
}, },
{ {
filename = "##ROOTIMG_NAME##"; filename = "##ROOTIMG_NAME##";
device = "/dev/mmcblk0p3"; device = "/dev/mmcblk0p3";
type = "raw"; type = "raw";
sha256 = "@##ROOTIMG_NAME##";
} }
); );
} }
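Review bot: Nothing in this template says that `sha256 = "@##BOOTIMG_NAME##";` and `sha256 = "@##ROOTIMG_NAME##";` are build-time placeholders, or what protection the hash gives. A short comment above the entries would help, for example `# sha256 values are placeholders replaced with the image hash when the package is generated` followed by `# they authenticate the images only when sw-description itself is signed (TRUSTFENCE_SIGN = "1")`. Without the signature the hash still detects corruption, but it can be rewritten together with the image. The same comment applies to the other sw-description changed in this commit; the `software` block starts outside the hunk.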


@ -7,11 +7,13 @@ software =
filename = "##BOOTIMG_NAME##"; filename = "##BOOTIMG_NAME##";
volume = "linux"; volume = "linux";
type = "ubivol" type = "ubivol"
sha256 = "@##BOOTIMG_NAME##";
}, },
{ {
filename = "##ROOTIMG_NAME##"; filename = "##ROOTIMG_NAME##";
volume = "rootfs"; volume = "rootfs";
type = "ubivol" type = "ubivol"
sha256 = "@##ROOTIMG_NAME##";
} }
); );
} }
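Review bot: The added `sha256` lines follow `type = "ubivol"`, which has no terminating semicolon in either entry, unlike the `type = "raw";` lines in the other sw-description changed in this commit. Before this change it was the last setting in each group; now another setting follows it, so whether the file parses likely depends on the libconfig version treating the terminator as optional. Changing both lines to `type = "ubivol";` removes that dependency and keeps the two templates consistent. A description that fails to parse would presumably surface only when the update is applied on the device, so it is worth checking this variant on hardware.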