swupdate: add sign and hash support to swupdate packages generation

- Enabled signing support while generating the swupdate packages for 'core-image-base' and 'dey-image-qt'. The signing support is only enabled when 'TUSTFENCE_SIGN=1' and requires the recipe to set the private key that will be used to generate the signature. - Enabled hash support while generating the swupdate packages for 'core-image-base' and 'dey-image-qt'. The hash support requires the sw-description files to include a new line for each image and/or file that will be added to the update package. The hash is automatically calculated and replaced in the sw-description files. https://jira.digi.com/browse/DEL-3774 Signed-off-by: David Escalona <david.escalona@digi.com>
2017-03-02 14:02:26 +01:00 · 2017-03-02 14:02:26 +01:00 · 319576805a
parent 68430b1297
commit 319576805a
3 changed files with 25 additions and 0 deletions
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -35,6 +35,7 @@ python () {
    import binascii
    import hashlib
    import os
+    import glob

    # Secure console configuration
    if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE", True) == "1"):
@ -64,4 +65,24 @@ python () {
            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True))
    if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
        d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
+
+    # Provide sane default values for SWUPDATE class in case Trustfence is enabled
+    if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
+        # Enable package signing.
+        d.setVar("SWUPDATE_SIGNING", "1")
+
+        # Retrieve the keys path to use.
+        keys_path = d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True)
+
+        # Retrieve the key index to use.
+        key_index = 0
+        if (d.getVar("TRUSTFENCE_KEY_INDEX", True)):
+            key_index = int(d.getVar("TRUSTFENCE_KEY_INDEX", True))
+        key_index_1 = key_index + 1
+
+        # Set the private key.
+        d.setVar("SWUPDATE_PRIVATE_KEY", glob.glob(keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")[0])
+
+        # Set the key password.
+        d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
 }
--- a/meta-digi-dey/recipes-digi/swu-images/files/ccimx6/sw-description
+++ b/meta-digi-dey/recipes-digi/swu-images/files/ccimx6/sw-description
@ -7,11 +7,13 @@ software =
            filename = "##BOOTIMG_NAME##";
            device = "/dev/mmcblk0p1";
            type = "raw";
+            sha256 = "@##BOOTIMG_NAME##";
        },
        {
            filename = "##ROOTIMG_NAME##";
            device = "/dev/mmcblk0p3";
            type = "raw";
+            sha256 = "@##ROOTIMG_NAME##";
        }
    );
 }
--- a/meta-digi-dey/recipes-digi/swu-images/files/ccimx6ul/sw-description
+++ b/meta-digi-dey/recipes-digi/swu-images/files/ccimx6ul/sw-description
@ -7,11 +7,13 @@ software =
            filename = "##BOOTIMG_NAME##";
            volume = "linux";
            type = "ubivol"
+            sha256 = "@##BOOTIMG_NAME##";
        },
        {
            filename = "##ROOTIMG_NAME##";
            volume = "rootfs";
            type = "ubivol"
+            sha256 = "@##ROOTIMG_NAME##";
        }
    );
 }