Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

swupdate: add public key to the recovery initramfs 

- The swupdate binary included in the recovery partition when the
  images to build are trustfence enabled performs a verification
  of the swupdate package. For this verification to suceed, it is
  mandatory to provide to the swupdate binary the public key that
  will be used to verify the swupdate package. This public key must be
  included in the recovery initramfs only when 'TRUSTFENCE_SIGN=1'.

https://jira.digi.com/browse/DEL-3772

Signed-off-by: David Escalona <david.escalona@digi.com>
This commit is contained in:
David Escalona 2017-03-01 17:25:11 +01:00
parent 7222c1d5bb
commit 6362b99205
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
View File

@ -4,6 +4,8 @@ SUMMARY = "Recovery initramfs files"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
DEPENDS += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'trustfence-cst-native openssl-native', '', d)}"
SRC_URI = " \
file://recovery-initramfs-init \
file://swupdate.cfg \
@ -15,6 +17,39 @@ do_install() {
install -d ${D}${sysconfdir}
install -m 0755 ${WORKDIR}/recovery-initramfs-init ${D}/init
install -m 0644 ${WORKDIR}/swupdate.cfg ${D}${sysconfdir}
# If Trustfence is enabled, copy the public key that is going to be used into the
# initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
# Retrieve the key index to use.
KEY_INDEX="0"
if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then
KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
fi
KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
# Check if keys are already generated or not. If keys do not exist, generate them.
SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
CERT_CSF="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/CSF${KEY_INDEX_1}*crt.pem)"
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
# PKI tree already exists. Do nothing
echo "Using existing PKI tree for recovery."
elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then
# Generate PKI
mkdir -p "${TRUSTFENCE_SIGN_KEYS_PATH}"
trustfence-gen-pki.sh "${TRUSTFENCE_SIGN_KEYS_PATH}"
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
else
echo "Inconsistent CST folder."
exit 1
fi
# Extract the public key.
install -d ${D}${sysconfdir}/ssl/certs
openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
fi
}
# Do not create debug/devel packages