From 6362b992055ad178ebef40560022e6ee59a75a03 Mon Sep 17 00:00:00 2001
From: David Escalona
Date: Wed, 1 Mar 2017 17:25:11 +0100
Subject: [PATCH] swupdate: add public key to the recovery initramfs - The swupdate binary included in the recovery partition when the images to build are trustfence enabled performs a verification of the swupdate package. For this verification to suceed, it is mandatory to provide to the swupdate binary the public key that will be used to verify the swupdate package. This public key must be included in the recovery initramfs only when 'TRUSTFENCE_SIGN=1'. https://jira.digi.com/browse/DEL-3772
Signed-off-by: David Escalona
---
 .../recovery/recovery-initramfs.bb | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
index ea706465c..0b0db0435 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@@ -4,6 +4,8 @@ SUMMARY = "Recovery initramfs files"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+DEPENDS += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'trustfence-cst-native openssl-native', '', d)}"
+
 SRC_URI = " \
 file://recovery-initramfs-init \
 file://swupdate.cfg \
@@ -15,6 +17,39 @@ do_install() {
 install -d ${D}${sysconfdir}
 install -m 0755 ${WORKDIR}/recovery-initramfs-init ${D}/init
 install -m 0644 ${WORKDIR}/swupdate.cfg ${D}${sysconfdir}
+
+ # If Trustfence is enabled, copy the public key that is going to be used into the
+ # initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
+ if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+ # Retrieve the key index to use.
+ KEY_INDEX="0"
+ if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then
+ KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+ fi
+ KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
+
+ # Check if keys are already generated or not. If keys do not exist, generate them.
+ SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
+ CERT_CSF="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/CSF${KEY_INDEX_1}*crt.pem)"
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
+ n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
+ if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
+ # PKI tree already exists. Do nothing
+ echo "Using existing PKI tree for recovery."
+ elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then
+ # Generate PKI
+ mkdir -p "${TRUSTFENCE_SIGN_KEYS_PATH}"
+ trustfence-gen-pki.sh "${TRUSTFENCE_SIGN_KEYS_PATH}"
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
+ else
+ echo "Inconsistent CST folder."
+ exit 1
+ fi
+
+ # Extract the public key.
+ install -d ${D}${sysconfdir}/ssl/certs
+ openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
+ fi
 }
 # Do not create debug/devel packages
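Review bot: The `elif` branch runs `trustfence-gen-pki.sh` whenever either certificate test fails, even when the SRK check passed (`n_commas` is 3), because its three conditions are joined with `||`. A partially populated `${TRUSTFENCE_SIGN_KEYS_PATH}`, or a glob like `IMG${KEY_INDEX_1}*crt.pem` that matches more than one file so that `[ -f "${CERT_IMG}" ]` is false, therefore triggers key generation over an existing tree instead of reaching "Inconsistent CST folder". The recovery image could then carry a `key.pub` that does not match the key used to sign update packages; what the generation script does to existing files is not visible here. Only the fully empty case should generate keys: `elif [ "${n_commas}" -eq 0 ] && [ ! -f "${CERT_CSF}" ] && [ ! -f "${CERT_IMG}" ]; then`. I would also re-test `[ -f "${CERT_IMG}" ] || exit 1` just before the `openssl x509` call, so that a failed generation cannot install an empty key file; `do_install` opens above the hunk.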