dey-image: generate public key after rootfs install

When TrustFence is enabled, a PKI tree is generated. In the case of NXP platforms, the PKI contains public certificates from which the public key needs to be extracted using an openssl command. In the case of STM platforms, the PKI contains directly the public key. In all cases, we need the public key to be installed in the rootfs /etc/ssl/certs/ folder, so that it can be used by swupdate to authenticate signed SWU packages. Up to now, this was being done on the dualboot recipe, but the installation of the public key should really be only dependant on the fact of TF being enabled. This commit: - Removes the generation of the public key from dualboot.bb. - Generates a patch to extract the public key from the certificate as part of the PKI tree generation (on NXP platforms). - Installs the public key during a post install function after the final rootfs has been created. - For NXP platforms, extracts the public key using openssl if it does not exist (for backwards compatibility). Signed-off-by: Hector Palacios <hector.palacios@digi.com>
2023-08-07 11:54:58 +02:00 · 2023-08-07 11:54:58 +02:00 · 998598415a
parent e369f71019
commit 998598415a
4 changed files with 76 additions and 38 deletions
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
@ -21,6 +21,7 @@ SRC_URI = " \
    file://0005-ahab_pki_tree.sh-automate-script.patch \
    file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
    file://0007-rules.mk-weaken-specific-function-err_msg.patch \
+    file://0008-pki_tree.sh-extract-public-keys-from-certificates.patch \
 "

 SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
@ -0,0 +1,42 @@
+From: Hector Palacios <hector.palacios@digi.com>
+Date: Thu, 3 Aug 2023 16:25:36 +0200
+Subject: [PATCH] pki_tree.sh: extract public keys from certificates
+
+The public key needs to be available on the rootfs so that signed SWU
+packages can be authenticated.
+Do this on the PKI generation script so that recipes don't need to do it.
+
+Signed-off-by: Hector Palacios <hector.palacios@digi.com>
+---
+ keys/ahab_pki_tree.sh | 3 +++
+ keys/hab4_pki_tree.sh | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
+index 7f10c5388146..63b5ce58ade7 100755
+--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
+@@ -632,6 +632,9 @@ do
+                   -in temp_sgk.pem \
+                   -out ${sgk_key}.pem
+ 
+    # Extract public key from the certificate
+    openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
+
+     # Cleanup
+     rm ./temp_sgk.pem ./temp_sgk_req.pem
+ 
+diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
+index ac6fb29b7f91..e76f22f40643 100755
+--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
+@@ -682,6 +682,9 @@ do
+                   -in temp_img.pem \
+                   -out ${img_key}.pem
+ 
+    # Extract public key from the certificate
+    openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
+
+     # Cleanup
+     rm ./temp_img.pem ./temp_img_req.pem
+ 
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -69,6 +69,39 @@ check_gen_pki_tree() {
 	fi
 }

+copy_public_key() {
+	if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+		KEY_INDEX="$(expr $TRUSTFENCE_KEY_INDEX + 1)"
+		PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
+		# The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
+		# generation and leaves them in the crts/ folder. However, the PKI tree may
+		# already exist, the PKI generation script not called, and then the public
+		# keys may not be available. This is a fall-back to generate at least the
+		# selected public key.
+		if [ ! -f "${PUBLIC_KEY}" ]; then
+			if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
+				CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
+			elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
+				CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*_ca_crt.pem)"
+			else
+				bberror "Unknown TRUSTFENCE_SIGN_MODE value"
+				exit 1
+			fi
+			# Extract the public key from the certificate.
+			openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"
+		fi
+	elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+		PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
+	else
+		echo "ERROR: Cannot determine the public key"
+		exit 1
+	fi
+	# Copy the public key to the rootfs
+	install -d ${D}${sysconfdir}/ssl/certs
+	cp -f "${PUBLIC_KEY}" "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs/key.pub"
+}
+ROOTFS_POSTINSTALL_COMMAND:append = " copy_public_key;"
+
 python () {
    import binascii
    import hashlib
--- a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
+++ b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
@ -36,44 +36,6 @@ do_install() {

 	install -d ${D}${systemd_unitdir}/system/
 	install -m 0644 ${WORKDIR}/firmware-update-check.service ${D}${systemd_unitdir}/system/
-
-	# If Trustfence is enabled, copy the public key that is going to be used into the
-	# initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
-	if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
-		# Retrieve the key index to use.
-		KEY_INDEX="0"
-		if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then
-			KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
-		fi
-		KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
-
-		# Find the certificate to use.
-		if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
-			if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
-				CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
-			elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
-				CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
-			else
-				bberror "Unknown TRUSTFENCE_SIGN_MODE value"
-				exit 1
-			fi
-			# Extract the public key from the certificate.
-			install -d ${D}${sysconfdir}/ssl/certs
-			openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
-		elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
-			# Copy the public key to the rootfs
-			if [ "${DIGI_SOM}" = "ccmp15" ]; then
-				PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey00.pem"
-			elif [ "${DIGI_SOM}" = "ccmp13" ]; then
-				PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${KEY_INDEX}.pem"
-			else
-				bberror "Unknown DIGI_SOM"
-				exit 1
-			fi
-			install -d ${D}${sysconfdir}/ssl/certs
-			cp ${PUBLIC_KEY} ${D}${sysconfdir}/ssl/certs/key.pub
-		fi
-	fi
 }

 FILES:${PN} += " \