recovery-initramfs: do not generate TrustFence keys in this recipe

- Instead of trying to generate the TrustFence keys in this recipe
  when they are not present, depend on 'virtual/kernel' to
  ensure they are already generated. This solves a concurrency problem
  when two recipes try to generate the TrustFence keys at the same time.

https://jira.digi.com/browse/DEL-3913

Signed-off-by: David Escalona <david.escalona@digi.com>
David Escalona 2017-03-14 09:23:34 +01:00
parent f510a438df
commit e3ce215f67
1 changed files with 7 additions and 18 deletions


@ -4,7 +4,11 @@ SUMMARY = "Recovery initramfs files"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
DEPENDS += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'trustfence-cst-native openssl-native', '', d)}"
# When building a TrustFence enabled recovery initramfs, we need the TrustFence PKI tree to
# be already generated in order to copy the public key. Forcing a dependence against
# 'virtual/kernel' ensures that the keys are already generated as they are needed to sign the
# kernel artifacts.
DEPENDS += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'virtual/kernel openssl-native', '', d)}"
SRC_URI = " \
file://recovery-initramfs-init \
@ -28,25 +32,10 @@ do_install() {
fi
KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
# Check if keys are already generated or not. If keys do not exist, generate them.
SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
CERT_CSF="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/CSF${KEY_INDEX_1}*crt.pem)"
# Find the certificate to use.
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
# PKI tree already exists. Do nothing
echo "Using existing PKI tree for recovery."
elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then
# Generate PKI
mkdir -p "${TRUSTFENCE_SIGN_KEYS_PATH}"
trustfence-gen-pki.sh "${TRUSTFENCE_SIGN_KEYS_PATH}"
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
else
echo "Inconsistent CST folder."
exit 1
fi
# Extract the public key.
# Extract the public key from the certificate.
install -d ${D}${sysconfdir}/ssl/certs
openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
fi
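Review bot: The remaining do_install body resolves `CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"` with no check that the certificate exists now that the generate-or-fail branch is gone: when the glob matches nothing `CERT_IMG` holds the literal pattern and the failure surfaces only as an openssl error on that odd path, and when more than one file matches the echo joins them with spaces and the `-in` argument is wrong. Since the commit's intent is that `virtual/kernel` has already produced the PKI tree, a clear guard before the openssl call is cheap: `[ -f "${CERT_IMG}" ] || bbfatal "TrustFence IMG certificate not found: ${CERT_IMG}"`. While there, `KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)` could become `KEY_INDEX_1=$((KEY_INDEX + 1))`, which avoids a fork and is POSIX. do_install starts before this hunk and its closing brace is not shown in it.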