Etusivu Tutki Apua
Kirjaudu sisään
vdd
/
meta-swupdate
peilaus alkaen https://github.com/sbabic/meta-swupdate
1
0
Fork 0
Tiedostot Ongelmat 0 Wiki
Selaa lähdekoodia

swupdate_class: Add support for engine signing

Add support for hardware signing of the SWU image via openssl engine

SWUPDATE_SIGNING_ENGINE will be used as the engine if it is set

SWUPDATE_SIGNING_ENGINE_PATH will be passed to openssl as
OPENSSL_ENGINES if set.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
George McCollister 8 vuotta sitten
vanhempi
cff58596ed
commit
3ba81db806
2 muutettua tiedostoa jossa 47 lisäystä ja 2 poistoa
Jaettu näkymä Näytä diff tilastot
  1. 27 0
      README
  2. 20 2
      classes/swupdate.bbclass

+ 27 - 0
README
Näytä tiedosto 

@@ -31,6 +31,33 @@ sw-description.sig which is included in the SWU file.
 
 Encrypted private keys are not currently supported since a secure 
 mechanism must exist to provide the passphrase.
 
 
+SWU image hardware signing
 
+--------------------------
 
+
 
+One may prefer to sign the SWU image with a hardware token or hardware security
 
+module (HSM) which doesn't expose the private key.
 
+
 
+To enable, SWUPDATE_SIGNING_ENGINE must be set to an available openssl engine.
 
+
 
+Example:
 
+    SWUPDATE_SIGNING_ENGINE = "pkcs11"
 
+
 
+SWUPDATE_SIGNING_ENGINE_PATH may need to be set so that openssl can locate the
 
+engine.
 
+
 
+Example:
 
+    SWUPDATE_SIGNING_ENGINE_PATH = "/usr/lib"
 
+
 
+Instead of setting SWUPDATE_PRIVATE_KEY to the full path of a file, set it to
 
+a key string recognized by the engine used.
 
+
 
+Example:
 
+    SWUPDATE_PRIVATE_KEY = "pkcs11:model=SoftHSM%20v2;" \
 
+                           "manufacturer=SoftHSM%20project;" \
 
+                           "serial=1234567890;" \
 
+                           "token=test-token;pin-value=123456;" \
 
+                           "object=swupdate-test"
 
+
 
 Maintainer
 
 ----------

+ 20 - 2
classes/swupdate.bbclass
Näytä tiedosto 

@@ -144,16 +144,34 @@ python do_swuimage () {
 
         privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True)
 
         if not privkey:
 
             bb.fatal("SWUPDATE_PRIVATE_KEY isn't set")
 
-        if not os.path.exists(privkey):
 
+
 
+        engine = d.getVar('SWUPDATE_SIGNING_ENGINE', True)
 
+        if engine:
 
+            engine = "-engine '%s' -keyform engine " % (engine)
 
+        elif not os.path.exists(privkey):
 
             bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" % (privkey))
 
+        else:
 
+            engine = ""
 
+
 
+        engine_path = d.getVar('SWUPDATE_SIGNING_ENGINE_PATH', True)
 
+        if engine and engine_path:
 
+            engine_path = 'OPENSSL_ENGINES="%s" ' % (engine_path)
 
+        else:
 
+            engine_path = ""
 
+
 
         passout = d.getVar('SWUPDATE_PASSWORD_FILE', True)
 
         if passout:
 
             passout = "-passin file:'%s' " % (passout)
 
         else:
 
             passout = ""
 
-        signcmd = "openssl dgst -sha256 -sign '%s' %s -out '%s' '%s'" % (
 
+
 
+        # Sign with openssl.real, provided by openssl-native so OPENSSL_ENGINES
 
+        # can be overridden
 
+        signcmd = "%sopenssl.real dgst -sha256 -sign '%s' %s%s -out '%s' '%s'" % (
 
+            engine_path,
 
             privkey,
 
             passout,
 
+            engine,
 
             os.path.join(s, 'sw-description.sig'),
 
             os.path.join(s, 'sw-description'))
 
         if os.system(signcmd) != 0: