
Add SWU image signing support

If SWUPDATE_SIGNING is set to "1" use openssl to sign sw-description
with SWUPDATE_PRIVATE_KEY and write the signature to sw-description.sig.
Include sw-description.sig in the SWU archive.

Encrypted private keys are not currently supported since a secure
mechanism must exist to provide the passphrase. The best solution may be
to use a smartcard compatible hardware module rather than storing the
key on the filesystem. Expect patches to add support for this in the
future.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
George McCollister, 9 years ago
parent
commit
45de2abbcb
2 changed files with 30 additions and 0 deletions
  1. README (+13 -0)
  2. classes/swupdate.bbclass (+17 -0)
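The sign-and-verify round trip the commit message describes, as an added shell example that is neither part of this commit nor of the project's bbclass: it signs a constructed sw-description with the same `openssl dgst -sha256 -sign` invocation the class uses, verifies it with the matching public key the way a device would, and then shows that changing a hash inside sw-description invalidates the signature. The key pair, the file names and the sample sw-description contents are assumptions made for the example; the class itself takes the key path from SWUPDATE_PRIVATE_KEY.

```shell
#!/bin/sh
# Added example, not code from the commit or the project.
# Needs only openssl on the host.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample sw-description. In the class, @IMAGE tokens have
# already been replaced by sha256 sums by the time signing happens, so
# the hash value below stands in for one of those substituted sums.
cat > "$WORK/sw-description" <<'EOF'
software = {
    version = "1.0";
    images: ({
        filename = "rootfs.ext4";
        sha256 = "0000000000000000000000000000000000000000000000000000000000000000";
    });
}
EOF

# Hypothetical key pair; the class expects SWUPDATE_PRIVATE_KEY to point
# at the private half and the device to hold the public half.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/priv.pem" 2>/dev/null
openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null

# Build side: the same command the bbclass runs. Writes <file>.sig.
sign_sw_description() {
    privkey=$1; desc=$2
    openssl dgst -sha256 -sign "$privkey" -out "$desc.sig" "$desc"
}

# Device side: returns 0 when <file>.sig matches <file> under the public key.
verify_sw_description() {
    pubkey=$1; desc=$2
    openssl dgst -sha256 -verify "$pubkey" -signature "$desc.sig" "$desc" \
        >/dev/null 2>&1
}

sign_sw_description "$WORK/priv.pem" "$WORK/sw-description"
if ! verify_sw_description "$WORK/pub.pem" "$WORK/sw-description"; then
    echo "freshly signed sw-description failed to verify" >&2
    exit 1
fi
echo "signature OK"

# Tamper after signing: swap the image hash but keep the original .sig.
sed 's/sha256 = "0000/sha256 = "1111/' "$WORK/sw-description" > "$WORK/tampered"
cp "$WORK/sw-description.sig" "$WORK/tampered.sig"
if verify_sw_description "$WORK/pub.pem" "$WORK/tampered"; then
    echo "tampered sw-description was accepted" >&2
    exit 1
fi
echo "tampered sw-description rejected"
```

Run it with `sh` on any host that has openssl. The rejected tamper case is the property the signature adds to the update: the images are bound only through the sha256 values substituted into sw-description, so a file that sw-description does not reference by hash is outside the signed set.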

+ 13 - 0
README

@@ -18,6 +18,19 @@ Image hashing
 During creation of the update file, occurrences of @IMAGE (where IMAGE is an
 image filename) are replaced with the sha256 hash of the image.
 
+SWU image signing
+------------
+
+To enable signing:
+    Set SWUPDATE_SIGNING = "1"
+    Set SWUPDATE_PRIVATE_KEY to the full path of private key file
+
+sw-description is signed with the private key and the signature is writen to
+sw-description.sig which is included in the SWU file.
+
+Encrypted private keys are not currently supported since a secure 
+mechanism must exist to provide the passphrase.
+
 Maintainer
 ----------
 
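Review bot: typo in the added README text, `writen` should be `written`, and the underline `------------` is shorter than the heading `SWU image signing`; the `Maintainer` heading just below uses an underline of matching length, so this one should too. The section would also be more useful if it named what is produced (the class runs `openssl dgst -sha256 -sign`, so sw-description.sig is a raw signature over the SHA-256 digest made with that private key) so whoever provisions the device knows which public key and digest to check sw-description.sig against, and if it stated that the image files are covered only through the sha256 hashes substituted into sw-description, which is the part the signature protects.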

+ 17 - 0
classes/swupdate.bbclass

@@ -14,6 +14,7 @@
 
 S = "${WORKDIR}/${PN}"
 
+DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) == '1' else ''}"
 IMAGE_DEPENDS ?= ""
 
 def swupdate_is_hash_needed(s, filename):
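Review bot: the `d.getVar('SWUPDATE_SIGNING', True) == '1'` test is spelled out three times in this patch (here and twice inside do_swuimage); a single helper, or `oe.utils.conditional('SWUPDATE_SIGNING', '1', 'openssl-native', '', d)` for this line, keeps the three in step if the accepted values ever change. Declaring the new knobs next to `IMAGE_DEPENDS ?= ""` (for example `SWUPDATE_SIGNING ?= "0"` and `SWUPDATE_PRIVATE_KEY ?= ""`) would also document them where the class's other variables are defaulted.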
@@ -109,6 +110,9 @@ python do_swuimage () {
 
     deploydir = d.getVar('DEPLOY_DIR_IMAGE', True)
 
+    if d.getVar('SWUPDATE_SIGNING', True) == '1':
+        list_for_cpio.append('sw-description.sig')
+
     for image in images:
         imagename = image + '-' + d.getVar('MACHINE', True)
         fstypes = (d.getVarFlag("SWUPDATE_IMAGES_FSTYPES", image, True) or "").split()
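Review bot: `sw-description.sig` is appended to `list_for_cpio` here, well before the code later in the same function that actually creates the file, so the two halves of the feature can drift apart. The list also fixes the order of entries in the cpio archive, so the position of the `.sig` entry relative to sw-description is significant and deserves a comment; better still, append the entry at the point where the signature is written, so the file is only listed once it exists.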
@@ -125,6 +129,19 @@ python do_swuimage () {
             hash = swupdate_get_sha256(s, file)
             swupdate_write_sha256(s, file, hash)
 
+    if d.getVar('SWUPDATE_SIGNING', True) == '1':
+        privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True)
+        if not privkey:
+            bb.fatal("SWUPDATE_PRIVATE_KEY isn't set")
+        if not os.path.exists(privkey):
+            bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" % (privkey))
+        signcmd = "openssl dgst -sha256 -sign '%s' -out '%s' '%s'" % (
+            privkey,
+            os.path.join(s, 'sw-description.sig'),
+            os.path.join(s, 'sw-description'))
+        if os.system(signcmd) != 0:
+            bb.fatal("Failed to sign sw-description with %s" % (privkey))
+
     line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo $i;done | cpio -ov -H crc >' + os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu')
     os.system("cd " + s + ";" + line)
 }
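Review bot: the signing command is assembled by string interpolation and run through `os.system`; a `SWUPDATE_PRIVATE_KEY` value containing a single quote breaks the quoting and hands the remainder to the shell, and `os.system` also hides which step openssl's stderr belongs to. Prefer `subprocess.check_call(['openssl', 'dgst', '-sha256', '-sign', privkey, '-out', sigfile, descfile])` or `bb.process.run` with an argument list, so no shell parses the path. Two smaller points: `os.path.exists` passes for a directory or an unreadable file, so openssl's own failure is what the user will see; and since the signature is generated with a key that only the build host holds, a `openssl dgst -sha256 -verify` round trip against the matching public key at build time (if one is configured) would catch a wrong or corrupted key before an unverifiable SWU reaches a device.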