Add SOTA_DEPLOY_CREDENTIALS variable to control whether the built image should be provisioned

author: Anton Gerasimov <anton@advancedtelematic.com> 2018-09-05 16:22:07 +0200
committer: Anton Gerasimov <tossel@gmail.com> 2018-10-01 10:44:50 +0200
commit: 673a4b91d1794b7c89265ba3dd62febf8826e14f (patch)
tree: 49de996c62afdc0d8719588bc8a67981a808f20a
parent: 9476fa542cc7bc7695c58b54398b104f8e7023b6 (diff)
download: meta-updater-673a4b91d1794b7c89265ba3dd62febf8826e14f.tar.gz
9 files changed, 88 insertions, 98 deletions
diff --git a/README.adoc b/README.adoc
index 7ffdde2..322831f 100644
--- a/README.adoc
+++ b/README.adoc
@@ -80,6 +80,7 @@ Although we have used U-Boot so far, other boot loaders can be configured work w
 * `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky".
 * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.
 * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
+* `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
 * `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe.
 * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client).
 * `SOTA_SECONDARY_ECUS` - a list of paths separated by spaces of JSON configuration files for virtual secondaries on the host. These will be installed into `/var/sota/ecus` on the device.
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index f5c6247..98cc3de 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -10,6 +10,8 @@ HOSTTOOLS_NONFATAL += "java"
 SOTA_CLIENT ??= "aktualizr"
 SOTA_CLIENT_PROV ??= "aktualizr-auto-prov"
+SOTA_DEPLOY_CREDENTIALS ?= "1"
 IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}"
 IMAGE_CLASSES += " image_types_ostree image_types_ota"
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb
new file mode 100644
index 0000000..d964a0a
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Credentials for autoprovisioning scenario"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+DEPENDS = "aktualizr-native zip-native"
+require credentials.inc
+do_install() {
+    if [ -n ${SOTA_PACKED_CREDENTIALS} ]; then
+        install -m 0700 -d ${D}${localstatedir}/sota
+        cp ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip
+        # Device should not be able to push data to treehub
+        zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json
+    fi
+}
+FILES_${PN} = " \
+                ${localstatedir}/sota/sota_provisioning_credentials.zip \
+                "
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
index 9fa95ed..65e89bd 100644
--- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
@@ -6,7 +6,8 @@ LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 DEPENDS = "aktualizr-native zip-native"
-RDEPENDS_${PN} = "aktualizr"
+RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
+RDEPENDS_${PN} = " aktualizr"
 PV = "1.0"
 PR = "6"
@@ -31,19 +32,10 @@ do_install() {
    install -m 0700 -d ${D}${libdir}/sota/conf.d
    install -m 0700 -d ${D}${localstatedir}/sota
-    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
+    aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)}
-        aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)}
+    install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \
-        install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \
+        ${D}${libdir}/sota/conf.d/20-${aktualizr_toml}
-            ${D}${libdir}/sota/conf.d/20-${aktualizr_toml}
-        # deploy SOTA credentials
-        if [ -e ${SOTA_PACKED_CREDENTIALS} ]; then
-            cp ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip
-            # Device should not be able to push data to treehub
-            zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json
-        fi
-    fi
 }
 FILES_${PN} = " \
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
new file mode 100644
index 0000000..5debc19
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
@@ -0,0 +1,50 @@
+SUMMARY = "Credentials for implicit provisioning with CA certificate"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+DEPENDS = "aktualizr aktualizr-native"
+SRC_URI = " \
+  file://ca.cnf \
+  "
+require credentials.inc
+export SOTA_CACERT_PATH
+export SOTA_CAKEY_PATH
+do_install() {
+    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
+        if [ -z ${SOTA_CACERT_PATH} ]; then
+            SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
+            SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
+            mkdir -p ${DEPLOY_DIR_IMAGE}/CA
+            bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
+            if [ ! -f ${SOTA_CACERT_PATH} ]; then
+                bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
+                SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
+                openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
+                openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
+                bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
+            fi
+        fi
+        if [ -z ${SOTA_CAKEY_PATH} ]; then
+            bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
+        fi
+        install -m 0700 -d ${D}${localstatedir}/sota
+        aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
+                                --device-ca ${SOTA_CACERT_PATH} \
+                                --device-ca-key ${SOTA_CAKEY_PATH} \
+                                --root-ca \
+                                --server-url \
+                                --local ${D} \
+                                --config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml
+    fi
+}
+FILES_${PN} = " \
+                ${localstatedir}/sota/*"
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
index 83504f1..2763185 100644
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -10,62 +10,23 @@ LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 DEPENDS = "aktualizr aktualizr-native openssl-native"
+RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
-SRC_URI = " \
-  file://ca.cnf \
-  "
 PV = "1.0"
 PR = "1"
 require environment.inc
 require credentials.inc
-export SOTA_CACERT_PATH
-export SOTA_CAKEY_PATH
 do_install() {
    install -m 0700 -d ${D}${libdir}/sota/conf.d
-    if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then
-        bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"
-    fi
-    if [ -z ${SOTA_CACERT_PATH} ]; then
-        SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
-        SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
-        mkdir -p ${DEPLOY_DIR_IMAGE}/CA
-        bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
-        if [ ! -f ${SOTA_CACERT_PATH} ]; then
-            bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
-            SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
-            openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
-            openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
-            bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
-        fi
-    fi
-    if [ -z ${SOTA_CAKEY_PATH} ]; then
-        bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
-    fi
-    install -m 0700 -d ${D}${localstatedir}/sota
    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \
        ${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml
-    aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
-                            --device-ca ${SOTA_CACERT_PATH} \
-                            --device-ca-key ${SOTA_CAKEY_PATH} \
-                            --root-ca \
-                            --server-url \
-                            --local ${D}${localstatedir}/sota \
-                            --config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml
 }
 FILES_${PN} = " \
-                ${libdir}/sota/conf.d \
                ${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \
-                ${libdir}/sota/root.crt \
-                ${localstatedir}/sota/* \
                "
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
index 0450138..e915046 100644
--- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
@@ -6,6 +6,7 @@ LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 DEPENDS = "aktualizr aktualizr-native"
+RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
 SRC_URI = ""
 PV = "1.0"
@@ -18,16 +19,11 @@ do_install() {
    install -m 0700 -d ${D}${libdir}/sota/conf.d
    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_hsm_prov.toml \
        ${D}${libdir}/sota/conf.d/20-sota_hsm_prov.toml
-    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
-        aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} --no-root-ca \
-            -o ${D}${libdir}/sota/conf.d/30-implicit_server.toml -p ${D}
-    fi
 }
 FILES_${PN} = " \
                ${libdir}/sota/conf.d \
                ${libdir}/sota/conf.d/20-sota_hsm_prov.toml \
-                ${libdir}/sota/conf.d/30-implicit_server.toml \
                "
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-implicit-prov.bb
deleted file mode 100644
index 5c54e8a..0000000
--- a/recipes-sota/aktualizr/aktualizr-implicit-prov.bb
+++ /dev/null
@@ -1,34 +0,0 @@
-SUMMARY = "Aktualizr configuration for implicit provisioning"
-DESCRIPTION = "Configuration for implicitly provisioning Aktualizr, the SOTA Client application written in C++"
-HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
-SECTION = "base"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-DEPENDS = "aktualizr aktualizr-native"
-SRC_URI = ""
-PV = "1.0"
-PR = "1"
-require environment.inc
-require credentials.inc
-do_install() {
-    install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov.toml \
-        ${D}${libdir}/sota/conf.d/20-sota_implicit_prov.toml
-    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
-        aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} \
-            -o ${D}${libdir}/sota/conf.d/30-implicit_server.toml -p ${D}
-    fi
-}
-FILES_${PN} = " \
-                ${libdir}/sota/conf.d \
-                ${libdir}/sota/conf.d/20-implicit_prov.toml \
-                ${libdir}/sota/conf.d/30-implicit_server.toml \
-                ${libdir}/sota/root.crt \
-                "
-# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 7a0641d..3c91386 100755
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -11,12 +11,13 @@ DEPENDS_append_class-native = "glib-2.0-native "
 RDEPENDS_${PN}_class-target = "lshw "
 RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} "
-RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' softhsm softhsm-testtoken', '', d)}"
 RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'ubootenv', ' u-boot-fw-utils aktualizr-uboot-env-rollback', '', d)} "
 RDEPENDS_${PN}_append_class-target = " ${PN}-tools "
 RDEPENDS_${PN}-secondary_append_class-target = " ${PN}-tools "
+RDEPENDS_${PN}_class-target = " openssl-bin "
 PV = "1.0+git${SRCPV}"
 PR = "7"
@@ -27,8 +28,8 @@ SRC_URI = " \
  file://aktualizr-secondary.socket \
  file://aktualizr-serialcan.service \
  "
-SRCREV = "090c463c6f1ec7a7ceae963cd7b4ba99aa74e1f5"
+SRCREV = "097c763ab4b4b057fa6bedfdac2049e53df93539"
-BRANCH ?= "master"
+BRANCH ?= "feat/OTA-719/split-provision"
 S = "${WORKDIR}/git"
@@ -64,7 +65,6 @@ do_install_append () {
    install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml
    install -m 0644 ${S}/config/sota_autoprov_primary.toml ${D}/${libdir}/sota/sota_autoprov_primary.toml
    install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml
-    install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml
    install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml
    install -m 0644 ${S}/config/sota_secondary.toml ${D}/${libdir}/sota/sota_secondary.toml
    install -m 0644 ${S}/config/sota_uboot_env.toml ${D}/${libdir}/sota/sota_uboot_env.toml
@@ -113,7 +113,6 @@ FILES_${PN}-host-tools = " \
                ${libdir}/sota/sota_autoprov.toml \
                ${libdir}/sota/sota_autoprov_primary.toml \
                ${libdir}/sota/sota_hsm_prov.toml \
-                ${libdir}/sota/sota_implicit_prov.toml \
                ${libdir}/sota/sota_implicit_prov_ca.toml \
                ${libdir}/sota/sota_uboot_env.toml \
                "
author	Anton Gerasimov <anton@advancedtelematic.com>	2018-09-05 16:22:07 +0200
committer	Anton Gerasimov <tossel@gmail.com>	2018-10-01 10:44:50 +0200
commit	673a4b91d1794b7c89265ba3dd62febf8826e14f (patch)
tree	49de996c62afdc0d8719588bc8a67981a808f20a
parent	9476fa542cc7bc7695c58b54398b104f8e7023b6 (diff)
download	meta-updater-673a4b91d1794b7c89265ba3dd62febf8826e14f.tar.gz

diff --git a/README.adoc b/README.adoc index 7ffdde2..322831f 100644 --- a/README.adoc +++ b/README.adoc
@@ -80,6 +80,7 @@ Although we have used U-Boot so far, other boot loaders can be configured work w
80	* `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky".	80	* `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky".
81	* `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.	81	* `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.
82	* `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].	82	* `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
		83	* `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
83	* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe.	84	* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe.
84	* `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client).	85	* `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client).
85	* `SOTA_SECONDARY_ECUS` - a list of paths separated by spaces of JSON configuration files for virtual secondaries on the host. These will be installed into `/var/sota/ecus` on the device.	86	* `SOTA_SECONDARY_ECUS` - a list of paths separated by spaces of JSON configuration files for virtual secondaries on the host. These will be installed into `/var/sota/ecus` on the device.


diff --git a/classes/sota.bbclass b/classes/sota.bbclass index f5c6247..98cc3de 100644 --- a/classes/sota.bbclass +++ b/classes/sota.bbclass
@@ -10,6 +10,8 @@ HOSTTOOLS_NONFATAL += "java"
10		10
11	SOTA_CLIENT ??= "aktualizr"	11	SOTA_CLIENT ??= "aktualizr"
12	SOTA_CLIENT_PROV ??= "aktualizr-auto-prov"	12	SOTA_CLIENT_PROV ??= "aktualizr-auto-prov"
		13	SOTA_DEPLOY_CREDENTIALS ?= "1"
		14
13	IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}"	15	IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}"
14	IMAGE_CLASSES += " image_types_ostree image_types_ota"	16	IMAGE_CLASSES += " image_types_ostree image_types_ota"
15		17


diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb new file mode 100644 index 0000000..d964a0a --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb
@@ -0,0 +1,23 @@
		1	SUMMARY = "Credentials for autoprovisioning scenario"
		2	SECTION = "base"
		3	LICENSE = "MPL-2.0"
		4	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
		5
		6	DEPENDS = "aktualizr-native zip-native"
		7
		8	require credentials.inc
		9
		10	do_install() {
		11	if [ -n ${SOTA_PACKED_CREDENTIALS} ]; then
		12	install -m 0700 -d ${D}${localstatedir}/sota
		13	cp ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip
		14	# Device should not be able to push data to treehub
		15	zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json
		16	fi
		17	}
		18
		19	FILES_${PN} = " \
		20	${localstatedir}/sota/sota_provisioning_credentials.zip \
		21	"
		22
		23	# vim:set ts=4 sw=4 sts=4 expandtab:


diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-auto-prov.bb index 9fa95ed..65e89bd 100644 --- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
@@ -6,7 +6,8 @@ LICENSE = "MPL-2.0"
6	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"	6	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
7		7
8	DEPENDS = "aktualizr-native zip-native"	8	DEPENDS = "aktualizr-native zip-native"
9	RDEPENDS_${PN} = "aktualizr"	9	RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
		10	RDEPENDS_${PN} = " aktualizr"
10	PV = "1.0"	11	PV = "1.0"
11	PR = "6"	12	PR = "6"
12		13
@@ -31,19 +32,10 @@ do_install() {
31		32
32	install -m 0700 -d ${D}${libdir}/sota/conf.d	33	install -m 0700 -d ${D}${libdir}/sota/conf.d
33	install -m 0700 -d ${D}${localstatedir}/sota	34	install -m 0700 -d ${D}${localstatedir}/sota
34	if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then	35	aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)}
35	aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)}	36
36		37	install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \
37	install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \	38	${D}${libdir}/sota/conf.d/20-${aktualizr_toml}
38	${D}${libdir}/sota/conf.d/20-${aktualizr_toml}
39
40	# deploy SOTA credentials
41	if [ -e ${SOTA_PACKED_CREDENTIALS} ]; then
42	cp ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip
43	# Device should not be able to push data to treehub
44	zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json
45	fi
46	fi
47	}	39	}
48		40
49	FILES_${PN} = " \	41	FILES_${PN} = " \


diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb new file mode 100644 index 0000000..5debc19 --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
@@ -0,0 +1,50 @@
		1	SUMMARY = "Credentials for implicit provisioning with CA certificate"
		2	SECTION = "base"
		3	LICENSE = "MPL-2.0"
		4	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
		5
		6	DEPENDS = "aktualizr aktualizr-native"
		7
		8	SRC_URI = " \
		9	file://ca.cnf \
		10	"
		11
		12	require credentials.inc
		13
		14	export SOTA_CACERT_PATH
		15	export SOTA_CAKEY_PATH
		16
		17	do_install() {
		18	if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
		19	if [ -z ${SOTA_CACERT_PATH} ]; then
		20	SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
		21	SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
		22	mkdir -p ${DEPLOY_DIR_IMAGE}/CA
		23	bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
		24
		25	if [ ! -f ${SOTA_CACERT_PATH} ]; then
		26	bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
		27	SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
		28	openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
		29	openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
		30	bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
		31	fi
		32	fi
		33
		34	if [ -z ${SOTA_CAKEY_PATH} ]; then
		35	bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
		36	fi
		37
		38	install -m 0700 -d ${D}${localstatedir}/sota
		39	aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
		40	--device-ca ${SOTA_CACERT_PATH} \
		41	--device-ca-key ${SOTA_CAKEY_PATH} \
		42	--root-ca \
		43	--server-url \
		44	--local ${D} \
		45	--config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml
		46	fi
		47	}
		48
		49	FILES_${PN} = " \
		50	${localstatedir}/sota/*"


diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb index 83504f1..2763185 100644 --- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -10,62 +10,23 @@ LICENSE = "MPL-2.0"
10	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"	10	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
11		11
12	DEPENDS = "aktualizr aktualizr-native openssl-native"	12	DEPENDS = "aktualizr aktualizr-native openssl-native"
		13	RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
13		14
14	SRC_URI = " \
15	file://ca.cnf \
16	"
17	PV = "1.0"	15	PV = "1.0"
18	PR = "1"	16	PR = "1"
19		17
20	require environment.inc	18	require environment.inc
21	require credentials.inc	19	require credentials.inc
22		20
23	export SOTA_CACERT_PATH
24	export SOTA_CAKEY_PATH
25
26	do_install() {	21	do_install() {
27	install -m 0700 -d ${D}${libdir}/sota/conf.d	22	install -m 0700 -d ${D}${libdir}/sota/conf.d
28		23
29	if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then
30	bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"
31	fi
32
33	if [ -z ${SOTA_CACERT_PATH} ]; then
34	SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
35	SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
36	mkdir -p ${DEPLOY_DIR_IMAGE}/CA
37	bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
38
39	if [ ! -f ${SOTA_CACERT_PATH} ]; then
40	bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
41	SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
42	openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
43	openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
44	bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
45	fi
46	fi
47
48	if [ -z ${SOTA_CAKEY_PATH} ]; then
49	bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
50	fi
51
52	install -m 0700 -d ${D}${localstatedir}/sota
53	install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \	24	install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \
54	${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml	25	${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml
55	aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
56	--device-ca ${SOTA_CACERT_PATH} \
57	--device-ca-key ${SOTA_CAKEY_PATH} \
58	--root-ca \
59	--server-url \
60	--local ${D}${localstatedir}/sota \
61	--config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml
62	}	26	}
63		27
64	FILES_${PN} = " \	28	FILES_${PN} = " \
65	${libdir}/sota/conf.d \
66	${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \	29	${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \
67	${libdir}/sota/root.crt \
68	${localstatedir}/sota/* \
69	"	30	"
70		31
71	# vim:set ts=4 sw=4 sts=4 expandtab:	32	# vim:set ts=4 sw=4 sts=4 expandtab:


diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb index 0450138..e915046 100644 --- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
@@ -6,6 +6,7 @@ LICENSE = "MPL-2.0"
6	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"	6	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
7		7
8	DEPENDS = "aktualizr aktualizr-native"	8	DEPENDS = "aktualizr aktualizr-native"
		9	RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
9		10
10	SRC_URI = ""	11	SRC_URI = ""
11	PV = "1.0"	12	PV = "1.0"
@@ -18,16 +19,11 @@ do_install() {
18	install -m 0700 -d ${D}${libdir}/sota/conf.d	19	install -m 0700 -d ${D}${libdir}/sota/conf.d
19	install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_hsm_prov.toml \	20	install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_hsm_prov.toml \
20	${D}${libdir}/sota/conf.d/20-sota_hsm_prov.toml	21	${D}${libdir}/sota/conf.d/20-sota_hsm_prov.toml
21	if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
22	aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} --no-root-ca \
23	-o ${D}${libdir}/sota/conf.d/30-implicit_server.toml -p ${D}
24	fi
25	}	22	}
26		23
27	FILES_${PN} = " \	24	FILES_${PN} = " \
28	${libdir}/sota/conf.d \	25	${libdir}/sota/conf.d \
29	${libdir}/sota/conf.d/20-sota_hsm_prov.toml \	26	${libdir}/sota/conf.d/20-sota_hsm_prov.toml \
30	${libdir}/sota/conf.d/30-implicit_server.toml \
31	"	27	"
32		28
33	# vim:set ts=4 sw=4 sts=4 expandtab:	29	# vim:set ts=4 sw=4 sts=4 expandtab:


diff --git a/recipes-sota/aktualizr/aktualizr-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-implicit-prov.bb deleted file mode 100644 index 5c54e8a..0000000 --- a/recipes-sota/aktualizr/aktualizr-implicit-prov.bb +++ /dev/null
@@ -1,34 +0,0 @@
1	SUMMARY = "Aktualizr configuration for implicit provisioning"
2	DESCRIPTION = "Configuration for implicitly provisioning Aktualizr, the SOTA Client application written in C++"
3	HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
4	SECTION = "base"
5	LICENSE = "MPL-2.0"
6	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
7
8	DEPENDS = "aktualizr aktualizr-native"
9
10	SRC_URI = ""
11	PV = "1.0"
12	PR = "1"
13
14	require environment.inc
15	require credentials.inc
16
17	do_install() {
18	install -m 0700 -d ${D}${libdir}/sota/conf.d
19	install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov.toml \
20	${D}${libdir}/sota/conf.d/20-sota_implicit_prov.toml
21	if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
22	aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} \
23	-o ${D}${libdir}/sota/conf.d/30-implicit_server.toml -p ${D}
24	fi
25	}
26
27	FILES_${PN} = " \
28	${libdir}/sota/conf.d \
29	${libdir}/sota/conf.d/20-implicit_prov.toml \
30	${libdir}/sota/conf.d/30-implicit_server.toml \
31	${libdir}/sota/root.crt \
32	"
33
34	# vim:set ts=4 sw=4 sts=4 expandtab:


diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index 7a0641d..3c91386 100755 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -11,12 +11,13 @@ DEPENDS_append_class-native = "glib-2.0-native "
11		11
12	RDEPENDS_${PN}_class-target = "lshw "	12	RDEPENDS_${PN}_class-target = "lshw "
13	RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} "	13	RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} "
14	RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' softhsm softhsm-testtoken', '', d)}"
15	RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'ubootenv', ' u-boot-fw-utils aktualizr-uboot-env-rollback', '', d)} "	14	RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'ubootenv', ' u-boot-fw-utils aktualizr-uboot-env-rollback', '', d)} "
16		15
17	RDEPENDS_${PN}_append_class-target = " ${PN}-tools "	16	RDEPENDS_${PN}_append_class-target = " ${PN}-tools "
18	RDEPENDS_${PN}-secondary_append_class-target = " ${PN}-tools "	17	RDEPENDS_${PN}-secondary_append_class-target = " ${PN}-tools "
19		18
		19	RDEPENDS_${PN}_class-target = " openssl-bin "
		20
20	PV = "1.0+git${SRCPV}"	21	PV = "1.0+git${SRCPV}"
21	PR = "7"	22	PR = "7"
22		23
@@ -27,8 +28,8 @@ SRC_URI = " \
27	file://aktualizr-secondary.socket \	28	file://aktualizr-secondary.socket \
28	file://aktualizr-serialcan.service \	29	file://aktualizr-serialcan.service \
29	"	30	"
30	SRCREV = "090c463c6f1ec7a7ceae963cd7b4ba99aa74e1f5"	31	SRCREV = "097c763ab4b4b057fa6bedfdac2049e53df93539"
31	BRANCH ?= "master"	32	BRANCH ?= "feat/OTA-719/split-provision"
32		33
33	S = "${WORKDIR}/git"	34	S = "${WORKDIR}/git"
34		35
@@ -64,7 +65,6 @@ do_install_append () {
64	install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml	65	install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml
65	install -m 0644 ${S}/config/sota_autoprov_primary.toml ${D}/${libdir}/sota/sota_autoprov_primary.toml	66	install -m 0644 ${S}/config/sota_autoprov_primary.toml ${D}/${libdir}/sota/sota_autoprov_primary.toml
66	install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml	67	install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml
67	install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml
68	install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml	68	install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml
69	install -m 0644 ${S}/config/sota_secondary.toml ${D}/${libdir}/sota/sota_secondary.toml	69	install -m 0644 ${S}/config/sota_secondary.toml ${D}/${libdir}/sota/sota_secondary.toml
70	install -m 0644 ${S}/config/sota_uboot_env.toml ${D}/${libdir}/sota/sota_uboot_env.toml	70	install -m 0644 ${S}/config/sota_uboot_env.toml ${D}/${libdir}/sota/sota_uboot_env.toml
@@ -113,7 +113,6 @@ FILES_${PN}-host-tools = " \
113	${libdir}/sota/sota_autoprov.toml \	113	${libdir}/sota/sota_autoprov.toml \
114	${libdir}/sota/sota_autoprov_primary.toml \	114	${libdir}/sota/sota_autoprov_primary.toml \
115	${libdir}/sota/sota_hsm_prov.toml \	115	${libdir}/sota/sota_hsm_prov.toml \
116	${libdir}/sota/sota_implicit_prov.toml \
117	${libdir}/sota/sota_implicit_prov_ca.toml \	116	${libdir}/sota/sota_implicit_prov_ca.toml \
118	${libdir}/sota/sota_uboot_env.toml \	117	${libdir}/sota/sota_uboot_env.toml \
119	"	118	"