aktualizr-device-prov-creds: remove it.fix/603/arch-deps

Originally I was just trying to remove the reference to DEPLOY_DIR_IMAGE because it depends on MACHINE, but then I realized that this recipe is just plain not worth keeping. It isn't viable for anything except the most limited testing, since it bakes device-specific credentials into an image, but we weren't even using it for testing. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
author: Patrick Vacek <patrickvacek@gmail.com> 2019-10-17 17:01:18 +0200
committer: Patrick Vacek <patrickvacek@gmail.com> 2019-10-18 13:34:13 +0200
commit: 3f70b2d2f4a3a2fb50be4b8c395d9d09b0853f1a (patch)
tree: 19142fbffd36781ea011d386e1977ba6c6411c6c
parent: b9658f86850b7f66680ee79e7d876f2dba044c4d (diff)
download: meta-updater-fix/603/arch-deps.tar.gz
6 files changed, 0 insertions, 72 deletions
diff --git a/conf/layer.conf b/conf/layer.conf
index f25c5c9..225875b 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -16,7 +16,6 @@ LAYERSERIES_COMPAT_sota = "thud warrior zeus"
 SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
  aktualizr-device-prov->aktualizr \
-  aktualizr-device-prov-creds->aktualizr \
  aktualizr-device-prov-hsm->aktualizr \
  aktualizr-shared-prov->aktualizr \
  aktualizr-shared-prov-creds->aktualizr \
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
deleted file mode 100644
index a3c7d66..0000000
--- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
+++ /dev/null
@@ -1,67 +0,0 @@
-SUMMARY = "Credentials for device provisioning with fleet CA certificate"
-HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
-SECTION = "base"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-inherit allarch
-# WARNING: This is NOT an ideal solution. The secure way to provision devices
-# is to create certificate request directly on the device (either with HSM/TPM
-# or with software) and then sign it with a CA stored on a disconnected machine.
-# We need to get the config files from the aktualizr-host-tools package built by
-# the aktualizr (target) recipe.
-DEPENDS = "aktualizr aktualizr-native openssl-native"
-ALLOW_EMPTY_${PN} = "1"
-# If the config file from aktualizr used here is changed, you will need to bump
-# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
-PV = "1.0"
-PR = "1"
-SRC_URI = " \
-            file://ca.cnf \
-            "
-require credentials.inc
-export SOTA_CACERT_PATH
-export SOTA_CAKEY_PATH
-do_install() {
-    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
-        if [ -z ${SOTA_CACERT_PATH} ]; then
-            SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
-            SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
-            mkdir -p ${DEPLOY_DIR_IMAGE}/CA
-            bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
-            if [ ! -f ${SOTA_CACERT_PATH} ]; then
-                bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
-                SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
-                openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
-                openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
-                bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
-            fi
-        fi
-        if [ -z ${SOTA_CAKEY_PATH} ]; then
-            bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
-        fi
-        install -m 0700 -d ${D}${localstatedir}/sota
-        aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
-                                --fleet-ca ${SOTA_CACERT_PATH} \
-                                --fleet-ca-key ${SOTA_CAKEY_PATH} \
-                                --root-ca \
-                                --server-url \
-                                --local ${D} \
-                                --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
-    fi
-}
-FILES_${PN} = " \
-                ${localstatedir}/sota/*"
-# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
index 8d4bc9c..4eadb77 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -10,7 +10,6 @@ inherit allarch
 # We need to get the config files from the aktualizr-host-tools package built by
 # the aktualizr (target) recipe.
 DEPENDS = "aktualizr"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 # If the config file from aktualizr used here is changed, you will need to bump
 # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb
index e8c75bb..55f398d 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -10,7 +10,6 @@ inherit allarch
 # We need to get the config files from the aktualizr-host-tools package built by
 # the aktualizr (target) recipe.
 DEPENDS = "aktualizr"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 # If the config file from aktualizr used here is changed, you will need to bump
 # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb
index 27d1e3f..7db2c68 100644
--- a/recipes-test/images/secondary-image.bb
+++ b/recipes-test/images/secondary-image.bb
@@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \
                        aktualizr-shared-prov \
                        aktualizr-shared-prov-creds \
                        aktualizr-device-prov \
-                        aktualizr-device-prov-creds \
                        aktualizr-device-prov-hsm \
                        aktualizr-uboot-env-rollback \
                        virtual/network-configuration \
diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh
index 493df80..fcb2f97 100755
--- a/scripts/find_aktualizr_dependencies.sh
+++ b/scripts/find_aktualizr_dependencies.sh
@@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr
 ${parentdir}/find_dependencies.py aktualizr-shared-prov
 ${parentdir}/find_dependencies.py aktualizr-shared-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-device-prov
-${parentdir}/find_dependencies.py aktualizr-device-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-device-prov-hsm
 ${parentdir}/find_dependencies.py aktualizr-auto-reboot
 ${parentdir}/find_dependencies.py aktualizr-disable-send-ip
author	Patrick Vacek <patrickvacek@gmail.com>	2019-10-17 17:01:18 +0200
committer	Patrick Vacek <patrickvacek@gmail.com>	2019-10-18 13:34:13 +0200
commit	3f70b2d2f4a3a2fb50be4b8c395d9d09b0853f1a (patch)
tree	19142fbffd36781ea011d386e1977ba6c6411c6c
parent	b9658f86850b7f66680ee79e7d876f2dba044c4d (diff)
download	meta-updater-fix/603/arch-deps.tar.gz

diff --git a/conf/layer.conf b/conf/layer.conf index f25c5c9..225875b 100644 --- a/conf/layer.conf +++ b/conf/layer.conf
@@ -16,7 +16,6 @@ LAYERSERIES_COMPAT_sota = "thud warrior zeus"
16		16
17	SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \	17	SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
18	aktualizr-device-prov->aktualizr \	18	aktualizr-device-prov->aktualizr \
19	aktualizr-device-prov-creds->aktualizr \
20	aktualizr-device-prov-hsm->aktualizr \	19	aktualizr-device-prov-hsm->aktualizr \
21	aktualizr-shared-prov->aktualizr \	20	aktualizr-shared-prov->aktualizr \
22	aktualizr-shared-prov-creds->aktualizr \	21	aktualizr-shared-prov-creds->aktualizr \


diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb deleted file mode 100644 index a3c7d66..0000000 --- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb +++ /dev/null
@@ -1,67 +0,0 @@
1	SUMMARY = "Credentials for device provisioning with fleet CA certificate"
2	HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
3	SECTION = "base"
4	LICENSE = "MPL-2.0"
5	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
6
7	inherit allarch
8
9	# WARNING: This is NOT an ideal solution. The secure way to provision devices
10	# is to create certificate request directly on the device (either with HSM/TPM
11	# or with software) and then sign it with a CA stored on a disconnected machine.
12
13	# We need to get the config files from the aktualizr-host-tools package built by
14	# the aktualizr (target) recipe.
15	DEPENDS = "aktualizr aktualizr-native openssl-native"
16	ALLOW_EMPTY_${PN} = "1"
17
18	# If the config file from aktualizr used here is changed, you will need to bump
19	# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
20	PV = "1.0"
21	PR = "1"
22
23	SRC_URI = " \
24	file://ca.cnf \
25	"
26
27	require credentials.inc
28
29	export SOTA_CACERT_PATH
30	export SOTA_CAKEY_PATH
31
32	do_install() {
33	if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
34	if [ -z ${SOTA_CACERT_PATH} ]; then
35	SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
36	SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
37	mkdir -p ${DEPLOY_DIR_IMAGE}/CA
38	bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
39
40	if [ ! -f ${SOTA_CACERT_PATH} ]; then
41	bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
42	SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
43	openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
44	openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
45	bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
46	fi
47	fi
48
49	if [ -z ${SOTA_CAKEY_PATH} ]; then
50	bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
51	fi
52
53	install -m 0700 -d ${D}${localstatedir}/sota
54	aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
55	--fleet-ca ${SOTA_CACERT_PATH} \
56	--fleet-ca-key ${SOTA_CAKEY_PATH} \
57	--root-ca \
58	--server-url \
59	--local ${D} \
60	--config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
61	fi
62	}
63
64	FILES_${PN} = " \
65	${localstatedir}/sota/*"
66
67	# vim:set ts=4 sw=4 sts=4 expandtab:


diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb index 8d4bc9c..4eadb77 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -10,7 +10,6 @@ inherit allarch
10	# We need to get the config files from the aktualizr-host-tools package built by	10	# We need to get the config files from the aktualizr-host-tools package built by
11	# the aktualizr (target) recipe.	11	# the aktualizr (target) recipe.
12	DEPENDS = "aktualizr"	12	DEPENDS = "aktualizr"
13	RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
14		13
15	# If the config file from aktualizr used here is changed, you will need to bump	14	# If the config file from aktualizr used here is changed, you will need to bump
16	# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!	15	# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!


diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb index e8c75bb..55f398d 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -10,7 +10,6 @@ inherit allarch
10	# We need to get the config files from the aktualizr-host-tools package built by	10	# We need to get the config files from the aktualizr-host-tools package built by
11	# the aktualizr (target) recipe.	11	# the aktualizr (target) recipe.
12	DEPENDS = "aktualizr"	12	DEPENDS = "aktualizr"
13	RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
14		13
15	# If the config file from aktualizr used here is changed, you will need to bump	14	# If the config file from aktualizr used here is changed, you will need to bump
16	# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!	15	# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!


diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb index 27d1e3f..7db2c68 100644 --- a/recipes-test/images/secondary-image.bb +++ b/recipes-test/images/secondary-image.bb
@@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \
14	aktualizr-shared-prov \	14	aktualizr-shared-prov \
15	aktualizr-shared-prov-creds \	15	aktualizr-shared-prov-creds \
16	aktualizr-device-prov \	16	aktualizr-device-prov \
17	aktualizr-device-prov-creds \
18	aktualizr-device-prov-hsm \	17	aktualizr-device-prov-hsm \
19	aktualizr-uboot-env-rollback \	18	aktualizr-uboot-env-rollback \
20	virtual/network-configuration \	19	virtual/network-configuration \


diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh index 493df80..fcb2f97 100755 --- a/scripts/find_aktualizr_dependencies.sh +++ b/scripts/find_aktualizr_dependencies.sh
@@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr
13	${parentdir}/find_dependencies.py aktualizr-shared-prov	13	${parentdir}/find_dependencies.py aktualizr-shared-prov
14	${parentdir}/find_dependencies.py aktualizr-shared-prov-creds	14	${parentdir}/find_dependencies.py aktualizr-shared-prov-creds
15	${parentdir}/find_dependencies.py aktualizr-device-prov	15	${parentdir}/find_dependencies.py aktualizr-device-prov
16	${parentdir}/find_dependencies.py aktualizr-device-prov-creds
17	${parentdir}/find_dependencies.py aktualizr-device-prov-hsm	16	${parentdir}/find_dependencies.py aktualizr-device-prov-hsm
18	${parentdir}/find_dependencies.py aktualizr-auto-reboot	17	${parentdir}/find_dependencies.py aktualizr-auto-reboot
19	${parentdir}/find_dependencies.py aktualizr-disable-send-ip	18	${parentdir}/find_dependencies.py aktualizr-disable-send-ip