diff options
| author | Patrick Vacek <patrickvacek@gmail.com> | 2018-10-01 16:49:31 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-10-01 16:49:31 +0200 |
| commit | a9d43a87ed1cc6b61257299d534b7922644c6ecd (patch) | |
| tree | 0dfbf98077d7701343bdda2f61532f5d4b27db43 | |
| parent | 9476fa542cc7bc7695c58b54398b104f8e7023b6 (diff) | |
| parent | e689954dc9a07f1ceef65c797056f805daad90a9 (diff) | |
| download | meta-updater-a9d43a87ed1cc6b61257299d534b7922644c6ecd.tar.gz | |
Merge pull request #383 from advancedtelematic/feat/OTA-719/nodeploy
Add SOTA_DEPLOY_CREDENTIALS variable to control whether the built image should be provisioned
| -rw-r--r-- | README.adoc | 16 | ||||
| -rw-r--r-- | classes/sota.bbclass | 2 | ||||
| -rw-r--r-- | lib/oeqa/selftest/cases/updater.py | 30 | ||||
| -rw-r--r-- | recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb | 24 | ||||
| -rw-r--r-- | recipes-sota/aktualizr/aktualizr-auto-prov.bb | 19 | ||||
| -rw-r--r-- | recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb | 51 | ||||
| -rw-r--r-- | recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb | 41 | ||||
| -rw-r--r-- | recipes-sota/aktualizr/aktualizr-hsm-prov.bb | 6 | ||||
| -rw-r--r-- | recipes-sota/aktualizr/aktualizr-implicit-prov.bb | 34 | ||||
| -rwxr-xr-x | recipes-sota/aktualizr/aktualizr_git.bb | 5 | ||||
| -rw-r--r-- | recipes-support/softhsm-testtoken/files/createtoken.sh | 3 |
11 files changed, 119 insertions, 112 deletions
diff --git a/README.adoc b/README.adoc index 7ffdde2..a2b0e3d 100644 --- a/README.adoc +++ b/README.adoc | |||
| @@ -80,7 +80,8 @@ Although we have used U-Boot so far, other boot loaders can be configured work w | |||
| 80 | * `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky". | 80 | * `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky". |
| 81 | * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy. | 81 | * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy. |
| 82 | * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push]. | 82 | * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push]. |
| 83 | * `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe. | 83 | * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build. |
| 84 | * `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-ca-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe. | ||
| 84 | * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client). | 85 | * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client). |
| 85 | * `SOTA_SECONDARY_ECUS` - a list of paths separated by spaces of JSON configuration files for virtual secondaries on the host. These will be installed into `/var/sota/ecus` on the device. | 86 | * `SOTA_SECONDARY_ECUS` - a list of paths separated by spaces of JSON configuration files for virtual secondaries on the host. These will be installed into `/var/sota/ecus` on the device. |
| 86 | * `SOTA_VIRTUAL_SECONDARIES` - a list of paths separated by spaces of JSON configuration files for virtual secondaries installed on the device. If `SOTA_SECONDARY_ECUS` is used to install them, then you can expect them to be installed in `/var/sota/ecus`. | 87 | * `SOTA_VIRTUAL_SECONDARIES` - a list of paths separated by spaces of JSON configuration files for virtual secondaries installed on the device. If `SOTA_SECONDARY_ECUS` is used to install them, then you can expect them to be installed in `/var/sota/ecus`. |
| @@ -197,3 +198,16 @@ oe-selftest --run-tests updater | |||
| 197 | ``` | 198 | ``` |
| 198 | 199 | ||
| 199 | For more information about oe-selftest, including details about how to run individual test modules or classes, please refer to the https://wiki.yoctoproject.org/wiki/Oe-selftest[Yocto Project wiki]. | 200 | For more information about oe-selftest, including details about how to run individual test modules or classes, please refer to the https://wiki.yoctoproject.org/wiki/Oe-selftest[Yocto Project wiki]. |
| 201 | |||
| 202 | == Manual provisoning | ||
| 203 | As described in <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section you can set `SOTA_DEPLOY_CREDENTIALS` to `0` to prevent deploying credentials to the built `wic` image. In this case you get a generic image that you can use e.g. on a production line to flash a series of devices. The cost of this approach is that this image is half-baked and should be provisioned before it can connect to the backend. | ||
| 204 | |||
| 205 | Provisioning procedure depends on your provisioning recipe, i.e. the value of `SOTA_CLIENT_PROV` (equal to `aktualizr-auto-prov` by default). | ||
| 206 | * For `aktualizr-auto-prov` put your `credentials.zip` to `/var/sota/sota_provisioning_credentials.zip` on the filesystem of a running device. If you have the filesystem of our device mounted to your build machine, prefix all paths with `/ostree/deploy/poky` as in `/ostree/deploy/poky/var/sota/sota_provisioning_credentials.zip`. | ||
| 207 | * For `aktualizr-ca-implicit-prov` | ||
| 208 | ** put URL to the used backend (together with protocol prefix and port number) to `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in `autoprov.url` file in your credentials archive. | ||
| 209 | ** put client certificate, private key and root CA certificate (for the *server*, not for the *device*) to `/var/sota/import/client.pem`, `/var/sota/import/pkey.pem` and `/var/sota/import/root.crt` respectively. | ||
| 210 | * For `aktualizr-hsm-prov` | ||
| 211 | ** put URL to the used backend (together with protocol prefix and port number) to `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in `autoprov.url` file in your credentials archive. | ||
| 212 | ** put root CA certificate (for the *server*, not for the *device*) to `/var/sota/import/root.crt`. | ||
| 213 | ** put client certificate and private key to slots 1 and 2 of the PKCS#11-compatible device. | ||
diff --git a/classes/sota.bbclass b/classes/sota.bbclass index f5c6247..98cc3de 100644 --- a/classes/sota.bbclass +++ b/classes/sota.bbclass | |||
| @@ -10,6 +10,8 @@ HOSTTOOLS_NONFATAL += "java" | |||
| 10 | 10 | ||
| 11 | SOTA_CLIENT ??= "aktualizr" | 11 | SOTA_CLIENT ??= "aktualizr" |
| 12 | SOTA_CLIENT_PROV ??= "aktualizr-auto-prov" | 12 | SOTA_CLIENT_PROV ??= "aktualizr-auto-prov" |
| 13 | SOTA_DEPLOY_CREDENTIALS ?= "1" | ||
| 14 | |||
| 13 | IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}" | 15 | IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}" |
| 14 | IMAGE_CLASSES += " image_types_ostree image_types_ota" | 16 | IMAGE_CLASSES += " image_types_ostree image_types_ota" |
| 15 | 17 | ||
diff --git a/lib/oeqa/selftest/cases/updater.py b/lib/oeqa/selftest/cases/updater.py index a3fe407..38bdcbf 100644 --- a/lib/oeqa/selftest/cases/updater.py +++ b/lib/oeqa/selftest/cases/updater.py | |||
| @@ -110,25 +110,25 @@ class AktualizrToolsTests(OESelftestTestCase): | |||
| 110 | 110 | ||
| 111 | def test_cert_provider_local_output(self): | 111 | def test_cert_provider_local_output(self): |
| 112 | logger = logging.getLogger("selftest") | 112 | logger = logging.getLogger("selftest") |
| 113 | logger.info('Running bitbake to build aktualizr-implicit-prov') | 113 | logger.info('Running bitbake to build aktualizr-ca-implicit-prov') |
| 114 | bitbake('aktualizr-implicit-prov') | 114 | bitbake('aktualizr-ca-implicit-prov') |
| 115 | bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS', 'T'], 'aktualizr-native') | 115 | bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS', 'T'], 'aktualizr-native') |
| 116 | creds = bb_vars['SOTA_PACKED_CREDENTIALS'] | 116 | creds = bb_vars['SOTA_PACKED_CREDENTIALS'] |
| 117 | temp_dir = bb_vars['T'] | 117 | temp_dir = bb_vars['T'] |
| 118 | bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-implicit-prov') | 118 | bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-ca-implicit-prov') |
| 119 | config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov.toml' | 119 | config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov_ca.toml' |
| 120 | 120 | ||
| 121 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -r -l {temp} -g {config}' | 121 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -r -l {temp} -g {config}' |
| 122 | .format(creds=creds, temp=temp_dir, config=config)) | 122 | .format(creds=creds, temp=temp_dir, config=config)) |
| 123 | 123 | ||
| 124 | # Might be nice if these names weren't hardcoded. | 124 | # Might be nice if these names weren't hardcoded. |
| 125 | cert_path = temp_dir + '/client.pem' | 125 | cert_path = temp_dir + '/var/sota/import/client.pem' |
| 126 | self.assertTrue(os.path.isfile(cert_path), "Client certificate not found at %s." % cert_path) | 126 | self.assertTrue(os.path.isfile(cert_path), "Client certificate not found at %s." % cert_path) |
| 127 | self.assertTrue(os.path.getsize(cert_path) > 0, "Client certificate at %s is empty." % cert_path) | 127 | self.assertTrue(os.path.getsize(cert_path) > 0, "Client certificate at %s is empty." % cert_path) |
| 128 | pkey_path = temp_dir + '/pkey.pem' | 128 | pkey_path = temp_dir + '/var/sota/import/pkey.pem' |
| 129 | self.assertTrue(os.path.isfile(pkey_path), "Private key not found at %s." % pkey_path) | 129 | self.assertTrue(os.path.isfile(pkey_path), "Private key not found at %s." % pkey_path) |
| 130 | self.assertTrue(os.path.getsize(pkey_path) > 0, "Private key at %s is empty." % pkey_path) | 130 | self.assertTrue(os.path.getsize(pkey_path) > 0, "Private key at %s is empty." % pkey_path) |
| 131 | ca_path = temp_dir + '/root.crt' | 131 | ca_path = temp_dir + '/var/sota/import/root.crt' |
| 132 | self.assertTrue(os.path.isfile(ca_path), "Client certificate not found at %s." % ca_path) | 132 | self.assertTrue(os.path.isfile(ca_path), "Client certificate not found at %s." % ca_path) |
| 133 | self.assertTrue(os.path.getsize(ca_path) > 0, "Client certificate at %s is empty." % ca_path) | 133 | self.assertTrue(os.path.getsize(ca_path) > 0, "Client certificate at %s is empty." % ca_path) |
| 134 | 134 | ||
| @@ -390,8 +390,9 @@ class ImplProvTests(OESelftestTestCase): | |||
| 390 | else: | 390 | else: |
| 391 | self.meta_qemu = None | 391 | self.meta_qemu = None |
| 392 | self.append_config('MACHINE = "qemux86-64"') | 392 | self.append_config('MACHINE = "qemux86-64"') |
| 393 | self.append_config('SOTA_CLIENT_PROV = " aktualizr-implicit-prov "') | 393 | self.append_config('SOTA_CLIENT_PROV = " aktualizr-ca-implicit-prov "') |
| 394 | runCmd('bitbake -c cleanall aktualizr aktualizr-implicit-prov') | 394 | self.append_config('SOTA_DEPLOY_CREDENTIALS = "0"') |
| 395 | runCmd('bitbake -c cleanall aktualizr aktualizr-ca-implicit-prov') | ||
| 395 | self.qemu, self.s = qemu_launch(machine='qemux86-64') | 396 | self.qemu, self.s = qemu_launch(machine='qemux86-64') |
| 396 | 397 | ||
| 397 | def tearDownLocal(self): | 398 | def tearDownLocal(self): |
| @@ -436,10 +437,11 @@ class ImplProvTests(OESelftestTestCase): | |||
| 436 | # Run cert_provider. | 437 | # Run cert_provider. |
| 437 | bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native') | 438 | bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native') |
| 438 | creds = bb_vars['SOTA_PACKED_CREDENTIALS'] | 439 | creds = bb_vars['SOTA_PACKED_CREDENTIALS'] |
| 439 | bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-implicit-prov') | 440 | bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-ca-implicit-prov') |
| 440 | config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov.toml' | 441 | config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov_ca.toml' |
| 441 | 442 | ||
| 442 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -s -g {config}' | 443 | print('Provisining at root@localhost:%d' % self.qemu.ssh_port) |
| 444 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -s -u -r -g {config}' | ||
| 443 | .format(creds=creds, port=self.qemu.ssh_port, config=config)) | 445 | .format(creds=creds, port=self.qemu.ssh_port, config=config)) |
| 444 | 446 | ||
| 445 | verifyProvisioned(self, machine) | 447 | verifyProvisioned(self, machine) |
| @@ -462,7 +464,9 @@ class HsmTests(OESelftestTestCase): | |||
| 462 | self.meta_qemu = None | 464 | self.meta_qemu = None |
| 463 | self.append_config('MACHINE = "qemux86-64"') | 465 | self.append_config('MACHINE = "qemux86-64"') |
| 464 | self.append_config('SOTA_CLIENT_PROV = "aktualizr-hsm-prov"') | 466 | self.append_config('SOTA_CLIENT_PROV = "aktualizr-hsm-prov"') |
| 467 | self.append_config('SOTA_DEPLOY_CREDENTIALS = "0"') | ||
| 465 | self.append_config('SOTA_CLIENT_FEATURES = "hsm"') | 468 | self.append_config('SOTA_CLIENT_FEATURES = "hsm"') |
| 469 | self.append_config('IMAGE_INSTALL_append = " softhsm-testtoken"') | ||
| 466 | runCmd('bitbake -c cleanall aktualizr aktualizr-hsm-prov') | 470 | runCmd('bitbake -c cleanall aktualizr aktualizr-hsm-prov') |
| 467 | self.qemu, self.s = qemu_launch(machine='qemux86-64') | 471 | self.qemu, self.s = qemu_launch(machine='qemux86-64') |
| 468 | 472 | ||
| @@ -521,7 +525,7 @@ class HsmTests(OESelftestTestCase): | |||
| 521 | bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-hsm-prov') | 525 | bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-hsm-prov') |
| 522 | config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_hsm_prov.toml' | 526 | config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_hsm_prov.toml' |
| 523 | 527 | ||
| 524 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -r -s -g {config}' | 528 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -r -s -u -g {config}' |
| 525 | .format(creds=creds, port=self.qemu.ssh_port, config=config)) | 529 | .format(creds=creds, port=self.qemu.ssh_port, config=config)) |
| 526 | 530 | ||
| 527 | # Verify that HSM is able to initialize. | 531 | # Verify that HSM is able to initialize. |
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb new file mode 100644 index 0000000..34460af --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | SUMMARY = "Credentials for autoprovisioning scenario" | ||
| 2 | SECTION = "base" | ||
| 3 | LICENSE = "MPL-2.0" | ||
| 4 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" | ||
| 5 | |||
| 6 | DEPENDS = "aktualizr-native zip-native" | ||
| 7 | ALLOW_EMPTY_${PN} = "1" | ||
| 8 | |||
| 9 | require credentials.inc | ||
| 10 | |||
| 11 | do_install() { | ||
| 12 | if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then | ||
| 13 | install -m 0700 -d ${D}${localstatedir}/sota | ||
| 14 | cp ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip | ||
| 15 | # Device should not be able to push data to treehub | ||
| 16 | zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json | ||
| 17 | fi | ||
| 18 | } | ||
| 19 | |||
| 20 | FILES_${PN} = " \ | ||
| 21 | ${localstatedir}/sota/sota_provisioning_credentials.zip \ | ||
| 22 | " | ||
| 23 | |||
| 24 | # vim:set ts=4 sw=4 sts=4 expandtab: | ||
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-auto-prov.bb index 9fa95ed..01f21fa 100644 --- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-auto-prov.bb | |||
| @@ -6,7 +6,7 @@ LICENSE = "MPL-2.0" | |||
| 6 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" | 6 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" |
| 7 | 7 | ||
| 8 | DEPENDS = "aktualizr-native zip-native" | 8 | DEPENDS = "aktualizr-native zip-native" |
| 9 | RDEPENDS_${PN} = "aktualizr" | 9 | RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}" |
| 10 | PV = "1.0" | 10 | PV = "1.0" |
| 11 | PR = "6" | 11 | PR = "6" |
| 12 | 12 | ||
| @@ -31,19 +31,10 @@ do_install() { | |||
| 31 | 31 | ||
| 32 | install -m 0700 -d ${D}${libdir}/sota/conf.d | 32 | install -m 0700 -d ${D}${libdir}/sota/conf.d |
| 33 | install -m 0700 -d ${D}${localstatedir}/sota | 33 | install -m 0700 -d ${D}${localstatedir}/sota |
| 34 | if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then | 34 | aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)} |
| 35 | aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)} | 35 | |
| 36 | 36 | install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \ | |
| 37 | install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \ | 37 | ${D}${libdir}/sota/conf.d/20-${aktualizr_toml} |
| 38 | ${D}${libdir}/sota/conf.d/20-${aktualizr_toml} | ||
| 39 | |||
| 40 | # deploy SOTA credentials | ||
| 41 | if [ -e ${SOTA_PACKED_CREDENTIALS} ]; then | ||
| 42 | cp ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip | ||
| 43 | # Device should not be able to push data to treehub | ||
| 44 | zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json | ||
| 45 | fi | ||
| 46 | fi | ||
| 47 | } | 38 | } |
| 48 | 39 | ||
| 49 | FILES_${PN} = " \ | 40 | FILES_${PN} = " \ |
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb new file mode 100644 index 0000000..a729e6b --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb | |||
| @@ -0,0 +1,51 @@ | |||
| 1 | SUMMARY = "Credentials for implicit provisioning with CA certificate" | ||
| 2 | SECTION = "base" | ||
| 3 | LICENSE = "MPL-2.0" | ||
| 4 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" | ||
| 5 | |||
| 6 | DEPENDS = "aktualizr aktualizr-native" | ||
| 7 | ALLOW_EMPTY_${PN} = "1" | ||
| 8 | |||
| 9 | SRC_URI = " \ | ||
| 10 | file://ca.cnf \ | ||
| 11 | " | ||
| 12 | |||
| 13 | require credentials.inc | ||
| 14 | |||
| 15 | export SOTA_CACERT_PATH | ||
| 16 | export SOTA_CAKEY_PATH | ||
| 17 | |||
| 18 | do_install() { | ||
| 19 | if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then | ||
| 20 | if [ -z ${SOTA_CACERT_PATH} ]; then | ||
| 21 | SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem | ||
| 22 | SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem | ||
| 23 | mkdir -p ${DEPLOY_DIR_IMAGE}/CA | ||
| 24 | bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH" | ||
| 25 | |||
| 26 | if [ ! -f ${SOTA_CACERT_PATH} ]; then | ||
| 27 | bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" | ||
| 28 | SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")" | ||
| 29 | openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 | ||
| 30 | openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert | ||
| 31 | bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" | ||
| 32 | fi | ||
| 33 | fi | ||
| 34 | |||
| 35 | if [ -z ${SOTA_CAKEY_PATH} ]; then | ||
| 36 | bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning" | ||
| 37 | fi | ||
| 38 | |||
| 39 | install -m 0700 -d ${D}${localstatedir}/sota | ||
| 40 | aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \ | ||
| 41 | --device-ca ${SOTA_CACERT_PATH} \ | ||
| 42 | --device-ca-key ${SOTA_CAKEY_PATH} \ | ||
| 43 | --root-ca \ | ||
| 44 | --server-url \ | ||
| 45 | --local ${D} \ | ||
| 46 | --config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml | ||
| 47 | fi | ||
| 48 | } | ||
| 49 | |||
| 50 | FILES_${PN} = " \ | ||
| 51 | ${localstatedir}/sota/*" | ||
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb index 83504f1..2763185 100644 --- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb | |||
| @@ -10,62 +10,23 @@ LICENSE = "MPL-2.0" | |||
| 10 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" | 10 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" |
| 11 | 11 | ||
| 12 | DEPENDS = "aktualizr aktualizr-native openssl-native" | 12 | DEPENDS = "aktualizr aktualizr-native openssl-native" |
| 13 | RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}" | ||
| 13 | 14 | ||
| 14 | SRC_URI = " \ | ||
| 15 | file://ca.cnf \ | ||
| 16 | " | ||
| 17 | PV = "1.0" | 15 | PV = "1.0" |
| 18 | PR = "1" | 16 | PR = "1" |
| 19 | 17 | ||
| 20 | require environment.inc | 18 | require environment.inc |
| 21 | require credentials.inc | 19 | require credentials.inc |
| 22 | 20 | ||
| 23 | export SOTA_CACERT_PATH | ||
| 24 | export SOTA_CAKEY_PATH | ||
| 25 | |||
| 26 | do_install() { | 21 | do_install() { |
| 27 | install -m 0700 -d ${D}${libdir}/sota/conf.d | 22 | install -m 0700 -d ${D}${libdir}/sota/conf.d |
| 28 | 23 | ||
| 29 | if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then | ||
| 30 | bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning" | ||
| 31 | fi | ||
| 32 | |||
| 33 | if [ -z ${SOTA_CACERT_PATH} ]; then | ||
| 34 | SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem | ||
| 35 | SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem | ||
| 36 | mkdir -p ${DEPLOY_DIR_IMAGE}/CA | ||
| 37 | bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH" | ||
| 38 | |||
| 39 | if [ ! -f ${SOTA_CACERT_PATH} ]; then | ||
| 40 | bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" | ||
| 41 | SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")" | ||
| 42 | openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 | ||
| 43 | openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert | ||
| 44 | bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" | ||
| 45 | fi | ||
| 46 | fi | ||
| 47 | |||
| 48 | if [ -z ${SOTA_CAKEY_PATH} ]; then | ||
| 49 | bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning" | ||
| 50 | fi | ||
| 51 | |||
| 52 | install -m 0700 -d ${D}${localstatedir}/sota | ||
| 53 | install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \ | 24 | install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \ |
| 54 | ${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml | 25 | ${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml |
| 55 | aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \ | ||
| 56 | --device-ca ${SOTA_CACERT_PATH} \ | ||
| 57 | --device-ca-key ${SOTA_CAKEY_PATH} \ | ||
| 58 | --root-ca \ | ||
| 59 | --server-url \ | ||
| 60 | --local ${D}${localstatedir}/sota \ | ||
| 61 | --config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml | ||
| 62 | } | 26 | } |
| 63 | 27 | ||
| 64 | FILES_${PN} = " \ | 28 | FILES_${PN} = " \ |
| 65 | ${libdir}/sota/conf.d \ | ||
| 66 | ${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \ | 29 | ${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \ |
| 67 | ${libdir}/sota/root.crt \ | ||
| 68 | ${localstatedir}/sota/* \ | ||
| 69 | " | 30 | " |
| 70 | 31 | ||
| 71 | # vim:set ts=4 sw=4 sts=4 expandtab: | 32 | # vim:set ts=4 sw=4 sts=4 expandtab: |
diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb index 0450138..e915046 100644 --- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb | |||
| @@ -6,6 +6,7 @@ LICENSE = "MPL-2.0" | |||
| 6 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" | 6 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" |
| 7 | 7 | ||
| 8 | DEPENDS = "aktualizr aktualizr-native" | 8 | DEPENDS = "aktualizr aktualizr-native" |
| 9 | RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}" | ||
| 9 | 10 | ||
| 10 | SRC_URI = "" | 11 | SRC_URI = "" |
| 11 | PV = "1.0" | 12 | PV = "1.0" |
| @@ -18,16 +19,11 @@ do_install() { | |||
| 18 | install -m 0700 -d ${D}${libdir}/sota/conf.d | 19 | install -m 0700 -d ${D}${libdir}/sota/conf.d |
| 19 | install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_hsm_prov.toml \ | 20 | install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_hsm_prov.toml \ |
| 20 | ${D}${libdir}/sota/conf.d/20-sota_hsm_prov.toml | 21 | ${D}${libdir}/sota/conf.d/20-sota_hsm_prov.toml |
| 21 | if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then | ||
| 22 | aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} --no-root-ca \ | ||
| 23 | -o ${D}${libdir}/sota/conf.d/30-implicit_server.toml -p ${D} | ||
| 24 | fi | ||
| 25 | } | 22 | } |
| 26 | 23 | ||
| 27 | FILES_${PN} = " \ | 24 | FILES_${PN} = " \ |
| 28 | ${libdir}/sota/conf.d \ | 25 | ${libdir}/sota/conf.d \ |
| 29 | ${libdir}/sota/conf.d/20-sota_hsm_prov.toml \ | 26 | ${libdir}/sota/conf.d/20-sota_hsm_prov.toml \ |
| 30 | ${libdir}/sota/conf.d/30-implicit_server.toml \ | ||
| 31 | " | 27 | " |
| 32 | 28 | ||
| 33 | # vim:set ts=4 sw=4 sts=4 expandtab: | 29 | # vim:set ts=4 sw=4 sts=4 expandtab: |
diff --git a/recipes-sota/aktualizr/aktualizr-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-implicit-prov.bb deleted file mode 100644 index 5c54e8a..0000000 --- a/recipes-sota/aktualizr/aktualizr-implicit-prov.bb +++ /dev/null | |||
| @@ -1,34 +0,0 @@ | |||
| 1 | SUMMARY = "Aktualizr configuration for implicit provisioning" | ||
| 2 | DESCRIPTION = "Configuration for implicitly provisioning Aktualizr, the SOTA Client application written in C++" | ||
| 3 | HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" | ||
| 4 | SECTION = "base" | ||
| 5 | LICENSE = "MPL-2.0" | ||
| 6 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" | ||
| 7 | |||
| 8 | DEPENDS = "aktualizr aktualizr-native" | ||
| 9 | |||
| 10 | SRC_URI = "" | ||
| 11 | PV = "1.0" | ||
| 12 | PR = "1" | ||
| 13 | |||
| 14 | require environment.inc | ||
| 15 | require credentials.inc | ||
| 16 | |||
| 17 | do_install() { | ||
| 18 | install -m 0700 -d ${D}${libdir}/sota/conf.d | ||
| 19 | install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov.toml \ | ||
| 20 | ${D}${libdir}/sota/conf.d/20-sota_implicit_prov.toml | ||
| 21 | if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then | ||
| 22 | aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} \ | ||
| 23 | -o ${D}${libdir}/sota/conf.d/30-implicit_server.toml -p ${D} | ||
| 24 | fi | ||
| 25 | } | ||
| 26 | |||
| 27 | FILES_${PN} = " \ | ||
| 28 | ${libdir}/sota/conf.d \ | ||
| 29 | ${libdir}/sota/conf.d/20-implicit_prov.toml \ | ||
| 30 | ${libdir}/sota/conf.d/30-implicit_server.toml \ | ||
| 31 | ${libdir}/sota/root.crt \ | ||
| 32 | " | ||
| 33 | |||
| 34 | # vim:set ts=4 sw=4 sts=4 expandtab: | ||
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index 7a0641d..ccaf475 100755 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb | |||
| @@ -11,7 +11,6 @@ DEPENDS_append_class-native = "glib-2.0-native " | |||
| 11 | 11 | ||
| 12 | RDEPENDS_${PN}_class-target = "lshw " | 12 | RDEPENDS_${PN}_class-target = "lshw " |
| 13 | RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} " | 13 | RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} " |
| 14 | RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' softhsm softhsm-testtoken', '', d)}" | ||
| 15 | RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'ubootenv', ' u-boot-fw-utils aktualizr-uboot-env-rollback', '', d)} " | 14 | RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'ubootenv', ' u-boot-fw-utils aktualizr-uboot-env-rollback', '', d)} " |
| 16 | 15 | ||
| 17 | RDEPENDS_${PN}_append_class-target = " ${PN}-tools " | 16 | RDEPENDS_${PN}_append_class-target = " ${PN}-tools " |
| @@ -27,7 +26,7 @@ SRC_URI = " \ | |||
| 27 | file://aktualizr-secondary.socket \ | 26 | file://aktualizr-secondary.socket \ |
| 28 | file://aktualizr-serialcan.service \ | 27 | file://aktualizr-serialcan.service \ |
| 29 | " | 28 | " |
| 30 | SRCREV = "090c463c6f1ec7a7ceae963cd7b4ba99aa74e1f5" | 29 | SRCREV = "803fa9f75ed96993775dc0aa5e65e71920125157" |
| 31 | BRANCH ?= "master" | 30 | BRANCH ?= "master" |
| 32 | 31 | ||
| 33 | S = "${WORKDIR}/git" | 32 | S = "${WORKDIR}/git" |
| @@ -64,7 +63,6 @@ do_install_append () { | |||
| 64 | install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml | 63 | install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml |
| 65 | install -m 0644 ${S}/config/sota_autoprov_primary.toml ${D}/${libdir}/sota/sota_autoprov_primary.toml | 64 | install -m 0644 ${S}/config/sota_autoprov_primary.toml ${D}/${libdir}/sota/sota_autoprov_primary.toml |
| 66 | install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml | 65 | install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml |
| 67 | install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml | ||
| 68 | install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml | 66 | install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml |
| 69 | install -m 0644 ${S}/config/sota_secondary.toml ${D}/${libdir}/sota/sota_secondary.toml | 67 | install -m 0644 ${S}/config/sota_secondary.toml ${D}/${libdir}/sota/sota_secondary.toml |
| 70 | install -m 0644 ${S}/config/sota_uboot_env.toml ${D}/${libdir}/sota/sota_uboot_env.toml | 68 | install -m 0644 ${S}/config/sota_uboot_env.toml ${D}/${libdir}/sota/sota_uboot_env.toml |
| @@ -113,7 +111,6 @@ FILES_${PN}-host-tools = " \ | |||
| 113 | ${libdir}/sota/sota_autoprov.toml \ | 111 | ${libdir}/sota/sota_autoprov.toml \ |
| 114 | ${libdir}/sota/sota_autoprov_primary.toml \ | 112 | ${libdir}/sota/sota_autoprov_primary.toml \ |
| 115 | ${libdir}/sota/sota_hsm_prov.toml \ | 113 | ${libdir}/sota/sota_hsm_prov.toml \ |
| 116 | ${libdir}/sota/sota_implicit_prov.toml \ | ||
| 117 | ${libdir}/sota/sota_implicit_prov_ca.toml \ | 114 | ${libdir}/sota/sota_implicit_prov_ca.toml \ |
| 118 | ${libdir}/sota/sota_uboot_env.toml \ | 115 | ${libdir}/sota/sota_uboot_env.toml \ |
| 119 | " | 116 | " |
diff --git a/recipes-support/softhsm-testtoken/files/createtoken.sh b/recipes-support/softhsm-testtoken/files/createtoken.sh index b142945..fa4569d 100644 --- a/recipes-support/softhsm-testtoken/files/createtoken.sh +++ b/recipes-support/softhsm-testtoken/files/createtoken.sh | |||
| @@ -13,7 +13,8 @@ fi | |||
| 13 | mkdir -p /var/lib/softhsm/tokens | 13 | mkdir -p /var/lib/softhsm/tokens |
| 14 | softhsm2-util --init-token --slot 0 --label "Virtual token" --pin 1234 --so-pin 1234 | 14 | softhsm2-util --init-token --slot 0 --label "Virtual token" --pin 1234 --so-pin 1234 |
| 15 | 15 | ||
| 16 | softhsm2-util --import /var/sota/import/pkey.pem --label "pkey" --id 02 --token 'Virtual token' --pin 1234 | 16 | openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in /var/sota/import/pkey.pem -out /var/sota/import/pkey.p8 |
| 17 | softhsm2-util --import /var/sota/import/pkey.p8 --label "pkey" --id 02 --token 'Virtual token' --pin 1234 | ||
| 17 | openssl x509 -outform der -in /var/sota/import/client.pem -out /var/sota/import/client.der | 18 | openssl x509 -outform der -in /var/sota/import/client.pem -out /var/sota/import/client.der |
| 18 | pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --id 1 --write-object /var/sota/import/client.der --type cert --login --pin 1234 | 19 | pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --id 1 --write-object /var/sota/import/client.der --type cert --login --pin 1234 |
| 19 | 20 | ||