-rw-r--r-- | conf/layer.conf | 1 | ||||
-rw-r--r-- | recipes-sota/aktualizr/aktualizr-device-prov-creds.bb | 67 | ||||
-rw-r--r-- | recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb | 1 | ||||
-rw-r--r-- | recipes-sota/aktualizr/aktualizr-device-prov.bb | 1 | ||||
-rw-r--r-- | recipes-test/images/secondary-image.bb | 1 | ||||
-rwxr-xr-x | scripts/find_aktualizr_dependencies.sh | 1 |
6 files changed, 0 insertions, 72 deletions
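--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -16,7 +16,6 @@ LAYERSERIES_COMPAT_sota = "thud warrior zeus"
 
 SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
 aktualizr-device-prov->aktualizr \
-aktualizr-device-prov-creds->aktualizr \
 aktualizr-device-prov-hsm->aktualizr \
 aktualizr-shared-prov->aktualizr \
 aktualizr-shared-prov-creds->aktualizr \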
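--- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
+++ /dev/null
@@ -1,67 +0,0 @@
-SUMMARY = "Credentials for device provisioning with fleet CA certificate"
-HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
-SECTION = "base"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-
-inherit allarch
-
-# WARNING: This is NOT an ideal solution. The secure way to provision devices
-# is to create certificate request directly on the device (either with HSM/TPM
-# or with software) and then sign it with a CA stored on a disconnected machine.
-
-# We need to get the config files from the aktualizr-host-tools package built by
-# the aktualizr (target) recipe.
-DEPENDS = "aktualizr aktualizr-native openssl-native"
-ALLOW_EMPTY_${PN} = "1"
-
-# If the config file from aktualizr used here is changed, you will need to bump
-# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
-PV = "1.0"
-PR = "1"
-
-SRC_URI = " \
-file://ca.cnf \
-"
-
-require credentials.inc
-
-export SOTA_CACERT_PATH
-export SOTA_CAKEY_PATH
-
-do_install() {
-if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
-if [ -z ${SOTA_CACERT_PATH} ]; then
-SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
-SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
-mkdir -p ${DEPLOY_DIR_IMAGE}/CA
-bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
-
-if [ ! -f ${SOTA_CACERT_PATH} ]; then
-bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
-SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
-openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
-openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
-bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
-fi
-fi
-
-if [ -z ${SOTA_CAKEY_PATH} ]; then
-bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
-fi
-
-install -m 0700 -d ${D}${localstatedir}/sota
-aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
---fleet-ca ${SOTA_CACERT_PATH} \
---fleet-ca-key ${SOTA_CAKEY_PATH} \
---root-ca \
---server-url \
---local ${D} \
---config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
-fi
-}
-
-FILES_${PN} = " \
-${localstatedir}/sota/*"
-
-# vim:set ts=4 sw=4 sts=4 expandtab: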
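--- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -10,7 +10,6 @@ inherit allarch
 # We need to get the config files from the aktualizr-host-tools package built by
 # the aktualizr (target) recipe.
 DEPENDS = "aktualizr"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 
 # If the config file from aktualizr used here is changed, you will need to bump
 # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!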
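--- a/recipes-sota/aktualizr/aktualizr-device-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -10,7 +10,6 @@ inherit allarch
 # We need to get the config files from the aktualizr-host-tools package built by
 # the aktualizr (target) recipe.
 DEPENDS = "aktualizr"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 
 # If the config file from aktualizr used here is changed, you will need to bump
 # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!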
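--- a/recipes-test/images/secondary-image.bb
+++ b/recipes-test/images/secondary-image.bb
@@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \
 aktualizr-shared-prov \
 aktualizr-shared-prov-creds \
 aktualizr-device-prov \
-aktualizr-device-prov-creds \
 aktualizr-device-prov-hsm \
 aktualizr-uboot-env-rollback \
 virtual/network-configuration \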
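--- a/scripts/find_aktualizr_dependencies.sh
+++ b/scripts/find_aktualizr_dependencies.sh
@@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr
 ${parentdir}/find_dependencies.py aktualizr-shared-prov
 ${parentdir}/find_dependencies.py aktualizr-shared-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-device-prov
-${parentdir}/find_dependencies.py aktualizr-device-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-device-prov-hsm
 ${parentdir}/find_dependencies.py aktualizr-auto-reboot
 ${parentdir}/find_dependencies.py aktualizr-disable-send-ip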