summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--conf/layer.conf1
-rw-r--r--recipes-sota/aktualizr/aktualizr-device-prov-creds.bb67
-rw-r--r--recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb1
-rw-r--r--recipes-sota/aktualizr/aktualizr-device-prov.bb1
-rw-r--r--recipes-test/images/secondary-image.bb1
-rwxr-xr-xscripts/find_aktualizr_dependencies.sh1
6 files changed, 0 insertions, 72 deletions
diff --git a/conf/layer.conf b/conf/layer.conf
index f25c5c9..225875b 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -16,7 +16,6 @@ LAYERSERIES_COMPAT_sota = "thud warrior zeus"
16 16
17SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ 17SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
18 aktualizr-device-prov->aktualizr \ 18 aktualizr-device-prov->aktualizr \
19 aktualizr-device-prov-creds->aktualizr \
20 aktualizr-device-prov-hsm->aktualizr \ 19 aktualizr-device-prov-hsm->aktualizr \
21 aktualizr-shared-prov->aktualizr \ 20 aktualizr-shared-prov->aktualizr \
22 aktualizr-shared-prov-creds->aktualizr \ 21 aktualizr-shared-prov-creds->aktualizr \
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
deleted file mode 100644
index a3c7d66..0000000
--- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
+++ /dev/null
@@ -1,67 +0,0 @@
1SUMMARY = "Credentials for device provisioning with fleet CA certificate"
2HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
3SECTION = "base"
4LICENSE = "MPL-2.0"
5LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
6
7inherit allarch
8
9# WARNING: This is NOT an ideal solution. The secure way to provision devices
10# is to create certificate request directly on the device (either with HSM/TPM
11# or with software) and then sign it with a CA stored on a disconnected machine.
12
13# We need to get the config files from the aktualizr-host-tools package built by
14# the aktualizr (target) recipe.
15DEPENDS = "aktualizr aktualizr-native openssl-native"
16ALLOW_EMPTY_${PN} = "1"
17
18# If the config file from aktualizr used here is changed, you will need to bump
19# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
20PV = "1.0"
21PR = "1"
22
23SRC_URI = " \
24 file://ca.cnf \
25 "
26
27require credentials.inc
28
29export SOTA_CACERT_PATH
30export SOTA_CAKEY_PATH
31
32do_install() {
33 if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
34 if [ -z ${SOTA_CACERT_PATH} ]; then
35 SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
36 SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
37 mkdir -p ${DEPLOY_DIR_IMAGE}/CA
38 bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
39
40 if [ ! -f ${SOTA_CACERT_PATH} ]; then
41 bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
42 SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
43 openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
44 openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
45 bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
46 fi
47 fi
48
49 if [ -z ${SOTA_CAKEY_PATH} ]; then
50 bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
51 fi
52
53 install -m 0700 -d ${D}${localstatedir}/sota
54 aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
55 --fleet-ca ${SOTA_CACERT_PATH} \
56 --fleet-ca-key ${SOTA_CAKEY_PATH} \
57 --root-ca \
58 --server-url \
59 --local ${D} \
60 --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
61 fi
62}
63
64FILES_${PN} = " \
65 ${localstatedir}/sota/*"
66
67# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
index 8d4bc9c..4eadb77 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -10,7 +10,6 @@ inherit allarch
10# We need to get the config files from the aktualizr-host-tools package built by 10# We need to get the config files from the aktualizr-host-tools package built by
11# the aktualizr (target) recipe. 11# the aktualizr (target) recipe.
12DEPENDS = "aktualizr" 12DEPENDS = "aktualizr"
13RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
14 13
15# If the config file from aktualizr used here is changed, you will need to bump 14# If the config file from aktualizr used here is changed, you will need to bump
16# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! 15# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb
index e8c75bb..55f398d 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -10,7 +10,6 @@ inherit allarch
10# We need to get the config files from the aktualizr-host-tools package built by 10# We need to get the config files from the aktualizr-host-tools package built by
11# the aktualizr (target) recipe. 11# the aktualizr (target) recipe.
12DEPENDS = "aktualizr" 12DEPENDS = "aktualizr"
13RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
14 13
15# If the config file from aktualizr used here is changed, you will need to bump 14# If the config file from aktualizr used here is changed, you will need to bump
16# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! 15# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb
index 27d1e3f..7db2c68 100644
--- a/recipes-test/images/secondary-image.bb
+++ b/recipes-test/images/secondary-image.bb
@@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \
14 aktualizr-shared-prov \ 14 aktualizr-shared-prov \
15 aktualizr-shared-prov-creds \ 15 aktualizr-shared-prov-creds \
16 aktualizr-device-prov \ 16 aktualizr-device-prov \
17 aktualizr-device-prov-creds \
18 aktualizr-device-prov-hsm \ 17 aktualizr-device-prov-hsm \
19 aktualizr-uboot-env-rollback \ 18 aktualizr-uboot-env-rollback \
20 virtual/network-configuration \ 19 virtual/network-configuration \
diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh
index 493df80..fcb2f97 100755
--- a/scripts/find_aktualizr_dependencies.sh
+++ b/scripts/find_aktualizr_dependencies.sh
@@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr
13${parentdir}/find_dependencies.py aktualizr-shared-prov 13${parentdir}/find_dependencies.py aktualizr-shared-prov
14${parentdir}/find_dependencies.py aktualizr-shared-prov-creds 14${parentdir}/find_dependencies.py aktualizr-shared-prov-creds
15${parentdir}/find_dependencies.py aktualizr-device-prov 15${parentdir}/find_dependencies.py aktualizr-device-prov
16${parentdir}/find_dependencies.py aktualizr-device-prov-creds
17${parentdir}/find_dependencies.py aktualizr-device-prov-hsm 16${parentdir}/find_dependencies.py aktualizr-device-prov-hsm
18${parentdir}/find_dependencies.py aktualizr-auto-reboot 17${parentdir}/find_dependencies.py aktualizr-auto-reboot
19${parentdir}/find_dependencies.py aktualizr-disable-send-ip 18${parentdir}/find_dependencies.py aktualizr-disable-send-ip