-rw-r--r-- README.adoc 42
-rw-r--r-- classes/image_types_ota.bbclass 2
-rw-r--r-- lib/oeqa/selftest/cases/updater.py 345
-rw-r--r-- recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb 72
-rw-r--r-- recipes-sota/aktualizr/aktualizr_git.bb 10
-rw-r--r-- recipes-sota/aktualizr/files/ca.cnf 10
-rw-r--r-- recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch 2
-rw-r--r-- recipes-support/libp11/libp11_0.4.7.bb 1
8 files changed, 411 insertions, 73 deletions
diff --git a/README.adoc b/README.adoc
index 403e0f8..c87bd01 100644
--- a/README.adoc
+++ b/README.adoc
@@ -17,10 +17,10 @@ If you don't already have a Yocto project that you want to add OTA to, you can u
17If you already have a Yocto-based project and you want to add atomic filesystem updates to it, you just need to do three things: 17If you already have a Yocto-based project and you want to add atomic filesystem updates to it, you just need to do three things:
18 18
191. Clone the `meta-updater` layer and add it to your https://www.yoctoproject.org/docs/2.1/ref-manual/ref-manual.html#structure-build-conf-bblayers.conf[bblayers.conf]. 191. Clone the `meta-updater` layer and add it to your https://www.yoctoproject.org/docs/2.1/ref-manual/ref-manual.html#structure-build-conf-bblayers.conf[bblayers.conf].
202. Clone BSP integration layer (meta-updater-$\{PLATFORM}, e.g. https://github.com/advancedtelematic/meta-updater-raspberrypi[meta-updater-raspberrypi]) and add it to your conf/bblayers.conf. If your board isn't supported yet, you could write a BSP integration for it yourself. See the <<Adding support for your board>> section for the details. 202. Clone BSP integration layer (`meta-updater-$\{PLATFORM}`, e.g. https://github.com/advancedtelematic/meta-updater-raspberrypi[meta-updater-raspberrypi]) and add it to your `conf/bblayers.conf`. If your board isn't supported yet, you could write a BSP integration for it yourself. See the <<Adding support for your board>> section for the details.
213. Set up your https://www.yoctoproject.org/docs/2.1/ref-manual/ref-manual.html#var-DISTRO[distro]. If you are using "poky", the default distro in Yocto, you can change it in your conf/local.conf to "poky-sota". Alternatively, if you are using your own or third party distro configuration, you can add 'INHERIT += " sota"' to it, thus combining capabilities of your distro with meta-updater features. 213. Set up your https://www.yoctoproject.org/docs/2.1/ref-manual/ref-manual.html#var-DISTRO[distro]. If you are using "poky", the default distro in Yocto, you can change it in your `conf/local.conf` to "poky-sota". Alternatively, if you are using your own or third party distro configuration, you can add `INHERIT += " sota"` to it, thus combining capabilities of your distro with meta-updater features.
22 22
23You can then build your image as usual, with bitbake. After building the root file system, bitbake will then create an https://ostree.readthedocs.io/en/latest/manual/adapting-existing/[OSTree-enabled version] of it, commit it to your local OSTree repo and (optionally) push it to a remote server. Additionally, a live disk image will be created (normally named $\{IMAGE_NAME}.-sdimg-ota e.g. core-image-raspberrypi3.rpi-sdimg-ota). You can control this behaviour through <<variables in your local.conf,OSTree-related variables in your local.conf>>. 23You can then build your image as usual, with bitbake. After building the root file system, bitbake will then create an https://ostree.readthedocs.io/en/latest/manual/adapting-existing/[OSTree-enabled version] of it, commit it to your local OSTree repo and (optionally) push it to a remote server. Additionally, a live disk image will be created (normally named `$\{IMAGE_NAME}.-sdimg-ota` e.g. `core-image-raspberrypi3.rpi-sdimg-ota`). You can control this behaviour through <<variables in your local.conf,OSTree-related variables in your local.conf>>.
24 24
25=== Build in AGL 25=== Build in AGL
26 26
@@ -30,19 +30,19 @@ With AGL you can just add agl-sota feature while configuring your build environm
30source meta-agl/scripts/aglsetup.sh -m porter agl-demo agl-appfw-smack agl-devel agl-sota 30source meta-agl/scripts/aglsetup.sh -m porter agl-demo agl-appfw-smack agl-devel agl-sota
31.... 31....
32 32
33you can then run 33You can then run:
34 34
35.... 35....
36bitbake agl-demo-platform 36bitbake agl-demo-platform
37.... 37....
38 38
39and get as a result an "ostree_repo" folder in your images directory (tmp/deploy/images/$\{MACHINE}/ostree_repo). It will contain 39and get as a result an `ostree_repo` folder in your images directory (`tmp/deploy/images/$\{MACHINE}/ostree_repo`). It will contain:
40 40
41* your OSTree repository, with the rootfs committed as an OSTree deployment, 41* your OSTree repository, with the rootfs committed as an OSTree deployment,
42* an 'otaimg' bootstrap image, which is an OSTree physical sysroot as a burnable filesystem image, and optionally 42* an `otaimg` bootstrap image, which is an OSTree physical sysroot as a burnable filesystem image, and optionally
43* some machine-dependent live images (e.g. '_.rpi-sdimg-ota' for Raspberry Pi or '_.porter-sdimg-ota' Renesas Porter board). 43* some machine-dependent live images (e.g. `.rpi-sdimg-ota` for Raspberry Pi or `.porter-sdimg-ota` Renesas Porter board).
44 44
45Although aglsetup.sh hooks provide reasonable defaults for SOTA-related variables, you may want to tune some of them. 45Although `aglsetup.sh` hooks provide reasonable defaults for SOTA-related variables, you may want to tune some of them.
46 46
47=== Build problems 47=== Build problems
48 48
@@ -73,7 +73,7 @@ You may take a look into https://github.com/advancedtelematic/meta-updater-minno
73 73
74Although we have used U-Boot so far, other boot loaders can be configured work with OSTree as well. 74Although we have used U-Boot so far, other boot loaders can be configured work with OSTree as well.
75 75
76== SOTA-related variables in local.conf 76== SOTA-related variables in `local.conf`
77 77
78* `OSTREE_REPO` - path to your OSTree repository. Defaults to `$\{DEPLOY_DIR_IMAGE}/ostree_repo` 78* `OSTREE_REPO` - path to your OSTree repository. Defaults to `$\{DEPLOY_DIR_IMAGE}/ostree_repo`
79* `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky". 79* `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky".
@@ -133,20 +133,34 @@ The https://github.com/advancedtelematic/aktualizr[aktualizr repo] contains a to
133garage-push --repo=/path/to/ostree-repo --ref=mybranch --credentials=/path/to/credentials.zip 133garage-push --repo=/path/to/ostree-repo --ref=mybranch --credentials=/path/to/credentials.zip
134.... 134....
135 135
136You can set SOTA_PACKED_CREDENTIALS in your local.conf to make your build results be automatically synchronized with a remote server. Credentials are stored in the JSON format described in the https://github.com/advancedtelematic/aktualizr/blob/master/README.sotatools.adoc[garage-push README]. This JSON file can be optionally stored inside a zip file, although if it is stored this way, the JSON file must be named treehub.json. 136You can set `SOTA_PACKED_CREDENTIALS` in your `local.conf` to automatically synchronize your build results with a remote server. Credentials are stored in an archive as described in the https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[aktualizr documentation].
137 137
138=== QA 138== QA with `oe-selftest`
139 139
140This layer relies on the test framework oe-selftest for quality assurance. Follow the steps below to run the tests: 140This layer relies on the test framework oe-selftest for quality assurance. Follow the steps below to run the tests:
141 141
142* Append the line below to conf/local.conf 1421. Append the line below to `conf/local.conf` to disable the warning about supported operating systems:
143+
144```
145SANITY_TESTED_DISTROS = ""
146```
143 147
1482. If your image does not already include an ssh daemon such as dropbear or openssh, add this line to `conf/local.conf` as well:
149+
144``` 150```
145SANITY_TESTED_DISTROS="" 151IMAGE_INSTALL_append = " dropbear "
146``` 152```
147 153
148* Run oe-selftest: 1543. To be able to build an image for the grub tests, you will need to install https://github.com/tianocore/tianocore.github.io/wiki/OVMF[TianoCore's ovmf] package on your host system. On Debian-like systems, you can do so with this command:
155+
156```
157sudo apt install ovmf
158```
149 159
1604. Run oe-selftest:
161+
150``` 162```
151oe-selftest --run-tests updater 163oe-selftest --run-tests updater
152``` 164```
165
166For more information about oe-selftest, including details about how to run individual test modules or classes, please refer to the https://wiki.yoctoproject.org/wiki/Oe-selftest[Yocto Project wiki].
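Review bot: The numbered prerequisites in the new QA section do not say that `SOTA_PACKED_CREDENTIALS` has to be set, yet the tests added in this commit (`test_cert_provider_local_output`, `ImplProvTests`, `HsmTests`) read it and pass it to `aktualizr_cert_provider -c`. Add a step for it next to the dropbear and ovmf steps, so a run without credentials is understood as a missing prerequisite rather than a test failure.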
diff --git a/classes/image_types_ota.bbclass b/classes/image_types_ota.bbclass
index e753e0e..d21441d 100644
--- a/classes/image_types_ota.bbclass
+++ b/classes/image_types_ota.bbclass
@@ -32,7 +32,7 @@ calculate_size () {
32 fi 32 fi
33 33
34 if [ "$SIZE" -lt "$MIN" ]; then 34 if [ "$SIZE" -lt "$MIN" ]; then
35 $SIZE=$MIN 35 SIZE=$MIN
36 fi 36 fi
37 37
38 SIZE=`expr $SIZE \+ $EXTRA` 38 SIZE=`expr $SIZE \+ $EXTRA`
diff --git a/lib/oeqa/selftest/cases/updater.py b/lib/oeqa/selftest/cases/updater.py
index 91ac9fc..b544762 100644
--- a/lib/oeqa/selftest/cases/updater.py
+++ b/lib/oeqa/selftest/cases/updater.py
@@ -1,6 +1,7 @@
1# pylint: disable=C0111,C0325 1# pylint: disable=C0111,C0325
2import os 2import os
3import logging 3import logging
4import re
4import subprocess 5import subprocess
5import unittest 6import unittest
6from time import sleep 7from time import sleep
@@ -20,32 +21,13 @@ class SotaToolsTests(OESelftestTestCase):
20 bitbake('aktualizr-native') 21 bitbake('aktualizr-native')
21 22
22 def test_push_help(self): 23 def test_push_help(self):
23 bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'bindir'], 'aktualizr-native') 24 akt_native_run(self, 'garage-push --help')
24 p = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir'] + "/" + "garage-push"
25 self.assertTrue(os.path.isfile(p), msg = "No garage-push found (%s)" % p)
26 result = runCmd('%s --help' % p, ignore_status=True)
27 self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
28 25
29 def test_deploy_help(self): 26 def test_deploy_help(self):
30 bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'bindir'], 'aktualizr-native') 27 akt_native_run(self, 'garage-deploy --help')
31 p = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir'] + "/" + "garage-deploy"
32 self.assertTrue(os.path.isfile(p), msg = "No garage-deploy found (%s)" % p)
33 result = runCmd('%s --help' % p, ignore_status=True)
34 self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
35 28
36 def test_garagesign_help(self): 29 def test_garagesign_help(self):
37 bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'bindir'], 'aktualizr-native') 30 akt_native_run(self, 'garage-sign --help')
38 p = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir'] + "/" + "garage-sign"
39 self.assertTrue(os.path.isfile(p), msg = "No garage-sign found (%s)" % p)
40 result = runCmd('%s --help' % p, ignore_status=True)
41 self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
42
43
44class HsmTests(OESelftestTestCase):
45
46 def test_hsm(self):
47 self.write_config('SOTA_CLIENT_FEATURES="hsm"')
48 bitbake('core-image-minimal')
49 31
50 32
51class GeneralTests(OESelftestTestCase): 33class GeneralTests(OESelftestTestCase):
@@ -59,6 +41,9 @@ class GeneralTests(OESelftestTestCase):
59 self.assertNotEqual(result, -1, 'Feature "systemd" not set at DISTRO_FEATURES') 41 self.assertNotEqual(result, -1, 'Feature "systemd" not set at DISTRO_FEATURES')
60 42
61 def test_credentials(self): 43 def test_credentials(self):
44 logger = logging.getLogger("selftest")
45 logger.info('Running bitbake to build core-image-minimal')
46 self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"')
62 bitbake('core-image-minimal') 47 bitbake('core-image-minimal')
63 credentials = get_bb_var('SOTA_PACKED_CREDENTIALS') 48 credentials = get_bb_var('SOTA_PACKED_CREDENTIALS')
64 # skip the test if the variable SOTA_PACKED_CREDENTIALS is not set 49 # skip the test if the variable SOTA_PACKED_CREDENTIALS is not set
@@ -75,7 +60,8 @@ class GeneralTests(OESelftestTestCase):
75 60
76 def test_java(self): 61 def test_java(self):
77 result = runCmd('which java', ignore_status=True) 62 result = runCmd('which java', ignore_status=True)
78 self.assertEqual(result.status, 0, "Java not found.") 63 self.assertEqual(result.status, 0,
64 "Java not found. Do you have a JDK installed on your host machine?")
79 65
80 def test_add_package(self): 66 def test_add_package(self):
81 print('') 67 print('')
@@ -85,7 +71,7 @@ class GeneralTests(OESelftestTestCase):
85 logger = logging.getLogger("selftest") 71 logger = logging.getLogger("selftest")
86 72
87 logger.info('Running bitbake with man in the image package list') 73 logger.info('Running bitbake with man in the image package list')
88 self.write_config('IMAGE_INSTALL_append = " man "') 74 self.append_config('IMAGE_INSTALL_append = " man "')
89 bitbake('-c cleanall man') 75 bitbake('-c cleanall man')
90 bitbake('core-image-minimal') 76 bitbake('core-image-minimal')
91 result = runCmd('oe-pkgdata-util find-path /usr/bin/man') 77 result = runCmd('oe-pkgdata-util find-path /usr/bin/man')
@@ -95,7 +81,7 @@ class GeneralTests(OESelftestTestCase):
95 logger.info('First image %s has size %i' % (path1, size1)) 81 logger.info('First image %s has size %i' % (path1, size1))
96 82
97 logger.info('Running bitbake without man in the image package list') 83 logger.info('Running bitbake without man in the image package list')
98 self.write_config('IMAGE_INSTALL_remove = " man "') 84 self.append_config('IMAGE_INSTALL_remove = " man "')
99 bitbake('-c cleanall man') 85 bitbake('-c cleanall man')
100 bitbake('core-image-minimal') 86 bitbake('core-image-minimal')
101 result = runCmd('oe-pkgdata-util find-path /usr/bin/man', ignore_status=True) 87 result = runCmd('oe-pkgdata-util find-path /usr/bin/man', ignore_status=True)
@@ -108,6 +94,46 @@ class GeneralTests(OESelftestTestCase):
108 self.assertNotEqual(size1, size2, "Image sizes are identical; image was not rebuilt.") 94 self.assertNotEqual(size1, size2, "Image sizes are identical; image was not rebuilt.")
109 95
110 96
97class AktualizrToolsTests(OESelftestTestCase):
98
99 @classmethod
100 def setUpClass(cls):
101 super(AktualizrToolsTests, cls).setUpClass()
102 logger = logging.getLogger("selftest")
103 logger.info('Running bitbake to build aktualizr-native tools')
104 bitbake('aktualizr-native')
105
106 def test_implicit_writer_help(self):
107 akt_native_run(self, 'aktualizr_implicit_writer --help')
108
109 def test_cert_provider_help(self):
110 akt_native_run(self, 'aktualizr_cert_provider --help')
111
112 def test_cert_provider_local_output(self):
113 logger = logging.getLogger("selftest")
114 logger.info('Running bitbake to build aktualizr-implicit-prov')
115 bitbake('aktualizr-implicit-prov')
116 bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS', 'T'], 'aktualizr-native')
117 creds = bb_vars['SOTA_PACKED_CREDENTIALS']
118 temp_dir = bb_vars['T']
119 bb_vars_prov = get_bb_vars(['STAGING_DIR_NATIVE', 'libdir'], 'aktualizr-implicit-prov')
120 config = bb_vars_prov['STAGING_DIR_NATIVE'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov.toml'
121
122 akt_native_run(self, 'aktualizr_cert_provider -c {creds} -r -l {temp} -g {config}'
123 .format(creds=creds, temp=temp_dir, config=config))
124
125 # Might be nice if these names weren't hardcoded.
126 cert_path = temp_dir + '/client.pem'
127 self.assertTrue(os.path.isfile(cert_path), "Client certificate not found at %s." % cert_path)
128 self.assertTrue(os.path.getsize(cert_path) > 0, "Client certificate at %s is empty." % cert_path)
129 pkey_path = temp_dir + '/pkey.pem'
130 self.assertTrue(os.path.isfile(pkey_path), "Private key not found at %s." % pkey_path)
131 self.assertTrue(os.path.getsize(pkey_path) > 0, "Private key at %s is empty." % pkey_path)
132 ca_path = temp_dir + '/root.crt'
133 self.assertTrue(os.path.isfile(ca_path), "Client certificate not found at %s." % ca_path)
134 self.assertTrue(os.path.getsize(ca_path) > 0, "Client certificate at %s is empty." % ca_path)
135
136
111class QemuTests(OESelftestTestCase): 137class QemuTests(OESelftestTestCase):
112 138
113 @classmethod 139 @classmethod
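Review bot: In `test_cert_provider_local_output`, `creds` is formatted into the `aktualizr_cert_provider` command line without checking that `SOTA_PACKED_CREDENTIALS` is set, whereas `test_credentials` carries a comment about skipping in that case; skip or fail early here with a message that names the variable. The two `root.crt` assertions (new lines 133-134) reuse the "Client certificate ..." messages and should name the root CA instead. The test also leaves `pkey.pem` behind in the recipe's `T` directory; consider removing the generated key material once the assertions have run.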
@@ -118,14 +144,16 @@ class QemuTests(OESelftestTestCase):
118 @classmethod 144 @classmethod
119 def tearDownClass(cls): 145 def tearDownClass(cls):
120 qemu_terminate(cls.s) 146 qemu_terminate(cls.s)
147 super(QemuTests, cls).tearDownClass()
121 148
122 def run_command(self, command): 149 def qemu_command(self, command):
123 return qemu_send_command(self.qemu.ssh_port, command) 150 return qemu_send_command(self.qemu.ssh_port, command)
124 151
125 def test_hostname(self): 152 def test_qemu(self):
126 print('')
127 print('Checking machine name (hostname) of device:') 153 print('Checking machine name (hostname) of device:')
128 stdout, stderr, retcode = self.run_command('hostname') 154 stdout, stderr, retcode = self.qemu_command('hostname')
155 self.assertEqual(retcode, 0, "Unable to check hostname. " +
156 "Is an ssh daemon (such as dropbear or openssh) installed on the device?")
129 machine = get_bb_var('MACHINE', 'core-image-minimal') 157 machine = get_bb_var('MACHINE', 'core-image-minimal')
130 self.assertEqual(stderr, b'', 'Error: ' + stderr.decode()) 158 self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
131 # Strip off line ending. 159 # Strip off line ending.
@@ -133,30 +161,15 @@ class QemuTests(OESelftestTestCase):
133 self.assertEqual(value_str, machine, 161 self.assertEqual(value_str, machine,
134 'MACHINE does not match hostname: ' + machine + ', ' + value_str) 162 'MACHINE does not match hostname: ' + machine + ', ' + value_str)
135 print(value_str) 163 print(value_str)
136
137 def test_var_sota(self):
138 print('')
139 print('Checking contents of /var/sota:')
140 stdout, stderr, retcode = self.run_command('ls /var/sota')
141 self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
142 self.assertEqual(retcode, 0)
143 print(stdout.decode())
144
145 def test_aktualizr_info(self):
146 print('Checking output of aktualizr-info:') 164 print('Checking output of aktualizr-info:')
147 ran_ok = False 165 ran_ok = False
148 for delay in [0, 1, 2, 5, 10, 15]: 166 for delay in [0, 1, 2, 5, 10, 15]:
149 sleep(delay) 167 sleep(delay)
150 try: 168 stdout, stderr, retcode = self.qemu_command('aktualizr-info')
151 stdout, stderr, retcode = self.run_command('aktualizr-info') 169 if retcode == 0 and stderr == b'':
152 if retcode == 0 and stderr == b'': 170 ran_ok = True
153 ran_ok = True 171 break
154 break 172 self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
155 except IOError as e:
156 print(e)
157 if not ran_ok:
158 print(stdout.decode())
159 print(stderr.decode())
160 173
161 174
162class GrubTests(OESelftestTestCase): 175class GrubTests(OESelftestTestCase):
@@ -178,19 +191,220 @@ class GrubTests(OESelftestTestCase):
178 runCmd('bitbake-layers remove-layer "%s"' % self.meta_intel, ignore_status=True) 191 runCmd('bitbake-layers remove-layer "%s"' % self.meta_intel, ignore_status=True)
179 runCmd('bitbake-layers remove-layer "%s"' % self.meta_minnow, ignore_status=True) 192 runCmd('bitbake-layers remove-layer "%s"' % self.meta_minnow, ignore_status=True)
180 193
194 def qemu_command(self, command):
195 return qemu_send_command(self.qemu.ssh_port, command)
196
181 def test_grub(self): 197 def test_grub(self):
182 print('') 198 print('')
183 print('Checking machine name (hostname) of device:') 199 print('Checking machine name (hostname) of device:')
184 value, err, retcode = qemu_send_command(self.qemu.ssh_port, 'hostname') 200 stdout, stderr, retcode = self.qemu_command('hostname')
201 self.assertEqual(retcode, 0, "Unable to check hostname. " +
202 "Is an ssh daemon (such as dropbear or openssh) installed on the device?")
203 machine = get_bb_var('MACHINE', 'core-image-minimal')
204 self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
205 # Strip off line ending.
206 value = stdout.decode()[:-1]
207 self.assertEqual(value, machine,
208 'MACHINE does not match hostname: ' + machine + ', ' + value +
209 '\nIs TianoCore ovmf installed on your host machine?')
210 print(value)
211 print('Checking output of aktualizr-info:')
212 ran_ok = False
213 for delay in [0, 1, 2, 5, 10, 15]:
214 sleep(delay)
215 stdout, stderr, retcode = self.qemu_command('aktualizr-info')
216 if retcode == 0 and stderr == b'':
217 ran_ok = True
218 break
219 self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
220
221
222class ImplProvTests(OESelftestTestCase):
223
224 def setUpLocal(self):
225 self.append_config('SOTA_CLIENT_PROV = " aktualizr-implicit-prov "')
226 # note: this will build aktualizr-native as a side-effect
227 self.qemu, self.s = qemu_launch(machine='qemux86-64')
228
229 def tearDownLocal(self):
230 qemu_terminate(self.s)
231
232 def qemu_command(self, command):
233 return qemu_send_command(self.qemu.ssh_port, command)
234
235 def test_provisioning(self):
236 print('Checking machine name (hostname) of device:')
237 stdout, stderr, retcode = self.qemu_command('hostname')
238 self.assertEqual(retcode, 0, "Unable to check hostname. " +
239 "Is an ssh daemon (such as dropbear or openssh) installed on the device?")
240 machine = get_bb_var('MACHINE', 'core-image-minimal')
241 self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
242 # Strip off line ending.
243 value_str = stdout.decode()[:-1]
244 self.assertEqual(value_str, machine,
245 'MACHINE does not match hostname: ' + machine + ', ' + value_str)
246 print(value_str)
247 print('Checking output of aktualizr-info:')
248 ran_ok = False
249 for delay in [0, 1, 2, 5, 10, 15]:
250 stdout, stderr, retcode = self.qemu_command('aktualizr-info')
251 if retcode == 0 and stderr == b'':
252 ran_ok = True
253 break
254 self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
255 # Verify that device has NOT yet provisioned.
256 self.assertIn(b'Couldn\'t load device ID', stdout,
257 'Device already provisioned!? ' + stderr.decode() + stdout.decode())
258 self.assertIn(b'Couldn\'t load ECU serials', stdout,
259 'Device already provisioned!? ' + stderr.decode() + stdout.decode())
260 self.assertIn(b'Provisioned on server: no', stdout,
261 'Device already provisioned!? ' + stderr.decode() + stdout.decode())
262 self.assertIn(b'Fetched metadata: no', stdout,
263 'Device already provisioned!? ' + stderr.decode() + stdout.decode())
264
265 # Run cert_provider.
266 bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
267 creds = bb_vars['SOTA_PACKED_CREDENTIALS']
268 bb_vars_prov = get_bb_vars(['STAGING_DIR_NATIVE', 'libdir'], 'aktualizr-implicit-prov')
269 config = bb_vars_prov['STAGING_DIR_NATIVE'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov.toml'
270
271 akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -s -g {config}'
272 .format(creds=creds, port=self.qemu.ssh_port, config=config))
273
274 # Verify that device HAS provisioned.
275 ran_ok = False
276 for delay in [5, 5, 5, 5, 10]:
277 sleep(delay)
278 stdout, stderr, retcode = self.qemu_command('aktualizr-info')
279 if retcode == 0 and stderr == b'' and stdout.decode().find('Fetched metadata: yes') >= 0:
280 ran_ok = True
281 break
282 self.assertIn(b'Device ID: ', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
283 self.assertIn(b'Primary ecu hardware ID: qemux86-64', stdout,
284 'Provisioning failed: ' + stderr.decode() + stdout.decode())
285 self.assertIn(b'Fetched metadata: yes', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
286 p = re.compile(r'Device ID: ([a-z0-9-]*)\n')
287 m = p.search(stdout.decode())
288 self.assertTrue(m, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
289 self.assertGreater(m.lastindex, 0, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
290 logger = logging.getLogger("selftest")
291 logger.info('Device successfully provisioned with ID: ' + m.group(1))
292
293
294class HsmTests(OESelftestTestCase):
295
296 def setUpLocal(self):
297 self.append_config('SOTA_CLIENT_PROV = "aktualizr-hsm-prov"')
298 self.append_config('SOTA_CLIENT_FEATURES = "hsm"')
299 # note: this will build aktualizr-native as a side-effect
300 self.qemu, self.s = qemu_launch(machine='qemux86-64')
301
302 def tearDownLocal(self):
303 qemu_terminate(self.s)
304
305 def qemu_command(self, command):
306 return qemu_send_command(self.qemu.ssh_port, command)
307
308 def test_provisioning(self):
309 print('Checking machine name (hostname) of device:')
310 stdout, stderr, retcode = self.qemu_command('hostname')
311 self.assertEqual(retcode, 0, "Unable to check hostname. " +
312 "Is an ssh daemon (such as dropbear or openssh) installed on the device?")
185 machine = get_bb_var('MACHINE', 'core-image-minimal') 313 machine = get_bb_var('MACHINE', 'core-image-minimal')
186 self.assertEqual(err, b'', 'Error: ' + err.decode()) 314 self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
187 self.assertEqual(retcode, 0)
188 # Strip off line ending. 315 # Strip off line ending.
189 value_str = value.decode()[:-1] 316 value_str = stdout.decode()[:-1]
190 self.assertEqual(value_str, machine, 317 self.assertEqual(value_str, machine,
191 'MACHINE does not match hostname: ' + machine + ', ' + value_str + 318 'MACHINE does not match hostname: ' + machine + ', ' + value_str +
192 '\nIs tianocore ovmf installed?') 319 '\nIs tianocore ovmf installed?')
193 print(value_str) 320 print(value_str)
321 print('Checking output of aktualizr-info:')
322 ran_ok = False
323 for delay in [0, 1, 2, 5, 10, 15]:
324 stdout, stderr, retcode = self.qemu_command('aktualizr-info')
325 if retcode == 0 and stderr == b'':
326 ran_ok = True
327 break
328 self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
329 # Verify that device has NOT yet provisioned.
330 self.assertIn(b'Couldn\'t load device ID', stdout,
331 'Device already provisioned!? ' + stderr.decode() + stdout.decode())
332 self.assertIn(b'Couldn\'t load ECU serials', stdout,
333 'Device already provisioned!? ' + stderr.decode() + stdout.decode())
334 self.assertIn(b'Provisioned on server: no', stdout,
335 'Device already provisioned!? ' + stderr.decode() + stdout.decode())
336 self.assertIn(b'Fetched metadata: no', stdout,
337 'Device already provisioned!? ' + stderr.decode() + stdout.decode())
338
339 # Verify that HSM is not yet initialized.
340 pkcs11_command = 'pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so -O'
341 stdout, stderr, retcode = self.qemu_command(pkcs11_command)
342 self.assertNotEqual(retcode, 0, 'pkcs11-tool succeeded before initialization: ' +
343 stdout.decode() + stderr.decode())
344 softhsm2_command = 'softhsm2-util --show-slots'
345 stdout, stderr, retcode = self.qemu_command(softhsm2_command)
346 self.assertNotEqual(retcode, 0, 'softhsm2-tool succeeded before initialization: ' +
347 stdout.decode() + stderr.decode())
348
349 # Run cert_provider.
350 bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
351 creds = bb_vars['SOTA_PACKED_CREDENTIALS']
352 bb_vars_prov = get_bb_vars(['STAGING_DIR_NATIVE', 'libdir'], 'aktualizr-hsm-prov')
353 config = bb_vars_prov['STAGING_DIR_NATIVE'] + bb_vars_prov['libdir'] + '/sota/sota_hsm_prov.toml'
354
355 akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -r -s -g {config}'
356 .format(creds=creds, port=self.qemu.ssh_port, config=config))
357
358 # Verify that HSM is able to initialize.
359 ran_ok = False
360 for delay in [5, 5, 5, 5, 10]:
361 sleep(delay)
362 p11_out, p11_err, p11_ret = self.qemu_command(pkcs11_command)
363 hsm_out, hsm_err, hsm_ret = self.qemu_command(softhsm2_command)
364 if p11_ret == 0 and hsm_ret == 0 and hsm_err == b'':
365 ran_ok = True
366 break
367 self.assertTrue(ran_ok, 'pkcs11-tool or softhsm2-tool failed: ' + p11_err.decode() +
368 p11_out.decode() + hsm_err.decode() + hsm_out.decode())
369 self.assertIn(b'present token', p11_err, 'pkcs11-tool failed: ' + p11_err.decode() + p11_out.decode())
370 self.assertIn(b'X.509 cert', p11_out, 'pkcs11-tool failed: ' + p11_err.decode() + p11_out.decode())
371 self.assertIn(b'Initialized: yes', hsm_out, 'softhsm2-tool failed: ' +
372 hsm_err.decode() + hsm_out.decode())
373 self.assertIn(b'User PIN init.: yes', hsm_out, 'softhsm2-tool failed: ' +
374 hsm_err.decode() + hsm_out.decode())
375
376 # Check that pkcs11 output matches sofhsm output.
377 p11_p = re.compile(r'Using slot [0-9] with a present token \((0x[0-9a-f]*)\)\s')
378 p11_m = p11_p.search(p11_err.decode())
379 self.assertTrue(p11_m, 'Slot number not found with pkcs11-tool: ' + p11_err.decode() + p11_out.decode())
380 self.assertGreater(p11_m.lastindex, 0, 'Slot number not found with pkcs11-tool: ' +
381 p11_err.decode() + p11_out.decode())
382 hsm_p = re.compile(r'Description:\s*SoftHSM slot ID (0x[0-9a-f]*)\s')
383 hsm_m = hsm_p.search(hsm_out.decode())
384 self.assertTrue(hsm_m, 'Slot number not found with softhsm2-tool: ' + hsm_err.decode() + hsm_out.decode())
385 self.assertGreater(hsm_m.lastindex, 0, 'Slot number not found with softhsm2-tool: ' +
386 hsm_err.decode() + hsm_out.decode())
387 self.assertEqual(p11_m.group(1), hsm_m.group(1), 'Slot number does not match: ' +
388 p11_err.decode() + p11_out.decode() + hsm_err.decode() + hsm_out.decode())
389
390 # Verify that device HAS provisioned.
391 ran_ok = False
392 for delay in [5, 5, 5, 5, 10]:
393 sleep(delay)
394 stdout, stderr, retcode = self.qemu_command('aktualizr-info')
395 if retcode == 0 and stderr == b'' and stdout.decode().find('Fetched metadata: yes') >= 0:
396 ran_ok = True
397 break
398 self.assertIn(b'Device ID: ', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
399 self.assertIn(b'Primary ecu hardware ID: qemux86-64', stdout,
400 'Provisioning failed: ' + stderr.decode() + stdout.decode())
401 self.assertIn(b'Fetched metadata: yes', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
402 p = re.compile(r'Device ID: ([a-z0-9-]*)\n')
403 m = p.search(stdout.decode())
404 self.assertTrue(m, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
405 self.assertGreater(m.lastindex, 0, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
406 logger = logging.getLogger("selftest")
407 logger.info('Device successfully provisioned with ID: ' + m.group(1))
194 408
195 409
196def qemu_launch(efi=False, machine=None): 410def qemu_launch(efi=False, machine=None):
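Review bot: In `ImplProvTests.test_provisioning` and `HsmTests.test_provisioning`, the first `aktualizr-info` retry loop (new lines 249-253 and 323-327) iterates over `[0, 1, 2, 5, 10, 15]` but never calls `sleep(delay)`, so the six attempts run back to back; `test_grub` in the same hunk does sleep. Add `sleep(delay)` as the first statement of both loops. In the "Verify that device HAS provisioned" loops `ran_ok` is set but never asserted, and the `HsmTests` hostname message still asks "Is tianocore ovmf installed?" although that class calls `qemu_launch(machine='qemux86-64')` without `efi`. The hostname and `aktualizr-info` block is now repeated in three classes in this hunk; a shared helper would keep the copies from drifting apart like this.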
@@ -220,12 +434,14 @@ def qemu_launch(efi=False, machine=None):
220 sleep(10) 434 sleep(10)
221 return qemu, s 435 return qemu, s
222 436
437
223def qemu_terminate(s): 438def qemu_terminate(s):
224 try: 439 try:
225 s.terminate() 440 s.terminate()
226 except KeyboardInterrupt: 441 except KeyboardInterrupt:
227 pass 442 pass
228 443
444
229def qemu_send_command(port, command): 445def qemu_send_command(port, command):
230 command = ['ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost -p ' + 446 command = ['ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost -p ' +
231 str(port) + ' "' + command + '"'] 447 str(port) + ' "' + command + '"']
@@ -233,4 +449,27 @@ def qemu_send_command(port, command):
233 stdout, stderr = s2.communicate() 449 stdout, stderr = s2.communicate()
234 return stdout, stderr, s2.returncode 450 return stdout, stderr, s2.returncode
235 451
452
453def akt_native_run(testInst, cmd, **kwargs):
454 # run a command supplied by aktualizr-native and checks that:
455 # - the executable exists
456 # - the command runs without error
457 # NOTE: the base test class must have built aktualizr-native (in
458 # setUpClass, for example)
459 bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'base_prefix', 'libdir', 'bindir'],
460 'aktualizr-native')
461 sysroot = bb_vars['SYSROOT_DESTDIR'] + bb_vars['base_prefix']
462 sysrootbin = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir']
463 libdir = bb_vars['libdir']
464
465 program, *_ = cmd.split(' ')
466 p = '{}/{}'.format(sysrootbin, program)
467 testInst.assertTrue(os.path.isfile(p), msg="No {} found ({})".format(program, p))
468 env = dict(os.environ)
469 env['LD_LIBRARY_PATH'] = libdir
470 result = runCmd(cmd, env=env, native_sysroot=sysroot, ignore_status=True, **kwargs)
471 testInst.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
472
473
474
236# vim:set ts=4 sw=4 sts=4 expandtab: 475# vim:set ts=4 sw=4 sts=4 expandtab:
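Review bot: In `akt_native_run` the existence check and the execution are not tied to the same file: `os.path.isfile(p)` tests `sysrootbin/program`, but `runCmd(cmd, ...)` is handed the original string, so the binary that runs is whatever path lookup resolves, not necessarily `p`. Substituting `p` for the first token before the call would make the check meaningful. `env['LD_LIBRARY_PATH'] = libdir` also replaces any inherited value and, unlike `sysroot` and `sysrootbin`, is not prefixed with `SYSROOT_DESTDIR`; a comment on why that is correct would help. `cmd.split(' ')` yields an empty program name if `cmd` has a leading space.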
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
new file mode 100644
index 0000000..51e313d
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -0,0 +1,72 @@
1SUMMARY = "Aktualizr configuration for implicit provisioning with CA"
2DESCRIPTION = "Systemd service and configurations for implicitly provisioning Aktualizr using externally provided or generated CA"
3
4# WARNING: it is NOT a production solution. The secure way to provision devices is to create certificate request directly on the device
5# (either with HSM/TPM or with software) and then sign it with a CA stored on a disconnected machine
6
7HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
8SECTION = "base"
9LICENSE = "MPL-2.0"
10LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
11
12DEPENDS = "aktualizr-native openssl-native"
13RDEPENDS_${PN} = "aktualizr"
14
15SRC_URI = " \
16 file://LICENSE \
17 file://ca.cnf \
18 "
19PV = "1.0"
20PR = "1"
21
22require environment.inc
23require credentials.inc
24
25export SOTA_CACERT_PATH
26export SOTA_CAKEY_PATH
27
28do_install() {
29 install -d ${D}${libdir}/sota
30
31 if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then
32 bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"
33 fi
34
35 if [ -z ${SOTA_CACERT_PATH} ]; then
36 SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
37 SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
38 mkdir -p ${DEPLOY_DIR_IMAGE}/CA
39 bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
40
41 if [ ! -f ${SOTA_CACERT_PATH} ]; then
42 bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
43 SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
44 openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
45 openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
46 bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
47 fi
48 fi
49
50 if [ -z ${SOTA_CAKEY_PATH} ]; then
51 bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
52 fi
53
54 install -d ${D}${libdir}/sota
55 install -d ${D}${localstatedir}/sota
56 install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_implicit_prov_ca.toml ${D}${libdir}/sota/sota.toml
57 aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
58 --device-ca ${SOTA_CACERT_PATH} \
59 --device-ca-key ${SOTA_CAKEY_PATH} \
60 --root-ca \
61 --server-url \
62 --local ${D}${localstatedir}/sota \
63 --config ${D}${libdir}/sota/sota.toml
64}
65
66FILES_${PN} = " \
67 ${localstatedir}/sota/* \
68 ${libdir}/sota/sota.toml \
69 ${libdir}/sota/root.crt \
70 "
71
72# vim:set ts=4 sw=4 sts=4 expandtab:
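Review bot: Nothing stops `do_install` after the `bberror` calls at lines 32 and 51, so with `SOTA_PACKED_CREDENTIALS` or `SOTA_CAKEY_PATH` empty the function still reaches `aktualizr_cert_provider` at line 57 with empty arguments; use `bbfatal` there if the intent is to abort. The generated CA key at line 44 is written unencrypted to `${DEPLOY_DIR_IMAGE}/CA/ca.private.pem` with no mode set, next to the image artifacts; even for the non-production case the header comment describes, set a `umask 077` or `chmod 0600` on it, and keep it out of any directory that gets published. `--root-ca` and `--server-url` at lines 60-61 are passed without a comment on what they make the tool write, although `FILES_${PN}` expects `root.crt`. `install -d ${D}${libdir}/sota` appears twice (lines 29 and 54), and the `[ -z ... ]` and `[ ! -f ... ]` tests are unquoted.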
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index bed656a..4c4e975 100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -6,11 +6,10 @@ LICENSE = "MPL-2.0"
6LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=9741c346eef56131163e13b9db1241b3" 6LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
7 7
8DEPENDS = "boost curl openssl libarchive libsodium asn1c-native " 8DEPENDS = "boost curl openssl libarchive libsodium asn1c-native "
9DEPENDS_append_class-target = "jansson ostree ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' libp11', '', d)} " 9DEPENDS_append_class-target = "ostree ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' libp11', '', d)} "
10DEPENDS_append_class-native = "glib-2.0-native " 10DEPENDS_append_class-native = "glib-2.0-native "
11 11
12RDEPENDS_${PN}_class-target = "lshw " 12RDEPENDS_${PN}_class-target = "lshw "
13RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' engine-pkcs11', '', d)} "
14RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} " 13RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} "
15 14
16PV = "1.0+git${SRCPV}" 15PV = "1.0+git${SRCPV}"
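Review bot: Dropping the `RDEPENDS_${PN}_append_class-target` line for `engine-pkcs11` changes what an `hsm` image gets at runtime, while `libp11` stays in `DEPENDS_append_class-target` for the same feature. Please add a comment here, or a line in the commit message, saying which package now provides the PKCS#11 engine on the target, so it is clear the dependency moved rather than disappeared. The `jansson` removal in the same hunk is also unexplained.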
@@ -21,7 +20,7 @@ SRC_URI = " \
21 file://aktualizr.service \ 20 file://aktualizr.service \
22 file://aktualizr-serialcan.service \ 21 file://aktualizr-serialcan.service \
23 " 22 "
24SRCREV = "32a04532c1b7434b9cab89b78df389059ac45d40" 23SRCREV = "1a6432175b9fb7326173e8db35d326cc1a1011a1"
25BRANCH ?= "master" 24BRANCH ?= "master"
26 25
27S = "${WORKDIR}/git" 26S = "${WORKDIR}/git"
@@ -38,10 +37,10 @@ EXTRA_OECMAKE_append_class-target = " -DBUILD_OSTREE=ON -DBUILD_ISOTP=ON ${@bb.u
38EXTRA_OECMAKE_append_class-native = " -DBUILD_SOTA_TOOLS=ON -DBUILD_OSTREE=OFF " 37EXTRA_OECMAKE_append_class-native = " -DBUILD_SOTA_TOOLS=ON -DBUILD_OSTREE=OFF "
39 38
40do_install_append () { 39do_install_append () {
41 rm -f ${D}${bindir}/aktualizr_cert_provider
42 rm -fr ${D}${libdir}/systemd 40 rm -fr ${D}${libdir}/systemd
43} 41}
44do_install_append_class-target () { 42do_install_append_class-target () {
43 rm -f ${D}${bindir}/aktualizr_cert_provider
45 rm -f ${D}${bindir}/aktualizr_implicit_writer 44 rm -f ${D}${bindir}/aktualizr_implicit_writer
46 rm -f ${D}${libdir}/sota/sota.toml 45 rm -f ${D}${libdir}/sota/sota.toml
47 ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', '', 'rm -f ${D}${bindir}/example-interface', d)} 46 ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', '', 'rm -f ${D}${bindir}/example-interface', d)}
@@ -51,6 +50,7 @@ do_install_append_class-target () {
51 aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)} 50 aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)}
52 install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service 51 install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service
53} 52}
53
54do_install_append_class-native () { 54do_install_append_class-native () {
55 rm -f ${D}${bindir}/aktualizr 55 rm -f ${D}${bindir}/aktualizr
56 rm -f ${D}${bindir}/aktualizr-info 56 rm -f ${D}${bindir}/aktualizr-info
@@ -59,6 +59,7 @@ do_install_append_class-native () {
59 install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml 59 install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml
60 install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml 60 install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml
61 install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml 61 install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml
62 install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml
62 63
63 install -m 0755 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/bin/* ${D}${bindir} 64 install -m 0755 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/bin/* ${D}${bindir}
64 install -m 0644 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/lib/* ${D}${libdir} 65 install -m 0644 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/lib/* ${D}${libdir}
@@ -77,6 +78,7 @@ FILES_${PN}_class-target = " \
77FILES_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', ' ${bindir}/example-interface', '', d)} " 78FILES_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', ' ${bindir}/example-interface', '', d)} "
78FILES_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-isotp-example', ' ${bindir}/isotp-test-interface', '', d)} " 79FILES_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-isotp-example', ' ${bindir}/isotp-test-interface', '', d)} "
79FILES_${PN}_class-native = " \ 80FILES_${PN}_class-native = " \
81 ${bindir}/aktualizr_cert_provider \
80 ${bindir}/aktualizr_implicit_writer \ 82 ${bindir}/aktualizr_implicit_writer \
81 ${bindir}/garage-deploy \ 83 ${bindir}/garage-deploy \
82 ${bindir}/garage-push \ 84 ${bindir}/garage-push \
diff --git a/recipes-sota/aktualizr/files/ca.cnf b/recipes-sota/aktualizr/files/ca.cnf
new file mode 100644
index 0000000..352ec38
--- /dev/null
+++ b/recipes-sota/aktualizr/files/ca.cnf
@@ -0,0 +1,10 @@
1[req]
2req_extensions = cacert
3distinguished_name = req_distinguished_name
4
5[req_distinguished_name]
6
7[cacert]
8basicConstraints = critical,CA:true
9keyUsage = keyCertSign
10
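Review bot: `basicConstraints = critical,CA:true` at line 8 has no path length limit, so a certificate made with this section can sign further CA certificates. If this CA only signs device certificates directly, `critical,CA:true,pathlen:0` states that. `keyUsage = keyCertSign` at line 9 is not marked critical, unlike `basicConstraints`; mark it critical too, and add `cRLSign` if this CA is ever expected to issue revocation lists.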
diff --git a/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch b/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch
index 0538eff..bd233ee 100644
--- a/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch
+++ b/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch
@@ -17,7 +17,7 @@ index 45d5ad3..75625e6 100644
17 17
18-#if OPENSSL_VERSION_NUMBER < 0x100020d0L || defined(LIBRESSL_VERSION_NUMBER) 18-#if OPENSSL_VERSION_NUMBER < 0x100020d0L || defined(LIBRESSL_VERSION_NUMBER)
19-static void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, 19-static void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
20+#if OPENSSL_VERSION_NUMBER <= 0x100020e0L || defined(LIBRESSL_VERSION_NUMBER) 20+#if OPENSSL_VERSION_NUMBER < 0x100020f0L || defined(LIBRESSL_VERSION_NUMBER)
21+ 21+
22+# if (OPENSSL_VERSION_NUMBER & 0xFFFFFFF0) == 0x100020d0L 22+# if (OPENSSL_VERSION_NUMBER & 0xFFFFFFF0) == 0x100020d0L
23+# undef EVP_PKEY_meth_get_sign 23+# undef EVP_PKEY_meth_get_sign
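Review bot: The outer guard moves from `<= 0x100020e0L` to `< 0x100020f0L`, which now includes every 0x100020e? value, so the 1.0.2n release as well, but the inner test on the next line, `(OPENSSL_VERSION_NUMBER & 0xFFFFFFF0) == 0x100020d0L`, still matches only 0x100020d?, that is 1.0.2m. Please confirm the `undef` is meant to stay limited to 1.0.2m while the fallback definitions now also apply to 1.0.2n. The patch file name and subject still say 1.0.2m only, so a short comment in the patch header naming both versions would keep it from being dropped too early on the next OpenSSL bump.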
diff --git a/recipes-support/libp11/libp11_0.4.7.bb b/recipes-support/libp11/libp11_0.4.7.bb
index 7a93102..02d9e50 100644
--- a/recipes-support/libp11/libp11_0.4.7.bb
+++ b/recipes-support/libp11/libp11_0.4.7.bb
@@ -7,6 +7,7 @@ SECTION = "Development/Libraries"
7LICENSE = "LGPLv2+" 7LICENSE = "LGPLv2+"
8LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29" 8LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29"
9DEPENDS = "libtool openssl" 9DEPENDS = "libtool openssl"
10RDEPENDS_${PN} += " opensc"
10 11
11SRC_URI = "git://github.com/OpenSC/libp11.git \ 12SRC_URI = "git://github.com/OpenSC/libp11.git \
12 file://0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch" 13 file://0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch"