-rw-r--r-- | README.adoc | 42 | ||||
-rw-r--r-- | classes/image_types_ota.bbclass | 2 | ||||
-rw-r--r-- | lib/oeqa/selftest/cases/updater.py | 345 | ||||
-rw-r--r-- | recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb | 72 | ||||
-rw-r--r-- | recipes-sota/aktualizr/aktualizr_git.bb | 10 | ||||
-rw-r--r-- | recipes-sota/aktualizr/files/ca.cnf | 10 | ||||
-rw-r--r-- | recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch | 2 | ||||
-rw-r--r-- | recipes-support/libp11/libp11_0.4.7.bb | 1 |
8 files changed, 411 insertions, 73 deletions
diff --git a/README.adoc b/README.adoc index 403e0f8..c87bd01 100644 --- a/README.adoc +++ b/README.adoc | |||
@@ -17,10 +17,10 @@ If you don't already have a Yocto project that you want to add OTA to, you can u | |||
17 | If you already have a Yocto-based project and you want to add atomic filesystem updates to it, you just need to do three things: | 17 | If you already have a Yocto-based project and you want to add atomic filesystem updates to it, you just need to do three things: |
18 | 18 | ||
19 | 1. Clone the `meta-updater` layer and add it to your https://www.yoctoproject.org/docs/2.1/ref-manual/ref-manual.html#structure-build-conf-bblayers.conf[bblayers.conf]. | 19 | 1. Clone the `meta-updater` layer and add it to your https://www.yoctoproject.org/docs/2.1/ref-manual/ref-manual.html#structure-build-conf-bblayers.conf[bblayers.conf]. |
20 | 2. Clone BSP integration layer (meta-updater-$\{PLATFORM}, e.g. https://github.com/advancedtelematic/meta-updater-raspberrypi[meta-updater-raspberrypi]) and add it to your conf/bblayers.conf. If your board isn't supported yet, you could write a BSP integration for it yourself. See the <<Adding support for your board>> section for the details. | 20 | 2. Clone BSP integration layer (`meta-updater-$\{PLATFORM}`, e.g. https://github.com/advancedtelematic/meta-updater-raspberrypi[meta-updater-raspberrypi]) and add it to your `conf/bblayers.conf`. If your board isn't supported yet, you could write a BSP integration for it yourself. See the <<Adding support for your board>> section for the details. |
21 | 3. Set up your https://www.yoctoproject.org/docs/2.1/ref-manual/ref-manual.html#var-DISTRO[distro]. If you are using "poky", the default distro in Yocto, you can change it in your conf/local.conf to "poky-sota". Alternatively, if you are using your own or third party distro configuration, you can add 'INHERIT += " sota"' to it, thus combining capabilities of your distro with meta-updater features. | 21 | 3. Set up your https://www.yoctoproject.org/docs/2.1/ref-manual/ref-manual.html#var-DISTRO[distro]. If you are using "poky", the default distro in Yocto, you can change it in your `conf/local.conf` to "poky-sota". Alternatively, if you are using your own or third party distro configuration, you can add `INHERIT += " sota"` to it, thus combining capabilities of your distro with meta-updater features. |
22 | 22 | ||
23 | You can then build your image as usual, with bitbake. After building the root file system, bitbake will then create an https://ostree.readthedocs.io/en/latest/manual/adapting-existing/[OSTree-enabled version] of it, commit it to your local OSTree repo and (optionally) push it to a remote server. Additionally, a live disk image will be created (normally named $\{IMAGE_NAME}.-sdimg-ota e.g. core-image-raspberrypi3.rpi-sdimg-ota). You can control this behaviour through <<variables in your local.conf,OSTree-related variables in your local.conf>>. | 23 | You can then build your image as usual, with bitbake. After building the root file system, bitbake will then create an https://ostree.readthedocs.io/en/latest/manual/adapting-existing/[OSTree-enabled version] of it, commit it to your local OSTree repo and (optionally) push it to a remote server. Additionally, a live disk image will be created (normally named `$\{IMAGE_NAME}.-sdimg-ota` e.g. `core-image-raspberrypi3.rpi-sdimg-ota`). You can control this behaviour through <<variables in your local.conf,OSTree-related variables in your local.conf>>. |
24 | 24 | ||
25 | === Build in AGL | 25 | === Build in AGL |
26 | 26 | ||
@@ -30,19 +30,19 @@ With AGL you can just add agl-sota feature while configuring your build environm | |||
30 | source meta-agl/scripts/aglsetup.sh -m porter agl-demo agl-appfw-smack agl-devel agl-sota | 30 | source meta-agl/scripts/aglsetup.sh -m porter agl-demo agl-appfw-smack agl-devel agl-sota |
31 | .... | 31 | .... |
32 | 32 | ||
33 | you can then run | 33 | You can then run: |
34 | 34 | ||
35 | .... | 35 | .... |
36 | bitbake agl-demo-platform | 36 | bitbake agl-demo-platform |
37 | .... | 37 | .... |
38 | 38 | ||
39 | and get as a result an "ostree_repo" folder in your images directory (tmp/deploy/images/$\{MACHINE}/ostree_repo). It will contain | 39 | and get as a result an `ostree_repo` folder in your images directory (`tmp/deploy/images/$\{MACHINE}/ostree_repo`). It will contain: |
40 | 40 | ||
41 | * your OSTree repository, with the rootfs committed as an OSTree deployment, | 41 | * your OSTree repository, with the rootfs committed as an OSTree deployment, |
42 | * an 'otaimg' bootstrap image, which is an OSTree physical sysroot as a burnable filesystem image, and optionally | 42 | * an `otaimg` bootstrap image, which is an OSTree physical sysroot as a burnable filesystem image, and optionally |
43 | * some machine-dependent live images (e.g. '_.rpi-sdimg-ota' for Raspberry Pi or '_.porter-sdimg-ota' Renesas Porter board). | 43 | * some machine-dependent live images (e.g. `.rpi-sdimg-ota` for Raspberry Pi or `.porter-sdimg-ota` Renesas Porter board). |
44 | 44 | ||
45 | Although aglsetup.sh hooks provide reasonable defaults for SOTA-related variables, you may want to tune some of them. | 45 | Although `aglsetup.sh` hooks provide reasonable defaults for SOTA-related variables, you may want to tune some of them. |
46 | 46 | ||
47 | === Build problems | 47 | === Build problems |
48 | 48 | ||
@@ -73,7 +73,7 @@ You may take a look into https://github.com/advancedtelematic/meta-updater-minno | |||
73 | 73 | ||
74 | Although we have used U-Boot so far, other boot loaders can be configured work with OSTree as well. | 74 | Although we have used U-Boot so far, other boot loaders can be configured work with OSTree as well. |
75 | 75 | ||
76 | == SOTA-related variables in local.conf | 76 | == SOTA-related variables in `local.conf` |
77 | 77 | ||
78 | * `OSTREE_REPO` - path to your OSTree repository. Defaults to `$\{DEPLOY_DIR_IMAGE}/ostree_repo` | 78 | * `OSTREE_REPO` - path to your OSTree repository. Defaults to `$\{DEPLOY_DIR_IMAGE}/ostree_repo` |
79 | * `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky". | 79 | * `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky". |
@@ -133,20 +133,34 @@ The https://github.com/advancedtelematic/aktualizr[aktualizr repo] contains a to | |||
133 | garage-push --repo=/path/to/ostree-repo --ref=mybranch --credentials=/path/to/credentials.zip | 133 | garage-push --repo=/path/to/ostree-repo --ref=mybranch --credentials=/path/to/credentials.zip |
134 | .... | 134 | .... |
135 | 135 | ||
136 | You can set SOTA_PACKED_CREDENTIALS in your local.conf to make your build results be automatically synchronized with a remote server. Credentials are stored in the JSON format described in the https://github.com/advancedtelematic/aktualizr/blob/master/README.sotatools.adoc[garage-push README]. This JSON file can be optionally stored inside a zip file, although if it is stored this way, the JSON file must be named treehub.json. | 136 | You can set `SOTA_PACKED_CREDENTIALS` in your `local.conf` to automatically synchronize your build results with a remote server. Credentials are stored in an archive as described in the https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[aktualizr documentation]. |
137 | 137 | ||
138 | === QA | 138 | == QA with `oe-selftest` |
139 | 139 | ||
140 | This layer relies on the test framework oe-selftest for quality assurance. Follow the steps below to run the tests: | 140 | This layer relies on the test framework oe-selftest for quality assurance. Follow the steps below to run the tests: |
141 | 141 | ||
142 | * Append the line below to conf/local.conf | 142 | 1. Append the line below to `conf/local.conf` to disable the warning about supported operating systems: |
143 | + | ||
144 | ``` | ||
145 | SANITY_TESTED_DISTROS = "" | ||
146 | ``` | ||
143 | 147 | ||
148 | 2. If your image does not already include an ssh daemon such as dropbear or openssh, add this line to `conf/local.conf` as well: | ||
149 | + | ||
144 | ``` | 150 | ``` |
145 | SANITY_TESTED_DISTROS="" | 151 | IMAGE_INSTALL_append = " dropbear " |
146 | ``` | 152 | ``` |
147 | 153 | ||
148 | * Run oe-selftest: | 154 | 3. To be able to build an image for the grub tests, you will need to install https://github.com/tianocore/tianocore.github.io/wiki/OVMF[TianoCore's ovmf] package on your host system. On Debian-like systems, you can do so with this command: |
155 | + | ||
156 | ``` | ||
157 | sudo apt install ovmf | ||
158 | ``` | ||
149 | 159 | ||
160 | 4. Run oe-selftest: | ||
161 | + | ||
150 | ``` | 162 | ``` |
151 | oe-selftest --run-tests updater | 163 | oe-selftest --run-tests updater |
152 | ``` | 164 | ``` |
165 | |||
166 | For more information about oe-selftest, including details about how to run individual test modules or classes, please refer to the https://wiki.yoctoproject.org/wiki/Oe-selftest[Yocto Project wiki]. | ||
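Review bot: The new QA steps (new lines 143-164) wrap their commands in Markdown-style triple-backtick fences, while the other command blocks in this README use AsciiDoc `....` literal delimiters (for example around `bitbake agl-demo-platform`). Switch the four new blocks to `....` so the file stays consistent. Separately, the rewritten credentials paragraph at new line 136 no longer says that the JSON file inside the zip must be named treehub.json; confirm that the linked credentials document states it.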
diff --git a/classes/image_types_ota.bbclass b/classes/image_types_ota.bbclass index e753e0e..d21441d 100644 --- a/classes/image_types_ota.bbclass +++ b/classes/image_types_ota.bbclass | |||
@@ -32,7 +32,7 @@ calculate_size () { | |||
32 | fi | 32 | fi |
33 | 33 | ||
34 | if [ "$SIZE" -lt "$MIN" ]; then | 34 | if [ "$SIZE" -lt "$MIN" ]; then |
35 | $SIZE=$MIN | 35 | SIZE=$MIN |
36 | fi | 36 | fi |
37 | 37 | ||
38 | SIZE=`expr $SIZE \+ $EXTRA` | 38 | SIZE=`expr $SIZE \+ $EXTRA` |
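Review bot: The assignment fix at line 35 is unrelated to the provisioning tests that make up the rest of this change and would be easier to backport as its own commit. With the old `$SIZE=$MIN` the shell expanded the variable and tried to run the result as a command, so the minimum size was never applied; a one-line mention of that in the commit message would help anyone tracking down image size changes.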
diff --git a/lib/oeqa/selftest/cases/updater.py b/lib/oeqa/selftest/cases/updater.py index 91ac9fc..b544762 100644 --- a/lib/oeqa/selftest/cases/updater.py +++ b/lib/oeqa/selftest/cases/updater.py | |||
@@ -1,6 +1,7 @@ | |||
1 | # pylint: disable=C0111,C0325 | 1 | # pylint: disable=C0111,C0325 |
2 | import os | 2 | import os |
3 | import logging | 3 | import logging |
4 | import re | ||
4 | import subprocess | 5 | import subprocess |
5 | import unittest | 6 | import unittest |
6 | from time import sleep | 7 | from time import sleep |
@@ -20,32 +21,13 @@ class SotaToolsTests(OESelftestTestCase): | |||
20 | bitbake('aktualizr-native') | 21 | bitbake('aktualizr-native') |
21 | 22 | ||
22 | def test_push_help(self): | 23 | def test_push_help(self): |
23 | bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'bindir'], 'aktualizr-native') | 24 | akt_native_run(self, 'garage-push --help') |
24 | p = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir'] + "/" + "garage-push" | ||
25 | self.assertTrue(os.path.isfile(p), msg = "No garage-push found (%s)" % p) | ||
26 | result = runCmd('%s --help' % p, ignore_status=True) | ||
27 | self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output) | ||
28 | 25 | ||
29 | def test_deploy_help(self): | 26 | def test_deploy_help(self): |
30 | bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'bindir'], 'aktualizr-native') | 27 | akt_native_run(self, 'garage-deploy --help') |
31 | p = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir'] + "/" + "garage-deploy" | ||
32 | self.assertTrue(os.path.isfile(p), msg = "No garage-deploy found (%s)" % p) | ||
33 | result = runCmd('%s --help' % p, ignore_status=True) | ||
34 | self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output) | ||
35 | 28 | ||
36 | def test_garagesign_help(self): | 29 | def test_garagesign_help(self): |
37 | bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'bindir'], 'aktualizr-native') | 30 | akt_native_run(self, 'garage-sign --help') |
38 | p = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir'] + "/" + "garage-sign" | ||
39 | self.assertTrue(os.path.isfile(p), msg = "No garage-sign found (%s)" % p) | ||
40 | result = runCmd('%s --help' % p, ignore_status=True) | ||
41 | self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output) | ||
42 | |||
43 | |||
44 | class HsmTests(OESelftestTestCase): | ||
45 | |||
46 | def test_hsm(self): | ||
47 | self.write_config('SOTA_CLIENT_FEATURES="hsm"') | ||
48 | bitbake('core-image-minimal') | ||
49 | 31 | ||
50 | 32 | ||
51 | class GeneralTests(OESelftestTestCase): | 33 | class GeneralTests(OESelftestTestCase): |
@@ -59,6 +41,9 @@ class GeneralTests(OESelftestTestCase): | |||
59 | self.assertNotEqual(result, -1, 'Feature "systemd" not set at DISTRO_FEATURES') | 41 | self.assertNotEqual(result, -1, 'Feature "systemd" not set at DISTRO_FEATURES') |
60 | 42 | ||
61 | def test_credentials(self): | 43 | def test_credentials(self): |
44 | logger = logging.getLogger("selftest") | ||
45 | logger.info('Running bitbake to build core-image-minimal') | ||
46 | self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"') | ||
62 | bitbake('core-image-minimal') | 47 | bitbake('core-image-minimal') |
63 | credentials = get_bb_var('SOTA_PACKED_CREDENTIALS') | 48 | credentials = get_bb_var('SOTA_PACKED_CREDENTIALS') |
64 | # skip the test if the variable SOTA_PACKED_CREDENTIALS is not set | 49 | # skip the test if the variable SOTA_PACKED_CREDENTIALS is not set |
@@ -75,7 +60,8 @@ class GeneralTests(OESelftestTestCase): | |||
75 | 60 | ||
76 | def test_java(self): | 61 | def test_java(self): |
77 | result = runCmd('which java', ignore_status=True) | 62 | result = runCmd('which java', ignore_status=True) |
78 | self.assertEqual(result.status, 0, "Java not found.") | 63 | self.assertEqual(result.status, 0, |
64 | "Java not found. Do you have a JDK installed on your host machine?") | ||
79 | 65 | ||
80 | def test_add_package(self): | 66 | def test_add_package(self): |
81 | print('') | 67 | print('') |
@@ -85,7 +71,7 @@ class GeneralTests(OESelftestTestCase): | |||
85 | logger = logging.getLogger("selftest") | 71 | logger = logging.getLogger("selftest") |
86 | 72 | ||
87 | logger.info('Running bitbake with man in the image package list') | 73 | logger.info('Running bitbake with man in the image package list') |
88 | self.write_config('IMAGE_INSTALL_append = " man "') | 74 | self.append_config('IMAGE_INSTALL_append = " man "') |
89 | bitbake('-c cleanall man') | 75 | bitbake('-c cleanall man') |
90 | bitbake('core-image-minimal') | 76 | bitbake('core-image-minimal') |
91 | result = runCmd('oe-pkgdata-util find-path /usr/bin/man') | 77 | result = runCmd('oe-pkgdata-util find-path /usr/bin/man') |
@@ -95,7 +81,7 @@ class GeneralTests(OESelftestTestCase): | |||
95 | logger.info('First image %s has size %i' % (path1, size1)) | 81 | logger.info('First image %s has size %i' % (path1, size1)) |
96 | 82 | ||
97 | logger.info('Running bitbake without man in the image package list') | 83 | logger.info('Running bitbake without man in the image package list') |
98 | self.write_config('IMAGE_INSTALL_remove = " man "') | 84 | self.append_config('IMAGE_INSTALL_remove = " man "') |
99 | bitbake('-c cleanall man') | 85 | bitbake('-c cleanall man') |
100 | bitbake('core-image-minimal') | 86 | bitbake('core-image-minimal') |
101 | result = runCmd('oe-pkgdata-util find-path /usr/bin/man', ignore_status=True) | 87 | result = runCmd('oe-pkgdata-util find-path /usr/bin/man', ignore_status=True) |
@@ -108,6 +94,46 @@ class GeneralTests(OESelftestTestCase): | |||
108 | self.assertNotEqual(size1, size2, "Image sizes are identical; image was not rebuilt.") | 94 | self.assertNotEqual(size1, size2, "Image sizes are identical; image was not rebuilt.") |
109 | 95 | ||
110 | 96 | ||
97 | class AktualizrToolsTests(OESelftestTestCase): | ||
98 | |||
99 | @classmethod | ||
100 | def setUpClass(cls): | ||
101 | super(AktualizrToolsTests, cls).setUpClass() | ||
102 | logger = logging.getLogger("selftest") | ||
103 | logger.info('Running bitbake to build aktualizr-native tools') | ||
104 | bitbake('aktualizr-native') | ||
105 | |||
106 | def test_implicit_writer_help(self): | ||
107 | akt_native_run(self, 'aktualizr_implicit_writer --help') | ||
108 | |||
109 | def test_cert_provider_help(self): | ||
110 | akt_native_run(self, 'aktualizr_cert_provider --help') | ||
111 | |||
112 | def test_cert_provider_local_output(self): | ||
113 | logger = logging.getLogger("selftest") | ||
114 | logger.info('Running bitbake to build aktualizr-implicit-prov') | ||
115 | bitbake('aktualizr-implicit-prov') | ||
116 | bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS', 'T'], 'aktualizr-native') | ||
117 | creds = bb_vars['SOTA_PACKED_CREDENTIALS'] | ||
118 | temp_dir = bb_vars['T'] | ||
119 | bb_vars_prov = get_bb_vars(['STAGING_DIR_NATIVE', 'libdir'], 'aktualizr-implicit-prov') | ||
120 | config = bb_vars_prov['STAGING_DIR_NATIVE'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov.toml' | ||
121 | |||
122 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -r -l {temp} -g {config}' | ||
123 | .format(creds=creds, temp=temp_dir, config=config)) | ||
124 | |||
125 | # Might be nice if these names weren't hardcoded. | ||
126 | cert_path = temp_dir + '/client.pem' | ||
127 | self.assertTrue(os.path.isfile(cert_path), "Client certificate not found at %s." % cert_path) | ||
128 | self.assertTrue(os.path.getsize(cert_path) > 0, "Client certificate at %s is empty." % cert_path) | ||
129 | pkey_path = temp_dir + '/pkey.pem' | ||
130 | self.assertTrue(os.path.isfile(pkey_path), "Private key not found at %s." % pkey_path) | ||
131 | self.assertTrue(os.path.getsize(pkey_path) > 0, "Private key at %s is empty." % pkey_path) | ||
132 | ca_path = temp_dir + '/root.crt' | ||
133 | self.assertTrue(os.path.isfile(ca_path), "Client certificate not found at %s." % ca_path) | ||
134 | self.assertTrue(os.path.getsize(ca_path) > 0, "Client certificate at %s is empty." % ca_path) | ||
135 | |||
136 | |||
111 | class QemuTests(OESelftestTestCase): | 137 | class QemuTests(OESelftestTestCase): |
112 | 138 | ||
113 | @classmethod | 139 | @classmethod |
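Review bot: In test_cert_provider_local_output the two assertions for ca_path (new lines 133-134) reuse the "Client certificate ..." messages from the cert_path checks, so a missing root.crt would be reported as a missing client certificate; change them to name the root CA certificate. The test also has aktualizr_cert_provider write pkey.pem into the recipe's T directory, and nothing visible in the test removes it afterwards; consider deleting the generated key and certificates once the assertions have run so private key material does not linger in the build tree.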
@@ -118,14 +144,16 @@ class QemuTests(OESelftestTestCase): | |||
118 | @classmethod | 144 | @classmethod |
119 | def tearDownClass(cls): | 145 | def tearDownClass(cls): |
120 | qemu_terminate(cls.s) | 146 | qemu_terminate(cls.s) |
147 | super(QemuTests, cls).tearDownClass() | ||
121 | 148 | ||
122 | def run_command(self, command): | 149 | def qemu_command(self, command): |
123 | return qemu_send_command(self.qemu.ssh_port, command) | 150 | return qemu_send_command(self.qemu.ssh_port, command) |
124 | 151 | ||
125 | def test_hostname(self): | 152 | def test_qemu(self): |
126 | print('') | ||
127 | print('Checking machine name (hostname) of device:') | 153 | print('Checking machine name (hostname) of device:') |
128 | stdout, stderr, retcode = self.run_command('hostname') | 154 | stdout, stderr, retcode = self.qemu_command('hostname') |
155 | self.assertEqual(retcode, 0, "Unable to check hostname. " + | ||
156 | "Is an ssh daemon (such as dropbear or openssh) installed on the device?") | ||
129 | machine = get_bb_var('MACHINE', 'core-image-minimal') | 157 | machine = get_bb_var('MACHINE', 'core-image-minimal') |
130 | self.assertEqual(stderr, b'', 'Error: ' + stderr.decode()) | 158 | self.assertEqual(stderr, b'', 'Error: ' + stderr.decode()) |
131 | # Strip off line ending. | 159 | # Strip off line ending. |
@@ -133,30 +161,15 @@ class QemuTests(OESelftestTestCase): | |||
133 | self.assertEqual(value_str, machine, | 161 | self.assertEqual(value_str, machine, |
134 | 'MACHINE does not match hostname: ' + machine + ', ' + value_str) | 162 | 'MACHINE does not match hostname: ' + machine + ', ' + value_str) |
135 | print(value_str) | 163 | print(value_str) |
136 | |||
137 | def test_var_sota(self): | ||
138 | print('') | ||
139 | print('Checking contents of /var/sota:') | ||
140 | stdout, stderr, retcode = self.run_command('ls /var/sota') | ||
141 | self.assertEqual(stderr, b'', 'Error: ' + stderr.decode()) | ||
142 | self.assertEqual(retcode, 0) | ||
143 | print(stdout.decode()) | ||
144 | |||
145 | def test_aktualizr_info(self): | ||
146 | print('Checking output of aktualizr-info:') | 164 | print('Checking output of aktualizr-info:') |
147 | ran_ok = False | 165 | ran_ok = False |
148 | for delay in [0, 1, 2, 5, 10, 15]: | 166 | for delay in [0, 1, 2, 5, 10, 15]: |
149 | sleep(delay) | 167 | sleep(delay) |
150 | try: | 168 | stdout, stderr, retcode = self.qemu_command('aktualizr-info') |
151 | stdout, stderr, retcode = self.run_command('aktualizr-info') | 169 | if retcode == 0 and stderr == b'': |
152 | if retcode == 0 and stderr == b'': | 170 | ran_ok = True |
153 | ran_ok = True | 171 | break |
154 | break | 172 | self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode()) |
155 | except IOError as e: | ||
156 | print(e) | ||
157 | if not ran_ok: | ||
158 | print(stdout.decode()) | ||
159 | print(stderr.decode()) | ||
160 | 173 | ||
161 | 174 | ||
162 | class GrubTests(OESelftestTestCase): | 175 | class GrubTests(OESelftestTestCase): |
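Review bot: Folding test_var_sota and test_aktualizr_info into test_qemu (new lines 152-172) drops the `ls /var/sota` check without a replacement, and removing the try/except IOError means an exception raised by qemu_command now ends the retry loop instead of moving on to the next delay. If both are intentional, say so in the commit message; otherwise keep the /var/sota assertion in the merged test.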
@@ -178,19 +191,220 @@ class GrubTests(OESelftestTestCase): | |||
178 | runCmd('bitbake-layers remove-layer "%s"' % self.meta_intel, ignore_status=True) | 191 | runCmd('bitbake-layers remove-layer "%s"' % self.meta_intel, ignore_status=True) |
179 | runCmd('bitbake-layers remove-layer "%s"' % self.meta_minnow, ignore_status=True) | 192 | runCmd('bitbake-layers remove-layer "%s"' % self.meta_minnow, ignore_status=True) |
180 | 193 | ||
194 | def qemu_command(self, command): | ||
195 | return qemu_send_command(self.qemu.ssh_port, command) | ||
196 | |||
181 | def test_grub(self): | 197 | def test_grub(self): |
182 | print('') | 198 | print('') |
183 | print('Checking machine name (hostname) of device:') | 199 | print('Checking machine name (hostname) of device:') |
184 | value, err, retcode = qemu_send_command(self.qemu.ssh_port, 'hostname') | 200 | stdout, stderr, retcode = self.qemu_command('hostname') |
201 | self.assertEqual(retcode, 0, "Unable to check hostname. " + | ||
202 | "Is an ssh daemon (such as dropbear or openssh) installed on the device?") | ||
203 | machine = get_bb_var('MACHINE', 'core-image-minimal') | ||
204 | self.assertEqual(stderr, b'', 'Error: ' + stderr.decode()) | ||
205 | # Strip off line ending. | ||
206 | value = stdout.decode()[:-1] | ||
207 | self.assertEqual(value, machine, | ||
208 | 'MACHINE does not match hostname: ' + machine + ', ' + value + | ||
209 | '\nIs TianoCore ovmf installed on your host machine?') | ||
210 | print(value) | ||
211 | print('Checking output of aktualizr-info:') | ||
212 | ran_ok = False | ||
213 | for delay in [0, 1, 2, 5, 10, 15]: | ||
214 | sleep(delay) | ||
215 | stdout, stderr, retcode = self.qemu_command('aktualizr-info') | ||
216 | if retcode == 0 and stderr == b'': | ||
217 | ran_ok = True | ||
218 | break | ||
219 | self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode()) | ||
220 | |||
221 | |||
222 | class ImplProvTests(OESelftestTestCase): | ||
223 | |||
224 | def setUpLocal(self): | ||
225 | self.append_config('SOTA_CLIENT_PROV = " aktualizr-implicit-prov "') | ||
226 | # note: this will build aktualizr-native as a side-effect | ||
227 | self.qemu, self.s = qemu_launch(machine='qemux86-64') | ||
228 | |||
229 | def tearDownLocal(self): | ||
230 | qemu_terminate(self.s) | ||
231 | |||
232 | def qemu_command(self, command): | ||
233 | return qemu_send_command(self.qemu.ssh_port, command) | ||
234 | |||
235 | def test_provisioning(self): | ||
236 | print('Checking machine name (hostname) of device:') | ||
237 | stdout, stderr, retcode = self.qemu_command('hostname') | ||
238 | self.assertEqual(retcode, 0, "Unable to check hostname. " + | ||
239 | "Is an ssh daemon (such as dropbear or openssh) installed on the device?") | ||
240 | machine = get_bb_var('MACHINE', 'core-image-minimal') | ||
241 | self.assertEqual(stderr, b'', 'Error: ' + stderr.decode()) | ||
242 | # Strip off line ending. | ||
243 | value_str = stdout.decode()[:-1] | ||
244 | self.assertEqual(value_str, machine, | ||
245 | 'MACHINE does not match hostname: ' + machine + ', ' + value_str) | ||
246 | print(value_str) | ||
247 | print('Checking output of aktualizr-info:') | ||
248 | ran_ok = False | ||
249 | for delay in [0, 1, 2, 5, 10, 15]: | ||
250 | stdout, stderr, retcode = self.qemu_command('aktualizr-info') | ||
251 | if retcode == 0 and stderr == b'': | ||
252 | ran_ok = True | ||
253 | break | ||
254 | self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode()) | ||
255 | # Verify that device has NOT yet provisioned. | ||
256 | self.assertIn(b'Couldn\'t load device ID', stdout, | ||
257 | 'Device already provisioned!? ' + stderr.decode() + stdout.decode()) | ||
258 | self.assertIn(b'Couldn\'t load ECU serials', stdout, | ||
259 | 'Device already provisioned!? ' + stderr.decode() + stdout.decode()) | ||
260 | self.assertIn(b'Provisioned on server: no', stdout, | ||
261 | 'Device already provisioned!? ' + stderr.decode() + stdout.decode()) | ||
262 | self.assertIn(b'Fetched metadata: no', stdout, | ||
263 | 'Device already provisioned!? ' + stderr.decode() + stdout.decode()) | ||
264 | |||
265 | # Run cert_provider. | ||
266 | bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native') | ||
267 | creds = bb_vars['SOTA_PACKED_CREDENTIALS'] | ||
268 | bb_vars_prov = get_bb_vars(['STAGING_DIR_NATIVE', 'libdir'], 'aktualizr-implicit-prov') | ||
269 | config = bb_vars_prov['STAGING_DIR_NATIVE'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov.toml' | ||
270 | |||
271 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -s -g {config}' | ||
272 | .format(creds=creds, port=self.qemu.ssh_port, config=config)) | ||
273 | |||
274 | # Verify that device HAS provisioned. | ||
275 | ran_ok = False | ||
276 | for delay in [5, 5, 5, 5, 10]: | ||
277 | sleep(delay) | ||
278 | stdout, stderr, retcode = self.qemu_command('aktualizr-info') | ||
279 | if retcode == 0 and stderr == b'' and stdout.decode().find('Fetched metadata: yes') >= 0: | ||
280 | ran_ok = True | ||
281 | break | ||
282 | self.assertIn(b'Device ID: ', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode()) | ||
283 | self.assertIn(b'Primary ecu hardware ID: qemux86-64', stdout, | ||
284 | 'Provisioning failed: ' + stderr.decode() + stdout.decode()) | ||
285 | self.assertIn(b'Fetched metadata: yes', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode()) | ||
286 | p = re.compile(r'Device ID: ([a-z0-9-]*)\n') | ||
287 | m = p.search(stdout.decode()) | ||
288 | self.assertTrue(m, 'Device ID could not be read: ' + stderr.decode() + stdout.decode()) | ||
289 | self.assertGreater(m.lastindex, 0, 'Device ID could not be read: ' + stderr.decode() + stdout.decode()) | ||
290 | logger = logging.getLogger("selftest") | ||
291 | logger.info('Device successfully provisioned with ID: ' + m.group(1)) | ||
292 | |||
293 | |||
294 | class HsmTests(OESelftestTestCase): | ||
295 | |||
296 | def setUpLocal(self): | ||
297 | self.append_config('SOTA_CLIENT_PROV = "aktualizr-hsm-prov"') | ||
298 | self.append_config('SOTA_CLIENT_FEATURES = "hsm"') | ||
299 | # note: this will build aktualizr-native as a side-effect | ||
300 | self.qemu, self.s = qemu_launch(machine='qemux86-64') | ||
301 | |||
302 | def tearDownLocal(self): | ||
303 | qemu_terminate(self.s) | ||
304 | |||
305 | def qemu_command(self, command): | ||
306 | return qemu_send_command(self.qemu.ssh_port, command) | ||
307 | |||
308 | def test_provisioning(self): | ||
309 | print('Checking machine name (hostname) of device:') | ||
310 | stdout, stderr, retcode = self.qemu_command('hostname') | ||
311 | self.assertEqual(retcode, 0, "Unable to check hostname. " + | ||
312 | "Is an ssh daemon (such as dropbear or openssh) installed on the device?") | ||
185 | machine = get_bb_var('MACHINE', 'core-image-minimal') | 313 | machine = get_bb_var('MACHINE', 'core-image-minimal') |
186 | self.assertEqual(err, b'', 'Error: ' + err.decode()) | 314 | self.assertEqual(stderr, b'', 'Error: ' + stderr.decode()) |
187 | self.assertEqual(retcode, 0) | ||
188 | # Strip off line ending. | 315 | # Strip off line ending. |
189 | value_str = value.decode()[:-1] | 316 | value_str = stdout.decode()[:-1] |
190 | self.assertEqual(value_str, machine, | 317 | self.assertEqual(value_str, machine, |
191 | 'MACHINE does not match hostname: ' + machine + ', ' + value_str + | 318 | 'MACHINE does not match hostname: ' + machine + ', ' + value_str + |
192 | '\nIs tianocore ovmf installed?') | 319 | '\nIs tianocore ovmf installed?') |
193 | print(value_str) | 320 | print(value_str) |
321 | print('Checking output of aktualizr-info:') | ||
322 | ran_ok = False | ||
323 | for delay in [0, 1, 2, 5, 10, 15]: | ||
324 | stdout, stderr, retcode = self.qemu_command('aktualizr-info') | ||
325 | if retcode == 0 and stderr == b'': | ||
326 | ran_ok = True | ||
327 | break | ||
328 | self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode()) | ||
329 | # Verify that device has NOT yet provisioned. | ||
330 | self.assertIn(b'Couldn\'t load device ID', stdout, | ||
331 | 'Device already provisioned!? ' + stderr.decode() + stdout.decode()) | ||
332 | self.assertIn(b'Couldn\'t load ECU serials', stdout, | ||
333 | 'Device already provisioned!? ' + stderr.decode() + stdout.decode()) | ||
334 | self.assertIn(b'Provisioned on server: no', stdout, | ||
335 | 'Device already provisioned!? ' + stderr.decode() + stdout.decode()) | ||
336 | self.assertIn(b'Fetched metadata: no', stdout, | ||
337 | 'Device already provisioned!? ' + stderr.decode() + stdout.decode()) | ||
338 | |||
339 | # Verify that HSM is not yet initialized. | ||
340 | pkcs11_command = 'pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so -O' | ||
341 | stdout, stderr, retcode = self.qemu_command(pkcs11_command) | ||
342 | self.assertNotEqual(retcode, 0, 'pkcs11-tool succeeded before initialization: ' + | ||
343 | stdout.decode() + stderr.decode()) | ||
344 | softhsm2_command = 'softhsm2-util --show-slots' | ||
345 | stdout, stderr, retcode = self.qemu_command(softhsm2_command) | ||
346 | self.assertNotEqual(retcode, 0, 'softhsm2-tool succeeded before initialization: ' + | ||
347 | stdout.decode() + stderr.decode()) | ||
348 | |||
349 | # Run cert_provider. | ||
350 | bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native') | ||
351 | creds = bb_vars['SOTA_PACKED_CREDENTIALS'] | ||
352 | bb_vars_prov = get_bb_vars(['STAGING_DIR_NATIVE', 'libdir'], 'aktualizr-hsm-prov') | ||
353 | config = bb_vars_prov['STAGING_DIR_NATIVE'] + bb_vars_prov['libdir'] + '/sota/sota_hsm_prov.toml' | ||
354 | |||
355 | akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -r -s -g {config}' | ||
356 | .format(creds=creds, port=self.qemu.ssh_port, config=config)) | ||
357 | |||
358 | # Verify that HSM is able to initialize. | ||
359 | ran_ok = False | ||
360 | for delay in [5, 5, 5, 5, 10]: | ||
361 | sleep(delay) | ||
362 | p11_out, p11_err, p11_ret = self.qemu_command(pkcs11_command) | ||
363 | hsm_out, hsm_err, hsm_ret = self.qemu_command(softhsm2_command) | ||
364 | if p11_ret == 0 and hsm_ret == 0 and hsm_err == b'': | ||
365 | ran_ok = True | ||
366 | break | ||
367 | self.assertTrue(ran_ok, 'pkcs11-tool or softhsm2-tool failed: ' + p11_err.decode() + | ||
368 | p11_out.decode() + hsm_err.decode() + hsm_out.decode()) | ||
369 | self.assertIn(b'present token', p11_err, 'pkcs11-tool failed: ' + p11_err.decode() + p11_out.decode()) | ||
370 | self.assertIn(b'X.509 cert', p11_out, 'pkcs11-tool failed: ' + p11_err.decode() + p11_out.decode()) | ||
371 | self.assertIn(b'Initialized: yes', hsm_out, 'softhsm2-tool failed: ' + | ||
372 | hsm_err.decode() + hsm_out.decode()) | ||
373 | self.assertIn(b'User PIN init.: yes', hsm_out, 'softhsm2-tool failed: ' + | ||
374 | hsm_err.decode() + hsm_out.decode()) | ||
375 | |||
376 | # Check that pkcs11 output matches sofhsm output. | ||
377 | p11_p = re.compile(r'Using slot [0-9] with a present token \((0x[0-9a-f]*)\)\s') | ||
378 | p11_m = p11_p.search(p11_err.decode()) | ||
379 | self.assertTrue(p11_m, 'Slot number not found with pkcs11-tool: ' + p11_err.decode() + p11_out.decode()) | ||
380 | self.assertGreater(p11_m.lastindex, 0, 'Slot number not found with pkcs11-tool: ' + | ||
381 | p11_err.decode() + p11_out.decode()) | ||
382 | hsm_p = re.compile(r'Description:\s*SoftHSM slot ID (0x[0-9a-f]*)\s') | ||
383 | hsm_m = hsm_p.search(hsm_out.decode()) | ||
384 | self.assertTrue(hsm_m, 'Slot number not found with softhsm2-tool: ' + hsm_err.decode() + hsm_out.decode()) | ||
385 | self.assertGreater(hsm_m.lastindex, 0, 'Slot number not found with softhsm2-tool: ' + | ||
386 | hsm_err.decode() + hsm_out.decode()) | ||
387 | self.assertEqual(p11_m.group(1), hsm_m.group(1), 'Slot number does not match: ' + | ||
388 | p11_err.decode() + p11_out.decode() + hsm_err.decode() + hsm_out.decode()) | ||
389 | |||
390 | # Verify that device HAS provisioned. | ||
391 | ran_ok = False | ||
392 | for delay in [5, 5, 5, 5, 10]: | ||
393 | sleep(delay) | ||
394 | stdout, stderr, retcode = self.qemu_command('aktualizr-info') | ||
395 | if retcode == 0 and stderr == b'' and stdout.decode().find('Fetched metadata: yes') >= 0: | ||
396 | ran_ok = True | ||
397 | break | ||
398 | self.assertIn(b'Device ID: ', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode()) | ||
399 | self.assertIn(b'Primary ecu hardware ID: qemux86-64', stdout, | ||
400 | 'Provisioning failed: ' + stderr.decode() + stdout.decode()) | ||
401 | self.assertIn(b'Fetched metadata: yes', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode()) | ||
402 | p = re.compile(r'Device ID: ([a-z0-9-]*)\n') | ||
403 | m = p.search(stdout.decode()) | ||
404 | self.assertTrue(m, 'Device ID could not be read: ' + stderr.decode() + stdout.decode()) | ||
405 | self.assertGreater(m.lastindex, 0, 'Device ID could not be read: ' + stderr.decode() + stdout.decode()) | ||
406 | logger = logging.getLogger("selftest") | ||
407 | logger.info('Device successfully provisioned with ID: ' + m.group(1)) | ||
194 | 408 | ||
195 | 409 | ||
196 | def qemu_launch(efi=False, machine=None): | 410 | def qemu_launch(efi=False, machine=None): |
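Review bot: In the final "Verify that device HAS provisioned" loop, `ran_ok` is set but never asserted, so a non-zero `retcode` or non-empty `stderr` from `aktualizr-info` on the last attempt passes unnoticed as long as stdout contains the expected strings. Add `self.assertTrue(ran_ok, ...)` after the loop, as the HSM initialization loop above it does. Two smaller points in the same block: the pattern `Using slot [0-9]` matches only a single-digit slot index, and the failure messages name `softhsm2-tool` while the command that runs is `softhsm2-util`.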
@@ -220,12 +434,14 @@ def qemu_launch(efi=False, machine=None): | |||
220 | sleep(10) | 434 | sleep(10) |
221 | return qemu, s | 435 | return qemu, s |
222 | 436 | ||
437 | |||
223 | def qemu_terminate(s): | 438 | def qemu_terminate(s): |
224 | try: | 439 | try: |
225 | s.terminate() | 440 | s.terminate() |
226 | except KeyboardInterrupt: | 441 | except KeyboardInterrupt: |
227 | pass | 442 | pass |
228 | 443 | ||
444 | |||
229 | def qemu_send_command(port, command): | 445 | def qemu_send_command(port, command): |
230 | command = ['ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost -p ' + | 446 | command = ['ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost -p ' + |
231 | str(port) + ' "' + command + '"'] | 447 | str(port) + ' "' + command + '"'] |
@@ -233,4 +449,27 @@ def qemu_send_command(port, command): | |||
233 | stdout, stderr = s2.communicate() | 449 | stdout, stderr = s2.communicate() |
234 | return stdout, stderr, s2.returncode | 450 | return stdout, stderr, s2.returncode |
235 | 451 | ||
452 | |||
453 | def akt_native_run(testInst, cmd, **kwargs): | ||
454 | # run a command supplied by aktualizr-native and checks that: | ||
455 | # - the executable exists | ||
456 | # - the command runs without error | ||
457 | # NOTE: the base test class must have built aktualizr-native (in | ||
458 | # setUpClass, for example) | ||
459 | bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'base_prefix', 'libdir', 'bindir'], | ||
460 | 'aktualizr-native') | ||
461 | sysroot = bb_vars['SYSROOT_DESTDIR'] + bb_vars['base_prefix'] | ||
462 | sysrootbin = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir'] | ||
463 | libdir = bb_vars['libdir'] | ||
464 | |||
465 | program, *_ = cmd.split(' ') | ||
466 | p = '{}/{}'.format(sysrootbin, program) | ||
467 | testInst.assertTrue(os.path.isfile(p), msg="No {} found ({})".format(program, p)) | ||
468 | env = dict(os.environ) | ||
469 | env['LD_LIBRARY_PATH'] = libdir | ||
470 | result = runCmd(cmd, env=env, native_sysroot=sysroot, ignore_status=True, **kwargs) | ||
471 | testInst.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output) | ||
472 | |||
473 | |||
474 | |||
236 | # vim:set ts=4 sw=4 sts=4 expandtab: | 475 | # vim:set ts=4 sw=4 sts=4 expandtab: |
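Review bot: In `akt_native_run`, `LD_LIBRARY_PATH` is set to the bare `libdir` value, while `sysrootbin` two lines earlier is prefixed with `SYSROOT_DESTDIR`; if the intent is to load the libraries built with aktualizr-native, the path needs the same sysroot prefix, otherwise the loader searches the build host's own library directory. Also, the `os.path.isfile` check looks in `sysrootbin`, but `runCmd` resolves the program through `native_sysroot`, so the file that was checked is not necessarily the one that runs; a short comment stating that both resolve to the same binary would help. `cmd.split(' ')` takes the program name correctly only when the command has no leading whitespace, and the trailing three blank lines should be two.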
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb new file mode 100644 index 0000000..51e313d --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb | |||
@@ -0,0 +1,72 @@ | |||
1 | SUMMARY = "Aktualizr configuration for implicit provisioning with CA" | ||
2 | DESCRIPTION = "Systemd service and configurations for implicitly provisioning Aktualizr using externally provided or generated CA" | ||
3 | |||
4 | # WARNING: it is NOT a production solution. The secure way to provision devices is to create certificate request directly on the device | ||
5 | # (either with HSM/TPM or with software) and then sign it with a CA stored on a disconnected machine | ||
6 | |||
7 | HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" | ||
8 | SECTION = "base" | ||
9 | LICENSE = "MPL-2.0" | ||
10 | LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3" | ||
11 | |||
12 | DEPENDS = "aktualizr-native openssl-native" | ||
13 | RDEPENDS_${PN} = "aktualizr" | ||
14 | |||
15 | SRC_URI = " \ | ||
16 | file://LICENSE \ | ||
17 | file://ca.cnf \ | ||
18 | " | ||
19 | PV = "1.0" | ||
20 | PR = "1" | ||
21 | |||
22 | require environment.inc | ||
23 | require credentials.inc | ||
24 | |||
25 | export SOTA_CACERT_PATH | ||
26 | export SOTA_CAKEY_PATH | ||
27 | |||
28 | do_install() { | ||
29 | install -d ${D}${libdir}/sota | ||
30 | |||
31 | if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then | ||
32 | bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning" | ||
33 | fi | ||
34 | |||
35 | if [ -z ${SOTA_CACERT_PATH} ]; then | ||
36 | SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem | ||
37 | SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem | ||
38 | mkdir -p ${DEPLOY_DIR_IMAGE}/CA | ||
39 | bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH" | ||
40 | |||
41 | if [ ! -f ${SOTA_CACERT_PATH} ]; then | ||
42 | bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" | ||
43 | SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")" | ||
44 | openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 | ||
45 | openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert | ||
46 | bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" | ||
47 | fi | ||
48 | fi | ||
49 | |||
50 | if [ -z ${SOTA_CAKEY_PATH} ]; then | ||
51 | bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning" | ||
52 | fi | ||
53 | |||
54 | install -d ${D}${libdir}/sota | ||
55 | install -d ${D}${localstatedir}/sota | ||
56 | install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_implicit_prov_ca.toml ${D}${libdir}/sota/sota.toml | ||
57 | aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \ | ||
58 | --device-ca ${SOTA_CACERT_PATH} \ | ||
59 | --device-ca-key ${SOTA_CAKEY_PATH} \ | ||
60 | --root-ca \ | ||
61 | --server-url \ | ||
62 | --local ${D}${localstatedir}/sota \ | ||
63 | --config ${D}${libdir}/sota/sota.toml | ||
64 | } | ||
65 | |||
66 | FILES_${PN} = " \ | ||
67 | ${localstatedir}/sota/* \ | ||
68 | ${libdir}/sota/sota.toml \ | ||
69 | ${libdir}/sota/root.crt \ | ||
70 | " | ||
71 | |||
72 | # vim:set ts=4 sw=4 sts=4 expandtab: | ||
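Review bot: Both `bberror` calls in `do_install` (empty `SOTA_PACKED_CREDENTIALS`, empty `SOTA_CAKEY_PATH`) only log; the function keeps going and reaches `aktualizr_cert_provider` with empty `--credentials` or `--device-ca-key` arguments. Use `bbfatal` so the task stops at the missing input. The tests `[ -z ${SOTA_CACERT_PATH} ]`, `[ -z ${SOTA_CAKEY_PATH} ]` and `[ ! -f ${SOTA_CACERT_PATH} ]` should quote the variable. In the default branch only `cacert.pem` is checked for existence, so a deploy directory holding the certificate without `ca.private.pem` is not caught before signing, and the generated CA private key lands in `${DEPLOY_DIR_IMAGE}/CA` with default permissions; given the WARNING comment at the top, an explicit restrictive mode on that key file and a `bbwarn` naming its location would make the exposure visible to whoever publishes the deploy directory. `install -d ${D}${libdir}/sota` appears twice.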
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index bed656a..4c4e975 100644 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb | |||
@@ -6,11 +6,10 @@ LICENSE = "MPL-2.0" | |||
6 | LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=9741c346eef56131163e13b9db1241b3" | 6 | LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=9741c346eef56131163e13b9db1241b3" |
7 | 7 | ||
8 | DEPENDS = "boost curl openssl libarchive libsodium asn1c-native " | 8 | DEPENDS = "boost curl openssl libarchive libsodium asn1c-native " |
9 | DEPENDS_append_class-target = "jansson ostree ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' libp11', '', d)} " | 9 | DEPENDS_append_class-target = "ostree ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' libp11', '', d)} " |
10 | DEPENDS_append_class-native = "glib-2.0-native " | 10 | DEPENDS_append_class-native = "glib-2.0-native " |
11 | 11 | ||
12 | RDEPENDS_${PN}_class-target = "lshw " | 12 | RDEPENDS_${PN}_class-target = "lshw " |
13 | RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' engine-pkcs11', '', d)} " | ||
14 | RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} " | 13 | RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} " |
15 | 14 | ||
16 | PV = "1.0+git${SRCPV}" | 15 | PV = "1.0+git${SRCPV}" |
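Review bot: The `hsm` feature loses its runtime dependency on `engine-pkcs11` here, and `jansson` is dropped from the target `DEPENDS`, with nothing in the recipe saying what replaces them. Please state in the commit message or a recipe comment which package now provides the PKCS#11 engine at runtime for `SOTA_CLIENT_FEATURES` containing `hsm`, and that the new `SRCREV` no longer links against jansson, so a later reader does not restore either line.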
@@ -21,7 +20,7 @@ SRC_URI = " \ | |||
21 | file://aktualizr.service \ | 20 | file://aktualizr.service \ |
22 | file://aktualizr-serialcan.service \ | 21 | file://aktualizr-serialcan.service \ |
23 | " | 22 | " |
24 | SRCREV = "32a04532c1b7434b9cab89b78df389059ac45d40" | 23 | SRCREV = "1a6432175b9fb7326173e8db35d326cc1a1011a1" |
25 | BRANCH ?= "master" | 24 | BRANCH ?= "master" |
26 | 25 | ||
27 | S = "${WORKDIR}/git" | 26 | S = "${WORKDIR}/git" |
@@ -38,10 +37,10 @@ EXTRA_OECMAKE_append_class-target = " -DBUILD_OSTREE=ON -DBUILD_ISOTP=ON ${@bb.u | |||
38 | EXTRA_OECMAKE_append_class-native = " -DBUILD_SOTA_TOOLS=ON -DBUILD_OSTREE=OFF " | 37 | EXTRA_OECMAKE_append_class-native = " -DBUILD_SOTA_TOOLS=ON -DBUILD_OSTREE=OFF " |
39 | 38 | ||
40 | do_install_append () { | 39 | do_install_append () { |
41 | rm -f ${D}${bindir}/aktualizr_cert_provider | ||
42 | rm -fr ${D}${libdir}/systemd | 40 | rm -fr ${D}${libdir}/systemd |
43 | } | 41 | } |
44 | do_install_append_class-target () { | 42 | do_install_append_class-target () { |
43 | rm -f ${D}${bindir}/aktualizr_cert_provider | ||
45 | rm -f ${D}${bindir}/aktualizr_implicit_writer | 44 | rm -f ${D}${bindir}/aktualizr_implicit_writer |
46 | rm -f ${D}${libdir}/sota/sota.toml | 45 | rm -f ${D}${libdir}/sota/sota.toml |
47 | ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', '', 'rm -f ${D}${bindir}/example-interface', d)} | 46 | ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', '', 'rm -f ${D}${bindir}/example-interface', d)} |
@@ -51,6 +50,7 @@ do_install_append_class-target () { | |||
51 | aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)} | 50 | aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)} |
52 | install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service | 51 | install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service |
53 | } | 52 | } |
53 | |||
54 | do_install_append_class-native () { | 54 | do_install_append_class-native () { |
55 | rm -f ${D}${bindir}/aktualizr | 55 | rm -f ${D}${bindir}/aktualizr |
56 | rm -f ${D}${bindir}/aktualizr-info | 56 | rm -f ${D}${bindir}/aktualizr-info |
@@ -59,6 +59,7 @@ do_install_append_class-native () { | |||
59 | install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml | 59 | install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml |
60 | install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml | 60 | install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml |
61 | install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml | 61 | install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml |
62 | install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml | ||
62 | 63 | ||
63 | install -m 0755 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/bin/* ${D}${bindir} | 64 | install -m 0755 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/bin/* ${D}${bindir} |
64 | install -m 0644 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/lib/* ${D}${libdir} | 65 | install -m 0644 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/lib/* ${D}${libdir} |
@@ -77,6 +78,7 @@ FILES_${PN}_class-target = " \ | |||
77 | FILES_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', ' ${bindir}/example-interface', '', d)} " | 78 | FILES_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', ' ${bindir}/example-interface', '', d)} " |
78 | FILES_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-isotp-example', ' ${bindir}/isotp-test-interface', '', d)} " | 79 | FILES_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-isotp-example', ' ${bindir}/isotp-test-interface', '', d)} " |
79 | FILES_${PN}_class-native = " \ | 80 | FILES_${PN}_class-native = " \ |
81 | ${bindir}/aktualizr_cert_provider \ | ||
80 | ${bindir}/aktualizr_implicit_writer \ | 82 | ${bindir}/aktualizr_implicit_writer \ |
81 | ${bindir}/garage-deploy \ | 83 | ${bindir}/garage-deploy \ |
82 | ${bindir}/garage-push \ | 84 | ${bindir}/garage-push \ |
diff --git a/recipes-sota/aktualizr/files/ca.cnf b/recipes-sota/aktualizr/files/ca.cnf new file mode 100644 index 0000000..352ec38 --- /dev/null +++ b/recipes-sota/aktualizr/files/ca.cnf | |||
@@ -0,0 +1,10 @@ | |||
1 | [req] | ||
2 | req_extensions = cacert | ||
3 | distinguished_name = req_distinguished_name | ||
4 | |||
5 | [req_distinguished_name] | ||
6 | |||
7 | [cacert] | ||
8 | basicConstraints = critical,CA:true | ||
9 | keyUsage = keyCertSign | ||
10 | |||
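Review bot: In the `[cacert]` section, `basicConstraints = critical,CA:true` sets no path length and `keyUsage = keyCertSign` is neither critical nor includes `cRLSign`. Since this CA signs device certificates directly, `pathlen:0` would stop anything it issues from acting as a further CA, and marking `keyUsage` critical makes verifiers enforce it; add `cRLSign` only if revoking device certificates through a CRL is planned. Note also that `req_extensions` applies to certificate requests, while the recipe selects this section through `-extensions cacert` together with `-x509`, so that key has no effect in this flow.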
diff --git a/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch b/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch index 0538eff..bd233ee 100644 --- a/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch +++ b/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch | |||
@@ -17,7 +17,7 @@ index 45d5ad3..75625e6 100644 | |||
17 | 17 | ||
18 | -#if OPENSSL_VERSION_NUMBER < 0x100020d0L || defined(LIBRESSL_VERSION_NUMBER) | 18 | -#if OPENSSL_VERSION_NUMBER < 0x100020d0L || defined(LIBRESSL_VERSION_NUMBER) |
19 | -static void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, | 19 | -static void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, |
20 | +#if OPENSSL_VERSION_NUMBER <= 0x100020e0L || defined(LIBRESSL_VERSION_NUMBER) | 20 | +#if OPENSSL_VERSION_NUMBER < 0x100020f0L || defined(LIBRESSL_VERSION_NUMBER) |
21 | + | 21 | + |
22 | +# if (OPENSSL_VERSION_NUMBER & 0xFFFFFFF0) == 0x100020d0L | 22 | +# if (OPENSSL_VERSION_NUMBER & 0xFFFFFFF0) == 0x100020d0L |
23 | +# undef EVP_PKEY_meth_get_sign | 23 | +# undef EVP_PKEY_meth_get_sign |
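Review bot: The outer guard changes from `<= 0x100020e0L` to `< 0x100020f0L`, which now takes in the 1.0.2n release value (0x100020efL), but the inner check `(OPENSSL_VERSION_NUMBER & 0xFFFFFFF0) == 0x100020d0L` still matches 1.0.2m only. Please say in the patch description whether 1.0.2n needs the same `#undef EVP_PKEY_meth_get_sign` treatment or only the fallback definition, and update the patch file name and subject, which still mention 1.0.2m alone.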
diff --git a/recipes-support/libp11/libp11_0.4.7.bb b/recipes-support/libp11/libp11_0.4.7.bb index 7a93102..02d9e50 100644 --- a/recipes-support/libp11/libp11_0.4.7.bb +++ b/recipes-support/libp11/libp11_0.4.7.bb | |||
@@ -7,6 +7,7 @@ SECTION = "Development/Libraries" | |||
7 | LICENSE = "LGPLv2+" | 7 | LICENSE = "LGPLv2+" |
8 | LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29" | 8 | LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29" |
9 | DEPENDS = "libtool openssl" | 9 | DEPENDS = "libtool openssl" |
10 | RDEPENDS_${PN} += " opensc" | ||
10 | 11 | ||
11 | SRC_URI = "git://github.com/OpenSC/libp11.git \ | 12 | SRC_URI = "git://github.com/OpenSC/libp11.git \ |
12 | file://0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch" | 13 | file://0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch" |
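Review bot: `RDEPENDS_${PN} += " opensc"` makes every image that installs libp11 also carry OpenSC, and the only visible consumer in this change is the selftest, which calls `pkcs11-tool`. If the tool is needed only for testing, attach the dependency to the test image or make it conditional, so production images do not ship an extra PKCS#11 utility with access to the token; if libp11 needs it at runtime, add a comment saying why.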