summaryrefslogtreecommitdiffstats
path: root/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-sota/aktualizr/aktualizr-device-prov-creds.bb')
-rw-r--r--recipes-sota/aktualizr/aktualizr-device-prov-creds.bb67
1 files changed, 0 insertions, 67 deletions
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
deleted file mode 100644
index a3c7d66..0000000
--- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
+++ /dev/null
@@ -1,67 +0,0 @@
1SUMMARY = "Credentials for device provisioning with fleet CA certificate"
2HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
3SECTION = "base"
4LICENSE = "MPL-2.0"
5LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
6
7inherit allarch
8
9# WARNING: This is NOT an ideal solution. The secure way to provision devices
10# is to create certificate request directly on the device (either with HSM/TPM
11# or with software) and then sign it with a CA stored on a disconnected machine.
12
13# We need to get the config files from the aktualizr-host-tools package built by
14# the aktualizr (target) recipe.
15DEPENDS = "aktualizr aktualizr-native openssl-native"
16ALLOW_EMPTY_${PN} = "1"
17
18# If the config file from aktualizr used here is changed, you will need to bump
19# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
20PV = "1.0"
21PR = "1"
22
23SRC_URI = " \
24 file://ca.cnf \
25 "
26
27require credentials.inc
28
29export SOTA_CACERT_PATH
30export SOTA_CAKEY_PATH
31
32do_install() {
33 if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
34 if [ -z ${SOTA_CACERT_PATH} ]; then
35 SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
36 SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
37 mkdir -p ${DEPLOY_DIR_IMAGE}/CA
38 bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
39
40 if [ ! -f ${SOTA_CACERT_PATH} ]; then
41 bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
42 SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
43 openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
44 openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
45 bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
46 fi
47 fi
48
49 if [ -z ${SOTA_CAKEY_PATH} ]; then
50 bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
51 fi
52
53 install -m 0700 -d ${D}${localstatedir}/sota
54 aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
55 --fleet-ca ${SOTA_CACERT_PATH} \
56 --fleet-ca-key ${SOTA_CAKEY_PATH} \
57 --root-ca \
58 --server-url \
59 --local ${D} \
60 --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
61 fi
62}
63
64FILES_${PN} = " \
65 ${localstatedir}/sota/*"
66
67# vim:set ts=4 sw=4 sts=4 expandtab: