diff options
Diffstat (limited to 'recipes-sota/aktualizr/aktualizr-device-prov-creds.bb')
-rw-r--r-- | recipes-sota/aktualizr/aktualizr-device-prov-creds.bb | 67 |
1 files changed, 0 insertions, 67 deletions
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb deleted file mode 100644 index a3c7d66..0000000 --- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb +++ /dev/null | |||
@@ -1,67 +0,0 @@ | |||
1 | SUMMARY = "Credentials for device provisioning with fleet CA certificate" | ||
2 | HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" | ||
3 | SECTION = "base" | ||
4 | LICENSE = "MPL-2.0" | ||
5 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" | ||
6 | |||
7 | inherit allarch | ||
8 | |||
9 | # WARNING: This is NOT an ideal solution. The secure way to provision devices | ||
10 | # is to create certificate request directly on the device (either with HSM/TPM | ||
11 | # or with software) and then sign it with a CA stored on a disconnected machine. | ||
12 | |||
13 | # We need to get the config files from the aktualizr-host-tools package built by | ||
14 | # the aktualizr (target) recipe. | ||
15 | DEPENDS = "aktualizr aktualizr-native openssl-native" | ||
16 | ALLOW_EMPTY_${PN} = "1" | ||
17 | |||
18 | # If the config file from aktualizr used here is changed, you will need to bump | ||
19 | # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! | ||
20 | PV = "1.0" | ||
21 | PR = "1" | ||
22 | |||
23 | SRC_URI = " \ | ||
24 | file://ca.cnf \ | ||
25 | " | ||
26 | |||
27 | require credentials.inc | ||
28 | |||
29 | export SOTA_CACERT_PATH | ||
30 | export SOTA_CAKEY_PATH | ||
31 | |||
32 | do_install() { | ||
33 | if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then | ||
34 | if [ -z ${SOTA_CACERT_PATH} ]; then | ||
35 | SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem | ||
36 | SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem | ||
37 | mkdir -p ${DEPLOY_DIR_IMAGE}/CA | ||
38 | bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}" | ||
39 | |||
40 | if [ ! -f ${SOTA_CACERT_PATH} ]; then | ||
41 | bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" | ||
42 | SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")" | ||
43 | openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 | ||
44 | openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert | ||
45 | bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" | ||
46 | fi | ||
47 | fi | ||
48 | |||
49 | if [ -z ${SOTA_CAKEY_PATH} ]; then | ||
50 | bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning" | ||
51 | fi | ||
52 | |||
53 | install -m 0700 -d ${D}${localstatedir}/sota | ||
54 | aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \ | ||
55 | --fleet-ca ${SOTA_CACERT_PATH} \ | ||
56 | --fleet-ca-key ${SOTA_CAKEY_PATH} \ | ||
57 | --root-ca \ | ||
58 | --server-url \ | ||
59 | --local ${D} \ | ||
60 | --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml | ||
61 | fi | ||
62 | } | ||
63 | |||
64 | FILES_${PN} = " \ | ||
65 | ${localstatedir}/sota/*" | ||
66 | |||
67 | # vim:set ts=4 sw=4 sts=4 expandtab: | ||