From 0e3423aa8e92a7846f55fbb530ddd1a67f262f6d Mon Sep 17 00:00:00 2001 From: Anton Gerasimov Date: Wed, 5 Sep 2018 16:22:07 +0200 Subject: Add SOTA_DEPLOY_CREDENTIALS variable to control whether the built image should be provisioned --- README.adoc | 1 + classes/sota.bbclass | 2 + .../aktualizr/aktualizr-auto-prov-creds.bb | 23 ++++++++++ recipes-sota/aktualizr/aktualizr-auto-prov.bb | 20 +++------ .../aktualizr/aktualizr-ca-implicit-prov-creds.bb | 50 ++++++++++++++++++++++ .../aktualizr/aktualizr-ca-implicit-prov.bb | 46 ++------------------ recipes-sota/aktualizr/aktualizr-hsm-prov.bb | 9 +--- recipes-sota/aktualizr/aktualizr-implicit-prov.bb | 35 --------------- recipes-sota/aktualizr/aktualizr_git.bb | 7 ++- 9 files changed, 90 insertions(+), 103 deletions(-) create mode 100644 recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb create mode 100644 recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb delete mode 100644 recipes-sota/aktualizr/aktualizr-implicit-prov.bb diff --git a/README.adoc b/README.adoc index d2bd4b5..d8e5f4d 100644 --- a/README.adoc +++ b/README.adoc 
@@ -80,6 +80,7 @@ Although we have used U-Boot so far, other boot loaders can be configured work w * `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky". * `OSTREE_INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy. * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push]. +* `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build. * `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe. * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client). * `SOTA_SECONDARY_ECUS` - a list of paths separated by spaces of JSON configuration files for virtual secondaries on the host. 
These will be installed into `/var/sota/ecus` on the device. diff --git a/classes/sota.bbclass b/classes/sota.bbclass index fbd8534..657fbc2 100644 --- a/classes/sota.bbclass +++ b/classes/sota.bbclass @@ -9,6 +9,8 @@ HOSTTOOLS_NONFATAL += "java" SOTA_CLIENT ??= "aktualizr" SOTA_CLIENT_PROV ??= "aktualizr-auto-prov" +SOTA_DEPLOY_CREDENTIALS ?= "1" + IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}" IMAGE_CLASSES += " image_types_ostree image_types_ota" IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush garagesign garagecheck otaimg wic', ' ', d)}" diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb new file mode 100644 index 0000000..d964a0a --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb @@ -0,0 +1,23 @@ +SUMMARY = "Credentials for autoprovisioning scenario" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +DEPENDS = "aktualizr-native zip-native" + +require credentials.inc + +do_install() { + if [ -n ${SOTA_PACKED_CREDENTIALS} ]; then + install -m 0700 -d ${D}${localstatedir}/sota + cp ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip + # Device should not be able to push data to treehub + zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json + fi +} + +FILES_${PN} = " \ + ${localstatedir}/sota/sota_provisioning_credentials.zip \ + " + +# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-auto-prov.bb index 9fa95ed..65e89bd 100644 --- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-auto-prov.bb 
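Review bot: `SOTA_DEPLOY_CREDENTIALS ?= "1"` uses `?=` while the neighbouring `SOTA_CLIENT ??=` and `SOTA_CLIENT_PROV ??=` lines use the weak default, so a distro configuration that sets this variable with `??=` would be overridden by the class; `SOTA_DEPLOY_CREDENTIALS ??= "1"` keeps the three consistent. The recipes that consume it in this patch compare the value with `== '1'` exactly, so any other spelling of "on" silently turns credential deployment off, which matches the README entry but is easy to miss. A comment next to the default, `# Consumers test for the exact string "1"; any other value disables credential deployment`, would save the next reader a search.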
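Review bot: The guard `if [ -n ${SOTA_PACKED_CREDENTIALS} ]; then` in do_install is unquoted, so with the variable empty it collapses to the one-argument form `[ -n ]`, which is true, and `cp` then runs with a single operand; the code this replaces in aktualizr-auto-prov.bb quoted the variable and additionally checked `-e` before copying. Suggest `if [ -n "${SOTA_PACKED_CREDENTIALS}" ] && [ -e "${SOTA_PACKED_CREDENTIALS}" ]; then`. Since this zip is the provisioning secret shared by every device built from the image, installing it with an explicit mode, `install -m 0600 ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip`, instead of `cp` avoids inheriting the build host's umask. The `zip -d` line that strips treehub.json is the step that keeps devices from pushing to the repository, so the existing comment could say so explicitly and note that the task is expected to fail, not continue, if the entry cannot be removed.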
@@ -6,7 +6,8 @@ LICENSE = "MPL-2.0" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" DEPENDS = "aktualizr-native zip-native" -RDEPENDS_${PN} = "aktualizr" +RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}" +RDEPENDS_${PN} = " aktualizr" PV = "1.0" PR = "6" @@ -31,19 +32,10 @@ do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0700 -d ${D}${localstatedir}/sota - if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then - aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)} - - install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \ - ${D}${libdir}/sota/conf.d/20-${aktualizr_toml} - - # deploy SOTA credentials - if [ -e ${SOTA_PACKED_CREDENTIALS} ]; then - cp ${SOTA_PACKED_CREDENTIALS} ${D}${localstatedir}/sota/sota_provisioning_credentials.zip - # Device should not be able to push data to treehub - zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json - fi - fi + aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)} + + install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \ + ${D}${libdir}/sota/conf.d/20-${aktualizr_toml} } FILES_${PN} = " \ diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb new file mode 100644 index 0000000..5debc19 --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb 
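Review bot: In the first hunk the conditional `RDEPENDS_${PN}_append` is placed above the base assignment `RDEPENDS_${PN} = " aktualizr"`; BitBake applies appends after all assignments so this works, but base-then-append is how the rest of the layer orders them and reads less like an accidental overwrite. The inline `d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1'` expression is repeated verbatim in aktualizr-ca-implicit-prov.bb and aktualizr-hsm-prov.bb in this patch; a comment above it such as `# Credentials live in a separate package so a generic, unprovisioned image can be built with SOTA_DEPLOY_CREDENTIALS = "0"` would explain the split, and a single helper string in sota.bbclass would avoid three copies. In the second hunk the toml is now installed unconditionally, so an image built without credentials carries an autoprov config whose credentials path does not exist on the device; that seems to be the intended generic-image case, but it deserves a sentence in the recipe.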
@@ -0,0 +1,50 @@ +SUMMARY = "Credentials for implicit provisioning with CA certificate" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +DEPENDS = "aktualizr aktualizr-native" + +SRC_URI = " \ + file://ca.cnf \ + " + +require credentials.inc + +export SOTA_CACERT_PATH +export SOTA_CAKEY_PATH + +do_install() { + if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then + if [ -z ${SOTA_CACERT_PATH} ]; then + SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem + SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem + mkdir -p ${DEPLOY_DIR_IMAGE}/CA + bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH" + + if [ ! -f ${SOTA_CACERT_PATH} ]; then + bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" + SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")" + openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 + openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert + bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" + fi + fi + + if [ -z ${SOTA_CAKEY_PATH} ]; then + bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning" + fi + + install -m 0700 -d ${D}${localstatedir}/sota + aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \ + --device-ca ${SOTA_CACERT_PATH} \ + --device-ca-key ${SOTA_CAKEY_PATH} \ + --root-ca \ + --server-url \ + --local ${D} \ + --config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml + fi +} + +FILES_${PN} = " \ + ${localstatedir}/sota/*" diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb index 1ad561c..2763185 100644 --- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb 
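Review bot: `bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"` in do_install logs an error but does not stop the task, so with an empty key path execution likely continues into `aktualizr_cert_provider` with an empty `--device-ca-key` operand; `bbfatal` is the call that aborts, and the adjacent `[ -z ${SOTA_CACERT_PATH} ]` and `[ -z ${SOTA_CAKEY_PATH} ]` tests should be quoted, since they only behave because the one-argument form happens to be true. The recipe runs `openssl genrsa` and `openssl req` but `DEPENDS = "aktualizr aktualizr-native"` omits `openssl-native`, which stayed behind in aktualizr-ca-implicit-prov.bb where openssl is no longer called, so the task now depends on whatever `openssl` the sanitised host PATH exposes. The `--local` operand changed from `${D}${localstatedir}/sota` in the old recipe to `${D}` here while `FILES_${PN}` lists only `${localstatedir}/sota/*`; if the bumped cert_provider still writes `root.crt` under `${libdir}/sota` as the old FILES list suggests, that file would be installed but unpackaged, worth confirming against the new SRCREV. The generated CA private key is written into `${DEPLOY_DIR_IMAGE}/CA` with whatever mode the umask gives unless openssl restricts it; creating the directory with `mkdir -p -m 0700` keeps a long-lived signing key out of a readable deploy directory.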
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb 
@@ -9,64 +9,24 @@ SECTION = "base" LICENSE = "MPL-2.0" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" -DEPENDS = "aktualizr-native openssl-native" -RDEPENDS_${PN} = "aktualizr" +DEPENDS = "aktualizr aktualizr-native openssl-native" +RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}" -SRC_URI = " \ - file://ca.cnf \ - " PV = "1.0" PR = "1" require environment.inc require credentials.inc -export SOTA_CACERT_PATH -export SOTA_CAKEY_PATH - do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d - if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then - bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning" - fi - - if [ -z ${SOTA_CACERT_PATH} ]; then - SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem - SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem - mkdir -p ${DEPLOY_DIR_IMAGE}/CA - bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH" - - if [ ! 
-f ${SOTA_CACERT_PATH} ]; then - bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" - SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")" - openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 - openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert - bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" - fi - fi - - if [ -z ${SOTA_CAKEY_PATH} ]; then - bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning" - fi - - install -m 0700 -d ${D}${localstatedir}/sota - install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_implicit_prov_ca.toml \ + install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \ ${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml - aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \ - --device-ca ${SOTA_CACERT_PATH} \ - --device-ca-key ${SOTA_CAKEY_PATH} \ - --root-ca \ - --server-url \ - --local ${D}${localstatedir}/sota \ - --config ${STAGING_DIR_NATIVE}${libdir}/sota/sota_implicit_prov_ca.toml } FILES_${PN} = " \ - ${libdir}/sota/conf.d \ ${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \ - ${libdir}/sota/root.crt \ - ${localstatedir}/sota/* \ " # vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb index e811424..151b543 100644 --- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb 
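Review bot: The runtime dependency on the client is gone: `RDEPENDS_${PN} = "aktualizr"` is removed and only the conditional `RDEPENDS_${PN}_append` remains, whereas aktualizr-auto-prov.bb in the same patch keeps `RDEPENDS_${PN} = " aktualizr"`; the aktualizr-hsm-prov.bb hunk drops it the same way. The package is pure aktualizr configuration, so `RDEPENDS_${PN} = "aktualizr"` should stay, with the creds append beneath it. `openssl-native` is still listed in DEPENDS although the openssl calls moved to the new creds recipe, which does not list it; the dependency should move with the code. The removed `bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"` has no replacement on the new side, so with deployment enabled and no credentials the creds package builds empty and the device ships a CA-provisioning config without a certificate; if that is the intended generic-image path, a comment in do_install should say so.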
@@ -5,8 +5,8 @@ SECTION = "base" LICENSE = "MPL-2.0" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" -DEPENDS = "aktualizr-native" -RDEPENDS_${PN} = "aktualizr" +DEPENDS = "aktualizr aktualizr-native" +RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}" SRC_URI = "" PV = "1.0" @@ -19,16 +19,11 @@ do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_hsm_prov.toml \ ${D}${libdir}/sota/conf.d/20-sota_hsm_prov.toml - if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then - aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} --no-root-ca \ - -o ${D}${libdir}/sota/conf.d/30-implicit_server.toml -p ${D} - fi } FILES_${PN} = " \ ${libdir}/sota/conf.d \ ${libdir}/sota/conf.d/20-sota_hsm_prov.toml \ - ${libdir}/sota/conf.d/30-implicit_server.toml \ " # vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-implicit-prov.bb deleted file mode 100644 index 69ab03c..0000000 --- a/recipes-sota/aktualizr/aktualizr-implicit-prov.bb +++ /dev/null 
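Review bot: `softhsm` is no longer pulled into the image by anything in this patch: the aktualizr_git.bb hunk removes the `hsm`-feature line that added `softhsm softhsm-testtoken`, and here only `softhsm-testtoken` is added, and only when `SOTA_DEPLOY_CREDENTIALS` is '1'. Unless softhsm-testtoken itself RDEPENDS on softhsm, which is not visible here, an HSM image loses its PKCS#11 module, and a generic image with deployment off loses the token while the hsm toml installed unconditionally in do_install still expects one; the latter may be intended for real hardware but deserves a comment. Keeping `RDEPENDS_${PN} = "aktualizr softhsm"` as the base line and leaving only the credentials and test token in the conditional append would preserve the previous behaviour. Reusing `aktualizr-ca-implicit-prov-creds` for the HSM case is reasonable but should be stated in a one-line comment, since the name suggests a different provisioning mode.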
@@ -1,35 +0,0 @@ -SUMMARY = "Aktualizr configuration for implicit provisioning" -DESCRIPTION = "Configuration for implicitly provisioning Aktualizr, the SOTA Client application written in C++" -HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" -SECTION = "base" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" - -DEPENDS = "aktualizr-native" -RDEPENDS_${PN} = "aktualizr" - -SRC_URI = "" -PV = "1.0" -PR = "1" - -require environment.inc -require credentials.inc - -do_install() { - install -m 0700 -d ${D}${libdir}/sota/conf.d - install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_implicit_prov.toml \ - ${D}${libdir}/sota/conf.d/20-sota_implicit_prov.toml - if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then - aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} \ - -o ${D}${libdir}/sota/conf.d/30-implicit_server.toml -p ${D} - fi -} - -FILES_${PN} = " \ - ${libdir}/sota/conf.d \ - ${libdir}/sota/conf.d/20-implicit_prov.toml \ - ${libdir}/sota/conf.d/30-implicit_server.toml \ - ${libdir}/sota/root.crt \ - " - -# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index 20008c9..c3a7420 100755 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb 
@@ -11,12 +11,13 @@ DEPENDS_append_class-native = "glib-2.0-native " RDEPENDS_${PN}_class-target = "lshw " RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', ' slcand-start', '', d)} " -RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', ' softhsm softhsm-testtoken', '', d)}" RDEPENDS_${PN}_append_class-target = " ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'ubootenv', ' u-boot-fw-utils aktualizr-uboot-env-rollback', '', d)} " RDEPENDS_${PN}_append_class-target = " ${PN}-tools " RDEPENDS_${PN}-secondary_append_class-target = " ${PN}-tools " +RDEPENDS_${PN}_class-target = " openssl-bin " + PV = "1.0+git${SRCPV}" PR = "7" @@ -27,7 +28,7 @@ SRC_URI = " \ file://aktualizr-secondary.socket \ file://aktualizr-serialcan.service \ " -SRCREV = "487905ccb2a4b7e8b01becd051242fe504e85950" +SRCREV = "097c763ab4b4b057fa6bedfdac2049e53df93539" BRANCH ?= "master" S = "${WORKDIR}/git" @@ -65,7 +66,6 @@ do_install_append () { install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml install -m 0644 ${S}/config/sota_autoprov_primary.toml ${D}/${libdir}/sota/sota_autoprov_primary.toml install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml - install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml install -m 0644 ${S}/config/sota_secondary.toml ${D}/${libdir}/sota/sota_secondary.toml install -m 0644 ${S}/config/sota_uboot_env.toml ${D}/${libdir}/sota/sota_uboot_env.toml @@ -114,7 +114,6 @@ FILES_${PN}-host-tools = " \ ${libdir}/sota/sota_autoprov.toml \ ${libdir}/sota/sota_autoprov_primary.toml \ ${libdir}/sota/sota_hsm_prov.toml \ - ${libdir}/sota/sota_implicit_prov.toml \ ${libdir}/sota/sota_implicit_prov_ca.toml \ ${libdir}/sota/sota_uboot_env.toml \ " -- cgit v1.2.3-54-g00ecf
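Review bot: `RDEPENDS_${PN}_class-target = " openssl-bin "` in the first hunk is a plain override assignment, and the context line `RDEPENDS_${PN}_class-target = "lshw "` a few lines above it is the same variable; the later assignment wins, so lshw silently drops out of the target package's runtime dependencies while the `_append_class-target` lines still apply. Make it an append, `RDEPENDS_${PN}_append_class-target = " openssl-bin "`, or fold it into the existing line as `RDEPENDS_${PN}_class-target = "lshw openssl-bin "`. A short comment on why the client now needs the openssl command-line tool at runtime would also help, since nothing in the patch shows the call site.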