From 7e426508b7a7f873fadd5886bd526276eee16bd9 Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Fri, 11 Oct 2019 15:22:45 +0200 Subject: aktualizr: fix secondary recipes' dependencies. Most do not need to depend on aktualizr-native and do not need to be rebuilt if the credentials change. Signed-off-by: Patrick Vacek --- recipes-sota/aktualizr/aktualizr-device-prov-creds.bb | 6 ++++-- recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb | 6 +++--- recipes-sota/aktualizr/aktualizr-device-prov.bb | 6 +++--- recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb | 2 +- recipes-sota/aktualizr/aktualizr-shared-prov.bb | 8 ++++---- recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb | 5 ++--- 6 files changed, 17 insertions(+), 16 deletions(-) diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb index 6e02a50..d8b29b4 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb @@ -6,11 +6,13 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 inherit allarch -# WARNING: it is NOT a production solution. The secure way to provision devices +# WARNING: This is NOT an ideal solution. The secure way to provision devices # is to create certificate request directly on the device (either with HSM/TPM # or with software) and then sign it with a CA stored on a disconnected machine. -DEPENDS = "aktualizr aktualizr-native" +# We need to get the config files from the aktualizr-host-tools package built by +# the aktualizr (target) recipe. +DEPENDS = "aktualizr aktualizr-native openssl-native" ALLOW_EMPTY_${PN} = "1" SRC_URI = " \ diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb index c3cd593..e8ef513 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb 
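Review bot: The reworded warning in aktualizr-device-prov-creds.bb ("NOT an ideal solution") is weaker than the text it replaces, while the rest of the comment still names on-device certificate requests signed by an offline CA as the secure path. I would keep the original strength, for example `# WARNING: This is NOT a production solution; use it for testing only.`. The new comment above DEPENDS explains only the `aktualizr` entry, so `aktualizr-native` and the newly added `openssl-native` deserve a line too, e.g. `# aktualizr-native and openssl-native provide the host tools that do_install runs.`. do_install lies outside this hunk, so confirm which tools it actually calls.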
@@ -7,15 +7,15 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 inherit allarch -DEPENDS = "aktualizr aktualizr-native" +# We need to get the config files from the aktualizr-host-tools package built by +# the aktualizr (target) recipe. +DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" SRC_URI = "" PV = "1.0" PR = "6" -require credentials.inc - do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred-hsm.toml \ diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb index d579532..fbe29a1 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb @@ -7,14 +7,14 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 inherit allarch -DEPENDS = "aktualizr aktualizr-native openssl-native" +# We need to get the config files from the aktualizr-host-tools package built by +# the aktualizr (target) recipe. +DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" PV = "1.0" PR = "1" -require credentials.inc - do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml \ diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb index 2701c07..b3b539d 100644 --- a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb +++ b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 inherit allarch -DEPENDS = "aktualizr-native zip-native" +DEPENDS = "zip-native" ALLOW_EMPTY_${PN} = "1" require credentials.inc 
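Review bot: `require credentials.inc` is dropped from aktualizr-device-prov-hsm.bb while the unchanged RDEPENDS line still branches on `SOTA_DEPLOY_CREDENTIALS`. The same removal appears in the aktualizr-device-prov.bb and aktualizr-shared-prov.bb hunks, and the latter's do_install still tests `SOTA_AUTOPROVISION_CREDENTIALS`. credentials.inc is not shown here, so if it supplied defaults for any of these variables, the conditionals now see them unset and the credentials packages are silently left out of the image. It would help to state the expectation next to the conditional, e.g. `# SOTA_DEPLOY_CREDENTIALS must be set by the build configuration; credentials.inc is not included here.`.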
diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov.bb b/recipes-sota/aktualizr/aktualizr-shared-prov.bb index d3d6f16..00588dc 100644 --- a/recipes-sota/aktualizr/aktualizr-shared-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-shared-prov.bb @@ -7,15 +7,15 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 inherit allarch -DEPENDS = "aktualizr-native zip-native" +# We need to get the config files from the aktualizr-host-tools package built by +# the aktualizr (target) recipe. +DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-shared-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" PV = "1.0" PR = "6" SRC_URI = "" -require credentials.inc - do_install() { if [ -n "${SOTA_AUTOPROVISION_CREDENTIALS}" ]; then bbwarn "SOTA_AUTOPROVISION_CREDENTIALS are ignored. Please use SOTA_PACKED_CREDENTIALS" @@ -31,7 +31,7 @@ do_install() { fi install -m 0700 -d ${D}${libdir}/sota/conf.d - install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-shared-cred.toml \ + install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-shared-cred.toml \ ${D}${libdir}/sota/conf.d/20-sota-shared-cred.toml } diff --git a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb index 860f225..5a49d16 100644 --- a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb +++ b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb @@ -6,14 +6,13 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 inherit allarch -DEPENDS = "aktualizr-native" -RDEPENDS_${PN} = "aktualizr" +DEPENDS = "aktualizr" SRC_URI = "" do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d - install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml + install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml } FILES_${PN} = " \ -- cgit v1.2.3-54-g00ecf 
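Review bot: In aktualizr-uboot-env-rollback.bb the runtime dependency `RDEPENDS_${PN} = "aktualizr"` is removed together with the native build dependency, which the commit message does not mention. `DEPENDS = "aktualizr"` only ensures `sota-uboot-env.toml` is staged at build time; it does not guarantee that aktualizr is present in an image that installs 30-rollback.toml. If that is intended, a short comment such as `# No RDEPENDS on aktualizr: this package only ships a config fragment.` would record it; otherwise keep the RDEPENDS line.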
From 8301d07b8d109e5f4164418f66ec2e504fef918e Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Fri, 11 Oct 2019 16:19:19 +0200 Subject: demo-network-config: use ${libdir} consistently. Signed-off-by: Patrick Vacek --- recipes-test/demo-network-config/network-config.inc | 6 +++--- recipes-test/demo-network-config/primary-network-config.bb | 6 +++--- recipes-test/demo-network-config/secondary-network-config.bb | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/recipes-test/demo-network-config/network-config.inc b/recipes-test/demo-network-config/network-config.inc index ed623d4..a231a24 100644 --- a/recipes-test/demo-network-config/network-config.inc +++ b/recipes-test/demo-network-config/network-config.inc @@ -6,11 +6,11 @@ SECONDARY_INTERFACE ?= "${@ 'eth0' if d.getVar('MACHINE') == 'raspberrypi3' else do_install_append() { bbnote "Network configuration type to be applied: ${CONF_TYPE}" - install -d ${D}/usr/lib/systemd/network - install -m 0644 ${WORKDIR}/26-${CONF_TYPE}-client.network ${D}/usr/lib/systemd/network/ + install -d ${D}${libdir}/systemd/network + install -m 0644 ${WORKDIR}/26-${CONF_TYPE}-client.network ${D}${libdir}/systemd/network/ sed -i -e 's|@ADDR@|${IP_ADDR}|g' \ -e 's|@IFNAME@|${SECONDARY_INTERFACE}|g' \ - ${D}/usr/lib/systemd/network/26-${CONF_TYPE}-client.network + ${D}${libdir}/systemd/network/26-${CONF_TYPE}-client.network } diff --git a/recipes-test/demo-network-config/primary-network-config.bb b/recipes-test/demo-network-config/primary-network-config.bb index d840a95..0b0119b 100644 --- a/recipes-test/demo-network-config/primary-network-config.bb +++ b/recipes-test/demo-network-config/primary-network-config.bb 
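Review bot: Installing the .network files under `${D}${libdir}/systemd/network` ties their location to the library directory, but systemd-networkd reads its vendor configuration from /usr/lib/systemd/network regardless of architecture. On a build where `libdir` is not /usr/lib (for example a lib64 or multilib configuration), the files would land where networkd does not look and the demo network setup would silently not apply. `${nonarch_libdir}/systemd/network` keeps the path variable-based without that risk, e.g. `install -d ${D}${nonarch_libdir}/systemd/network`. The same applies to the `FILES_${PN}` and install lines in the primary-network-config.bb and secondary-network-config.bb hunks of this commit.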
@@ -8,13 +8,13 @@ SRC_URI = "\ file://27-dhcp-client-external.network \ " -FILES_${PN} = "/usr/lib/systemd/network" +FILES_${PN} = "${libdir}/systemd/network" PR = "1" do_install() { - install -d ${D}/usr/lib/systemd/network - install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/ + install -d ${D}${libdir}/systemd/network + install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}${libdir}/systemd/network/ } PRIMARY_IP ?= "10.0.3.1" diff --git a/recipes-test/demo-network-config/secondary-network-config.bb b/recipes-test/demo-network-config/secondary-network-config.bb index b1d70f1..cef8274 100644 --- a/recipes-test/demo-network-config/secondary-network-config.bb +++ b/recipes-test/demo-network-config/secondary-network-config.bb @@ -12,13 +12,13 @@ SRC_URI = "\ file://27-dhcp-client-external.network \ " -FILES_${PN} = "/usr/lib/systemd/network" +FILES_${PN} = "${libdir}/systemd/network" PR = "1" do_install() { - install -d ${D}/usr/lib/systemd/network - install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/ + install -d ${D}${libdir}/systemd/network + install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}${libdir}/systemd/network/ } SECONDARY_IP ?= "10.0.3.2" -- cgit v1.2.3-54-g00ecf From a316bce65b8be2e42dd16ec4230d2b545083c290 Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Fri, 11 Oct 2019 16:20:04 +0200 Subject: demo-config: inherit allarch for config-only recipes. Signed-off-by: Patrick Vacek --- recipes-test/demo-config/primary-config.bb | 2 ++ recipes-test/demo-config/secondary-config.bb | 12 +++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/recipes-test/demo-config/primary-config.bb b/recipes-test/demo-config/primary-config.bb index 27cb553..b1964e2 100644 --- a/recipes-test/demo-config/primary-config.bb +++ b/recipes-test/demo-config/primary-config.bb 
@@ -4,6 +4,8 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 require shared-conf.inc +inherit allarch + PRIMARY_SECONDARIES ?= "${SECONDARY_IP}:${SECONDARY_PORT}" SRC_URI = "\ diff --git a/recipes-test/demo-config/secondary-config.bb b/recipes-test/demo-config/secondary-config.bb index 9411646..b2b9547 100644 --- a/recipes-test/demo-config/secondary-config.bb +++ b/recipes-test/demo-config/secondary-config.bb @@ -4,6 +4,8 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 require shared-conf.inc +inherit allarch + SECONDARY_SERIAL_ID ?= "" SOTA_HARDWARE_ID ?= "${MACHINE}-sndry" SECONDARY_HARDWARE_ID ?= "${SOTA_HARDWARE_ID}" @@ -16,18 +18,18 @@ SRC_URI = "\ do_install () { install -m 0700 -d ${D}${libdir}/sota/conf.d - install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}/${libdir}/sota/conf.d/30-fake-pacman.toml + install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}${libdir}/sota/conf.d/30-fake-pacman.toml - install -m 0644 ${WORKDIR}/35-network-config.toml ${D}/${libdir}/sota/conf.d/35-network-config.toml + install -m 0644 ${WORKDIR}/35-network-config.toml ${D}${libdir}/sota/conf.d/35-network-config.toml sed -i -e 's|@PORT@|${SECONDARY_PORT}|g' \ -e 's|@PRIMARY_IP@|${PRIMARY_IP}|g' \ -e 's|@PRIMARY_PORT@|${PRIMARY_PORT}|g' \ - ${D}/${libdir}/sota/conf.d/35-network-config.toml + ${D}${libdir}/sota/conf.d/35-network-config.toml - install -m 0644 ${WORKDIR}/45-id-config.toml ${D}/${libdir}/sota/conf.d/45-id-config.toml + install -m 0644 ${WORKDIR}/45-id-config.toml ${D}${libdir}/sota/conf.d/45-id-config.toml sed -i -e 's|@SERIAL@|${SECONDARY_SERIAL_ID}|g' \ -e 's|@HWID@|${SECONDARY_HARDWARE_ID}|g' \ - ${D}/${libdir}/sota/conf.d/45-id-config.toml + ${D}${libdir}/sota/conf.d/45-id-config.toml } -- cgit v1.2.3-54-g00ecf From 44a3013733071c7f14472af7423816d6c9ecc52c Mon Sep 17 00:00:00 2001 
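Review bot: `inherit allarch` is added to secondary-config.bb although the context lines just below it set `SOTA_HARDWARE_ID ?= "${MACHINE}-sndry"`, and do_install substitutes the derived `SECONDARY_HARDWARE_ID` into 45-id-config.toml. An allarch package is shared across machines, so a package built for one MACHINE could be reused with another machine's hardware ID baked in. Either drop the inherit for this recipe or set `PACKAGE_ARCH = "${MACHINE_ARCH}"`. primary-config.bb shows no MACHINE reference in its hunk, so the inherit looks fine there.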
From: Patrick Vacek Date: Mon, 14 Oct 2019 12:05:26 +0200 Subject: demo-config: recipes that depend on MACHINE cannot be allarch. Signed-off-by: Patrick Vacek --- recipes-test/demo-config/secondary-config.bb | 2 -- recipes-test/demo-network-config/primary-network-config.bb | 2 -- recipes-test/demo-network-config/secondary-network-config.bb | 2 -- 3 files changed, 6 deletions(-) diff --git a/recipes-test/demo-config/secondary-config.bb b/recipes-test/demo-config/secondary-config.bb index b2b9547..55358b7 100644 --- a/recipes-test/demo-config/secondary-config.bb +++ b/recipes-test/demo-config/secondary-config.bb @@ -4,8 +4,6 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 require shared-conf.inc -inherit allarch - SECONDARY_SERIAL_ID ?= "" SOTA_HARDWARE_ID ?= "${MACHINE}-sndry" SECONDARY_HARDWARE_ID ?= "${SOTA_HARDWARE_ID}" diff --git a/recipes-test/demo-network-config/primary-network-config.bb b/recipes-test/demo-network-config/primary-network-config.bb index 0b0119b..544a5ec 100644 --- a/recipes-test/demo-network-config/primary-network-config.bb +++ b/recipes-test/demo-network-config/primary-network-config.bb @@ -2,8 +2,6 @@ DESCRIPTION = "Sample network configuration for an Uptane Primary" LICENSE = "MPL-2.0" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" -inherit allarch - SRC_URI = "\ file://27-dhcp-client-external.network \ " diff --git a/recipes-test/demo-network-config/secondary-network-config.bb b/recipes-test/demo-network-config/secondary-network-config.bb index cef8274..ca83d53 100644 --- a/recipes-test/demo-network-config/secondary-network-config.bb +++ b/recipes-test/demo-network-config/secondary-network-config.bb 
@@ -2,8 +2,6 @@ DESCRIPTION = "Sample network configuration for an Uptane Secondary" LICENSE = "MPL-2.0" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" -inherit allarch - # TODO: It configures the 'user' interface in NAT mode and provides an access to public Inet via it # which is not desired for Secondary. It cannot be just removed since we get SSH access to Secondary # VM via this interface. So, the task is to configure the interface in such way that it does provide access -- cgit v1.2.3-54-g00ecf From 837b2fc0f2ccf6d334ebf026a44f3ea0f83323a7 Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Mon, 14 Oct 2019 12:06:23 +0200 Subject: aktualizr: use SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS for config recipes. This is a bit of a compromise. These recipes are allarch, since they do not depend on an architecture, but they depend on aktualizr, which is definitely not allarch. Therefore, we must tell bitbake not to treat the aktualizr architecture as a dependency of these recipes. However, this means that if one of the config files changes in the aktualizr repo, we need to bump the version of the recipe that uses it to make sure bitbake picks up that change. Signed-off-by: Patrick Vacek --- conf/layer.conf | 9 +++++++++ recipes-sota/aktualizr/aktualizr-device-prov-creds.bb | 5 +++++ recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb | 5 ++++- recipes-sota/aktualizr/aktualizr-device-prov.bb | 4 ++++ recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb | 7 +++++++ recipes-sota/aktualizr/aktualizr-shared-prov.bb | 3 +++ recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb | 5 +++++ 7 files changed, 37 insertions(+), 1 deletion(-) diff --git a/conf/layer.conf b/conf/layer.conf index 145c806..4bc341a 100644 --- a/conf/layer.conf +++ b/conf/layer.conf 
@@ -11,3 +11,12 @@ BBFILE_PRIORITY_sota = "7" LAYERDEPENDS_sota = "filesystems-layer" LAYERSERIES_COMPAT_sota = "thud warrior zeus" + +SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ + aktualizr-device-prov->aktualizr \ + aktualizr-device-prov-creds->aktualizr \ + aktualizr-device-prov-hsm->aktualizr \ + aktualizr-shared-prov->aktualizr \ + aktualizr-shared-prov-creds->aktualizr \ + aktualizr-uboot-env-rollback->aktualizr \ +" diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb index d8b29b4..a3c7d66 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb @@ -15,6 +15,11 @@ inherit allarch DEPENDS = "aktualizr aktualizr-native openssl-native" ALLOW_EMPTY_${PN} = "1" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! +PV = "1.0" +PR = "1" + SRC_URI = " \ file://ca.cnf \ " diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb index e8ef513..8d4bc9c 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb @@ -12,10 +12,13 @@ inherit allarch DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" -SRC_URI = "" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! PV = "1.0" PR = "6" +SRC_URI = "" + do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred-hsm.toml \ diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb index fbe29a1..e8c75bb 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov.bb 
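Review bot: The `SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS` list in conf/layer.conf includes `aktualizr-shared-prov-creds->aktualizr`, but the aktualizr-shared-prov-creds.bb hunk in this same commit shows `DEPENDS = "zip-native"`. As far as the visible lines go, that recipe has no aktualizr dependency to exclude. The entry and the "config file from aktualizr used here" comment added to that recipe look copied from the sibling recipes and could mislead whoever has to decide when a PR bump is needed. The block in layer.conf also has no comment of its own; something like `# Config-only allarch recipes: aktualizr changes do not retrigger them, bump PR in the recipe instead.` would keep the stale-config risk visible where the exclusion is defined.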
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb @@ -12,9 +12,13 @@ inherit allarch DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! PV = "1.0" PR = "1" +SRC_URI = "" + do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml \ diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb index b3b539d..9c6f0dd 100644 --- a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb +++ b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb @@ -9,6 +9,13 @@ inherit allarch DEPENDS = "zip-native" ALLOW_EMPTY_${PN} = "1" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! +PV = "1.0" +PR = "1" + +SRC_URI = "" + require credentials.inc do_install() { diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov.bb b/recipes-sota/aktualizr/aktualizr-shared-prov.bb index 00588dc..2ee47a1 100644 --- a/recipes-sota/aktualizr/aktualizr-shared-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-shared-prov.bb @@ -11,6 +11,9 @@ inherit allarch # the aktualizr (target) recipe. DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-shared-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" + +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! PV = "1.0" PR = "6" diff --git a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb index 5a49d16..2895e5c 100644 --- a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb 
+++ b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb @@ -8,6 +8,11 @@ inherit allarch DEPENDS = "aktualizr" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! +PV = "1.0" +PR = "1" + SRC_URI = "" do_install() { -- cgit v1.2.3-54-g00ecf From d1118a121810c5c76e33a63909d43b4e25439250 Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Mon, 14 Oct 2019 12:30:49 +0200 Subject: layer.conf: Update LAYERDEPENDS_sota. It was missing a few dependencies. Signed-off-by: Patrick Vacek --- conf/layer.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/conf/layer.conf b/conf/layer.conf index 4bc341a..f25c5c9 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -9,7 +9,9 @@ BBFILE_COLLECTIONS += "sota" BBFILE_PATTERN_sota = "^${LAYERDIR}/" BBFILE_PRIORITY_sota = "7" -LAYERDEPENDS_sota = "filesystems-layer" +LAYERDEPENDS_sota = "openembedded-layer" +LAYERDEPENDS_sota += "meta-python" +LAYERDEPENDS_sota += "filesystems-layer" LAYERSERIES_COMPAT_sota = "thud warrior zeus" SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ -- cgit v1.2.3-54-g00ecf From 9ff5720ec9914e15c23ec45109977d153c65facc Mon Sep 17 00:00:00 2001 From: Laurent Bonnans Date: Tue, 15 Oct 2019 18:58:24 +0200 Subject: Split aktualizr hwid config to another recipe So that we can fix the ${MACHINE} dependency issues Signed-off-by: Laurent Bonnans --- recipes-sota/aktualizr/aktualizr-hwid.bb | 23 +++++++++++++++++++++++ recipes-sota/aktualizr/aktualizr_git.bb | 6 +----- 2 files changed, 24 insertions(+), 5 deletions(-) create mode 100644 recipes-sota/aktualizr/aktualizr-hwid.bb diff --git a/recipes-sota/aktualizr/aktualizr-hwid.bb b/recipes-sota/aktualizr/aktualizr-hwid.bb new file mode 100644 index 0000000..64b1bda --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-hwid.bb 
@@ -0,0 +1,23 @@ +SUMMARY = "Aktualizr hwid configuration" +HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +PACKAGE_ARCH = "${MACHINE_ARCH}" + +SRC_URI = "" + +do_install() { + install -m 0700 -d ${D}${libdir}/sota/conf.d + if [ -n "${SOTA_HARDWARE_ID}" ]; then + printf "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml + fi +} + +FILES_${PN} = " \ + ${libdir}/sota/conf.d \ + ${libdir}/sota/conf.d/40-hardware-id.toml \ + " + +# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index d878d88..0de0866 100644 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=815ca599c9df247a0c7f619bab123dad" DEPENDS = "boost curl openssl libarchive libsodium sqlite3 asn1c-native" DEPENDS_append = "${@bb.utils.contains('PTEST_ENABLED', '1', ' coreutils-native net-tools-native ostree-native aktualizr-native ', '', d)}" -RDEPENDS_${PN}_class-target = "aktualizr-configs lshw" +RDEPENDS_${PN}_class-target = "aktualizr-configs aktualizr-hwid lshw" RDEPENDS_${PN}-host-tools = "aktualizr aktualizr-cert-provider ${@bb.utils.contains('PACKAGECONFIG', 'sota-tools', 'garage-deploy garage-push', '', d)}" RDEPENDS_${PN}-ptest += "bash cmake curl net-tools python3-core python3-misc python3-modules openssl-bin sqlite3 valgrind" 
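Review bot: In the new aktualizr-hwid.bb, `${SOTA_HARDWARE_ID}` is expanded inside the printf format string, so a `%` or backslash in the ID is interpreted by printf rather than written out. Pass it as an argument instead: `printf '[provision]\nprimary_ecu_hardware_id = %s\n' "${SOTA_HARDWARE_ID}" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml`. The file is also created by shell redirection, so its mode follows the build umask, whereas the other config fragments on this page are installed with an explicit `install -m 0644`. `FILES_${PN}` also names 40-hardware-id.toml even when the `-n` test skips creating it.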
@@ -105,10 +105,6 @@ do_install_append () { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0700 -d ${D}${sysconfdir}/sota/conf.d - if [ -n "${SOTA_HARDWARE_ID}" ]; then - printf "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml - fi - install -m 0755 -d ${D}${systemd_unitdir}/system aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)} install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service -- cgit v1.2.3-54-g00ecf From b9658f86850b7f66680ee79e7d876f2dba044c4d Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Wed, 16 Oct 2019 16:54:55 +0200 Subject: Specify more configs as MACHINE_ARCH. If they depend on MACHINE, that's what we gotta do. Still haven't sorted out aktualizr-device-prov-creds, though. Signed-off-by: Patrick Vacek --- recipes-sota/aktualizr/aktualizr-hwid.bb | 1 + recipes-test/demo-config/secondary-config.bb | 3 +++ recipes-test/demo-network-config/network-config.inc | 3 +++ 3 files changed, 7 insertions(+) diff --git a/recipes-sota/aktualizr/aktualizr-hwid.bb b/recipes-sota/aktualizr/aktualizr-hwid.bb index 64b1bda..fd3e395 100644 --- a/recipes-sota/aktualizr/aktualizr-hwid.bb +++ b/recipes-sota/aktualizr/aktualizr-hwid.bb @@ -4,6 +4,7 @@ SECTION = "base" LICENSE = "MPL-2.0" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" +# Because of the dependency on MACHINE. PACKAGE_ARCH = "${MACHINE_ARCH}" SRC_URI = "" diff --git a/recipes-test/demo-config/secondary-config.bb b/recipes-test/demo-config/secondary-config.bb index 55358b7..ddbed89 100644 --- a/recipes-test/demo-config/secondary-config.bb +++ b/recipes-test/demo-config/secondary-config.bb 
@@ -4,6 +4,9 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7 require shared-conf.inc +# Because of the dependency on MACHINE. +PACKAGE_ARCH = "${MACHINE_ARCH}" + SECONDARY_SERIAL_ID ?= "" SOTA_HARDWARE_ID ?= "${MACHINE}-sndry" SECONDARY_HARDWARE_ID ?= "${SOTA_HARDWARE_ID}" diff --git a/recipes-test/demo-network-config/network-config.inc b/recipes-test/demo-network-config/network-config.inc index a231a24..b023f51 100644 --- a/recipes-test/demo-network-config/network-config.inc +++ b/recipes-test/demo-network-config/network-config.inc @@ -2,6 +2,9 @@ SRC_URI_append = "\ file://26-${CONF_TYPE}-client.network \ " +# Because of the dependency on MACHINE. +PACKAGE_ARCH = "${MACHINE_ARCH}" + SECONDARY_INTERFACE ?= "${@ 'eth0' if d.getVar('MACHINE') == 'raspberrypi3' else 'enp0s5'}" do_install_append() { -- cgit v1.2.3-54-g00ecf From 3f70b2d2f4a3a2fb50be4b8c395d9d09b0853f1a Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Thu, 17 Oct 2019 17:01:18 +0200 Subject: aktualizr-device-prov-creds: remove it. Originally I was just trying to remove the reference to DEPLOY_DIR_IMAGE because it depends on MACHINE, but then I realized that this recipe is just plain not worth keeping. It isn't viable for anything except the most limited testing, since it bakes device-specific credentials into an image, but we weren't even using it for testing. Signed-off-by: Patrick Vacek --- conf/layer.conf | 1 - .../aktualizr/aktualizr-device-prov-creds.bb | 67 ---------------------- .../aktualizr/aktualizr-device-prov-hsm.bb | 1 - recipes-sota/aktualizr/aktualizr-device-prov.bb | 1 - recipes-test/images/secondary-image.bb | 1 - scripts/find_aktualizr_dependencies.sh | 1 - 6 files changed, 72 deletions(-) delete mode 100644 recipes-sota/aktualizr/aktualizr-device-prov-creds.bb diff --git a/conf/layer.conf b/conf/layer.conf index f25c5c9..225875b 100644 --- a/conf/layer.conf +++ b/conf/layer.conf 
@@ -16,7 +16,6 @@ LAYERSERIES_COMPAT_sota = "thud warrior zeus" SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ aktualizr-device-prov->aktualizr \ - aktualizr-device-prov-creds->aktualizr \ aktualizr-device-prov-hsm->aktualizr \ aktualizr-shared-prov->aktualizr \ aktualizr-shared-prov-creds->aktualizr \ diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb deleted file mode 100644 index a3c7d66..0000000 --- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb +++ /dev/null 
@@ -1,67 +0,0 @@ -SUMMARY = "Credentials for device provisioning with fleet CA certificate" -HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" -SECTION = "base" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" - -inherit allarch - -# WARNING: This is NOT an ideal solution. The secure way to provision devices -# is to create certificate request directly on the device (either with HSM/TPM -# or with software) and then sign it with a CA stored on a disconnected machine. - -# We need to get the config files from the aktualizr-host-tools package built by -# the aktualizr (target) recipe. -DEPENDS = "aktualizr aktualizr-native openssl-native" -ALLOW_EMPTY_${PN} = "1" - -# If the config file from aktualizr used here is changed, you will need to bump -# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! -PV = "1.0" -PR = "1" - -SRC_URI = " \ - file://ca.cnf \ - " - -require credentials.inc - -export SOTA_CACERT_PATH -export SOTA_CAKEY_PATH - -do_install() { - if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then - if [ -z ${SOTA_CACERT_PATH} ]; then - SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem - SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem - mkdir -p ${DEPLOY_DIR_IMAGE}/CA - bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}" - - if [ ! 
-f ${SOTA_CACERT_PATH} ]; then - bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" - SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")" - openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 - openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert - bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" - fi - fi - - if [ -z ${SOTA_CAKEY_PATH} ]; then - bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning" - fi - - install -m 0700 -d ${D}${localstatedir}/sota - aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \ - --fleet-ca ${SOTA_CACERT_PATH} \ - --fleet-ca-key ${SOTA_CAKEY_PATH} \ - --root-ca \ - --server-url \ - --local ${D} \ - --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml - fi -} - -FILES_${PN} = " \ - ${localstatedir}/sota/*" - -# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb index 8d4bc9c..4eadb77 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb @@ -10,7 +10,6 @@ inherit allarch # We need to get the config files from the aktualizr-host-tools package built by # the aktualizr (target) recipe. DEPENDS = "aktualizr" -RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" # If the config file from aktualizr used here is changed, you will need to bump # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb index e8c75bb..55f398d 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov.bb 
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb @@ -10,7 +10,6 @@ inherit allarch # We need to get the config files from the aktualizr-host-tools package built by # the aktualizr (target) recipe. DEPENDS = "aktualizr" -RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" # If the config file from aktualizr used here is changed, you will need to bump # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb index 27d1e3f..7db2c68 100644 --- a/recipes-test/images/secondary-image.bb +++ b/recipes-test/images/secondary-image.bb @@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \ aktualizr-shared-prov \ aktualizr-shared-prov-creds \ aktualizr-device-prov \ - aktualizr-device-prov-creds \ aktualizr-device-prov-hsm \ aktualizr-uboot-env-rollback \ virtual/network-configuration \ diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh index 493df80..fcb2f97 100755 --- a/scripts/find_aktualizr_dependencies.sh +++ b/scripts/find_aktualizr_dependencies.sh @@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr ${parentdir}/find_dependencies.py aktualizr-shared-prov ${parentdir}/find_dependencies.py aktualizr-shared-prov-creds ${parentdir}/find_dependencies.py aktualizr-device-prov -${parentdir}/find_dependencies.py aktualizr-device-prov-creds ${parentdir}/find_dependencies.py aktualizr-device-prov-hsm ${parentdir}/find_dependencies.py aktualizr-auto-reboot ${parentdir}/find_dependencies.py aktualizr-disable-send-ip -- cgit v1.2.3-54-g00ecf