From 6ab132ed5580c7197769662b7af04410cbc9690f Mon Sep 17 00:00:00 2001 From: merltron <30755179+merltron@users.noreply.github.com> Date: Mon, 13 May 2019 12:50:54 +0200 Subject: OTA-2606: Renaming provisioning methods Updating links to documentation with proper terminology rather than aktualizr repo topics (aktualizr repo also now has a mirror of the same topic). Signed-off-by: Patrick Vacek --- README.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'README.adoc') diff --git a/README.adoc b/README.adoc index a28d934..f1fe0e5 100644 --- a/README.adoc +++ b/README.adoc 
@@ -88,7 +88,7 @@ Your images will also need network connectivity to be able to reach an actual OT * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy. * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push]. * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build. -* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-ca-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe. +* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are [`aktualizr-auto-prov`], [`aktualizr-ca-implicit-prov`], and [`aktualizr-hsm-prov`]. For more information on these provisioning methods, see the https://docs.ota.here.com/client-config/client-provisioning-methods.html[OTA Connect documentation]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe. * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. 
The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client). * `SOTA_SECONDARY_CONFIG_DIR` - a directory containing JSON configuration files for virtual secondaries on the host. These will be installed into `/etc/sota/ecus` on the device and automatically provided to aktualizr. * `SOTA_HARDWARE_ID` - a custom hardware ID that will be written to the aktualizr config. Defaults to MACHINE if not set. -- cgit v1.2.3-54-g00ecf From e41ef379f8613b52c35efd7b07987f2040368c48 Mon Sep 17 00:00:00 2001 From: Merlin Carter Date: Mon, 20 May 2019 13:15:38 +0200 Subject: OTA-2606: Renaming provisioning methods Removing unnecessary square brackets Signed-off-by: Merlin Carter Signed-off-by: Patrick Vacek --- README.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'README.adoc') diff --git a/README.adoc b/README.adoc index f1fe0e5..9d17413 100644 --- a/README.adoc +++ b/README.adoc 
@@ -88,7 +88,7 @@ Your images will also need network connectivity to be able to reach an actual OT * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy. * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push]. * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build. -* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are [`aktualizr-auto-prov`], [`aktualizr-ca-implicit-prov`], and [`aktualizr-hsm-prov`]. For more information on these provisioning methods, see the https://docs.ota.here.com/client-config/client-provisioning-methods.html[OTA Connect documentation]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe. +* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are `aktualizr-auto-prov`, `aktualizr-ca-implicit-prov`, and `aktualizr-hsm-prov`. For more information on these provisioning methods, see the https://docs.ota.here.com/client-config/client-provisioning-methods.html[OTA Connect documentation]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe. * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client). 
* `SOTA_SECONDARY_CONFIG_DIR` - a directory containing JSON configuration files for virtual secondaries on the host. These will be installed into `/etc/sota/ecus` on the device and automatically provided to aktualizr. * `SOTA_HARDWARE_ID` - a custom hardware ID that will be written to the aktualizr config. Defaults to MACHINE if not set. -- cgit v1.2.3-54-g00ecf From 0b8f4c6518dbfdd0e599300dec23eb7dab52d0fd Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Fri, 17 May 2019 12:22:23 +0200 Subject: aktualizr-polling-interval: new config fragment. Can be used for testing purposes after we increase the default polling interval in aktualizr. We no longer recommend anything less than an hour for production use cases, but it's still convenient to poll more frequently while testing. Signed-off-by: Patrick Vacek --- README.adoc | 1 + recipes-sota/config/aktualizr-polling-interval.bb | 29 ++++++++++++++++++++++ recipes-sota/config/files/60-polling-interval.toml | 2 ++ 3 files changed, 32 insertions(+) create mode 100644 recipes-sota/config/aktualizr-polling-interval.bb create mode 100644 recipes-sota/config/files/60-polling-interval.toml (limited to 'README.adoc') diff --git a/README.adoc b/README.adoc index 9d17413..b447a2f 100644 --- a/README.adoc +++ b/README.adoc @@ -96,6 +96,7 @@ Your images will also need network connectivity to be able to reach an actual OT * `SOTA_DT_OVERLAYS` - whitespace-separated list of used device tree overlays for FIT image. This list is OSTree-updateable as well. * `SOTA_EXTRA_CONF_FRAGS` - extra https://lxr.missinglinkelectronics.com/uboot/doc/uImage.FIT/overlay-fdt-boot.txt[configuration fragments] for FIT image. * `RESOURCE_xxx_pn-aktualizr` - controls maximum resource usage of the aktualizr service, when `aktualizr-resource-control` is installed on the image. See <> for details. +* `SOTA_POLLING_SEC` - sets polling interval for aktualizr to check for updates if aktualizr-polling-sec is included in the image. == Usage 
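Review bot: The added `SOTA_POLLING_SEC` entry in README.adoc names the package as aktualizr-polling-sec, but the recipe this commit creates is `recipes-sota/config/aktualizr-polling-interval.bb`, so anyone following the README would add a package name that does not match the recipe. Use `aktualizr-polling-interval` (in backticks, like the other entries), and state the unit and the recipe default of "30" here, along with the commit message's point that anything under an hour is meant for testing rather than production.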
diff --git a/recipes-sota/config/aktualizr-polling-interval.bb b/recipes-sota/config/aktualizr-polling-interval.bb new file mode 100644 index 0000000..53c008a --- /dev/null +++ b/recipes-sota/config/aktualizr-polling-interval.bb @@ -0,0 +1,29 @@ +SUMMARY = "Set polling interval in Aktualizr" +DESCRIPTION = "Configures aktualizr to poll at a custom frequency (suitable for testing or other purposes)" +HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +inherit allarch + +SRC_URI = " \ + file://60-polling-interval.toml \ + " + +SOTA_POLLING_SEC ?= "30" + +do_install_append () { + install -m 0700 -d ${D}${libdir}/sota/conf.d + install -m 0644 ${WORKDIR}/60-polling-interval.toml ${D}${libdir}/sota/conf.d/60-polling-interval.toml + + sed -i -e 's|@POLLING_SEC@|${SOTA_POLLING_SEC}|g' \ + ${D}${libdir}/sota/conf.d/60-polling-interval.toml +} + +FILES_${PN} = " \ + ${libdir}/sota/conf.d/60-polling-interval.toml \ + " + +# vim:set ts=4 sw=4 sts=4 expandtab: + diff --git a/recipes-sota/config/files/60-polling-interval.toml b/recipes-sota/config/files/60-polling-interval.toml new file mode 100644 index 0000000..7d25d05 --- /dev/null +++ b/recipes-sota/config/files/60-polling-interval.toml @@ -0,0 +1,2 @@ +[uptane] +polling_sec = @POLLING_SEC@ -- cgit v1.2.3-54-g00ecf From 0b9caa66a90e0a0ea673ffcc37a00818e4806dac Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Tue, 28 May 2019 09:46:28 +0200 Subject: Rename provisioning methods. "Autoprovisioning" or "automatic provisioning" is now known as "shared credential provisioning". "Implicit provisioning" is now known as "device credential provisioning". "HSM provisioning" was always a misnomer, so it is now referred to as "device credential provisioning with an HSM". This includes a bump of the aktualizr version as well. 
Signed-off-by: Patrick Vacek --- README.adoc | 12 ++--- classes/sota.bbclass | 2 +- lib/oeqa/selftest/cases/updater_minnowboard.py | 2 +- lib/oeqa/selftest/cases/updater_qemux86_64.py | 40 +++++++-------- lib/oeqa/selftest/cases/updater_raspberrypi.py | 3 +- .../aktualizr/aktualizr-auto-prov-creds.bb | 31 ----------- recipes-sota/aktualizr/aktualizr-auto-prov.bb | 45 ---------------- .../aktualizr/aktualizr-ca-implicit-prov-creds.bb | 57 -------------------- .../aktualizr/aktualizr-ca-implicit-prov.bb | 30 ----------- .../aktualizr/aktualizr-device-prov-creds.bb | 60 ++++++++++++++++++++++ .../aktualizr/aktualizr-device-prov-hsm.bb | 30 +++++++++++ recipes-sota/aktualizr/aktualizr-device-prov.bb | 29 +++++++++++ recipes-sota/aktualizr/aktualizr-hsm-prov.bb | 30 ----------- .../aktualizr/aktualizr-shared-prov-creds.bb | 32 ++++++++++++ recipes-sota/aktualizr/aktualizr-shared-prov.bb | 43 ++++++++++++++++ .../aktualizr/aktualizr-uboot-env-rollback.bb | 2 +- recipes-sota/aktualizr/aktualizr_git.bb | 15 +++--- recipes-test/demo-config/files/30-fake-pacman.toml | 2 + recipes-test/demo-config/files/30-fake_pacman.toml | 2 - .../demo-config/files/30-secondary-config.toml | 2 + .../demo-config/files/30-secondary_config.toml | 2 - .../demo-config/files/35-network-config.toml | 4 ++ .../demo-config/files/35-network_config.toml | 4 -- recipes-test/demo-config/files/45-id-config.toml | 3 ++ recipes-test/demo-config/files/45-id_config.toml | 3 -- recipes-test/demo-config/primary-config.bb | 6 +-- recipes-test/demo-config/secondary-config.bb | 22 ++++---- recipes-test/images/secondary-image.bb | 10 ++-- scripts/find_aktualizr_dependencies.sh | 13 ++--- 29 files changed, 268 insertions(+), 268 deletions(-) delete mode 100644 recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb delete mode 100644 recipes-sota/aktualizr/aktualizr-auto-prov.bb delete mode 100644 recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb delete mode 100644 
recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb create mode 100644 recipes-sota/aktualizr/aktualizr-device-prov-creds.bb create mode 100644 recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb create mode 100644 recipes-sota/aktualizr/aktualizr-device-prov.bb delete mode 100644 recipes-sota/aktualizr/aktualizr-hsm-prov.bb create mode 100644 recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb create mode 100644 recipes-sota/aktualizr/aktualizr-shared-prov.bb create mode 100644 recipes-test/demo-config/files/30-fake-pacman.toml delete mode 100644 recipes-test/demo-config/files/30-fake_pacman.toml create mode 100644 recipes-test/demo-config/files/30-secondary-config.toml delete mode 100644 recipes-test/demo-config/files/30-secondary_config.toml create mode 100644 recipes-test/demo-config/files/35-network-config.toml delete mode 100644 recipes-test/demo-config/files/35-network_config.toml create mode 100644 recipes-test/demo-config/files/45-id-config.toml delete mode 100644 recipes-test/demo-config/files/45-id_config.toml (limited to 'README.adoc') diff --git a/README.adoc b/README.adoc index b447a2f..41d8e96 100644 --- a/README.adoc +++ b/README.adoc 
@@ -80,7 +80,7 @@ Your images will also need network connectivity to be able to reach an actual OT * `OSTREE_REPO` - path to your OSTree repository. Defaults to `$\{DEPLOY_DIR_IMAGE}/ostree_repo` * `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky". -* `OSTREE_COMMIT_BODY` - Message attached to OSTree commit. Empty by default. +* `OSTREE_COMMIT_BODY` - Message attached to OSTree commit. Empty by default. * `OSTREE_COMMIT_SUBJECT` - Commit subject used by OSTree. Defaults to `Commit-id: ${IMAGE_NAME}` * `OSTREE_UPDATE_SUMMARY` - Set this to '1' to update summary of OSTree repository on each commit. '0' by default. * `OSTREE_DEPLOY_DEVICETREE` - Set this to '1' to include devicetree(s) to boot 
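Review bot: The `OSTREE_COMMIT_BODY` line in this hunk is removed and re-added with identical visible text, so it looks like a whitespace-only cleanup riding along in a commit whose subject is the provisioning rename. Consider splitting it into its own commit, or mention it in the commit message, so the rename stays easy to audit and revert.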
@@ -88,7 +88,7 @@ Your images will also need network connectivity to be able to reach an actual OT * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy. * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push]. * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build. -* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are `aktualizr-auto-prov`, `aktualizr-ca-implicit-prov`, and `aktualizr-hsm-prov`. For more information on these provisioning methods, see the https://docs.ota.here.com/client-config/client-provisioning-methods.html[OTA Connect documentation]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe. +* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are `aktualizr-shared-prov`, `aktualizr-device-prov`, and `aktualizr-device-prov-hsm`. For more information on these provisioning methods, see the https://docs.ota.here.com/client-config/client-provisioning-methods.html[OTA Connect documentation]. The default is `aktualizr-shared-prov`. This can also be set to an empty string to avoid using a provisioning recipe. * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client). 
* `SOTA_SECONDARY_CONFIG_DIR` - a directory containing JSON configuration files for virtual secondaries on the host. These will be installed into `/etc/sota/ecus` on the device and automatically provided to aktualizr. * `SOTA_HARDWARE_ID` - a custom hardware ID that will be written to the aktualizr config. Defaults to MACHINE if not set. 
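Review bot: The `SOTA_CLIENT_PROV` entry swaps the three valid values with no migration note, so a `local.conf` that still sets `aktualizr-auto-prov`, `aktualizr-ca-implicit-prov` or `aktualizr-hsm-prov` will point at a recipe this commit deletes. Add one sentence mapping each old name to its replacement (`aktualizr-shared-prov`, `aktualizr-device-prov`, `aktualizr-device-prov-hsm`). Since the default remains shared credential provisioning and `SOTA_DEPLOY_CREDENTIALS` defaults to '1', this entry is also a good place to say that a default build deploys the shared provisioning credentials into the image.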
@@ -251,13 +251,13 @@ The aktualizr tests will now be part of the deployed ptest suite, which can be r As described in <> section you can set `SOTA_DEPLOY_CREDENTIALS` to `0` to prevent deploying credentials to the built `wic` image. In this case you get a generic image that you can use e.g. on a production line to flash a series of devices. The cost of this approach is that this image is half-baked and should be provisioned before it can connect to the backend. -Provisioning procedure depends on your provisioning recipe, i.e. the value of `SOTA_CLIENT_PROV` (equal to `aktualizr-auto-prov` by default): +Provisioning procedure depends on your provisioning recipe, i.e. the value of `SOTA_CLIENT_PROV` (equal to `aktualizr-shared-prov` by default): -* For `aktualizr-auto-prov` put your `credentials.zip` to `/var/sota/sota_provisioning_credentials.zip` on the filesystem of a running device. If you have the filesystem of our device mounted to your build machine, prefix all paths with `/ostree/deploy/poky` as in `/ostree/deploy/poky/var/sota/sota_provisioning_credentials.zip`. -* For `aktualizr-ca-implicit-prov` +* For `aktualizr-shared-prov` put your `credentials.zip` to `/var/sota/sota_provisioning_credentials.zip` on the filesystem of a running device. If you have the filesystem of our device mounted to your build machine, prefix all paths with `/ostree/deploy/poky` as in `/ostree/deploy/poky/var/sota/sota_provisioning_credentials.zip`. +* For `aktualizr-device-prov` ** put URL to the backend server (together with protocol prefix and port number) at `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in the `autoprov.url` file in your credentials archive. ** put client certificate, private key and root CA certificate (for the *server*, not for the *device*) at `/var/sota/import/client.pem`, `/var/sota/import/pkey.pem` and `/var/sota/import/root.crt` respectively. 
-* For `aktualizr-hsm-prov` +* For `aktualizr-device-prov-hsm` ** put URL to the server backend (together with protocol prefix and port number) at `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in the `autoprov.url` file in your credentials archive. ** put root CA certificate (for the *server*, not for the *device*) at `/var/sota/import/root.crt`. ** put client certificate and private key to slots 1 and 2 of the PKCS#11-compatible device. diff --git a/classes/sota.bbclass b/classes/sota.bbclass index 56b9a8e..26c1b85 100644 --- a/classes/sota.bbclass +++ b/classes/sota.bbclass @@ -3,7 +3,7 @@ DISTROOVERRIDES .= "${@bb.utils.contains('DISTRO_FEATURES', 'sota', ':sota', '', HOSTTOOLS_NONFATAL += "java" SOTA_CLIENT ??= "aktualizr" -SOTA_CLIENT_PROV ??= "aktualizr-auto-prov" +SOTA_CLIENT_PROV ??= "aktualizr-shared-prov" SOTA_DEPLOY_CREDENTIALS ?= "1" SOTA_HARDWARE_ID ??= "${MACHINE}" diff --git a/lib/oeqa/selftest/cases/updater_minnowboard.py b/lib/oeqa/selftest/cases/updater_minnowboard.py index f5df584..267445b 100644 --- a/lib/oeqa/selftest/cases/updater_minnowboard.py +++ b/lib/oeqa/selftest/cases/updater_minnowboard.py @@ -29,7 +29,7 @@ class MinnowTests(OESelftestTestCase): self.meta_minnow = None self.append_config('MACHINE = "intel-corei7-64"') self.append_config('OSTREE_BOOTLOADER = "grub"') - self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "') + self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "') self.qemu, self.s = qemu_launch(efi=True, machine='intel-corei7-64') def tearDownLocal(self): diff --git a/lib/oeqa/selftest/cases/updater_qemux86_64.py b/lib/oeqa/selftest/cases/updater_qemux86_64.py index f951bc7..e26a022 100644 --- a/lib/oeqa/selftest/cases/updater_qemux86_64.py +++ b/lib/oeqa/selftest/cases/updater_qemux86_64.py 
@@ -16,7 +16,7 @@ class GeneralTests(OESelftestTestCase): def test_credentials(self): logger = logging.getLogger("selftest") logger.info('Running bitbake to build core-image-minimal') - self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"') + self.append_config('SOTA_CLIENT_PROV = "aktualizr-shared-prov"') bitbake('core-image-minimal') credentials = get_bb_var('SOTA_PACKED_CREDENTIALS') # skip the test if the variable SOTA_PACKED_CREDENTIALS is not set @@ -46,13 +46,13 @@ class AktualizrToolsTests(OESelftestTestCase): def test_cert_provider_local_output(self): logger = logging.getLogger("selftest") - logger.info('Running bitbake to build aktualizr-ca-implicit-prov') - bitbake('aktualizr-ca-implicit-prov') + logger.info('Running bitbake to build aktualizr-device-prov') + bitbake('aktualizr-device-prov') bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS', 'T'], 'aktualizr-native') creds = bb_vars['SOTA_PACKED_CREDENTIALS'] temp_dir = bb_vars['T'] - bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-ca-implicit-prov') - config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov_ca.toml' + bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-device-prov') + config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota-device-cred.toml' akt_native_run(self, 'aktualizr-cert-provider -c {creds} -r -l {temp} -g {config}' .format(creds=creds, temp=temp_dir, config=config)) @@ -69,7 +69,7 @@ class AktualizrToolsTests(OESelftestTestCase): self.assertTrue(os.path.getsize(ca_path) > 0, "Client certificate at %s is empty." % ca_path) -class AutoProvTests(OESelftestTestCase): +class SharedCredProvTests(OESelftestTestCase): def setUpLocal(self): layer = "meta-updater-qemux86-64" 
@@ -85,7 +85,7 @@ class AutoProvTests(OESelftestTestCase): else: self.meta_qemu = None self.append_config('MACHINE = "qemux86-64"') - self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "') + self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "') self.qemu, self.s = qemu_launch(machine='qemux86-64') def tearDownLocal(self): @@ -127,7 +127,7 @@ class ManualControlTests(OESelftestTestCase): else: self.meta_qemu = None self.append_config('MACHINE = "qemux86-64"') - self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "') + self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "') self.append_config('SYSTEMD_AUTO_ENABLE_aktualizr = "disable"') self.qemu, self.s = qemu_launch(machine='qemux86-64') @@ -155,7 +155,7 @@ class ManualControlTests(OESelftestTestCase): 'Aktualizr should have run' + stderr.decode() + stdout.decode()) -class ImplProvTests(OESelftestTestCase): +class DeviceCredProvTests(OESelftestTestCase): def setUpLocal(self): layer = "meta-updater-qemux86-64" @@ -171,9 +171,9 @@ class ImplProvTests(OESelftestTestCase): else: self.meta_qemu = None self.append_config('MACHINE = "qemux86-64"') - self.append_config('SOTA_CLIENT_PROV = " aktualizr-ca-implicit-prov "') + self.append_config('SOTA_CLIENT_PROV = " aktualizr-device-prov "') self.append_config('SOTA_DEPLOY_CREDENTIALS = "0"') - runCmd('bitbake -c cleanall aktualizr aktualizr-ca-implicit-prov') + runCmd('bitbake -c cleanall aktualizr aktualizr-device-prov') self.qemu, self.s = qemu_launch(machine='qemux86-64') def tearDownLocal(self): 
@@ -201,8 +201,8 @@ class ImplProvTests(OESelftestTestCase): # Run aktualizr-cert-provider. bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native') creds = bb_vars['SOTA_PACKED_CREDENTIALS'] - bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-ca-implicit-prov') - config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov_ca.toml' + bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-device-prov') + config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota-device-cred.toml' print('Provisining at root@localhost:%d' % self.qemu.ssh_port) akt_native_run(self, 'aktualizr-cert-provider -c {creds} -t root@localhost -p {port} -s -u -r -g {config}' @@ -211,7 +211,7 @@ class ImplProvTests(OESelftestTestCase): verifyProvisioned(self, machine) -class HsmTests(OESelftestTestCase): +class DeviceCredProvHsmTests(OESelftestTestCase): def setUpLocal(self): layer = "meta-updater-qemux86-64" @@ -227,11 +227,11 @@ class HsmTests(OESelftestTestCase): else: self.meta_qemu = None self.append_config('MACHINE = "qemux86-64"') - self.append_config('SOTA_CLIENT_PROV = "aktualizr-hsm-prov"') + self.append_config('SOTA_CLIENT_PROV = "aktualizr-device-prov-hsm"') self.append_config('SOTA_DEPLOY_CREDENTIALS = "0"') self.append_config('SOTA_CLIENT_FEATURES = "hsm"') self.append_config('IMAGE_INSTALL_append = " softhsm-testtoken"') - runCmd('bitbake -c cleanall aktualizr aktualizr-hsm-prov') + runCmd('bitbake -c cleanall aktualizr aktualizr-device-prov-hsm') self.qemu, self.s = qemu_launch(machine='qemux86-64') def tearDownLocal(self): 
@@ -269,8 +269,8 @@ class HsmTests(OESelftestTestCase): # Run aktualizr-cert-provider. bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native') creds = bb_vars['SOTA_PACKED_CREDENTIALS'] - bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-hsm-prov') - config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_hsm_prov.toml' + bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-device-prov-hsm') + config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota-device-cred-hsm.toml' akt_native_run(self, 'aktualizr-cert-provider -c {creds} -t root@localhost -p {port} -r -s -u -g {config}' .format(creds=creds, port=self.qemu.ssh_port, config=config)) @@ -369,7 +369,7 @@ class IpSecondaryTests(OESelftestTestCase): def configure(self): self._test_ctx.append_config('MACHINE = "qemux86-64"') - self._test_ctx.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "') + self._test_ctx.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "') def is_ecu_registered(self, ecu_id): max_number_of_tries = 20 @@ -456,7 +456,7 @@ class ResourceControlTests(OESelftestTestCase): else: self.meta_qemu = None self.append_config('MACHINE = "qemux86-64"') - self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "') + self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "') self.append_config('IMAGE_INSTALL_append += " aktualizr-resource-control "') self.append_config('RESOURCE_CPU_WEIGHT_pn-aktualizr = "1000"') self.append_config('RESOURCE_MEMORY_HIGH_pn-aktualizr = "50M"') diff --git a/lib/oeqa/selftest/cases/updater_raspberrypi.py b/lib/oeqa/selftest/cases/updater_raspberrypi.py index 785d703..f6ae903 100644 --- a/lib/oeqa/selftest/cases/updater_raspberrypi.py +++ b/lib/oeqa/selftest/cases/updater_raspberrypi.py 
@@ -53,7 +53,7 @@ class RpiTests(OESelftestTestCase): self.meta_qemu = None self.append_config('MACHINE = "raspberrypi3"') - self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "') + self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "') def tearDownLocal(self): if self.meta_qemu: @@ -68,7 +68,6 @@ class RpiTests(OESelftestTestCase): def test_build(self): logger = logging.getLogger("selftest") logger.info('Running bitbake to build core-image-minimal') - self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"') bitbake('core-image-minimal') credentials = get_bb_var('SOTA_PACKED_CREDENTIALS') # Skip the test if the variable SOTA_PACKED_CREDENTIALS is not set. diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb deleted file mode 100644 index 6b2dd27..0000000 --- a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb +++ /dev/null 
@@ -1,31 +0,0 @@ -SUMMARY = "Credentials for autoprovisioning scenario" -SECTION = "base" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" - -inherit allarch - -DEPENDS = "aktualizr-native zip-native" -ALLOW_EMPTY_${PN} = "1" - -require credentials.inc - -do_install() { - if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then - install -m 0700 -d ${D}${localstatedir}/sota - cp "${SOTA_PACKED_CREDENTIALS}" ${D}${localstatedir}/sota/sota_provisioning_credentials.zip - # Device should not be able to push data to treehub - zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json - # Device has no use for the API Gateway. Remove if present. See: - # https://github.com/advancedtelematic/ota-plus-server/pull/1913/ - if unzip -l ${D}${localstatedir}/sota/sota_provisioning_credentials.zip api_gateway.url > /dev/null; then - zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip api_gateway.url - fi - fi -} - -FILES_${PN} = " \ - ${localstatedir}/sota/sota_provisioning_credentials.zip \ - " - -# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-auto-prov.bb deleted file mode 100644 index 4b68491..0000000 --- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb +++ /dev/null 
@@ -1,45 +0,0 @@ -SUMMARY = "Aktualizr configuration for autoprovisioning" -DESCRIPTION = "Configuration for automatically provisioning Aktualizr, the SOTA Client application written in C++" -HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" -SECTION = "base" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" - -inherit allarch - -DEPENDS = "aktualizr-native zip-native" -RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" -PV = "1.0" -PR = "6" - -SRC_URI = "" - -require credentials.inc - -do_install() { - if [ -n "${SOTA_AUTOPROVISION_CREDENTIALS}" ]; then - bbwarn "SOTA_AUTOPROVISION_CREDENTIALS are ignored. Please use SOTA_PACKED_CREDENTIALS" - fi - if [ -n "${SOTA_AUTOPROVISION_URL}" ]; then - bbwarn "SOTA_AUTOPROVISION_URL is ignored. Please use SOTA_PACKED_CREDENTIALS" - fi - if [ -n "${SOTA_AUTOPROVISION_URL_FILE}" ]; then - bbwarn "SOTA_AUTOPROVISION_URL_FILE is ignored. Please use SOTA_PACKED_CREDENTIALS" - fi - if [ -n "${OSTREE_PUSH_CREDENTIALS}" ]; then - bbwarn "OSTREE_PUSH_CREDENTIALS is ignored. Please use SOTA_PACKED_CREDENTIALS" - fi - - install -m 0700 -d ${D}${libdir}/sota/conf.d - aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)} - - install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \ - ${D}${libdir}/sota/conf.d/20-${aktualizr_toml} -} - -FILES_${PN} = " \ - ${libdir}/sota/conf.d \ - ${libdir}/sota/conf.d/20-${aktualizr_toml} \ - " - -# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb deleted file mode 100644 index da17d77..0000000 --- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb +++ /dev/null 
@@ -1,57 +0,0 @@ -SUMMARY = "Credentials for implicit provisioning with CA certificate" -SECTION = "base" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" - -inherit allarch - -# WARNING: it is NOT a production solution. The secure way to provision devices -# is to create certificate request directly on the device (either with HSM/TPM -# or with software) and then sign it with a CA stored on a disconnected machine. - -DEPENDS = "aktualizr aktualizr-native" -ALLOW_EMPTY_${PN} = "1" - -SRC_URI = " \ - file://ca.cnf \ - " - -require credentials.inc - -export SOTA_CACERT_PATH -export SOTA_CAKEY_PATH - -do_install() { - if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then - if [ -z ${SOTA_CACERT_PATH} ]; then - SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem - SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem - mkdir -p ${DEPLOY_DIR_IMAGE}/CA - bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}" - - if [ ! 
-f ${SOTA_CACERT_PATH} ]; then - bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" - SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")" - openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 - openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert - bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" - fi - fi - - if [ -z ${SOTA_CAKEY_PATH} ]; then - bbfatal "SOTA_CAKEY_PATH should be set when using implicit provisioning" - fi - - install -m 0700 -d ${D}${localstatedir}/sota - aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \ - --fleet-ca ${SOTA_CACERT_PATH} \ - --fleet-ca-key ${SOTA_CAKEY_PATH} \ - --root-ca \ - --server-url \ - --local ${D} \ - --config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml - fi -} - -FILES_${PN} = " \ - ${localstatedir}/sota/*" diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb deleted file mode 100644 index 414cb5e..0000000 --- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb +++ /dev/null 
@@ -1,30 +0,0 @@ -SUMMARY = "Aktualizr configuration for implicit provisioning with CA" -DESCRIPTION = "Configuration for implicitly provisioning Aktualizr using externally provided or generated CA" - -HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" -SECTION = "base" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" - -inherit allarch - -DEPENDS = "aktualizr aktualizr-native openssl-native" -RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" - -PV = "1.0" -PR = "1" - -require credentials.inc - -do_install() { - install -m 0700 -d ${D}${libdir}/sota/conf.d - - install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \ - ${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml -} - -FILES_${PN} = " \ - ${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \ - " - -# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb new file mode 100644 index 0000000..6e02a50 --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb 
@@ -0,0 +1,60 @@ +SUMMARY = "Credentials for device provisioning with fleet CA certificate" +HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +inherit allarch + +# WARNING: it is NOT a production solution. The secure way to provision devices +# is to create certificate request directly on the device (either with HSM/TPM +# or with software) and then sign it with a CA stored on a disconnected machine. + +DEPENDS = "aktualizr aktualizr-native" +ALLOW_EMPTY_${PN} = "1" + +SRC_URI = " \ + file://ca.cnf \ + " + +require credentials.inc + +export SOTA_CACERT_PATH +export SOTA_CAKEY_PATH + +do_install() { + if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then + if [ -z ${SOTA_CACERT_PATH} ]; then + SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem + SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem + mkdir -p ${DEPLOY_DIR_IMAGE}/CA + bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}" + + if [ ! 
-f ${SOTA_CACERT_PATH} ]; then + bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" + SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")" + openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 + openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert + bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" + fi + fi + + if [ -z ${SOTA_CAKEY_PATH} ]; then + bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning" + fi + + install -m 0700 -d ${D}${localstatedir}/sota + aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \ + --fleet-ca ${SOTA_CACERT_PATH} \ + --fleet-ca-key ${SOTA_CAKEY_PATH} \ + --root-ca \ + --server-url \ + --local ${D} \ + --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml + fi +} + +FILES_${PN} = " \ + ${localstatedir}/sota/*" + +# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb new file mode 100644 index 0000000..c3cd593 --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb 
@@ -0,0 +1,30 @@ +SUMMARY = "Aktualizr configuration for device credential provisioning with HSM support" +DESCRIPTION = "Configuration for provisioning Aktualizr with device credentials using externally provided or generated CA with HSM support" +HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +inherit allarch + +DEPENDS = "aktualizr aktualizr-native" +RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" + +SRC_URI = "" +PV = "1.0" +PR = "6" + +require credentials.inc + +do_install() { + install -m 0700 -d ${D}${libdir}/sota/conf.d + install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred-hsm.toml \ + ${D}${libdir}/sota/conf.d/20-sota-device-cred-hsm.toml +} + +FILES_${PN} = " \ + ${libdir}/sota/conf.d \ + ${libdir}/sota/conf.d/20-sota-device-cred-hsm.toml \ + " + +# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb new file mode 100644 index 0000000..d579532 --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb 
@@ -0,0 +1,29 @@ +SUMMARY = "Aktualizr configuration for device credential provisioning" +DESCRIPTION = "Configuration for provisioning Aktualizr with device credentials using externally provided or generated CA" +HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +inherit allarch + +DEPENDS = "aktualizr aktualizr-native openssl-native" +RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" + +PV = "1.0" +PR = "1" + +require credentials.inc + +do_install() { + install -m 0700 -d ${D}${libdir}/sota/conf.d + install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml \ + ${D}${libdir}/sota/conf.d/20-sota-device-cred.toml +} + +FILES_${PN} = " \ + ${libdir}/sota/conf.d \ + ${libdir}/sota/conf.d/20-sota-device-cred.toml \ + " + +# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb deleted file mode 100644 index 77c6720..0000000 --- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb +++ /dev/null 
@@ -1,30 +0,0 @@ -SUMMARY = "Aktualizr configuration with HSM support" -DESCRIPTION = "Configuration for HSM provisioning with Aktualizr, the SOTA Client application written in C++" -HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" -SECTION = "base" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" - -inherit allarch - -DEPENDS = "aktualizr aktualizr-native" -RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" - -SRC_URI = "" -PV = "1.0" -PR = "6" - -require credentials.inc - -do_install() { - install -m 0700 -d ${D}${libdir}/sota/conf.d - install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_hsm_prov.toml \ - ${D}${libdir}/sota/conf.d/20-sota_hsm_prov.toml -} - -FILES_${PN} = " \ - ${libdir}/sota/conf.d \ - ${libdir}/sota/conf.d/20-sota_hsm_prov.toml \ - " - -# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb new file mode 100644 index 0000000..dbb5fde --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb 
@@ -0,0 +1,32 @@ +SUMMARY = "Credentials for shared provisioning" +HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +inherit allarch + +DEPENDS = "aktualizr-native zip-native" +ALLOW_EMPTY_${PN} = "1" + +require credentials.inc + +do_install() { + if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then + install -m 0700 -d ${D}${localstatedir}/sota + cp "${SOTA_PACKED_CREDENTIALS}" ${D}${localstatedir}/sota/sota_provisioning_credentials.zip + # Device should not be able to push data to treehub + zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json + # Device has no use for the API Gateway. Remove if present. See: + # https://github.com/advancedtelematic/ota-plus-server/pull/1913/ + if unzip -l ${D}${localstatedir}/sota/sota_provisioning_credentials.zip api_gateway.url > /dev/null; then + zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip api_gateway.url + fi + fi +} + +FILES_${PN} = " \ + ${localstatedir}/sota/sota_provisioning_credentials.zip \ + " + +# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov.bb b/recipes-sota/aktualizr/aktualizr-shared-prov.bb new file mode 100644 index 0000000..d3d6f16 --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-shared-prov.bb 
@@ -0,0 +1,43 @@ +SUMMARY = "Aktualizr configuration for shared credential provisioning" +DESCRIPTION = "Configuration for provisioning Aktualizr with shared credentials" +HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" +SECTION = "base" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" + +inherit allarch + +DEPENDS = "aktualizr-native zip-native" +RDEPENDS_${PN}_append = "${@' aktualizr-shared-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" +PV = "1.0" +PR = "6" + +SRC_URI = "" + +require credentials.inc + +do_install() { + if [ -n "${SOTA_AUTOPROVISION_CREDENTIALS}" ]; then + bbwarn "SOTA_AUTOPROVISION_CREDENTIALS are ignored. Please use SOTA_PACKED_CREDENTIALS" + fi + if [ -n "${SOTA_AUTOPROVISION_URL}" ]; then + bbwarn "SOTA_AUTOPROVISION_URL is ignored. Please use SOTA_PACKED_CREDENTIALS" + fi + if [ -n "${SOTA_AUTOPROVISION_URL_FILE}" ]; then + bbwarn "SOTA_AUTOPROVISION_URL_FILE is ignored. Please use SOTA_PACKED_CREDENTIALS" + fi + if [ -n "${OSTREE_PUSH_CREDENTIALS}" ]; then + bbwarn "OSTREE_PUSH_CREDENTIALS is ignored. Please use SOTA_PACKED_CREDENTIALS" + fi + + install -m 0700 -d ${D}${libdir}/sota/conf.d + install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-shared-cred.toml \ + ${D}${libdir}/sota/conf.d/20-sota-shared-cred.toml +} + +FILES_${PN} = " \ + ${libdir}/sota/conf.d \ + ${libdir}/sota/conf.d/20-sota-shared-cred.toml \ + " + +# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb index d962876..860f225 100644 --- a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb +++ b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb 
@@ -13,7 +13,7 @@ SRC_URI = "" do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d - install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_uboot_env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml + install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml } FILES_${PN} = " \ diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index edacdb1..75d5bd9 100755 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb @@ -31,7 +31,7 @@ SRC_URI = " \ SRC_URI[md5sum] = "e104ccd4f32e52571a5fc0e5042db050" SRC_URI[sha256sum] = "c590be1a57523bfe097af82279eda5c97cf40ae47fb27162cf33c469702c8a9b" -SRCREV = "8c523efc4c1f1e6d9dfd41b7e23a202ade4d9ff7" +SRCREV = "fce5854ff10e7efd52d69bbaf68dc2af990d5746" BRANCH ?= "master" S = "${WORKDIR}/git" 
@@ -92,12 +92,11 @@ do_install_ptest() { do_install_append () { install -d ${D}${libdir}/sota - install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml - install -m 0644 ${S}/config/sota_autoprov_primary.toml ${D}/${libdir}/sota/sota_autoprov_primary.toml - install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml - install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml - install -m 0644 ${S}/config/sota_secondary.toml ${D}/${libdir}/sota/sota_secondary.toml - install -m 0644 ${S}/config/sota_uboot_env.toml ${D}/${libdir}/sota/sota_uboot_env.toml + install -m 0644 ${S}/config/sota-shared-cred.toml ${D}/${libdir}/sota/sota-shared-cred.toml + install -m 0644 ${S}/config/sota-device-cred-hsm.toml ${D}/${libdir}/sota/sota-device-cred-hsm.toml + install -m 0644 ${S}/config/sota-device-cred.toml ${D}/${libdir}/sota/sota-device-cred.toml + install -m 0644 ${S}/config/sota-secondary.toml ${D}/${libdir}/sota/sota-secondary.toml + install -m 0644 ${S}/config/sota-uboot-env.toml ${D}/${libdir}/sota/sota-uboot-env.toml install -d ${D}${systemd_unitdir}/system install -m 0644 ${WORKDIR}/aktualizr-secondary.service ${D}${systemd_unitdir}/system/aktualizr-secondary.service install -m 0700 -d ${D}${libdir}/sota/conf.d @@ -173,7 +172,7 @@ FILES_${PN}-examples = " \ FILES_${PN}-secondary = " \ ${bindir}/aktualizr-secondary \ - ${libdir}/sota/sota_secondary.toml \ + ${libdir}/sota/sota-secondary.toml \ ${systemd_unitdir}/system/aktualizr-secondary.service \ " diff --git a/recipes-test/demo-config/files/30-fake-pacman.toml b/recipes-test/demo-config/files/30-fake-pacman.toml new file mode 100644 index 0000000..3fb5cf2 --- /dev/null +++ b/recipes-test/demo-config/files/30-fake-pacman.toml @@ -0,0 +1,2 @@ +[pacman] +type = "fake" 
diff --git a/recipes-test/demo-config/files/30-fake_pacman.toml b/recipes-test/demo-config/files/30-fake_pacman.toml deleted file mode 100644 index 3fb5cf2..0000000 --- a/recipes-test/demo-config/files/30-fake_pacman.toml +++ /dev/null @@ -1,2 +0,0 @@ -[pacman] -type = "fake" diff --git a/recipes-test/demo-config/files/30-secondary-config.toml b/recipes-test/demo-config/files/30-secondary-config.toml new file mode 100644 index 0000000..7714240 --- /dev/null +++ b/recipes-test/demo-config/files/30-secondary-config.toml @@ -0,0 +1,2 @@ +[uptane] +secondary_config_file = "@CFG_FILEPATH@" diff --git a/recipes-test/demo-config/files/30-secondary_config.toml b/recipes-test/demo-config/files/30-secondary_config.toml deleted file mode 100644 index 7714240..0000000 --- a/recipes-test/demo-config/files/30-secondary_config.toml +++ /dev/null @@ -1,2 +0,0 @@ -[uptane] -secondary_config_file = "@CFG_FILEPATH@" diff --git a/recipes-test/demo-config/files/35-network-config.toml b/recipes-test/demo-config/files/35-network-config.toml new file mode 100644 index 0000000..db7a1bb --- /dev/null +++ b/recipes-test/demo-config/files/35-network-config.toml @@ -0,0 +1,4 @@ +[network] +port = @PORT@ +primary_ip = @PRIMARY_IP@ +primary_port = @PRIMARY_PORT@ diff --git a/recipes-test/demo-config/files/35-network_config.toml b/recipes-test/demo-config/files/35-network_config.toml deleted file mode 100644 index db7a1bb..0000000 --- a/recipes-test/demo-config/files/35-network_config.toml +++ /dev/null @@ -1,4 +0,0 @@ -[network] -port = @PORT@ -primary_ip = @PRIMARY_IP@ -primary_port = @PRIMARY_PORT@ diff --git a/recipes-test/demo-config/files/45-id-config.toml b/recipes-test/demo-config/files/45-id-config.toml new file mode 100644 index 0000000..6cbd77f --- /dev/null +++ b/recipes-test/demo-config/files/45-id-config.toml @@ -0,0 +1,3 @@ +[uptane] +ecu_serial = @SERIAL@ +ecu_hardware_id = @HWID@ 
diff --git a/recipes-test/demo-config/files/45-id_config.toml b/recipes-test/demo-config/files/45-id_config.toml deleted file mode 100644 index 6cbd77f..0000000 --- a/recipes-test/demo-config/files/45-id_config.toml +++ /dev/null @@ -1,3 +0,0 @@ -[uptane] -ecu_serial = @SERIAL@ -ecu_hardware_id = @HWID@ diff --git a/recipes-test/demo-config/primary-config.bb b/recipes-test/demo-config/primary-config.bb index 0cd9180..27cb553 100644 --- a/recipes-test/demo-config/primary-config.bb +++ b/recipes-test/demo-config/primary-config.bb @@ -7,7 +7,7 @@ require shared-conf.inc PRIMARY_SECONDARIES ?= "${SECONDARY_IP}:${SECONDARY_PORT}" SRC_URI = "\ - file://30-secondary_config.toml \ + file://30-secondary-config.toml \ file://ip_secondary_config.json \ " @@ -56,8 +56,8 @@ do_install () { # install aktualizr config file (toml) that points to the secondary config file, so aktualizr is aware about it install -m 0700 -d ${D}${libdir}/sota/conf.d - install -m 0644 ${WORKDIR}/30-secondary_config.toml ${D}${libdir}/sota/conf.d - sed -i "s|@CFG_FILEPATH@|$SECONDARY_CONFIG_FILEPATH_ON_IMAGE|g" ${D}${libdir}/sota/conf.d/30-secondary_config.toml + install -m 0644 ${WORKDIR}/30-secondary-config.toml ${D}${libdir}/sota/conf.d + sed -i "s|@CFG_FILEPATH@|$SECONDARY_CONFIG_FILEPATH_ON_IMAGE|g" ${D}${libdir}/sota/conf.d/30-secondary-config.toml } FILES_${PN} = " \ diff --git a/recipes-test/demo-config/secondary-config.bb b/recipes-test/demo-config/secondary-config.bb index 5b213d1..9411646 100644 --- a/recipes-test/demo-config/secondary-config.bb +++ b/recipes-test/demo-config/secondary-config.bb 
@@ -9,33 +9,33 @@ SOTA_HARDWARE_ID ?= "${MACHINE}-sndry" SECONDARY_HARDWARE_ID ?= "${SOTA_HARDWARE_ID}" SRC_URI = "\ - file://30-fake_pacman.toml \ - file://35-network_config.toml \ - file://45-id_config.toml \ + file://30-fake-pacman.toml \ + file://35-network-config.toml \ + file://45-id-config.toml \ " do_install () { install -m 0700 -d ${D}${libdir}/sota/conf.d - install -m 0644 ${WORKDIR}/30-fake_pacman.toml ${D}/${libdir}/sota/conf.d/30-fake_pacman.toml + install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}/${libdir}/sota/conf.d/30-fake-pacman.toml - install -m 0644 ${WORKDIR}/35-network_config.toml ${D}/${libdir}/sota/conf.d/35-network_config.toml + install -m 0644 ${WORKDIR}/35-network-config.toml ${D}/${libdir}/sota/conf.d/35-network-config.toml sed -i -e 's|@PORT@|${SECONDARY_PORT}|g' \ -e 's|@PRIMARY_IP@|${PRIMARY_IP}|g' \ -e 's|@PRIMARY_PORT@|${PRIMARY_PORT}|g' \ - ${D}/${libdir}/sota/conf.d/35-network_config.toml + ${D}/${libdir}/sota/conf.d/35-network-config.toml - install -m 0644 ${WORKDIR}/45-id_config.toml ${D}/${libdir}/sota/conf.d/45-id_config.toml + install -m 0644 ${WORKDIR}/45-id-config.toml ${D}/${libdir}/sota/conf.d/45-id-config.toml sed -i -e 's|@SERIAL@|${SECONDARY_SERIAL_ID}|g' \ -e 's|@HWID@|${SECONDARY_HARDWARE_ID}|g' \ - ${D}/${libdir}/sota/conf.d/45-id_config.toml + ${D}/${libdir}/sota/conf.d/45-id-config.toml } FILES_${PN} = " \ ${libdir}/sota/conf.d \ - ${libdir}/sota/conf.d/30-fake_pacman.toml \ - ${libdir}/sota/conf.d/35-network_config.toml \ - ${libdir}/sota/conf.d/45-id_config.toml \ + ${libdir}/sota/conf.d/30-fake-pacman.toml \ + ${libdir}/sota/conf.d/35-network-config.toml \ + ${libdir}/sota/conf.d/45-id-config.toml \ " # vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb index 4cae874..27d1e3f 100644 --- a/recipes-test/images/secondary-image.bb +++ b/recipes-test/images/secondary-image.bb 
@@ -11,11 +11,11 @@ SOTA_HARDWARE_ID ?= "${MACHINE}-sndry" # RDEPENDS on aktualizr) IMAGE_INSTALL_remove = " \ aktualizr \ - aktualizr-auto-prov \ - aktualizr-auto-prov-creds \ - aktualizr-ca-implicit-prov \ - aktualizr-ca-implicit-prov-creds \ - aktualizr-hsm-prov \ + aktualizr-shared-prov \ + aktualizr-shared-prov-creds \ + aktualizr-device-prov \ + aktualizr-device-prov-creds \ + aktualizr-device-prov-hsm \ aktualizr-uboot-env-rollback \ virtual/network-configuration \ " diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh index 986b541..493df80 100755 --- a/scripts/find_aktualizr_dependencies.sh +++ b/scripts/find_aktualizr_dependencies.sh @@ -10,14 +10,15 @@ parentdir="$(dirname "$0")" # (jsoncpp, open62541, picojson). Also check libp11, dpkg, and systemd since # those are common dependencies not enabled by default. ${parentdir}/find_dependencies.py aktualizr -${parentdir}/find_dependencies.py aktualizr-auto-prov -${parentdir}/find_dependencies.py aktualizr-auto-prov-creds -${parentdir}/find_dependencies.py aktualizr-ca-implicit-prov -${parentdir}/find_dependencies.py aktualizr-ca-implicit-prov-creds -${parentdir}/find_dependencies.py aktualizr-hsm-prov -${parentdir}/find_dependencies.py aktualizr-hsm-prov-creds +${parentdir}/find_dependencies.py aktualizr-shared-prov +${parentdir}/find_dependencies.py aktualizr-shared-prov-creds +${parentdir}/find_dependencies.py aktualizr-device-prov +${parentdir}/find_dependencies.py aktualizr-device-prov-creds +${parentdir}/find_dependencies.py aktualizr-device-prov-hsm +${parentdir}/find_dependencies.py aktualizr-auto-reboot ${parentdir}/find_dependencies.py aktualizr-disable-send-ip ${parentdir}/find_dependencies.py aktualizr-log-debug +${parentdir}/find_dependencies.py aktualizr-polling-interval ${parentdir}/find_dependencies.py libp11 ${parentdir}/find_dependencies.py dpkg ${parentdir}/find_dependencies.py systemd -- cgit v1.2.3-54-g00ecf
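Review bot: In the new recipes-sota/aktualizr/aktualizr-device-prov-creds.bb, do_install tests `[ -z ${SOTA_CACERT_PATH} ]`, `[ ! -f ${SOTA_CACERT_PATH} ]` and `[ -z ${SOTA_CAKEY_PATH} ]` with the variables unquoted, so a path containing whitespace makes the test error out, and the empty case only passes because `[ -z ]` with no operand happens to be true. Quote them, as the `dirname "${SOTA_CACERT_PATH}"` call in the same block already does, and quote the arguments passed to `aktualizr-cert-provider` too. The same block creates ${DEPLOY_DIR_IMAGE}/CA with a plain `mkdir -p` and writes ca.private.pem there without setting a mode. Since that key signs the fleet's device certificates, set the directory and key permissions explicitly rather than leaving them to the build umask.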
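Review bot: recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb adds `softhsm-testtoken` to RDEPENDS whenever SOTA_DEPLOY_CREDENTIALS is '1', but the recipe has no counterpart to the "WARNING: it is NOT a production solution" comment that aktualizr-device-prov-creds.bb carries. Going by the package name this is a software test token, so a comment above the RDEPENDS line saying what it is for, and that a real deployment should supply its own token, would keep someone from shipping it by default. The README entry for `SOTA_CLIENT_PROV` would be a good second place for the same sentence.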
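Review bot: recipes-sota/aktualizr/aktualizr-device-prov.bb lists `openssl-native` in DEPENDS, yet its do_install only copies sota-device-cred.toml into conf.d. The recipe that actually runs `openssl genrsa` and `openssl req` is aktualizr-device-prov-creds.bb, whose DEPENDS is just `aktualizr aktualizr-native`. This was carried over from the deleted implicit-prov recipes, but the rename is a good moment to move `openssl-native` to the -creds recipe so the CA generation does not depend on whichever openssl happens to be reachable at build time.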
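Review bot: In recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb, `zip -d ... treehub.json` runs unconditionally while the `api_gateway.url` removal right below it is guarded by an `unzip -l` check. `zip -d` returns an error when the entry is not in the archive, so a credentials file without treehub.json fails do_install, and the two removals behave differently for no stated reason. Guard both the same way, and since dropping treehub.json is what keeps push credentials off the device, consider a final `unzip -l` check that fails the task with bbfatal if treehub.json is still present in the installed zip.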
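Review bot: recipes-sota/aktualizr/aktualizr-shared-prov.bb installs sota-shared-cred.toml from `${STAGING_DIR_NATIVE}${libdir}/sota/`, whereas aktualizr-device-prov.bb and aktualizr-device-prov-hsm.bb take their toml from `${STAGING_DIR_HOST}${libdir}/sota/`. If the difference is intentional (DEPENDS here is `aktualizr-native zip-native`, with no target aktualizr), a one-line comment would help; otherwise pick one staging directory for all three. `zip-native` also looks unused in this recipe, since do_install never calls zip.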
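Review bot: The do_install_append hunk in recipes-sota/aktualizr/aktualizr_git.bb removes six installs and adds five: `sota_autoprov_primary.toml` is dropped with no renamed replacement. If that config was removed upstream at the new SRCREV, say so in the commit message and check that nothing in the layer or its documentation still references it. The installed names also change from underscores to hyphens, so any external layer or local.conf that refers to the old paths under ${libdir}/sota will stop finding them without a build-time warning.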
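Review bot: The scripts/find_aktualizr_dependencies.sh hunk does more than rename: it adds lookups for `aktualizr-auto-reboot` and `aktualizr-polling-interval` and drops the `aktualizr-hsm-prov-creds` line without a renamed equivalent. Those changes look correct, but they are unrelated to the provisioning rename. Either mention them in the commit message or split them into their own commit so the rename stays mechanical and easy to audit.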