SUMMARY = "Credentials for device provisioning with fleet CA certificate" HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" SECTION = "base" LICENSE = "MPL-2.0" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" inherit allarch # WARNING: This is NOT an ideal solution. The secure way to provision devices # is to create certificate request directly on the device (either with HSM/TPM # or with software) and then sign it with a CA stored on a disconnected machine. # We need to get the config files from the aktualizr-host-tools package built by # the aktualizr (target) recipe. DEPENDS = "aktualizr aktualizr-native openssl-native" ALLOW_EMPTY_${PN} = "1" # If the config file from aktualizr used here is changed, you will need to bump # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! PV = "1.0" PR = "1" SRC_URI = " \ file://ca.cnf \ " require credentials.inc export SOTA_CACERT_PATH export SOTA_CAKEY_PATH do_install() { if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then if [ -z ${SOTA_CACERT_PATH} ]; then SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem mkdir -p ${DEPLOY_DIR_IMAGE}/CA bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}" if [ ! -f ${SOTA_CACERT_PATH} ]; then bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")" openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" fi fi if [ -z ${SOTA_CAKEY_PATH} ]; then bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning" fi install -m 0700 -d ${D}${localstatedir}/sota aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \ --fleet-ca ${SOTA_CACERT_PATH} \ --fleet-ca-key ${SOTA_CAKEY_PATH} \ --root-ca \ --server-url \ --local ${D} \ --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml fi } FILES_${PN} = " \ ${localstatedir}/sota/*" # vim:set ts=4 sw=4 sts=4 expandtab: