From 77378436fcaa95b07c42d26a00fc021990004374 Mon Sep 17 00:00:00 2001
From: Laurent Bonnans
Date: Thu, 5 Sep 2019 16:59:18 +0200
Subject: Raspberrypi4 initial support
Signed-off-by: Laurent Bonnans
---
conf/include/bblayers/sota_raspberrypi4-64.inc | 3 +++
conf/include/bblayers/sota_raspberrypi4.inc | 3 +++
2 files changed, 6 insertions(+)
create mode 100644 conf/include/bblayers/sota_raspberrypi4-64.inc
create mode 100644 conf/include/bblayers/sota_raspberrypi4.inc
(limited to 'conf')
diff --git a/conf/include/bblayers/sota_raspberrypi4-64.inc b/conf/include/bblayers/sota_raspberrypi4-64.inc
new file mode 100644
index 0000000..7e320af
--- /dev/null
+++ b/conf/include/bblayers/sota_raspberrypi4-64.inc
@@ -0,0 +1,3 @@
+BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
+BBLAYERS += "${METADIR}/meta-raspberrypi"
+BBLAYERS += "${METADIR}/meta-openembedded/meta-networking"
diff --git a/conf/include/bblayers/sota_raspberrypi4.inc b/conf/include/bblayers/sota_raspberrypi4.inc
new file mode 100644
index 0000000..7e320af
--- /dev/null
+++ b/conf/include/bblayers/sota_raspberrypi4.inc
@@ -0,0 +1,3 @@
+BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
+BBLAYERS += "${METADIR}/meta-raspberrypi"
+BBLAYERS += "${METADIR}/meta-openembedded/meta-networking"
-- cgit v1.2.3-54-g00ecf
From 29a1bd84bac8c273f5cec40560165df15f11638a Mon Sep 17 00:00:00 2001
From: Patrick Vacek
Date: Mon, 14 Oct 2019 12:06:23 +0200
Subject: aktualizr: use SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS for config recipes.
This is a bit of a compromise. These recipes are allarch, since they do not depend on an architecture, but they depend on aktualizr, which is definitely not allarch. Therefore, we must tell bitbake not to treat the aktualizr architecture as a dependency of these recipes. However, this means that if one of the config files changes in the aktualizr repo, we need to bump the version of the recipe that uses it to make sure bitbake picks up that change. 
Signed-off-by: Patrick Vacek --- conf/layer.conf | 9 +++++++++ recipes-sota/aktualizr/aktualizr-device-prov-creds.bb | 5 +++++ recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb | 5 ++++- recipes-sota/aktualizr/aktualizr-device-prov.bb | 4 ++++ recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb | 7 +++++++ recipes-sota/aktualizr/aktualizr-shared-prov.bb | 3 +++ recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb | 5 +++++ 7 files changed, 37 insertions(+), 1 deletion(-) (limited to 'conf') diff --git a/conf/layer.conf b/conf/layer.conf index ec791bb..98fee2a 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -11,3 +11,12 @@ BBFILE_PRIORITY_sota = "7" LAYERDEPENDS_sota = "filesystems-layer" LAYERSERIES_COMPAT_sota = "thud warrior" + +SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ + aktualizr-device-prov->aktualizr \ + aktualizr-device-prov-creds->aktualizr \ + aktualizr-device-prov-hsm->aktualizr \ + aktualizr-shared-prov->aktualizr \ + aktualizr-shared-prov-creds->aktualizr \ + aktualizr-uboot-env-rollback->aktualizr \ +" diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb index d8b29b4..a3c7d66 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb @@ -15,6 +15,11 @@ inherit allarch DEPENDS = "aktualizr aktualizr-native openssl-native" ALLOW_EMPTY_${PN} = "1" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! +PV = "1.0" +PR = "1" + SRC_URI = " \ file://ca.cnf \ " diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb index e8ef513..8d4bc9c 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb 
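Review bot: Nothing in the build enforces the manual `PR` bump that the new `SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS` list in conf/layer.conf now depends on. With aktualizr removed from these recipes' task signatures, a change to a provisioning config that aktualizr ships (the recipe context in this commit shows `sota-device-cred.toml` and `sota-device-cred-hsm.toml` being copied from `${STAGING_DIR_HOST}`) no longer invalidates their shared-state output, so a missed bump leaves images on the old configuration without any build warning. That matters most when the upstream change is a security-relevant one. The same reliance applies to every recipe hunk in this commit that adds the "bump the version" comment; a CI check that flags an aktualizr config change without a matching `PR` change would close the gap, and the variable itself deserves a comment such as `# Config recipes copy files from aktualizr; bump their PR whenever those files change.`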
@@ -12,10 +12,13 @@ inherit allarch DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" -SRC_URI = "" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! PV = "1.0" PR = "6" +SRC_URI = "" + do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred-hsm.toml \ diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb index fbe29a1..e8c75bb 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb @@ -12,9 +12,13 @@ inherit allarch DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! PV = "1.0" PR = "1" +SRC_URI = "" + do_install() { install -m 0700 -d ${D}${libdir}/sota/conf.d install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml \ diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb index b3b539d..9c6f0dd 100644 --- a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb +++ b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb @@ -9,6 +9,13 @@ inherit allarch DEPENDS = "zip-native" ALLOW_EMPTY_${PN} = "1" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! +PV = "1.0" +PR = "1" + +SRC_URI = "" + require credentials.inc do_install() { diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov.bb b/recipes-sota/aktualizr/aktualizr-shared-prov.bb index 00588dc..2ee47a1 100644 
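Review bot: In the aktualizr-shared-prov-creds.bb hunk the added comment speaks of a config file from aktualizr, but the visible context has `DEPENDS = "zip-native"` and no dependency on aktualizr. Unless `credentials.inc`, which is required just below and is not shown here, adds that dependency, both this comment and the `aktualizr-shared-prov-creds->aktualizr` entry in conf/layer.conf appear not to apply to this recipe. If so, drop the exclusion entry and reword the comment to say what actually requires a bump, for example `# Bump PR when the credential packaging in do_install changes.` The body of do_install lies outside the hunk, so this should be confirmed against the full recipe.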
--- a/recipes-sota/aktualizr/aktualizr-shared-prov.bb +++ b/recipes-sota/aktualizr/aktualizr-shared-prov.bb @@ -11,6 +11,9 @@ inherit allarch # the aktualizr (target) recipe. DEPENDS = "aktualizr" RDEPENDS_${PN}_append = "${@' aktualizr-shared-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" + +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! PV = "1.0" PR = "6" diff --git a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb index 5a49d16..2895e5c 100644 --- a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb +++ b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb @@ -8,6 +8,11 @@ inherit allarch DEPENDS = "aktualizr" +# If the config file from aktualizr used here is changed, you will need to bump +# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! +PV = "1.0" +PR = "1" + SRC_URI = "" do_install() { -- cgit v1.2.3-54-g00ecf From c0cd8356834088b273e14a9da98ca445b4b5368b Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Mon, 14 Oct 2019 12:30:49 +0200 Subject: layer.conf: Update LAYERDEPENDS_sota. It was missing a few dependencies. Signed-off-by: Patrick Vacek --- conf/layer.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'conf') diff --git a/conf/layer.conf b/conf/layer.conf index 98fee2a..aeb33d8 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -9,7 +9,9 @@ BBFILE_COLLECTIONS += "sota" BBFILE_PATTERN_sota = "^${LAYERDIR}/" BBFILE_PRIORITY_sota = "7" -LAYERDEPENDS_sota = "filesystems-layer" +LAYERDEPENDS_sota = "openembedded-layer" +LAYERDEPENDS_sota += "meta-python" +LAYERDEPENDS_sota += "filesystems-layer" LAYERSERIES_COMPAT_sota = "thud warrior" SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ -- cgit v1.2.3-54-g00ecf From d2c460685d6cc5373f7a98609521e6deb6e11d4e Mon Sep 17 00:00:00 2001 
From: Patrick Vacek Date: Thu, 17 Oct 2019 17:01:18 +0200 Subject: aktualizr-device-prov-creds: remove it. Originally I was just trying to remove the reference to DEPLOY_DIR_IMAGE because it depends on MACHINE, but then I realized that this recipe is just plain not worth keeping. It isn't viable for anything except the most limited testing, since it bakes device-specific credentials into an image, but we weren't even using it for testing. Signed-off-by: Patrick Vacek --- conf/layer.conf | 1 - .../aktualizr/aktualizr-device-prov-creds.bb | 67 ---------------------- .../aktualizr/aktualizr-device-prov-hsm.bb | 1 - recipes-sota/aktualizr/aktualizr-device-prov.bb | 1 - recipes-test/images/secondary-image.bb | 1 - scripts/find_aktualizr_dependencies.sh | 1 - 6 files changed, 72 deletions(-) delete mode 100644 recipes-sota/aktualizr/aktualizr-device-prov-creds.bb (limited to 'conf') diff --git a/conf/layer.conf b/conf/layer.conf index aeb33d8..035a46b 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -16,7 +16,6 @@ LAYERSERIES_COMPAT_sota = "thud warrior" SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ aktualizr-device-prov->aktualizr \ - aktualizr-device-prov-creds->aktualizr \ aktualizr-device-prov-hsm->aktualizr \ aktualizr-shared-prov->aktualizr \ aktualizr-shared-prov-creds->aktualizr \ diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb deleted file mode 100644 index a3c7d66..0000000 --- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb +++ /dev/null 
@@ -1,67 +0,0 @@ -SUMMARY = "Credentials for device provisioning with fleet CA certificate" -HOMEPAGE = "https://github.com/advancedtelematic/aktualizr" -SECTION = "base" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad" - -inherit allarch - -# WARNING: This is NOT an ideal solution. The secure way to provision devices -# is to create certificate request directly on the device (either with HSM/TPM -# or with software) and then sign it with a CA stored on a disconnected machine. - -# We need to get the config files from the aktualizr-host-tools package built by -# the aktualizr (target) recipe. -DEPENDS = "aktualizr aktualizr-native openssl-native" -ALLOW_EMPTY_${PN} = "1" - -# If the config file from aktualizr used here is changed, you will need to bump -# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! -PV = "1.0" -PR = "1" - -SRC_URI = " \ - file://ca.cnf \ - " - -require credentials.inc - -export SOTA_CACERT_PATH -export SOTA_CAKEY_PATH - -do_install() { - if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then - if [ -z ${SOTA_CACERT_PATH} ]; then - SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem - SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem - mkdir -p ${DEPLOY_DIR_IMAGE}/CA - bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}" - - if [ ! 
-f ${SOTA_CACERT_PATH} ]; then - bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA" - SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")" - openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096 - openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert - bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server" - fi - fi - - if [ -z ${SOTA_CAKEY_PATH} ]; then - bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning" - fi - - install -m 0700 -d ${D}${localstatedir}/sota - aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \ - --fleet-ca ${SOTA_CACERT_PATH} \ - --fleet-ca-key ${SOTA_CAKEY_PATH} \ - --root-ca \ - --server-url \ - --local ${D} \ - --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml - fi -} - -FILES_${PN} = " \ - ${localstatedir}/sota/*" - -# vim:set ts=4 sw=4 sts=4 expandtab: diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb index 8d4bc9c..4eadb77 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb +++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb @@ -10,7 +10,6 @@ inherit allarch # We need to get the config files from the aktualizr-host-tools package built by # the aktualizr (target) recipe. DEPENDS = "aktualizr" -RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" # If the config file from aktualizr used here is changed, you will need to bump # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb index e8c75bb..55f398d 100644 --- a/recipes-sota/aktualizr/aktualizr-device-prov.bb 
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb @@ -10,7 +10,6 @@ inherit allarch # We need to get the config files from the aktualizr-host-tools package built by # the aktualizr (target) recipe. DEPENDS = "aktualizr" -RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}" # If the config file from aktualizr used here is changed, you will need to bump # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS! diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb index 27d1e3f..7db2c68 100644 --- a/recipes-test/images/secondary-image.bb +++ b/recipes-test/images/secondary-image.bb @@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \ aktualizr-shared-prov \ aktualizr-shared-prov-creds \ aktualizr-device-prov \ - aktualizr-device-prov-creds \ aktualizr-device-prov-hsm \ aktualizr-uboot-env-rollback \ virtual/network-configuration \ diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh index 493df80..fcb2f97 100755 --- a/scripts/find_aktualizr_dependencies.sh +++ b/scripts/find_aktualizr_dependencies.sh @@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr ${parentdir}/find_dependencies.py aktualizr-shared-prov ${parentdir}/find_dependencies.py aktualizr-shared-prov-creds ${parentdir}/find_dependencies.py aktualizr-device-prov -${parentdir}/find_dependencies.py aktualizr-device-prov-creds ${parentdir}/find_dependencies.py aktualizr-device-prov-hsm ${parentdir}/find_dependencies.py aktualizr-auto-reboot ${parentdir}/find_dependencies.py aktualizr-disable-send-ip -- cgit v1.2.3-54-g00ecf