To ensure the platform can only be updated from an authorised source, this patch adds signing to the .swu update image using the pre-existing custMpk keys from ti-secdev.
Signed-off-by: Anshul Dalal <[email protected]>
---
 .../recipes-swupdate/images/files/sw-description | 2 ++
 meta-arago-distro/recipes-swupdate/images/update-image.bb | 4 ++++
 meta-arago-distro/recipes-swupdate/swupdate/files/defconfig | 1 +
 .../recipes-swupdate/swupdate/files/swupdate.sh | 2 +-
 .../recipes-swupdate/swupdate/swupdate_%.bbappend | 5 +++++
 5 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/meta-arago-distro/recipes-swupdate/images/files/sw-description b/meta-arago-distro/recipes-swupdate/images/files/sw-description
index 241bc95c..8a7e5f4d 100644
--- a/meta-arago-distro/recipes-swupdate/images/files/sw-description
+++ b/meta-arago-distro/recipes-swupdate/images/files/sw-description
@@ -13,6 +13,7 @@ software =
 device = "/dev/mmcblk0p1";
 type = "raw";
 compressed = "zlib";
+ sha256 = "$swupdate_get_sha256(@@IMAGE_BASENAME@@-@@MACHINE@@.rootfs.ext4.gz)";
 },
 );
 uboot: (
@@ -30,6 +31,7 @@ software =
 device = "/dev/mmcblk0p2";
 type = "raw";
 compressed = "zlib";
+ sha256 = "$swupdate_get_sha256(@@IMAGE_BASENAME@@-@@MACHINE@@.rootfs.ext4.gz)";
 },
 );
 uboot: (
diff --git a/meta-arago-distro/recipes-swupdate/images/update-image.bb b/meta-arago-distro/recipes-swupdate/images/update-image.bb
index 33b0b74c..6176e5a6 100644
--- a/meta-arago-distro/recipes-swupdate/images/update-image.bb
+++ b/meta-arago-distro/recipes-swupdate/images/update-image.bb
@@ -1,4 +1,5 @@
 inherit swupdate
+inherit ti-secdev
 IMAGE_BASENAME ?= "tisdk-default-image"
@@ -21,3 +22,6 @@ SWUPDATE_IMAGES_FSTYPES[tisdk-bootstrap-image] = ".rootfs.ext4.gz"
 SWUPDATE_IMAGES_FSTYPES[tisdk-jailhouse-image] = ".rootfs.ext4.gz"
 SWUPDATE_IMAGES_FSTYPES[tisdk-thinlinux-image] = ".rootfs.ext4.gz"
 SWUPDATE_IMAGES_FSTYPES[tisdk-bootstrap-base-image] = ".rootfs.ext4.gz"
+
+SWUPDATE_SIGNING = "RSA"
+SWUPDATE_PRIVATE_KEY = "${TI_SECURE_DEV_PKG}/keys/custMpk.key"
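Review bot: The two assignments added at the end of update-image.bb hard-assign `SWUPDATE_PRIVATE_KEY` to `${TI_SECURE_DEV_PKG}/keys/custMpk.key`, so a product build has no clean way to point at its own key from local.conf or a distro config. If `TI_SECURE_DEV_PKG` resolves to the stock development package, that key is presumably a sample shipped with it, and a `.swu` signed with it would not prove an authorised source; this is worth confirming. I would make both weak defaults, `SWUPDATE_SIGNING ?= "RSA"` and `SWUPDATE_PRIVATE_KEY ?= "${TI_SECURE_DEV_PKG}/keys/custMpk.key"`, with a comment that production images must override the key. The same path is repeated in the `do_install:append` hunk of swupdate_%.bbappend, so the signing key and the installed public key can drift apart if only one is overridden.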
diff --git a/meta-arago-distro/recipes-swupdate/swupdate/files/defconfig b/meta-arago-distro/recipes-swupdate/swupdate/files/defconfig
index 4a2d78c0..0bf605f7 100644
--- a/meta-arago-distro/recipes-swupdate/swupdate/files/defconfig
+++ b/meta-arago-distro/recipes-swupdate/swupdate/files/defconfig
@@ -4,6 +4,7 @@ CONFIG_HW_COMPATIBILITY=y
 CONFIG_UBOOT=y
 CONFIG_SYSTEMD=y
 CONFIG_WEBSERVER=y
+CONFIG_SIGNED_IMAGES=y
 CONFIG_BOOTLOADERHANDLER=y
 CONFIG_CFI=y
 CONFIG_EMMC_HANDLER=y
diff --git a/meta-arago-distro/recipes-swupdate/swupdate/files/swupdate.sh b/meta-arago-distro/recipes-swupdate/swupdate/files/swupdate.sh
index 2083062e..fc32e4cf 100644
--- a/meta-arago-distro/recipes-swupdate/swupdate/files/swupdate.sh
+++ b/meta-arago-distro/recipes-swupdate/swupdate/files/swupdate.sh
@@ -12,4 +12,4 @@ fi
 UBOOT_BOOTCOUNT_ADDR=0x4301c100
 devmem2 $UBOOT_BOOTCOUNT_ADDR w 0
-swupdate -H @MACHINE@:1.0 ${SELECTION} -p 'reboot' -f /etc/swupdate.cfg -w "-r /www -p 8080"
+swupdate -H @MACHINE@:1.0 ${SELECTION} -p 'reboot' -f /etc/swupdate.cfg -w "-r /www -p 8080" -k /etc/custMpk.pub
diff --git a/meta-arago-distro/recipes-swupdate/swupdate/swupdate_%.bbappend b/meta-arago-distro/recipes-swupdate/swupdate/swupdate_%.bbappend
index 20f87435..bff44926 100644
--- a/meta-arago-distro/recipes-swupdate/swupdate/swupdate_%.bbappend
+++ b/meta-arago-distro/recipes-swupdate/swupdate/swupdate_%.bbappend
@@ -1,4 +1,5 @@
 inherit swupdate-lib
+inherit ti-secdev
 FILESEXTRAPATHS:append := "${THISDIR}/files:"
@@ -8,6 +9,8 @@ FILES:${PN} += " \
 ${SWUPDATE_HW_COMPATIBILITY_FILE} \
 "
+DEPENDS += "openssl-native"
+
 SRC_URI += " \
 file://defconfig \
 file://swupdate.sh \
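Review bot: The added `CONFIG_SIGNED_IMAGES=y` leaves the signature algorithm to whatever swupdate's Kconfig selects by default, while update-image.bb in this same patch fixes the signing side to `SWUPDATE_SIGNING = "RSA"`. Pinning the verifier next to it, for example `CONFIG_SIGALG_RAWRSA=y`, would keep the two sides matched if the upstream default ever changes. A one-line comment naming the recipe variable it must agree with would also help.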
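Review bot: The added `-k /etc/custMpk.pub` makes this invocation verify signatures, but nothing on the line rejects an older image that still carries a valid signature. The upload endpoint started by `-w "-r /www -p 8080"` would therefore still accept a rollback to a release with known flaws. If sw-description carries a version, consider passing swupdate's `-N <minimum version>` (no-downgrading) option here, or add a comment stating that downgrades are intentionally allowed. The key path is also fixed both here and in `do_install:append` of the bbappend, so a change in one place must be mirrored in the other. The rest of the script lies outside the hunk.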
@@ -27,4 +30,6 @@ do_install:append () {
 install -d ${D}${sysconfdir}
 install -m 644 ${WORKDIR}/swupdate.cfg ${D}${sysconfdir}
 sed -i "s#@MACHINE@#${MACHINE}#g" ${D}${sysconfdir}/swupdate.cfg
+
+ openssl rsa -in ${TI_SECURE_DEV_PKG}/keys/custMpk.key -pubout -out ${D}/etc/custMpk.pub
 }
--
2.52.0
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#16851): https://lists.yoctoproject.org/g/meta-arago/message/16851
Mute This Topic: https://lists.yoctoproject.org/mt/116574479/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/meta-arago/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
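Review bot: The added `openssl rsa ... -out ${D}/etc/custMpk.pub` writes to a literal `/etc` while the three lines above it use `${D}${sysconfdir}`, and it leaves the file mode to openssl and the task's umask rather than setting it as `install -m 644` does for swupdate.cfg. I would write `-out ${D}${sysconfdir}/custMpk.pub` and follow it with `chmod 0644 ${D}${sysconfdir}/custMpk.pub`. The task also reads the private key directly, and BitBake does not appear to track that file's content for `do_install`. After a key change the target could therefore keep an old public key until the recipe is rebuilt, which a `file-checksums` entry on the task, or at least a comment, would make explicit. `do_install:append` starts outside the hunk.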
