My objective is:

  1. To create sha256 for all the required files (which go into the .swu)
  2. To sign the sw-description file with the RSA algorithm.

My .swu consists of:

  • kernel Image - bzImage
  • rootfile system - panther2-usb-panther2.ext4
  • software description file - sw-description
  • post install script - postinstall_swu.sh

I have created a script which generates sha256 and signs sw-description. Here is the script:

```bash
#!/bin/bash

# Artifacts to package. sw-description must be the first cpio entry,
# immediately followed by its signature.
IMAGES="bzImage panther2-usb-panther2.ext4"
FILES="sw-description sw-description.sig postinstall_swu.sh $IMAGES"
echo "Executing swu signing script..."

# Collect the inputs in the working directory.
cp ../sw-description .
cp ../postinstall_swu.sh .
cp ../../../../../deploy/images/panther2/bzImage .
cp ../../../../../deploy/images/panther2/panther2-usb-panther2.ext4 .

# Keep only the hash field of each sha256sum output line.
read -d ' ' SHA_ROOTFS < <(sha256sum panther2-usb-panther2.ext4)
read -d ' ' SHA_BZIMAGE < <(sha256sum bzImage)
read -d ' ' SHA_POSTINSTALL < <(sha256sum postinstall_swu.sh)

# Replace the 1st, 2nd and 3rd sha256 attribute in sw-description (the whole
# file is read into the pattern space); the order must match the file's entries.
sed -i ':a;N;$!ba; s/sha256 = "[0-9A-Za-z]*"/sha256 = '"\"${SHA_ROOTFS}"\"'/1' sw-description
sed -i ':a;N;$!ba; s/sha256 = "[0-9A-Za-z]*"/sha256 = '"\"${SHA_BZIMAGE}"\"'/2' sw-description
sed -i ':a;N;$!ba; s/sha256 = "[0-9A-Za-z]*"/sha256 = '"\"${SHA_POSTINSTALL}"\"'/3' sw-description

# Sign sw-description with the RSA private key.
openssl dgst -sha256 -sign ../priv.pem -passin file:../passphrase sw-description > sw-description.sig

# Build the .swu as a cpio archive (crc format).
for i in $FILES;do
        echo $i;done | cpio -ov -H crc >  panther2-swu-$USER-devbuild.swu

cp panther2-swu-$USER-devbuild.swu ../../../../../deploy/images/panther2
```

Is the above approach better?

Is there a way to ask the yocto/swupdate layer to generate sha256 for all the above files (except sw-description) and add the generated sha256 values into the sw-description file?

I can sign sw-description by defining the `SWUPDATE_SIGNING` and `SWUPDATE_PRIVATE_KEY` variables in my recipe file, but how do I generate sha256?

Raxesh Oriya
  • Again, do not reinvent the wheel, meta-swupdate already does it very well. If you want to do it yourself, you can use the `bb.utils.sha256_file` Python function – Nayfe Apr 30 '19 at 07:20
  • Can you please tell me what I should do to enable `sha256` generation in meta-swupdate, since I couldn't find it anywhere? Is there any configuration or environment variable which needs to be set? – Raxesh Oriya Apr 30 '19 at 07:32
  • I added a comment in your previous post with information about it. – Nayfe Apr 30 '19 at 08:21
  • I had gone through those links and did not find anything on `sha256`, which made me post this question – Raxesh Oriya Apr 30 '19 at 09:00
  • Maybe [this page](https://sbabic.github.io/swupdate/building-with-yocto.html) explains it better. You just have to add `sha256 = "@panther2-usb-panther2.ext4";` in `sw-description` to autogenerate sha256, then you need to add `SWUPDATE_SIGNING SWUPDATE_IMAGES SWUPDATE_IMAGES_FSTYPES` variables in recipe. – Nayfe Apr 30 '19 at 10:08
  • Thanks a lot @Nayfe, it worked, so happy, made my day !!!! You could post it as an answer. – Raxesh Oriya Apr 30 '19 at 10:24
  • I'm glad it helped – Nayfe Apr 30 '19 at 10:58

1 Answer

The meta-swupdate Yocto layer takes care of signed images.

The SWUpdate image recipe should contain, for example:

```
SWUPDATE_SIGNING = "RSA"
SWUPDATE_PRIVATE_KEY = "/path/to/key"
```

Then sha256 is automatically computed in the sw-description file with the following syntax:

```
sha256 = "@panther2-usb-panther2.ext4";
```

where `panther2-usb-panther2.ext4` is an artifact listed in the `SWUPDATE_IMAGES` variable.

More details can be found in:

Nayfe
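
Whichever route builds the package, the result can be audited before it is deployed. The script below is an added example (not part of the original posts and not meta-swupdate code): it checks an unpacked .swu by verifying `sw-description.sig` with the public key, then comparing every `sha256` in `sw-description` with the file on disk, and it flags entries without a hash or whose `@filename` placeholder was never substituted. The function names and the one-attribute-per-line layout of `sw-description` are assumptions.

```shell
#!/bin/sh
# Added example: audit an unpacked .swu (e.g. after `cpio -idv < image.swu`).
# Assumption: sw-description has one attribute per line.
# Usage: verify_swu <unpacked-dir> <public-key.pem>

# Print "<sha256 or -> <filename>" for each entry that names a file.
list_hashes() {
    awk -F'"' '
        /[}]/ {
            if (f != "") { if (h == "") h = "-"; print h, f }
            f = ""; h = ""
        }
        /[{]/ { f = ""; h = "" }
        /^[ \t]*filename[ \t]*=/ { f = $2 }
        /^[ \t]*sha256[ \t]*=/   { h = $2 }
    ' "$1"
}

# Compare each listed hash with the file on disk; non-zero status on any problem.
# The ( ) body runs in a subshell so the loop variables stay local in plain sh.
check_hashes() (
    dir=$1; rc=0
    while read -r want file; do
        [ -n "$file" ] || continue
        case $want in
            -)  echo "NOHASH $file"; rc=1; continue ;;
            @*) echo "UNRESOLVED $file ($want)"; rc=1; continue ;;
        esac
        [ -f "$dir/$file" ] || { echo "MISSING $file"; rc=1; continue; }
        got=$(sha256sum "$dir/$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then echo "OK $file"; else echo "MISMATCH $file"; rc=1; fi
    done <<EOF
$(list_hashes "$dir/sw-description")
EOF
    exit "$rc"
)

# Signature first: the hashes are only trustworthy if sw-description itself verifies.
# Counterpart of `openssl dgst -sha256 -sign`; $2 is the matching PEM public key.
verify_swu() {
    openssl dgst -sha256 -verify "$2" -signature "$1/sw-description.sig" \
        "$1/sw-description" >/dev/null 2>&1 || { echo "BAD SIGNATURE"; return 1; }
    check_hashes "$1"
}
```

The public key can be derived from the signing key with `openssl rsa -in priv.pem -pubout`.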