authorToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp>2020-03-30 09:24:26 +0900
committerToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp>2020-03-30 09:24:26 +0900
commit5b80bfd7bffd4c20d80b7c70a7130529e9a755dd (patch)
treeb4bb18dcd1487dbf1ea8127e5671b7bb2eded033 /external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
parent706ad73eb02caf8532deaf5d38995bd258725cb8 (diff)
agl-basesystem
Diffstat (limited to 'external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb')
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb60
1 files changed, 60 insertions, 0 deletions
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
new file mode 100644
index 00000000..6e02a501
--- /dev/null
+++ b/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
@@ -0,0 +1,60 @@
+SUMMARY = "Credentials for device provisioning with fleet CA certificate"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+inherit allarch
+
+# WARNING: it is NOT a production solution. The secure way to provision devices
+# is to create certificate request directly on the device (either with HSM/TPM
+# or with software) and then sign it with a CA stored on a disconnected machine.
+
+DEPENDS = "aktualizr aktualizr-native"
+ALLOW_EMPTY_${PN} = "1"
+
+SRC_URI = " \
+ file://ca.cnf \
+ "
+
+require credentials.inc
+
+export SOTA_CACERT_PATH
+export SOTA_CAKEY_PATH
+
+do_install() {
+ if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
+ if [ -z ${SOTA_CACERT_PATH} ]; then
+ SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
+ SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
+ mkdir -p ${DEPLOY_DIR_IMAGE}/CA
+ bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
+
+ if [ ! -f ${SOTA_CACERT_PATH} ]; then
+ bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
+ SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
+ openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
+ openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
+ bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
+ fi
+ fi
+
+ if [ -z ${SOTA_CAKEY_PATH} ]; then
+ bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
+ fi
+
+ install -m 0700 -d ${D}${localstatedir}/sota
+ aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
+ --fleet-ca ${SOTA_CACERT_PATH} \
+ --fleet-ca-key ${SOTA_CAKEY_PATH} \
+ --root-ca \
+ --server-url \
+ --local ${D} \
+ --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
+ fi
+}
+
+FILES_${PN} = " \
+ ${localstatedir}/sota/*"
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
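Review bot: The `-z` tests on lines 48 and 63 expand the path unquoted, so when the variable is empty (whether BitBake or the shell does the expansion) they run as `[ -z ]`, which only passes because POSIX `test` treats a lone operand as a non-empty string, and a value containing whitespace would instead make `test` fail with too many arguments. Quote both: `if [ -z "${SOTA_CACERT_PATH}" ]; then` and `if [ -z "${SOTA_CAKEY_PATH}" ]; then`. Separately, the fleet CA private key written on line 57 lands under `${DEPLOY_DIR_IMAGE}/CA`, a directory created on line 51 with `mkdir -p` and default permissions even though deploy output is commonly shared or exported; creating it with `mkdir -m 0700 -p ${DEPLOY_DIR_IMAGE}/CA` (and running genrsa under `umask 077` if the build's openssl does not already restrict the key file to the owner) would match the 0700 the recipe applies to `${D}${localstatedir}/sota` on line 67.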