No description

George McCollister 1cfc25a19c swupdate_class: Add support for engine signing 8 years ago
classes 1cfc25a19c swupdate_class: Add support for engine signing 8 years ago
conf bc663f7aec Drop local recipe for LUA 10 years ago
recipes-bsp 2bdf1d1be5 Merge branch 'master' into krogoth 9 years ago
recipes-core 3d4c926a82 Added tiny init 10 years ago
recipes-devtools bc663f7aec Drop local recipe for LUA 10 years ago
recipes-extended a1b76780bc Revert logic for postprocess rules 9 years ago
recipes-support 80a322951f swupdate: export include for the progress interface 9 years ago
COPYING.MIT 020c327419 Receipes to generate a swupdate image 12 years ago
README 1cfc25a19c swupdate_class: Add support for engine signing 8 years ago

README

meta-swupdate, Yocto layer for deploy tool
==========================================

This layer adds support for a deployment mechanism for Yocto
images based on the swupdate project.

Layer dependencies
------------------

This layer depends on:

URI: git://github.com/openembedded/meta-openembedded.git
subdirectory: meta-oe

Image hashing
-------------

During creation of the update file, occurrences of @IMAGE (where IMAGE is an
image filename) are replaced with the sha256 hash of the image.

SWU image signing
-----------------

To enable signing:
Set SWUPDATE_SIGNING = "1"
Set SWUPDATE_PRIVATE_KEY to the full path of the private key file

sw-description is signed with the private key and the signature is written to
sw-description.sig, which is included in the SWU file.

Encrypted private keys are not currently supported since a secure
mechanism must exist to provide the passphrase.
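
Added example (not part of meta-swupdate): the hash substitution and the
signing step described above, done by hand with openssl and then checked with
the public key. The file names, the throwaway RSA key and the exact openssl
commands are assumptions, not taken from the class.

```shell
#!/bin/sh
# Added example, not taken from meta-swupdate. File names and the throwaway
# key are constructed; the openssl commands are an assumed equivalent.

# Replace every "@<image>" placeholder in sw-description with the image's sha256.
fill_hash() {    # fill_hash <sw-description> <image>
    sum=$(openssl dgst -sha256 -r "$2" | cut -d' ' -f1)
    sed "s|@$(basename "$2")|$sum|g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Write a detached signature to <sw-description>.sig.
sign_desc() {    # sign_desc <private-key.pem> <sw-description>
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Exit status 0 only if the signature matches the file and the public key.
verify_desc() {  # verify_desc <public-key.pem> <sw-description>
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# Build a constructed update in a temp dir and print the directory path.
make_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed rootfs payload\n' > "$d/rootfs.ext4"
    printf 'images: ( { filename = "rootfs.ext4"; sha256 = "@rootfs.ext4"; } );\n' \
        > "$d/sw-description"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
    fill_hash "$d/sw-description" "$d/rootfs.ext4"
    sign_desc "$d/priv.pem" "$d/sw-description"
    echo "$d"
}

d=$(make_demo)
verify_desc "$d/pub.pem" "$d/sw-description" && echo "signature ok"
# Any edit to the signed description, such as a swapped hash, must be rejected.
sed 's/sha256 = "[0-9a-f]*"/sha256 = "00"/' "$d/sw-description" > "$d/t" \
    && mv "$d/t" "$d/sw-description"
verify_desc "$d/pub.pem" "$d/sw-description" || echo "tampered description rejected"
rm -rf "$d"
```

Because the image hashes live inside sw-description, the single signature over
that file also covers every image whose hash it lists.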

SWU image hardware signing
--------------------------

One may prefer to sign the SWU image with a hardware token or hardware security
module (HSM) which doesn't expose the private key.

To enable, SWUPDATE_SIGNING_ENGINE must be set to an available openssl engine.

Example:
SWUPDATE_SIGNING_ENGINE = "pkcs11"

SWUPDATE_SIGNING_ENGINE_PATH may need to be set so that openssl can locate the
engine.

Example:
SWUPDATE_SIGNING_ENGINE_PATH = "/usr/lib"

Instead of setting SWUPDATE_PRIVATE_KEY to the full path of a file, set it to
a key string recognized by the engine used.

Example:
SWUPDATE_PRIVATE_KEY = "pkcs11:model=SoftHSM%20v2;" \
"manufacturer=SoftHSM%20project;" \
"serial=1234567890;" \
"token=test-token;pin-value=123456;" \
"object=swupdate-test"

Maintainer
----------

Stefano Babic

Submitting patches
------------------

You can submit your patches (or post questions regarding
this layer) to the swupdate Mailing List:

swupdate@googlegroups.com

When creating patches, please use something like:

git format-patch -s --subject-prefix='meta-swupdate][PATCH'

Please use 'git send-email' to send the generated patches to the ML
to bypass changes from your mailer.