George McCollister
3ba81db806
swupdate_class: Add support for engine signing
|
há 8 anos atrás | |
|---|---|---|
| classes | há 8 anos atrás | |
| conf | há 10 anos atrás | |
| recipes-bsp | há 9 anos atrás | |
| recipes-core | há 10 anos atrás | |
| recipes-devtools | há 10 anos atrás | |
| recipes-extended | há 9 anos atrás | |
| recipes-support | há 9 anos atrás | |
| COPYING.MIT | há 12 anos atrás | |
| README | há 8 anos atrás |
README
meta-swupdate, Yocto layer for deploy tool
==========================================
This layer's purpose is to add support for a deployment
mechanism of Yocto's images based on swupdate project.
Layer dependencies
------------------
This layer depends on:
URI: git://github.com/openembedded/meta-openembedded.git
subdirectory: meta-oe
Image hashing
-------------
During creation of the update file, occurrences of @IMAGE (where IMAGE is an
image filename) are replaced with the sha256 hash of the image.
SWU image signing
------------
To enable signing:
Set SWUPDATE_SIGNING = "1"
Set SWUPDATE_PRIVATE_KEY to the full path of private key file
sw-description is signed with the private key and the signature is writen to
sw-description.sig which is included in the SWU file.
Encrypted private keys are not currently supported since a secure
mechanism must exist to provide the passphrase.
SWU image hardware signing
--------------------------
One may prefer to sign the SWU image with a hardware token or hardware security
module (HSM) which doesn't expose the private key.
To enable, SWUPDATE_SIGNING_ENGINE must be set to an available openssl engine.
Example:
SWUPDATE_SIGNING_ENGINE = "pkcs11"
SWUPDATE_SIGNING_ENGINE_PATH may need to be set so that openssl can locate the
engine.
Example:
SWUPDATE_SIGNING_ENGINE_PATH = "/usr/lib"
Instead of setting SWUPDATE_PRIVATE_KEY to the full path of a file, set it to
a key string recognized by the engine used.
Example:
SWUPDATE_PRIVATE_KEY = "pkcs11:model=SoftHSM%20v2;" \
"manufacturer=SoftHSM%20project;" \
"serial=1234567890;" \
"token=test-token;pin-value=123456;" \
"object=swupdate-test"
Maintainer
----------
Stefano Babic
Submitting patches
------------------
You can submit your patches (or post questions reagarding
this layer to the swupdate Mailing List:
swupdate@googlegroups.com
When creating patches, please use something like:
git format-patch -s --subject-prefix='meta-swupdate][PATCH'
Please use 'git send- email' to send the generated patches to the ML
to bypass changes from your mailer.
==========================================
This layer's purpose is to add support for a deployment
mechanism of Yocto's images based on swupdate project.
Layer dependencies
------------------
This layer depends on:
URI: git://github.com/openembedded/meta-openembedded.git
subdirectory: meta-oe
Image hashing
-------------
During creation of the update file, occurrences of @IMAGE (where IMAGE is an
image filename) are replaced with the sha256 hash of the image.
SWU image signing
------------
To enable signing:
Set SWUPDATE_SIGNING = "1"
Set SWUPDATE_PRIVATE_KEY to the full path of private key file
sw-description is signed with the private key and the signature is writen to
sw-description.sig which is included in the SWU file.
Encrypted private keys are not currently supported since a secure
mechanism must exist to provide the passphrase.
SWU image hardware signing
--------------------------
One may prefer to sign the SWU image with a hardware token or hardware security
module (HSM) which doesn't expose the private key.
To enable, SWUPDATE_SIGNING_ENGINE must be set to an available openssl engine.
Example:
SWUPDATE_SIGNING_ENGINE = "pkcs11"
SWUPDATE_SIGNING_ENGINE_PATH may need to be set so that openssl can locate the
engine.
Example:
SWUPDATE_SIGNING_ENGINE_PATH = "/usr/lib"
Instead of setting SWUPDATE_PRIVATE_KEY to the full path of a file, set it to
a key string recognized by the engine used.
Example:
SWUPDATE_PRIVATE_KEY = "pkcs11:model=SoftHSM%20v2;" \
"manufacturer=SoftHSM%20project;" \
"serial=1234567890;" \
"token=test-token;pin-value=123456;" \
"object=swupdate-test"
Maintainer
----------
Stefano Babic
Submitting patches
------------------
You can submit your patches (or post questions reagarding
this layer to the swupdate Mailing List:
swupdate@googlegroups.com
When creating patches, please use something like:
git format-patch -s --subject-prefix='meta-swupdate][PATCH'
Please use 'git send- email' to send the generated patches to the ML
to bypass changes from your mailer.