mailarchive of the ptxdist mailing list
* [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool
@ 2017-03-20 11:36 Enrico Jorns
  2017-03-20 11:36 ` [ptxdist] [PATCH 1/3] rauc: new package Enrico Jorns
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Enrico Jorns @ 2017-03-20 11:36 UTC (permalink / raw)
  To: ptxdist; +Cc: Enrico Jorns, jlu

These patches add recipes for building the RAUC update tool as well as a recipe
for creating basic update Bundles using RAUC and genimage.

Enrico Jorns (3):
  rauc: new package
  image-rauc: new package
  scripts: add script that generates test certificates for RAUC

 config/images/rauc.config                          |  17 +++
 platforms/image-rauc.in                            |  28 +++++
 projectroot/etc/rauc/ca.cert.pem                   |   7 ++
 projectroot/etc/rauc/system.conf                   |  36 ++++++
 .../lib/systemd/system/rauc-mark-good.service      |  10 ++
 rules/host-rauc.in                                 |   8 ++
 rules/host-rauc.make                               |  32 ++++++
 rules/image-rauc.make                              |  69 +++++++++++
 rules/rauc.in                                      |  34 ++++++
 rules/rauc.make                                    |  90 +++++++++++++++
 scripts/rauc-gen-test-certs.sh                     | 128 +++++++++++++++++++++
 11 files changed, 459 insertions(+)
 create mode 100644 config/images/rauc.config
 create mode 100644 platforms/image-rauc.in
 create mode 100644 projectroot/etc/rauc/ca.cert.pem
 create mode 100644 projectroot/etc/rauc/system.conf
 create mode 100644 projectroot/lib/systemd/system/rauc-mark-good.service
 create mode 100644 rules/host-rauc.in
 create mode 100644 rules/host-rauc.make
 create mode 100644 rules/image-rauc.make
 create mode 100644 rules/rauc.in
 create mode 100644 rules/rauc.make
 create mode 100755 scripts/rauc-gen-test-certs.sh

-- 
2.11.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de


* [ptxdist] [PATCH 1/3] rauc: new package
  2017-03-20 11:36 [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool Enrico Jorns
@ 2017-03-20 11:36 ` Enrico Jorns
  2017-03-20 11:36 ` [ptxdist] [PATCH 2/3] image-rauc: " Enrico Jorns
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Enrico Jorns @ 2017-03-20 11:36 UTC (permalink / raw)
  To: ptxdist; +Cc: Enrico Jorns, jlu

This adds recipes for building the RAUC update tool both as a host
tool as well as a target update tool and service.

When using systemd, the package will install a rauc.service that allows
starting RAUC. By default, RAUC does not start automatically but uses
D-Bus activation when invoked by your application or by the command line
tool ./rauc.
You will also get a rauc-mark-good.service in your rootfs by default
that is wanted by multi-user.target and is used to notify the underlying
bootloader implementation about having booted successfully in userspace.
You can also make it depend on your application services being started.

For integrating RAUC with your platform, you need to have a system
description file /etc/rauc/system.conf in your platform's projectroot/
dir. This defines all relevant slots and provides information and
configuration RAUC requires to properly handle the platform it is
running on.

You also have to place a valid keyring file into your platform's
projectroot/ as /etc/rauc/ca.cert.pem to allow RAUC to verify update
Bundles before installing them.

There are dummy files installed by default for ca.cert.pem and
system.conf which only contain hints on how to set up correct
project-specific ones.

The additional good-marking-service installed by the recipe runs after
user space is brought up and notifies the underlying bootloader
implementation about a successful boot of the system.
This is typically used in conjunction with a boot attempts counter
in the bootloader that is decremented before starting the systemd and
reset by `rauc status mark-good` to indicate a successful system
startup.

Signed-off-by: Enrico Jorns <ejo@pengutronix.de>
---
 projectroot/etc/rauc/ca.cert.pem                   |  7 ++
 projectroot/etc/rauc/system.conf                   | 36 +++++++++
 .../lib/systemd/system/rauc-mark-good.service      | 10 +++
 rules/host-rauc.in                                 |  8 ++
 rules/host-rauc.make                               | 32 ++++++++
 rules/rauc.in                                      | 34 ++++++++
 rules/rauc.make                                    | 90 ++++++++++++++++++++++
 7 files changed, 217 insertions(+)
 create mode 100644 projectroot/etc/rauc/ca.cert.pem
 create mode 100644 projectroot/etc/rauc/system.conf
 create mode 100644 projectroot/lib/systemd/system/rauc-mark-good.service
 create mode 100644 rules/host-rauc.in
 create mode 100644 rules/host-rauc.make
 create mode 100644 rules/rauc.in
 create mode 100644 rules/rauc.make

diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
new file mode 100644
index 000000000..be1aa7c30
--- /dev/null
+++ b/projectroot/etc/rauc/ca.cert.pem
@@ -0,0 +1,7 @@
+# This is a dummy keyring file. Please overwrite this with one that matches
+# your X.509 infrastructure if you intend to use RAUC for secure updates!
+#
+# If you really do not intend to actively use the security features (or for
+# testing purpose) you may create a development certificate by executing the
+# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
+# installation.
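Review bot: The placeholder text in this file contains no certificate, yet it is what gets installed to the target as the keyring, so a BSP that forgets to override it ships a device with nothing to verify bundles against and nothing at build time says so. The comment should state that the certificate produced by `rauc-gen-test-certs.sh` is a development certificate only and has to be replaced before release, rather than offering it as an option for setups that "do not intend to actively use the security features".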
diff --git a/projectroot/etc/rauc/system.conf b/projectroot/etc/rauc/system.conf
new file mode 100644
index 000000000..2881ab2f8
--- /dev/null
+++ b/projectroot/etc/rauc/system.conf
@@ -0,0 +1,36 @@
+## This is an example RAUC system configuration. This file will be installed
+## into /etc/rauc/system.conf on your target and describes your system from the
+## perspective of the RAUC update service.
+##
+## If you find this file in your build rootfs, your have not set up a
+## system.conf for your platform, yet.
+## Create one according to this dummy template from
+## `projectroot/etc/rauc/system.conf` in your PTXdist installation and place it
+## in the platform directory of you project under
+## `projectroot/etc/rauc/system.conf`.
+##
+## ---
+##
+# [system]
+# compatible=@RAUC_BUNDLE_COMPATIBLE@
+# bootloader=<barebox|uboot|grub>
+# 
+# [slot.rootfs.0]
+# device=/dev/mmcblkXp1
+# type=ext4
+# bootname=system0
+# 
+# [slot.rootfs.1]
+# device=/dev/mmcblkXp2
+# type=ext4
+# bootname=system1
+#
+# [slot.appfs.0]
+# device=/dev/mmcblkXp3
+# type=ext4
+# parent=rootfs.0
+#
+# [slot.appfs.1]
+# device=/dev/mmcblkXp4
+# type=ext4
+# parent=rootfs.1
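Review bot: The commented template has no `[keyring]` section, so nothing in it points RAUC at the `/etc/rauc/ca.cert.pem` that this series installs next to it; a commented `# [keyring]` with `# path=/etc/rauc/ca.cert.pem` would make the link explicit for anyone copying the template. Two typos in the header comment: "your have not set up" and "platform directory of you project".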
diff --git a/projectroot/lib/systemd/system/rauc-mark-good.service b/projectroot/lib/systemd/system/rauc-mark-good.service
new file mode 100644
index 000000000..af4daab9f
--- /dev/null
+++ b/projectroot/lib/systemd/system/rauc-mark-good.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=RAUC Good-marking Service
+ConditionKernelCommandLine=|bootchooser.active
+ConditionKernelCommandLine=|rauc.slot
+
+[Service]
+ExecStart=/usr/bin/rauc status mark-good
+
+[Install]
+WantedBy=multi-user.target
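Review bot: The unit has `WantedBy=multi-user.target` but no `After=` ordering in `[Unit]`, so `rauc status mark-good` is started alongside the other units pulled in by that target rather than after them, and a slot can be marked good before the services that matter have come up. Adding `After=` (and `Requires=` where appropriate) for the application units, or documenting that a BSP should add them through a drop-in, would match what the commit message describes. `Type=oneshot` in `[Service]` would also fit a command that runs once and exits.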
diff --git a/rules/host-rauc.in b/rules/host-rauc.in
new file mode 100644
index 000000000..0e02743c7
--- /dev/null
+++ b/rules/host-rauc.in
@@ -0,0 +1,8 @@
+## SECTION=hosttools_noprompt
+## SECTION=hosttools_platform
+
+config HOST_RAUC
+	tristate
+	select HOST_GLIB
+	select HOST_OPENSSL
+	select HOST_SQUASHFS_TOOLS
diff --git a/rules/host-rauc.make b/rules/host-rauc.make
new file mode 100644
index 000000000..4345ae8f5
--- /dev/null
+++ b/rules/host-rauc.make
@@ -0,0 +1,32 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2015 by Michael Grzeschik <mgr@pengutronix.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+HOST_PACKAGES-$(PTXCONF_HOST_RAUC) += host-rauc
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# autoconf
+#
+HOST_RAUC_CONF_TOOL	:= autoconf
+HOST_RAUC_CONF_OPT	:= \
+	$(HOST_AUTOCONF) \
+	--disable-code-coverage \
+	--disable-valgrind \
+	--disable-service \
+	--disable-network \
+	--disable-json
+
+# vim: syntax=make
diff --git a/rules/rauc.in b/rules/rauc.in
new file mode 100644
index 000000000..263a67bf1
--- /dev/null
+++ b/rules/rauc.in
@@ -0,0 +1,34 @@
+## SECTION=applications
+
+menuconfig RAUC
+	tristate
+	prompt "Rauc Update Tool              "
+	select OPENSSL
+	select GLIB
+	select LIBCURL		if RAUC_NETWORK
+	select JSON_GLIB	if RAUC_JSON
+	help
+	  Robust Auto-Update Controller. RAUC controls the update process on embedded linux systems.
+
+if RAUC
+
+config RAUC_NETWORK
+	bool
+	prompt "network support"
+
+config RAUC_JSON
+	bool
+	prompt "JSON support"
+
+config RAUC_COMPATIBLE
+	prompt "RAUC Compatible"
+	string
+	default "${PTXCONF_PROJECT_VENDOR}\ ${PTXCONF_PROJECT}"
+	help
+	  An explicit identification string that RAUC uses to assure an update
+	  bundle matches with the correct root filesystem on the target.
+
+	  Only if the compatible in the targets RAUC system.conf file and those
+	  in the Bundle's manifest match exactly, an update will be performed
+
+endif
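Review bot: The `RAUC_COMPATIBLE` default `"${PTXCONF_PROJECT_VENDOR}\ ${PTXCONF_PROJECT}"` carries a backslash-escaped space, while the help text says an update is only performed on an exact match. The same value reaches `system.conf` through `install_replace` and the bundle manifest through the genimage environment, so it is worth confirming that both paths treat the backslash identically, or choosing a default without whitespace. Minor: the prompt spells the name "Rauc" with trailing padding, the first help line runs past 80 columns, and the last help sentence lacks its full stop.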
diff --git a/rules/rauc.make b/rules/rauc.make
new file mode 100644
index 000000000..ba7152bbd
--- /dev/null
+++ b/rules/rauc.make
@@ -0,0 +1,90 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2015 by Enrico Joerns <e.joerns@pengutronix.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_RAUC) += rauc
+
+#
+# Paths and names
+#
+RAUC_VERSION	:= v0.1
+RAUC_MD5	:= 33c6f45b71f9b9c082fa852c3d5915d9
+RAUC		:= rauc-$(RAUC_VERSION)
+RAUC_SUFFIX	:= tar.xz
+RAUC_URL	:= https://github.com/rauc/rauc/releases/download/v0.1/rauc-0.1.tar.xz
+RAUC_SOURCE	:= $(SRCDIR)/$(RAUC).$(RAUC_SUFFIX)
+RAUC_DIR	:= $(BUILDDIR)/$(RAUC)
+RAUC_LICENSE	:= LGPL-2.1
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#RAUC_CONF_ENV	:= $(CROSS_ENV)
+
+#
+# autoconf
+#
+RAUC_CONF_TOOL	:= autoconf
+RAUC_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--enable-debug=info \
+	$(GLOBAL_LARGE_FILE_OPTION) \
+	--disable-code-coverage \
+	--disable-valgrind \
+	--enable-service \
+	--$(call ptx/endis,PTXCONF_RAUC_NETWORK)-network \
+	--$(call ptx/endis,PTXCONF_RAUC_JSON)-json \
+	--with-systemdunitdir=/lib/systemd/system \
+	--with-dbuspolicydir=/usr/share/dbus-1/system.d \
+	--with-dbussystemservicedir=/usr/share/dbus-1/system-services
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/rauc.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, rauc)
+	@$(call install_fixup, rauc,PRIORITY,optional)
+	@$(call install_fixup, rauc,SECTION,base)
+	@$(call install_fixup, rauc,AUTHOR,"Enrico Joerns <e.joerns@pengutronix.de>")
+	@$(call install_fixup, rauc,DESCRIPTION,missing)
+
+	@$(call install_copy, rauc, 0, 0, 0755, -, /usr/bin/rauc)
+	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/system.conf)
+	@$(call install_replace, rauc, /etc/rauc/system.conf, \
+		@RAUC_BUNDLE_COMPATIBLE@, \
+		$(PTXCONF_RAUC_COMPATIBLE))
+	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
+
+	@$(call install_copy, rauc, 0, 0, 0644, -, \
+		/usr/share/dbus-1/system-services/de.pengutronix.rauc.service)
+	@$(call install_copy, rauc, 0, 0, 0644, -, \
+		/usr/share/dbus-1/system.d/de.pengutronix.rauc.conf)
+
+ifdef PTXCONF_INITMETHOD_SYSTEMD
+	@$(call install_alternative, rauc, 0, 0, 0644, \
+		/lib/systemd/system/rauc.service)
+
+	@$(call install_alternative, rauc, 0, 0, 0644, \
+		/lib/systemd/system/rauc-mark-good.service)
+	@$(call install_link, rauc, ../rauc-mark-good.service, \
+		/lib/systemd/system/multi-user.target.wants/rauc-mark-good.service)
+endif
+
+	@$(call install_finish, rauc)
+
+	@$(call touch)
+
+# vim: syntax=make
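Review bot: `RAUC_VERSION := v0.1` makes `RAUC` expand to `rauc-v0.1`, while `RAUC_URL` hardcodes `v0.1/rauc-0.1.tar.xz`, so the local name in `RAUC_SOURCE` and the upstream tarball name disagree and the URL will not follow a version bump. Setting the version to `0.1` and building the URL from `$(RAUC_VERSION)` and `$(RAUC).$(RAUC_SUFFIX)` would keep them in step. Also, the `install_fixup` DESCRIPTION is still `missing`, and `install_alternative` for `/etc/rauc/ca.cert.pem` falls back to the dummy keyring without any warning, unlike the hard failure `image-rauc.make` gives for a missing signing key.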
-- 
2.11.0



* [ptxdist] [PATCH 2/3] image-rauc: new package
  2017-03-20 11:36 [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool Enrico Jorns
  2017-03-20 11:36 ` [ptxdist] [PATCH 1/3] rauc: new package Enrico Jorns
@ 2017-03-20 11:36 ` Enrico Jorns
  2017-03-20 11:36 ` [ptxdist] [PATCH 3/3] scripts: add script that generates test certificates for RAUC Enrico Jorns
  2017-03-24 14:34 ` [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool Michael Olbrich
  3 siblings, 0 replies; 6+ messages in thread
From: Enrico Jorns @ 2017-03-20 11:36 UTC (permalink / raw)
  To: ptxdist; +Cc: Enrico Jorns, jlu

This adds a default image recipe for building a RAUC update Bundle out of the
system's rootfs.

In order to sign your update (mandatory) you need to place a valid certificate
and key file in your BSP. By default they are currently expected to be
located at:

  $(PTXDIST_PLATFORMCONFIGDIR)/config/rauc/rauc.key.pem (key)
  $(PTXDIST_PLATFORMCONFIGDIR)/config/rauc/rauc.cert.pem (cert)

PTXdist will then create the bundle during a run of `ptxdist images`.

Signed-off-by: Enrico Jorns <ejo@pengutronix.de>
---
 config/images/rauc.config | 17 ++++++++++++
 platforms/image-rauc.in   | 28 +++++++++++++++++++
 rules/image-rauc.make     | 69 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 114 insertions(+)
 create mode 100644 config/images/rauc.config
 create mode 100644 platforms/image-rauc.in
 create mode 100644 rules/image-rauc.make

diff --git a/config/images/rauc.config b/config/images/rauc.config
new file mode 100644
index 000000000..fb43c7efb
--- /dev/null
+++ b/config/images/rauc.config
@@ -0,0 +1,17 @@
+image update.raucb {
+	rauc {
+		file root.tar.gz { image = "root.tgz" }
+		manifest = "
+			[update]
+			compatible=@RAUC_BUNDLE_COMPATIBLE@
+			version=@RAUC_BUNDLE_VERSION@
+			build=@RAUC_BUNDLE_BUILD@
+			description=@RAUC_BUNDLE_DESCRIPTION@
+
+			[image.rootfs]
+			filename=root.tar.gz
+			"
+		cert = "@RAUC_CERT@"
+		key = "@RAUC_KEY@"
+	}
+}
diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
new file mode 100644
index 000000000..71c6898ba
--- /dev/null
+++ b/platforms/image-rauc.in
@@ -0,0 +1,28 @@
+## SECTION=image2
+
+menuconfig IMAGE_RAUC
+	tristate
+	prompt "Generate RAUC Update Bundle"
+	select HOST_GENIMAGE
+	select HOST_RAUC
+	select IMAGE_ROOT_TGZ
+	help
+	  This generates a RAUC update Bundle for the selected platform using
+	  genimage.
+
+	  By default, this will create a simple Bundle for updating a 'rootfs'
+	  slot with the content from PTXdist's root file system .tgz image.
+
+	  To customize the bundle, copy and adapt the genimage configuration
+	  file rauc.config.
+
+if IMAGE_RAUC
+
+config IMAGE_RAUC_DESCRIPTION
+	prompt "RAUC Bundle Description"
+	string
+	default ""
+	help
+	  Optional description that will be placed in the Bundles metadata.
+
+endif
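Review bot: `IMAGE_RAUC` selects `HOST_GENIMAGE`, `HOST_RAUC` and `IMAGE_ROOT_TGZ`, but nothing here ensures the target `RAUC` package is enabled, while `rules/image-rauc.make` fills the manifest from `PTXCONF_RAUC_COMPATIBLE`, which is only defined inside `if RAUC`. With the target package disabled the bundle would be built with an empty compatible, so the image rule should check for that and stop with a clear message.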
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
new file mode 100644
index 000000000..5f34909de
--- /dev/null
+++ b/rules/image-rauc.make
@@ -0,0 +1,69 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
+# Copyright (C) 2016 by Michael Olbrich <m.olbrich@pengutronix.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+IMAGE_PACKAGES-$(PTXCONF_IMAGE_RAUC) += image-rauc
+
+#
+# Paths and names
+#
+IMAGE_RAUC		:= image-rauc
+IMAGE_RAUC_DIR		:= $(BUILDDIR)/$(IMAGE_RAUC)
+IMAGE_RAUC_IMAGE	:= $(IMAGEDIR)/update.raucb
+IMAGE_RAUC_CONFIG	:= rauc.config
+
+# ----------------------------------------------------------------------------
+# Image
+# ----------------------------------------------------------------------------
+
+IMAGE_RAUC_KEY = $(PTXDIST_PLATFORMCONFIGDIR)/config/rauc/rauc.key.pem
+IMAGE_RAUC_CERT = $(PTXDIST_PLATFORMCONFIGDIR)/config/rauc/rauc.cert.pem
+
+IMAGE_RAUC_ENV	:= \
+	RAUC_BUNDLE_COMPATIBLE=$(PTXCONF_RAUC_COMPATIBLE) \
+	RAUC_BUNDLE_VERSION=$(PTXDIST_BSP_AUTOVERSION) \
+	RAUC_BUNDLE_BUILD=$(shell date +%FT%T%z) \
+	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
+	RAUC_KEY=$(IMAGE_RAUC_KEY) \
+	RAUC_CERT=$(IMAGE_RAUC_CERT)
+
+$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
+	@$(call targetinfo)
+	@$(call image/genimage, IMAGE_RAUC)
+	@$(call finish)
+
+$(IMAGE_RAUC_KEY):
+	@echo
+	@echo "****************************************************************************"
+	@echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
+	@echo "*                                                                          *"
+	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
+	@echo "*       from the scripts/ folder of your PTXdist installation              *"
+	@echo "****************************************************************************"
+	@echo
+	@echo
+	@exit 1
+
+$(IMAGE_RAUC_CERT):
+	@echo
+	@echo "****************************************************************************"
+	@echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
+	@echo "*                                                                          *"
+	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
+	@echo "*       from the scripts/ folder of your PTXdist installation              *"
+	@echo "****************************************************************************"
+	@echo
+	@echo
+	@exit 1
+
+# vim: syntax=make
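Review bot: Both error banners point users at `rauc-gen-certs.sh`, but the script added in this series is `scripts/rauc-gen-test-certs.sh`; the name in the two `Note:` lines should match. `RAUC_BUNDLE_BUILD=$(shell date +%FT%T%z)` sits in a `:=` assignment, so it is evaluated whenever the makefile is parsed and makes every bundle differ even for identical input, which deserves a comment if it is intended.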
-- 
2.11.0



* [ptxdist] [PATCH 3/3] scripts: add script that generates test certificates for RAUC
  2017-03-20 11:36 [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool Enrico Jorns
  2017-03-20 11:36 ` [ptxdist] [PATCH 1/3] rauc: new package Enrico Jorns
  2017-03-20 11:36 ` [ptxdist] [PATCH 2/3] image-rauc: " Enrico Jorns
@ 2017-03-20 11:36 ` Enrico Jorns
  2017-03-24 14:34 ` [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool Michael Olbrich
  3 siblings, 0 replies; 6+ messages in thread
From: Enrico Jorns @ 2017-03-20 11:36 UTC (permalink / raw)
  To: ptxdist; +Cc: Enrico Jorns, jlu

Signed-off-by: Enrico Jorns <ejo@pengutronix.de>
---
 scripts/rauc-gen-test-certs.sh | 128 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100755 scripts/rauc-gen-test-certs.sh

diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
new file mode 100755
index 000000000..06f4d297b
--- /dev/null
+++ b/scripts/rauc-gen-test-certs.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+#
+# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
+# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+# ---
+#
+# Demo script that generates certificate files required to sign and verify
+# RAUC update tool bundles.
+#
+
+set -xe
+
+ORG="Test Org"
+CA="rauc CA"
+
+# After the CRL expires, signatures cannot be verified anymore
+CRL="-crldays 5000"
+
+BASE="$(pwd)/rauc-openssl-ca"
+
+if [ -e $BASE ]; then
+  echo "$BASE already exists"
+  exit 1
+fi
+
+mkdir -p $BASE/dev/{private,certs}
+touch $BASE/dev/index.txt
+echo 01 > $BASE/dev/serial
+
+cat > $BASE/openssl.cnf <<EOF
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+[ CA_default ]
+
+dir            = .                     # top dir
+database       = \$dir/index.txt        # index file.
+new_certs_dir  = \$dir/certs            # new certs dir
+
+certificate    = \$dir/ca.cert.pem       # The CA cert
+serial         = \$dir/serial           # serial no file
+private_key    = \$dir/private/ca.key.pem# CA private key
+RANDFILE       = \$dir/private/.rand    # random number file
+
+default_startdate = 19700101000000Z
+default_enddate = 99991231235959Z
+default_crl_days= 30                   # how long before next CRL
+default_md     = sha256                # md to use
+
+policy         = policy_any            # default policy
+email_in_dn    = no                    # Don't add the email into cert DN
+
+name_opt       = ca_default            # Subject name display option
+cert_opt       = ca_default            # Certificate display option
+copy_extensions = none                 # Don't copy extensions from request
+
+[ policy_any ]
+organizationName       = match
+commonName             = supplied
+
+[ req ]
+default_bits           = 2048
+distinguished_name     = req_distinguished_name
+x509_extensions        = v3_leaf
+encrypt_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+commonName                     = Common Name (eg, YOUR name)
+commonName_max                 = 64
+
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:TRUE
+
+[ v3_inter ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:TRUE,pathlen:0
+
+[ v3_leaf ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:FALSE
+EOF
+
+export OPENSSL_CONF=$BASE/openssl.cnf
+
+echo "Development CA"
+cd $BASE/dev
+openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
+openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
+
+echo "Development Signing Keys 1"
+cd $BASE/dev
+openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
+openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
+
+cat << EOF
+===============================================================================
+
+Note that the default application should be to set up a public key
+infrastructure at your site and use keys and certificates genereated by these.
+
+In oder to use the just generated files in your BSP for testing purpose or if
+you do not intend to use real authentification, follow the instructions below. 
+
+Place the key and certificate file in your platform-dir's config/ folder:
+
+  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
+  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
+
+Place the keyring file in your platform-dir's projectroot/ folder:
+
+  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
+
+===============================================================================
+EOF
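Review bot: The closing instructions copy from `rauc-openssl-ca/private/rauc.key.pem`, `rauc-openssl-ca/rauc.cert.pem` and `rauc-openssl-ca/ca.cert.pem`, but everything is generated after `cd $BASE/dev`, so the files end up under `rauc-openssl-ca/dev/`; the last `cp` line also has `<plaform-dir>`. Further up, `CRL="-crldays 5000"` is set and never used, and `$BASE` is unquoted in `[ -e $BASE ]`, `mkdir` and `cd`, which breaks when the working directory contains spaces. With `encrypt_key = no` the private keys are written unencrypted under whatever umask the caller has, so a `umask 077` before the `mkdir` would be prudent even for test keys. Typos in the final heredoc: "genereated", "In oder", "authentification".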
-- 
2.11.0



* Re: [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool
  2017-03-20 11:36 [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool Enrico Jorns
                   ` (2 preceding siblings ...)
  2017-03-20 11:36 ` [ptxdist] [PATCH 3/3] scripts: add script that generates test certificates for RAUC Enrico Jorns
@ 2017-03-24 14:34 ` Michael Olbrich
  2017-03-24 19:00   ` Alexander Dahl
  3 siblings, 1 reply; 6+ messages in thread
From: Michael Olbrich @ 2017-03-24 14:34 UTC (permalink / raw)
  To: ptxdist

On Mon, Mar 20, 2017 at 12:36:24PM +0100, Enrico Jorns wrote:
> These patches add recipes for building the RAUC update tool as well as a recipe
> for creating basic update Bundles using RAUC and genimage.
> 
> Enrico Jorns (3):
>   rauc: new package
>   image-rauc: new package
>   scripts: add script that generates test certificates for RAUC

Thanks, all applied.

Michael

>  config/images/rauc.config                          |  17 +++
>  platforms/image-rauc.in                            |  28 +++++
>  projectroot/etc/rauc/ca.cert.pem                   |   7 ++
>  projectroot/etc/rauc/system.conf                   |  36 ++++++
>  .../lib/systemd/system/rauc-mark-good.service      |  10 ++
>  rules/host-rauc.in                                 |   8 ++
>  rules/host-rauc.make                               |  32 ++++++
>  rules/image-rauc.make                              |  69 +++++++++++
>  rules/rauc.in                                      |  34 ++++++
>  rules/rauc.make                                    |  90 +++++++++++++++
>  scripts/rauc-gen-test-certs.sh                     | 128 +++++++++++++++++++++
>  11 files changed, 459 insertions(+)
>  create mode 100644 config/images/rauc.config
>  create mode 100644 platforms/image-rauc.in
>  create mode 100644 projectroot/etc/rauc/ca.cert.pem
>  create mode 100644 projectroot/etc/rauc/system.conf
>  create mode 100644 projectroot/lib/systemd/system/rauc-mark-good.service
>  create mode 100644 rules/host-rauc.in
>  create mode 100644 rules/host-rauc.make
>  create mode 100644 rules/image-rauc.make
>  create mode 100644 rules/rauc.in
>  create mode 100644 rules/rauc.make
>  create mode 100755 scripts/rauc-gen-test-certs.sh
> 
> -- 
> 2.11.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool
  2017-03-24 14:34 ` [ptxdist] [PATCHv2 0/3] Add basic support for the RAUC update tool Michael Olbrich
@ 2017-03-24 19:00   ` Alexander Dahl
  0 siblings, 0 replies; 6+ messages in thread
From: Alexander Dahl @ 2017-03-24 19:00 UTC (permalink / raw)
  To: ptxdist



Hei hei,

On Fri, Mar 24, 2017 at 03:34:55PM +0100, Michael Olbrich wrote:
> On Mon, Mar 20, 2017 at 12:36:24PM +0100, Enrico Jorns wrote:
> > These patches add recipes for building the RAUC update tool as well as a recipe
> > for creating basic update Bundles using RAUC and genimage.
> > 
> > Enrico Jorns (3):
> >   rauc: new package
> >   image-rauc: new package
> >   scripts: add script that generates test certificates for RAUC
> 
> Thanks, all applied.

Thanks to both of you, I very much appreciate the inclusion of RAUC
into ptxdist. :-)

Greets
Alex

-- 
»With the first link, the chain is forged. The first speech censured, 
the first thought forbidden, the first freedom denied, chains us all 
irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: C28E E6B9 0263 95CF 8FAF  08FA 34AD CD00 7221 5CC6 ***


end of thread, other threads:[~2017-03-24 19:00 UTC | newest]
