My objective is,
sha256 for all the required files (which go into .swu)
sw-description file with RSA algorithm.
My .swu consists:
bzImage
panther2-usb-panther2.ext4
sw-description
postinstall_swu.sh
I have created a script which generates sha256 and signs sw-description.
Here is the script:
#!/bin/bash
IMAGES="bzImage panther2-usb-panther2.ext4"
# Order matters: swupdate expects sw-description first, then its signature.
FILES="sw-description sw-description.sig postinstall_swu.sh $IMAGES"
echo "Executing swu signing script..."
# Collect the description, the post-install script and the built images.
cp ../sw-description .
cp ../postinstall_swu.sh .
cp ../../../../../deploy/images/panther2/bzImage .
cp ../../../../../deploy/images/panther2/panther2-usb-panther2.ext4 .
# Keep only the hash field of each sha256sum output line.
read -d ' ' SHA_ROOTFS < <(sha256sum panther2-usb-panther2.ext4)
read -d ' ' SHA_BZIMAGE < <(sha256sum bzImage)
read -d ' ' SHA_POSTINSTALL < <(sha256sum postinstall_swu.sh)
# Patch the 1st, 2nd and 3rd sha256 entries by position; this relies on the
# entries in sw-description being in the order rootfs, kernel, postinstall.
sed -i ':a;N;$!ba; s/sha256 = "[0-9A-Za-z]*"/sha256 = '"\"${SHA_ROOTFS}"\"'/1' sw-description
sed -i ':a;N;$!ba; s/sha256 = "[0-9A-Za-z]*"/sha256 = '"\"${SHA_BZIMAGE}"\"'/2' sw-description
sed -i ':a;N;$!ba; s/sha256 = "[0-9A-Za-z]*"/sha256 = '"\"${SHA_POSTINSTALL}"\"'/3' sw-description
# Sign the final sw-description (after the hashes have been written into it).
openssl dgst -sha256 -sign ../priv.pem -passin file:../passphrase sw-description > sw-description.sig
# Pack everything into the cpio archive that forms the .swu.
for i in $FILES; do
    echo $i
done | cpio -ov -H crc > panther2-swu-$USER-devbuild.swu
cp panther2-swu-$USER-devbuild.swu ../../../../../deploy/images/panther2
Is the above approach better?
Is there a way to ask the yocto/swupdate layer to generate sha256 for all the above files (except sw-description) and add these generated sha256 into the sw-description file?
I can sign sw-description by defining the SWUPDATE_SIGNING and SWUPDATE_PRIVATE_KEY variables in my recipe file, but how to generate sha256?
meta-swupdate Yocto layer takes care of signed images.
Swupdate image recipe should contain for example:
SWUPDATE_SIGNING = "RSA"
SWUPDATE_PRIVATE_KEY = "/path/to/key"
Then, sha256 is automatically computed in the sw-description file with the following syntax:
sha256 = "@panther2-usb-panther2.ext4";
Where panther2-usb-panther2.ext4 is an artifact listed in the SWUPDATE_IMAGES variable.
More details can be found in:
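
For builds that assemble the .swu by hand, as the script in the question does, the same "@file" placeholder idea can be reproduced so that each hash is bound to its artifact by name instead of by position, and then re-checked before signing. This is an added example, not code from the answer or from meta-swupdate; the function names fill_hashes and check_hashes are hypothetical, and it assumes one attribute per line in sw-description and artifact names without whitespace.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Assumes one attribute per line
# in sw-description and artifact file names without whitespace.

# fill_hashes DESC DIR: replace each  sha256 = "@<file>"  placeholder in DESC
# with the SHA-256 of DIR/<file>, bound by name rather than by position.
fill_hashes() {
    desc=$1; dir=$2
    names=$(grep -o 'sha256[[:space:]]*=[[:space:]]*"@[^"]*"' "$desc" |
            sed 's/.*"@//; s/"$//' | sort -u)
    for name in $names; do
        [ -f "$dir/$name" ] || { echo "missing artifact: $name" >&2; return 1; }
        sum=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        # index()/substr() keep the file name literal (no regex metacharacters).
        awk -v pat="\"@$name\"" -v rep="\"$sum\"" '
            /sha256/ { while ((i = index($0, pat)) > 0)
                           $0 = substr($0, 1, i - 1) rep substr($0, i + length(pat)) }
            { print }' "$desc" > "$desc.tmp" && mv "$desc.tmp" "$desc"
    done
}

# check_hashes DESC DIR: re-verify every filename/sha256 pair in DESC against
# the files in DIR. Fails if a placeholder is left over or no pair is found.
check_hashes() {
    desc=$1; dir=$2
    if grep -q '"@' "$desc"; then
        echo "unresolved placeholder in $desc" >&2; return 1
    fi
    # Emit "hash  filename" lines, one per { ... } entry, for sha256sum -c.
    list=$(awk -F'"' '
        index($0, "{")       { f = ""; h = "" }
        /filename[ \t]*=/    { f = $2 }
        /sha256[ \t]*=/      { h = $2 }
        index($0, "}")       { if (f != "" && h != "") print h "  " f
                               f = ""; h = "" }' "$desc")
    ( cd "$dir" && printf '%s\n' "$list" | sha256sum -c )
}

# Stand-alone use: script.sh <sw-description> <artifact-dir>
if [ "$#" -eq 2 ]; then
    fill_hashes "$1" "$2" && check_hashes "$1" "$2"
fi
```

Sign sw-description only after the placeholders are filled, as the question's script does with openssl dgst, because the signature covers the final file contents.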