@@ -13,6 +13,7 @@ software =
device = "/dev/mmcblk0p1";
type = "raw";
compressed = "zlib";
+ sha256 = "$swupdate_get_sha256(@@IMAGE_BASENAME@@-@@MACHINE@@.rootfs.ext4.gz)";
},
);
uboot: (
@@ -30,6 +31,7 @@ software =
device = "/dev/mmcblk0p2";
type = "raw";
compressed = "zlib";
+ sha256 = "$swupdate_get_sha256(@@IMAGE_BASENAME@@-@@MACHINE@@.rootfs.ext4.gz)";
},
);
uboot: (
@@ -1,4 +1,5 @@
inherit swupdate
+inherit ti-secdev
IMAGE_BASENAME ?= "tisdk-default-image"
@@ -21,3 +22,6 @@ SWUPDATE_IMAGES_FSTYPES[tisdk-bootstrap-image] = ".rootfs.ext4.gz"
SWUPDATE_IMAGES_FSTYPES[tisdk-jailhouse-image] = ".rootfs.ext4.gz"
SWUPDATE_IMAGES_FSTYPES[tisdk-thinlinux-image] = ".rootfs.ext4.gz"
SWUPDATE_IMAGES_FSTYPES[tisdk-bootstrap-base-image] = ".rootfs.ext4.gz"
+
+SWUPDATE_SIGNING = "RSA"
+SWUPDATE_PRIVATE_KEY = "${TI_SECURE_DEV_PKG}/keys/custMpk.key"
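Review bot: `SWUPDATE_PRIVATE_KEY` is hard-assigned to `${TI_SECURE_DEV_PKG}/keys/custMpk.key`, so a production build cannot point at its own update-signing key from local.conf or a distro config without editing this recipe. If TI_SECURE_DEV_PKG resolves to the stock development package, that key is presumably available to anyone who has the package, in which case the signature would not restrict who can produce an accepted .swu. Use weak defaults, `SWUPDATE_SIGNING ?= "RSA"` and `SWUPDATE_PRIVATE_KEY ?= "${TI_SECURE_DEV_PKG}/keys/custMpk.key"`, with a comment such as `# Default is the ti-secdev key; override with a dedicated, access-controlled key for production builds`. The custMpk key also appears to serve other signing purposes in ti-secdev, so a separate update-signing key would limit the impact of a single key compromise.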
@@ -4,6 +4,7 @@ CONFIG_HW_COMPATIBILITY=y
CONFIG_UBOOT=y
CONFIG_SYSTEMD=y
CONFIG_WEBSERVER=y
+CONFIG_SIGNED_IMAGES=y
CONFIG_BOOTLOADERHANDLER=y
CONFIG_CFI=y
CONFIG_EMMC_HANDLER=y
@@ -12,4 +12,4 @@ fi
UBOOT_BOOTCOUNT_ADDR=0x4301c100
devmem2 $UBOOT_BOOTCOUNT_ADDR w 0
-swupdate -H @MACHINE@:1.0 ${SELECTION} -p 'reboot' -f /etc/swupdate.cfg -w "-r /www -p 8080"
+swupdate -H @MACHINE@:1.0 ${SELECTION} -p 'reboot' -f /etc/swupdate.cfg -w "-r /www -p 8080" -k /etc/custMpk.pub
@@ -1,4 +1,5 @@
inherit swupdate-lib
+inherit ti-secdev
FILESEXTRAPATHS:append := "${THISDIR}/files:"
@@ -8,6 +9,8 @@ FILES:${PN} += " \
${SWUPDATE_HW_COMPATIBILITY_FILE} \
"
+DEPENDS += "openssl-native"
+
SRC_URI += " \
file://defconfig \
file://swupdate.sh \
@@ -27,4 +30,6 @@ do_install:append () {
install -d ${D}${sysconfdir}
install -m 644 ${WORKDIR}/swupdate.cfg ${D}${sysconfdir}
sed -i "s#@MACHINE@#${MACHINE}#g" ${D}${sysconfdir}/swupdate.cfg
+
+ openssl rsa -in ${TI_SECURE_DEV_PKG}/keys/custMpk.key -pubout -out ${D}/etc/custMpk.pub
}
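Review bot: The added `openssl rsa ... -pubout` line writes the verification key to `${D}/etc/custMpk.pub` with whatever mode openssl and the task umask produce, and it uses a literal `/etc` where the lines above use `${D}${sysconfdir}`. Write to `${D}${sysconfdir}/custMpk.pub` and follow it with `chmod 0644 ${D}${sysconfdir}/custMpk.pub` so the on-target trust anchor has a defined mode. The private key is read from outside the recipe's tracked inputs, so rotating it may not re-run do_install and the image could keep shipping the old public key; `do_install[file-checksums] += "${TI_SECURE_DEV_PKG}/keys/custMpk.key:True"` would tie the task to the key file. do_install:append starts outside this hunk, and the `-k /etc/custMpk.pub` argument in swupdate.sh has to stay in step with the install path chosen here.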
To ensure the platform can only be updated from an authorised source, this patch adds signing to the .swu update image using the pre-existing custMpk keys from ti-secdev. Signed-off-by: Anshul Dalal <anshuld@ti.com> --- .../recipes-swupdate/images/files/sw-description | 2 ++ meta-arago-distro/recipes-swupdate/images/update-image.bb | 4 ++++ meta-arago-distro/recipes-swupdate/swupdate/files/defconfig | 1 + .../recipes-swupdate/swupdate/files/swupdate.sh | 2 +- .../recipes-swupdate/swupdate/swupdate_%.bbappend | 5 +++++ 5 files changed, 13 insertions(+), 1 deletion(-)