rauc · mschwan-phytec · Jul 22, 2024 · Jul 22, 2024
diff --git a/classes-recipe/bundle.bbclass b/classes-recipe/bundle.bbclass
@@ -76,6 +76,14 @@
 #
 #   RAUC_KEYRING_FILE ?= "ca.cert.pem"
 #
+# To encrypt manifests of bundles using the "crypt" format, set
+#
+#   RAUC_CRYPT_BUNDLE = "1"
+#
+# and set a corresponding certificate file of the recipient(s):
+#
+#   RAUC_CRYPT_CERT_FILE ?= "recipient-certs.pem"
+#
 # Enable building casync bundles with
 #
 #   RAUC_CASYNC_BUNDLE = "1"
@@ -129,10 +137,11 @@ RAUC_BUNDLE_HOOKS[doc] = "Allows to specify an additional hook executable and bu
 RAUC_BUNDLE_EXTRA_FILES[doc] = "Specifies list of additional files to add to bundle. Files must either be located in UNPACKDIR (added by SRC_URI) or DEPLOY_DIR_IMAGE (assured by RAUC_BUNDLE_EXTRA_DEPENDS)"
 RAUC_BUNDLE_EXTRA_DEPENDS[doc] = "Specifies list of recipes that create artifacts in DEPLOY_DIR_IMAGE. For recipes not depending on do_deploy task also <recipename>:do_<taskname> notation is supported"
 
+RAUC_CRYPT_BUNDLE ??= "0"
 RAUC_CASYNC_BUNDLE ??= "0"
 
 RAUC_BUNDLE_FORMAT ??= ""
-RAUC_BUNDLE_FORMAT[doc] = "Specifies the bundle format to be used (plain/verity)."
+RAUC_BUNDLE_FORMAT[doc] = "Specifies the bundle format to be used (plain/verity/crypt)."
 
 RAUC_VARFLAGS_SLOTS = "name type fstype file hooks adaptive rename offset depends"
 RAUC_VARFLAGS_HOOKS = "file hooks"
@@ -182,6 +191,8 @@ RAUC_KEY_FILE ??= ""
 RAUC_KEY_FILE[doc] = "Specifies the path to the RAUC key file used for signing. Use COREBASE to reference files located in any shared BSP folder."
 RAUC_CERT_FILE ??= ""
 RAUC_CERT_FILE[doc] = "Specifies the path to the RAUC cert file used for signing. Use COREBASE to reference files located in any shared BSP folder."
+RAUC_CRYPT_CERT_FILE ??= ""
+RAUC_CRYPT_CERT_FILE[doc] = "Specifies the path to the RAUC cert file used for encryption. Use COREBASE to reference files located in any shared BSP folder."
 RAUC_KEYRING_FILE ??= ""
 RAUC_KEYRING_FILE[doc] = "Specifies the path to the RAUC keyring file used for bundle signature verification. Use COREBASE to reference files located in any shared BSP folder."
 BUNDLE_ARGS ??= ""
@@ -394,6 +405,16 @@ BUNDLE_LINK_NAME ??= "${BUNDLE_BASENAME}-${MACHINE}"
 BUNDLE_EXTENSION ??= ".raucb"
 BUNDLE_EXTENSION[doc] = "Specifies desired custom filename extension of generated RAUC bundle."
 
+CRYPT_BUNDLE_BASENAME ??= "crypt-${BUNDLE_BASENAME}"
+CRYPT_BUNDLE_BASENAME[doc] = "Specifies desired output base name of generated RAUC crypt bundle."
+CRYPT_BUNDLE_NAME ??= "${CRYPT_BUNDLE_BASENAME}-${MACHINE}-${DATETIME}"
+CRYPT_BUNDLE_NAME[doc] = "Specifies desired full output name of generated RAUC crypt bundle."
+# Don't include the DATETIME variable in the sstate package sigantures
+CRYPT_BUNDLE_NAME[vardepsexclude] = "DATETIME"
+CRYPT_BUNDLE_LINK_NAME ??= "${CRYPT_BUNDLE_BASENAME}-${MACHINE}"
+CRYPT_BUNDLE_EXTENSION ??= "${BUNDLE_EXTENSION}"
+CRYPT_BUNDLE_EXTENSION[doc] = "Specifies desired custom filename extension of generated RAUC bundle."
+
 CASYNC_BUNDLE_BASENAME ??= "casync-${BUNDLE_BASENAME}"
 CASYNC_BUNDLE_BASENAME[doc] = "Specifies desired output base name of generated RAUC casync bundle."
 CASYNC_BUNDLE_NAME ??= "${CASYNC_BUNDLE_BASENAME}-${MACHINE}-${DATETIME}"
@@ -421,6 +442,22 @@ do_bundle() {
 		${BUNDLE_DIR} \
 		${B}/bundle.raucb
 
+	if [ ${RAUC_CRYPT_BUNDLE} -eq 1 ]; then
+		if [ -z "${RAUC_CRYPT_CERT_FILE}" ]; then
+			bbfatal "'RAUC_CRYPT_CERT_FILE' not set. Please set a valid recipient certificate file location."
+		fi
+		if [ -z "${RAUC_KEYRING_FILE}" ]; then
+			bbfatal "'RAUC_KEYRING_FILE' not set. Please set a valid keyring file location."
+		fi
+
+		${STAGING_BINDIR_NATIVE}/rauc encrypt \
+			--debug \
+			--to="${RAUC_CRYPT_CERT_FILE}" \
+			--keyring="${RAUC_KEYRING_FILE}" \
+			${B}/bundle.raucb \
+			${B}/crypt-bundle.raucb
+	fi
+
 	if [ ${RAUC_CASYNC_BUNDLE} -eq 1 ]; then
 		if [ -z "${RAUC_KEYRING_FILE}" ]; then
 			bbfatal "'RAUC_KEYRING_FILE' not set. Please set a valid keyring file location."
@@ -457,6 +494,11 @@ do_deploy() {
 	install -m 0644 ${B}/bundle.raucb ${DEPLOYDIR}/${BUNDLE_NAME}${BUNDLE_EXTENSION}
 	ln -sf ${BUNDLE_NAME}${BUNDLE_EXTENSION} ${DEPLOYDIR}/${BUNDLE_LINK_NAME}${BUNDLE_EXTENSION}
 
+	if [ ${RAUC_CRYPT_BUNDLE} -eq 1 ]; then
+		install -m 0644 ${B}/crypt-bundle.raucb ${DEPLOYDIR}/${CRYPT_BUNDLE_NAME}${CRYPT_BUNDLE_EXTENSION}
+		ln -sf ${CRYPT_BUNDLE_NAME}${CRYPT_BUNDLE_EXTENSION} ${DEPLOYDIR}/${CRYPT_BUNDLE_LINK_NAME}${CRYPT_BUNDLE_EXTENSION}
+	fi
+
 	if [ ${RAUC_CASYNC_BUNDLE} -eq 1 ]; then
 		install -m 0644 ${B}/casync-bundle.raucb ${DEPLOYDIR}/${CASYNC_BUNDLE_NAME}${CASYNC_BUNDLE_EXTENSION}
 		cp -r ${B}/casync-bundle.castr ${DEPLOYDIR}/${CASYNC_BUNDLE_NAME}.castr

diff --git a/recipes-kernel/linux/linux-yocto/rauc.cfg b/recipes-kernel/linux/linux-yocto/rauc.cfg
@@ -4,4 +4,6 @@ CONFIG_MD=y
 CONFIG_BLK_DEV_DM=y
 CONFIG_BLK_DEV_NBD=y
 CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_SHA256=y