From fc53cea0d9386a257b4f817cf20e0d13081a9952 Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki <zygmunt.krynicki@huawei.com>
Date: Fri, 1 Oct 2021 12:04:35 +0200
Subject: [PATCH] rauc: use known insecure keys by default

Unless overridden in another layer or in local.conf, rauc will bundle
and use a known public key for verifying updates. This allows us to
have some set of defaults that work out of the box and allow testing
the OTA stack and producing signed update bundles coming out of the CI
system.

The key is insecure and will expire in a year. This is intentional. Over
time we may switch to a reference key that is managed and secured or
re-generate another key for another year.

The insecure key has a fixed name and that name is used to trigger a
bitbake warning. OTA stack will learn to detect that key and similarly
warn users, or perform equally appropriate operations, in order to
reduce the risk of someone accidentally using this key in production.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@huawei.com>
---
 .../rauc/files/ostc-insecure-cert.pem         |  1 +
 .../rauc/files/raspberrypi4/system.conf       |  3 +-
 .../recipes-core/rauc/insecure-keys/cert.pem  | 33 ++++++++++++
 .../rauc/insecure-keys/cert.pem.license       |  3 ++
 .../rauc/insecure-keys/gen-keys.sh            | 15 ++++++
 .../recipes-core/rauc/insecure-keys/key.pem   | 52 +++++++++++++++++++
 .../rauc/insecure-keys/key.pem.license        |  3 ++
 .../recipes-core/rauc/rauc_%.bbappend         | 29 +++++++++++
 8 files changed, 137 insertions(+), 2 deletions(-)
 create mode 120000 meta-ohos-core/recipes-core/rauc/files/ostc-insecure-cert.pem
 create mode 100644 meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem
 create mode 100644 meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem.license
 create mode 100755 meta-ohos-core/recipes-core/rauc/insecure-keys/gen-keys.sh
 create mode 100644 meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem
 create mode 100644 meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem.license

diff --git a/meta-ohos-core/recipes-core/rauc/files/ostc-insecure-cert.pem b/meta-ohos-core/recipes-core/rauc/files/ostc-insecure-cert.pem
new file mode 120000
index 00000000..b43558dc
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/files/ostc-insecure-cert.pem
@@ -0,0 +1 @@
+../insecure-keys/cert.pem
\ No newline at end of file
diff --git a/meta-ohos-core/recipes-core/rauc/files/raspberrypi4/system.conf b/meta-ohos-core/recipes-core/rauc/files/raspberrypi4/system.conf
index 87a52272..db2de8ff 100644
--- a/meta-ohos-core/recipes-core/rauc/files/raspberrypi4/system.conf
+++ b/meta-ohos-core/recipes-core/rauc/files/raspberrypi4/system.conf
@@ -24,8 +24,7 @@ device=/dev/mmcblk0p3
 bootname=B
 
 [keyring]
-# FIXME(zyga): This keyring should be defined somewhere.
-path=/etc/rauc/cert.pem
+path=/etc/rauc/ostc-insecure-cert.pem
 
 [handlers]
 # Use SystemOTA for RAUC pre-install and post-install handlers. This is
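Review bot: The keyring path is now hard-coded to `/etc/rauc/ostc-insecure-cert.pem`, while the bbappend in this commit makes the file name overridable through `RAUC_KEYRING_FILE ?=`. A downstream layer that overrides only the variable would presumably install a different file and leave this path pointing at nothing, so the two must be changed together. The removed FIXME also leaves the `[keyring]` section with no explanation; a comment such as `# Known insecure test key; must match RAUC_KEYRING_FILE in rauc_%.bbappend. Replace both for production.` would make that visible to integrators. The `[handlers]` section continues outside the hunk.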
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem b/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem
new file mode 100644
index 00000000..dd93658c
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem.license b/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem.license
new file mode 100644
index 00000000..98a0b3f4
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/gen-keys.sh b/meta-ohos-core/recipes-core/rauc/insecure-keys/gen-keys.sh
new file mode 100755
index 00000000..cd89f768
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/gen-keys.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# The insecure pair of keys that are present in this layer were generated with
+# the following command. The keys will expire after a year. This is
+# intentional.
+openssl req -x509 -newkey rsa:4096 \
+    -keyout key.pem \
+    -out cert.pem \
+    -days 365 \
+    -nodes \
+    -subj "/CN=ostc-eu.org/O=Open Source Technology Center (Europe)/C=PL/L=Warsaw" </dev/null
+
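Review bot: Nothing in the generated certificate itself marks it as a test credential: the `-subj` on the last line of the command reads like an ordinary organisational identity, so the only marker is the file name `ostc-insecure-cert.pem` it is later installed under. Since the commit message plans for the OTA stack to detect this key, a marker in the subject would survive renames and show up in any certificate inspection, for example by adding an OU such as `/OU=INSECURE TEST KEY` (constructed value) to `-subj` when the key is next regenerated. The script also writes `key.pem` and `cert.pem` to the current directory, so a one-line comment saying it must be run from `insecure-keys/` would help.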
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem b/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem
new file mode 100644
index 00000000..8279c10c
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem.license b/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem.license
new file mode 100644
index 00000000..98a0b3f4
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
diff --git a/meta-ohos-core/recipes-core/rauc/rauc_%.bbappend b/meta-ohos-core/recipes-core/rauc/rauc_%.bbappend
index 30e9e98e..9cfcf46f 100644
--- a/meta-ohos-core/recipes-core/rauc/rauc_%.bbappend
+++ b/meta-ohos-core/recipes-core/rauc/rauc_%.bbappend
@@ -14,3 +14,32 @@ FILESEXTRAPATHS_prepend_raspberrypi4-64 := "${THISDIR}/files/raspberrypi4:"
 # Make the RAUC package machine-specific. This lets us put the specific configuration
 # file, which encodes the slot configuration, into it safely.
 PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+# Use the known insecure public key which is a part of this layer as the key
+# baked into our reference images.
+#
+# This key is meant to be insecure for two reasons:
+#
+# 1) There are no binary updates available for the reference images, nor there
+# are any binary updates that come out which are production-grade and can be
+# deployed directly. This is the responsibility of the integrator for a
+# specific product. Having a known-insecure key should discourage people from
+# using artifacts coming out of CI as updates for anything not related to
+# testing.
+#
+# 2) There is no need to use a sophisticated secure key storage environment in
+# order to build reference images to allow CI-made artifacts to be signed and
+# useful for testing.
+
+# Set RAUC_KEYRING_FILE which is is defined in meta-rauc. This still allows any
+# downstream overrides to define it more strongly and use a different private
+# key. This variable is also set up to append to SRC_URI, so no additional
+# declaration is needed.
+RAUC_KEYRING_FILE ?= "ostc-insecure-cert.pem"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+do_install_append() {
+    if [ -f ${D}${sysconfdir}/rauc/ostc-insecure-cert.pem ]; then
+        bbwarn "The image is using a known, insecure test key for verifying RAUC bundles. Do not use this in production systems."
+    fi
+}
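Review bot: The only guard against shipping the published test key is the `bbwarn` in `do_install_append`, and it is weak in two ways. It keys on the installed file name `ostc-insecure-cert.pem`, so the same certificate copied under another name or concatenated into a larger keyring passes silently; and it runs only when rauc's do_install actually executes, so a build that restores rauc from shared state presumably never prints it. Consider matching on the certificate fingerprint, running the check at image-assembly time (for instance from `ROOTFS_POSTPROCESS_COMMAND`), and failing the build unless an explicit opt-in variable is set. Separately, the comment above `RAUC_KEYRING_FILE` says downstream can "use a different private key", but the variable names the verification certificate; `use a different keyring certificate` would be accurate, and "is is" in the same comment is a typo.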
-- 
GitLab