-
Notifications
You must be signed in to change notification settings - Fork 1
/
README
252 lines (181 loc) · 8.56 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
A layer that builds The Update Framework in Yocto
Dependencies
============
This layer depends on:
URI: git://git.yoctoproject.org/poky
branch: rocko
or
URI: git://git.openembedded.org/openembedded-core
branch: rocko
URI: git://git.openembedded.org/bitbake
branch: 1.36
URI: https://github.com/MontaVista-OpenSourceTechnology/meta-montavista-cgx
branch: rocko
URI: git://git.openembedded.org/meta-openembedded
layers: meta-perl, meta-gnome, meta-multimedia, xfce-layer
branch: rocko
Source code
===========
https://github.com/MontaVista-OpenSourceTechnology/meta-tuf
Maintenance
===========
Maintainers:
Contributing
============
Contributions and patches can be sent to the MontaVista mailing
list: [email protected]"
When sending patches please take a look at the contribution guide available
here: https://wiki.yoctoproject.org/wiki/Contribution_Guidelines
example:
git send-email -1 -M --to [email protected] --subject-prefix=meta-montavista-cgx][PATCH
Table of Contents
=================
I. Adding the meta-tuf layer to your build
II. Using meta-tuf
III. Key update
IV. ostree and ostree-rpm
I. Adding the meta-tuf layer to your build
=================================================
In order to use this layer, you need to make the build system aware of
it.
Assuming the meta-montavista-cgl layer exists at the top-level of your
yocto build tree, you can add it to the build system by adding the
location of the meta-montavista-cgl layer to bblayers.conf, along with any
other layers needed. Adapt the below list to proper format.
BBLAYERS:
meta
meta-openembedded/meta-networking
meta-openembedded/meta-oe
meta-openembedded/meta-python
meta-openembedded/meta-webserver
II. Using meta-tuf
==================
The design of meta-tuf allows you to use TUF in a normal fashion with
assists from this layer. This allows you to configure TUF as you want
but have semi-automated means for loading you TUF repository from the
build.
The meta-tuf layer is a little bit unusual because it is a setup to
allow deployment to a remote system. It sets things up to use the
tuf-manifest repo tool deploying updates, and it installs the
tuf-manifest client tool on the client with the configuration files
specified in local.conf. It also create the proper manifest files so
tufm-repo can use them to install files into a TUF repository.
Using this tool does require knowledge of The Update Framework (TUF).
See https://theupdateframework.github.io/ for that. How you configure
things has security implications.
You should also refer to the tuf-manifest package documentation.
The following variables are used by meta-tuf and can be used to
control it's operation. These are:
TUF_MANIFEST_DIR ?= "${DEPLOY_DIR_IMAGE}"
The place where the tuf-manifest manifest files will be stored. By
default this is the standard image directory, but it can be any other
place that you want to maintain it (so it can be backed up, etc.).
TUF_MANIFEST_USER_FILENAME ?= "manifest"
The base name of the manifest files. These will have a '.<num>'
appended to them for version, so manifest.1 is the first version,
manifest.2 the second, etc. The default is "manifest".
TUF_MANIFEST_FILENR ?= "${TUF_MANIFEST_CURRENT_FILENR}"
The next file number for a manifest number. This is used to set the
client manifest number it uses to know what version it is on. By
default TIF_MANIFEST_DIR is scanned for files named
TUF_MANIFEST_USER_FILENAME.<num>, this variable will be set to the
next sequence it finds. So if manifest.1 and manifest.2 are there,
this variable will be "3". If there is no manifest file, it will
be set to "1". Manifest files must be in sequence!
TUF_MANIFEST_CLIENT_REPO
This is the client repository directory that you create when creating
your TUF repo. It is installed on the client.
TUF_MANIFEST_CONF
The tuf-manifest configuration file to install on the client. This
sets the URL where updates will come from, the handler for updates,
etc.
FIXME - add info about setting PRs properly, using the PR server.
The basic procedure is:
1) Get your image working like you want. The builds themselves are
not tied to the framework directly, you have to add them by hand.
So you can build, test, rebuild, etc. until you get what you want,
then add them.
2) Create a TUF repo. You can do this with the repo.py tool from
TUF. You can also use the tufm-repo tool that is part of
tuf-manifest, since it is a wrapper around the repo tool. This is
an important step to get right, as it will affect the security of
your system. For best security, you should:
a) Create the repo on an air-gapped machine, and set the number
of root keys (generally a minimum of 3).
b) Create separate root signing keys on other machines (generally
at least two other machine) and sign the repo with those keys.
Make sure not to transfer the root keys off the machine they
were created on.
c) Transfer the repo to the build machine (preferably also air-gapped)
without the root keys, of course, just the target, snapshot,
and timestamp keys. This is where you will install the files
with tufm-repo.
With this setup, you can survive the loss/compromise of any single
key.
3) Add:
INHERIT =+ "tuf-manifest"
IMAGE_INSTALL_append = " python3-tuf-manifest-client"
TUF_MANIFEST_CLIENT_REPO = "/path/to/tuf/tufclient"
TUF_MANIFEST_CONF = "/path/to/tuf-manifest.conf"
EXTRA_IMAGE_FEATURES += "package-management"
to your local.conf and rebuild. You need RPM package management
on, too. This will create the manifest file and put
tuf-manifest-client onto the target. The two variables shown are
required, you may need to set other variables as described above.
Note that you cannot do the above until you have the repo in place
on the build system. The repo and conf files must be in place.
You could do step 2 first, then step 1 and 3 together.
The full format of tuf-manifest.conf is describe in the tuf_manifest
documentation at
https://github.com/MontaVista-OpenSourceTechnology/tuf_manifest
In general, you should only need the following set:
[Manifest]
url=<user must set this>
filebase=manifest
handler=<user must set this>
The filebase is optional, but if you use a different manifest name
in the steps below, it must be set in filebase.
The python-tufm-manifest-client package includes:
/usr/lib/tuf-manifest/scripts/tuf-rpm-updater
that is a simple script that will update RPM packages, you can
use that for the handler if you are doing straight RPM.
4) Build the host version of the tuf-manifest tools:
bitbake python3-tuf-native python3-tuf-manifest-native
bitbake build-sysroots
source <the proper env script in the project bin directory>
export PYTHONPATH=${BUILDROOT}/tmp/sysroots/x86_64/usr/lib/python2.7/site-packages
This will get the tufm-repo command into your path. Hopefully
the PYTHONPATH thing will go away, but it's necessary for now.
5) Copy the tmp/deploy/images/<target>/<imagename>.tuf-manifest to
<TUF_MANIFEST_DIR>/manifest.1. This will be the first version of
the image. The filename "manifest.<n>" is the default, you can use
a different base name if you like, you just need to set it properly
in the tuf-manifest.conf file on the target.
6) Run:
tufm-repo --load-manifest --manifest <TUF_MANIFEST_DIR>/manifest.1
--manifest-dir tmp/deploy/rpm/*
To process the manifest and load all the files into the repository.
7) Copy the repository to your web server.
8) Deploy your target system and have it run tufm-client
periodically. this will look for updates and install them
automatically. You should log output and errors from tufm-client.
The tufm-repo command has a subcommand that allows updating the
timestamp and snapshot timeouts periodically, which is useful for
the web server.
To deploy the next update:
1) Make the necessary changes, build, test, etc. as you normally
would.
2) Copy the tmp/deploy/images/<target>/<imagename>.tuf-manifest to
TUF_MANIFEST_DIR/manifest.2. This will be the second version of
the image.
Then follow steps 4-7 above. Your clients will automatically pick up
the changes and install them.
III. Key update
===============
If a key is compromised or it going to expire, or you need to issue a
new root metadata file because it is going to expire...
*Write this*
IV. ostree and ostree-rpm
=========================
describe how to use ostree and ostree-rpm