[meta-swupdate] (scarthgap) encrypted artifacts


Chris

May 20, 2025, 12:46:10 PM
to swupdate
Hello,
I am using the scarthgap branch of meta-swupdate. I have successfully implemented swu for a signed image. I am now trying to add encryption, and I am getting a little confused by either documentation or my understanding about how it should work. I am not seeing an ext4.gz.enc show up in my deploy dir.

This is my swu recipe:

********************************************************************
LICENSE = "CLOSED"

inherit swupdate

SRC_URI = "\
    file://emmcsetup.lua \
    file://sw-description \
"

inherit swupdate-enc
IMAGES_FSTYPES += ".ext4.gz.enc enc"

# images to build before building swupdate image
IMAGE_DEPENDS = "cjc-image"

# images that will be included in the .swu image
SWUPDATE_IMAGES = "cjc-image"

SWUPDATE_IMAGES_FSTYPES[cjc-image] = ".rootfs.ext4.gz"

SWUPDATE_SIGNING = "RSA"
SWUPDATE_PRIVATE_KEY =   "${SECRETS_DIR}/swupdate-sig-priv.pem"
SWUPDATE_PASSWORD_FILE = "${SECRETS_DIR}/swupdate-sig-passwd"

SWUPDATE_IMAGES_ENCRYPTED[cjc-image.rootfs.ext4.gz] = "1"
SWUPDATE_AES_FILE = "${SECRETS_DIR}/swupdate-enc-build-aes-file"

********************************************************************

My deploy dir has the following files (nitrogen93 is the machine), but I don't see an .enc being built.
cjc-image-nitrogen93.rootfs.ext4.gz
cjc-image-swu-nitrogen93.rootfs.swu 

Can I get some assistance?
Thanks
Chris

Chris

May 20, 2025, 2:52:19 PM
to Lisandro Pérez Meyer, swupdate
Hi Lisandro,

Thanks for the reply.  Can you clarify what I am doing that is the “old methodology”?  Should I not be using the scarthgap branch of meta-swupdate?  I think my recipe follows the docs you sent, so I’m not sure what part you are talking about.

Thanks,
Chris


On May 20, 2025, at 12:56 PM, Lisandro Pérez Meyer <lpm...@ics.com> wrote:

Hi!

Lisandro Pérez Meyer

May 20, 2025, 3:13:01 PM
to Chris, swupdate
Hi,

On Tue, May 20, 2025 at 3:52 PM Chris <cjc...@gmail.com> wrote:
Hi Lisandro,

Thanks for the reply.  Can you clarify what I am doing that is the “old methodology”?  Should I not be using the scarthgap branch of meta-swupdate?  I think my recipe follows the docs you sent, so I’m not sure what part you are talking about.

My understanding is that, on previous versions, the .enc file was an encrypted file created before calling the SWUpdate recipe. In other words: an FS_TYPE on which the image got encrypted. This was performed by https://github.com/sbabic/meta-swupdate/blob/master/classes-recipe/swupdate-enc.bbclass If you want, take a look at this mailing list's archive; I have been asking the same questions like a month ago.

Now you do not need to create a .enc image, swupdate just encrypts the contents itself.

Chris

May 20, 2025, 3:33:08 PM
to Lisandro Pérez Meyer, swupdate
Hi Lisandra,

Yes, I did see your previous questions. Unfortunately, I was still confused at the conclusion of that so that’s why I posted. So it sounds like I don’t have to include FS_TYPE+=“enc” anymore? That’s fine, but even if I take that out, I am not seeing the rootfs tar.gz in my .swu being encrypted. I also don’t see “ivt = ….” added to the sw-description (I was assuming meta-swupdate added this).

Chris



On May 20, 2025, at 2:15 PM, 'Lisandro Pérez Meyer' via swupdate <swup...@googlegroups.com> wrote:



On Tuesday, May 20, 2025 at 4:13:01 PM UTC-3 Lisandro Pérez Meyer wrote:
Hi,


--
You received this message because you are subscribed to the Google Groups "swupdate" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swupdate+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/swupdate/a59bb896-0fde-43ac-9b24-bdc5dfa87f2fn%40googlegroups.com.

Lisandro Pérez Meyer

May 20, 2025, 4:08:29 PM
to swupdate
Hi,

On Tuesday, May 20, 2025 at 4:33:08 PM UTC-3 Chris wrote:
Hi Lisandra,

Lisandro ;-)
 

Yes, I did see your previous questions. Unfortunately, I was still confused at the conclusion of that so that’s why I posted. So it sounds like I don’t have to include FS_TYPE+=“enc” anymore? That’s fine, but even if I take that out, I am not seeing the rootfs tar.gz in my .swu being encrypted. I also don’t see “ivt = ….” added to the sw-description (I was assuming meta-swupdate added this).


Exactly, you do not have to include `FS_TYPE+="enc"` anymore. If you want, post the recipe you are using to create the swu and I'll take a look. I did get to the point where my rootfs.tar.gz was actually encrypted. I tested this by getting the contents out of the cpio and running file on it.
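
The check described in the message above (unpack the .swu cpio and look at what the payload is), as an added example that is not part of the original thread or of meta-swupdate. It assumes SWUpdate's AES-CBC encryption, so ciphertext is a whole number of 16-byte blocks; the function names, result labels and in-memory sample archives are constructed for illustration.

```python
import gzip
import hashlib

GZIP_MAGIC = b"\x1f\x8b"
AES_BLOCK = 16  # assumption: AES-CBC output is a whole number of 16-byte blocks
ROOTFS = "cjc-image-nitrogen93.rootfs.ext4.gz"  # artifact name from the thread

def cpio_members(blob):
    """Yield (name, data) for each file in a cpio newc/crc archive (the .swu container)."""
    pos = 0
    while pos + 110 <= len(blob):
        hdr = blob[pos:pos + 110]
        if hdr[:6] not in (b"070701", b"070702"):
            raise ValueError(f"bad cpio magic at offset {pos}")
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        data_at = (pos + 110 + namesize + 3) & ~3  # header+name padded to 4 bytes
        if name == "TRAILER!!!":
            return
        yield name, blob[data_at:data_at + filesize]
        pos = (data_at + filesize + 3) & ~3        # data padded to 4 bytes too

def classify(data):
    """Heuristic in the spirit of file(1): gzip magic means the payload is NOT encrypted."""
    if data[:2] == GZIP_MAGIC:
        return "plaintext-gzip"
    if all(b in b"\t\r\n" or 32 <= b < 127 for b in data[:512]):
        return "text"
    if len(data) % AES_BLOCK == 0:
        return "possibly-encrypted"
    return "unknown"

def audit_swu(blob):
    return {name: classify(data) for name, data in cpio_members(blob)}

def make_cpio(entries):
    """Build a small newc archive in memory (constructed sample, not a real .swu)."""
    out = bytearray()
    for name, data in list(entries) + [("TRAILER!!!", b"")]:
        raw = name.encode() + b"\0"
        fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
        out += b"070701" + b"".join(b"%08X" % f for f in fields) + raw
        out += b"\0" * (-len(out) % 4) + data
        out += b"\0" * (-len(out) % 4)
    return bytes(out)

# Constructed stand-ins: hash output posing as ciphertext, and a real gzip stream.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
GOOD = make_cpio([("sw-description", b"software = {};\n"), (ROOTFS, FAKE_CIPHERTEXT)])
BAD = make_cpio([("sw-description", b"software = {};\n"), (ROOTFS, gzip.compress(b"rootfs"))])

if __name__ == "__main__":
    print(audit_swu(GOOD), audit_swu(BAD))
```

On a real build, read the .swu from the deploy dir and pass its bytes to `audit_swu`; a `plaintext-gzip` result for the rootfs means the encryption setting did not take effect.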

Chris

May 20, 2025, 6:12:19 PM
to Lisandro Pérez Meyer, swupdate
OK I got it working.   I will post my recipe as a future reference.  I think I had it correct after some time, but finally doing a "-c cleansstate" got it to take effect.

Also, I think my expectation that meta-swupdate had a way to populate ivt in sw-description (unique for each build) was wrong - this doesn't exist as far as I can tell.  

I think the documentation around the SWUPDATE_AES_FILE still mentions IMAGE_FSTYPES += "enc", which is pretty confusing. 

@Lisandro Pérez Meyer  I appreciate your responses.  Thanks.

********************************************
LICENSE = "CLOSED"

# these files get included in .swu

SRC_URI = "\
    file://emmcsetup.lua \
    file://sw-description \
"

# images to build before building swupdate image
IMAGE_DEPENDS = "cjc-image"

# images and files that will be included in the .swu image

SWUPDATE_IMAGES = "cjc-image"

SWUPDATE_IMAGES_FSTYPES[cjc-image] = ".rootfs.ext4.gz"

SWUPDATE_SIGNING = "RSA"
SWUPDATE_PRIVATE_KEY =   "${SECRETS_DIR}/swupdate-sig-priv.pem"
SWUPDATE_PASSWORD_FILE = "${SECRETS_DIR}/swupdate-sig-passwd"

SWUPDATE_IMAGES_ENCRYPTED[cjc-image] = "1"

SWUPDATE_AES_FILE = "${SECRETS_DIR}/swupdate-enc-build-aes-file"

inherit swupdate
 
********************************************
