From 1d94d298a0ef7292a07185641d856e6a09e81d2e Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Wed, 18 Jun 2025 13:26:42 +0200
Subject: [PATCH] certificates: add support for tar file based certificate storage

Fixes: WIFI-14694
Signed-off-by: John Crispin
---
 .../certificates/files/usr/bin/mount_certs | 43 +++++++++++++------
 .../certificates/files/usr/bin/store_certs | 25 +++++++++++
 .../cloud_discovery/files/usr/bin/est_client | 3 +-
 3 files changed, 57 insertions(+), 14 deletions(-)
 create mode 100755 feeds/tip/certificates/files/usr/bin/store_certs

diff --git a/feeds/tip/certificates/files/usr/bin/mount_certs b/feeds/tip/certificates/files/usr/bin/mount_certs
index 781445a07..ff11b035e 100755
--- a/feeds/tip/certificates/files/usr/bin/mount_certs
+++ b/feeds/tip/certificates/files/usr/bin/mount_certs
@@ -6,20 +6,17 @@ check_certificates() {
 check_certificates
+bootconfig_lookup() {
+ case "$(fw_printenv -n cert_part)" in
+ 0) echo "0:BOOTCONFIG"
+ ;;
+ 1) echo "0:BOOTCONFIG1"
+ ;;
+ esac
+}
+
 . /lib/functions.sh
 mkdir -p /certificates /etc/ucentral/
-mtd=$(find_mtd_index certificates)
-
-if [ "$(head -c 4 /dev/mtd$mtd)" == "hsqs" ]; then
- mount -t squashfs /dev/mtdblock$mtd /certificates
-else
- [ -n "$mtd" -a -f /sys/class/mtd/mtd$mtd/oobsize ] && ubiattach -p /dev/mtd$mtd
- if [ -n "$(ubinfo -a | grep certificates)" ]; then
- [ -e /dev/ubi0 ] && mount -t ubifs ubi0:certificates /certificates
- [ -e /dev/ubi1 ] && mount -t ubifs ubi1:certificates /certificates
- fi
-fi
-
 case "$(board_name)" in
 cig,wf660a)
 mmc_dev=$(echo $(find_mmc_part "0:ETHPHYFW") | sed 's/^.\{5\}//')
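Review bot: `bootconfig_lookup` in this hunk shares its name with the helper added in store_certs but has the opposite contract: here it maps the current `cert_part` to its partition label with no side effect, while the store_certs version returns the other slot and rewrites `cert_part`. A header comment such as `# print the partition label for the active cert_part slot; prints nothing when cert_part is unset or not 0/1`, or distinct names for the two helpers, would keep them from being confused. The hunk also moves the MTD/UBI mount out of the common path, so boards that match an explicit `case` arm no longer attempt it; the `case` statement continues outside this hunk, so whether any of those arms relied on that mount cannot be confirmed from here.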
@@ -31,8 +28,28 @@ cig,wf672)
 ;;
 sonicfi,rap7110c-341x)
 mmc_dev=$(echo $(find_mmc_part "certificates") | sed 's/^.\{5\}//')
- [ -n "$mmc_dev" ] && mount -t squashfs /dev/$mmc_dev /certificates
+ [ -n "$mmc_dev" ] && mount -t squashfs /dev/$mmc_dev /mnt
+ bootconfig=$(bootconfig_lookup)
+ if [ -n "$bootconfig" ]; then
+ mmc_dev=$(echo $(find_mmc_part "$bootconfig") | sed 's/^.\{5\}//')
+ [ -n "$mmc_dev" ] && tar xf /dev/$mmc_dev -C /certificates
+ else
+ cp /mnt/* /certificates/
+ umount /mnt
+ fi
 ;;
+*)
+ mtd=$(find_mtd_index certificates)
+
+ if [ "$(head -c 4 /dev/mtd$mtd)" == "hsqs" ]; then
+ mount -t squashfs /dev/mtdblock$mtd /certificates
+ else
+ [ -n "$mtd" -a -f /sys/class/mtd/mtd$mtd/oobsize ] && ubiattach -p /dev/mtd$mtd
+ if [ -n "$(ubinfo -a | grep certificates)" ]; then
+ [ -e /dev/ubi0 ] && mount -t ubifs ubi0:certificates /certificates
+ [ -e /dev/ubi1 ] && mount -t ubifs ubi1:certificates /certificates
+ fi
+ fi
 esac
 check_certificates
diff --git a/feeds/tip/certificates/files/usr/bin/store_certs b/feeds/tip/certificates/files/usr/bin/store_certs
new file mode 100755
index 000000000..fcc599a88
--- /dev/null
+++ b/feeds/tip/certificates/files/usr/bin/store_certs
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+bootconfig_lookup() {
+ bootconfig="$(fw_printenv -n cert_part)"
+ case "$(fw_printenv -n cert_part)" in
+ 0) echo "0:BOOTCONFIG1"
+ bootconfig=1
+ ;;
+ *) echo "0:BOOTCONFIG"
+ bootconfig=0
+ ;;
+ esac
+ fw_setenv cert_part $bootconfig
+}
+
+. /lib/functions.sh
+case "$(board_name)" in
+sonicfi,rap7110c-341x)
+ cd /certificates
+ tar cf /tmp/certs.tar
+ bootconfig=$(bootconfig_lookup)
+ mmc_dev=$(echo $(find_mmc_part $bootconfig) | sed 's/^.\{5\}//')
+ dd if=/tmp/certs.tar of=/dev/$bootconfig
+ ;;
+esac
diff --git a/feeds/tip/cloud_discovery/files/usr/bin/est_client b/feeds/tip/cloud_discovery/files/usr/bin/est_client
index 569c478db..18a7cf4b3 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
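Review bot: The tar branch of the `sonicfi,rap7110c-341x` arm has no failure path: when `find_mmc_part "$bootconfig"` returns nothing or `tar xf` stops on a truncated or stale archive, /certificates is left empty or half-populated, and the squashfs stays mounted on /mnt because `umount /mnt` sits only in the `else` arm. est_client runs `mount_certs` on every certificate store, so that mount is attempted again each time. The sketch below falls back to the factory files when the archive cannot be extracted and always unmounts; whether falling back is the wanted policy is a product decision, and if a partial extraction must not be mixed with factory files the directory would need clearing first. The archive is extracted as root with no integrity check in this hunk, so rejecting bad material rests on `check_certificates`, whose body is outside the hunk.

```shell
sonicfi,rap7110c-341x)
	# … unchanged: mmc_dev lookup for the "certificates" partition …
	mounted=
	[ -n "$mmc_dev" ] && mount -t squashfs "/dev/$mmc_dev" /mnt && mounted=1
	tar_dev=
	bootconfig=$(bootconfig_lookup)
	[ -n "$bootconfig" ] && tar_dev=$(echo $(find_mmc_part "$bootconfig") | sed 's/^.\{5\}//')
	# use the factory files when no archive slot is set or the archive does not extract
	if [ -z "$tar_dev" ] || ! tar xf "/dev/$tar_dev" -C /certificates; then
		[ -n "$mounted" ] && cp /mnt/* /certificates/
	fi
	[ -n "$mounted" ] && umount /mnt
	;;
```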
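Review bot: As written the `sonicfi,rap7110c-341x` arm of store_certs cannot persist anything: `tar cf /tmp/certs.tar` names no members, and `dd` writes to `/dev/$bootconfig` (the partition label, e.g. `/dev/0:BOOTCONFIG1`) while the `mmc_dev` computed on the line before is never used. `bootconfig_lookup` also calls `fw_setenv` before the write has happened, so a failed or interrupted `dd` leaves `cert_part` pointing at a slot without a valid archive, which mount_certs then tries to extract on its next run. The sketch drops `fw_setenv` from the helper, checks each step, switches `cert_part` only after the write, and removes /tmp/certs.tar, which presumably holds the key material from /certificates and otherwise stays behind in /tmp.

```shell
bootconfig_lookup() {
	# print the label of the inactive slot; the caller switches cert_part after a good write
	case "$(fw_printenv -n cert_part)" in
	0) echo "0:BOOTCONFIG1" ;;
	*) echo "0:BOOTCONFIG" ;;
	esac
}

# … unchanged: . /lib/functions.sh, case "$(board_name)" in …
sonicfi,rap7110c-341x)
	bootconfig=$(bootconfig_lookup)
	mmc_dev=$(echo $(find_mmc_part "$bootconfig") | sed 's/^.\{5\}//')
	[ -n "$mmc_dev" ] || exit 1
	cd /certificates || exit 1
	tar cf /tmp/certs.tar . || { rm -f /tmp/certs.tar; exit 1; }
	dd if=/tmp/certs.tar of="/dev/$mmc_dev"
	rc=$?
	rm -f /tmp/certs.tar
	[ "$rc" -eq 0 ] || exit 1
	sync
	# switch slots only once the archive is on flash
	case "$bootconfig" in
	0:BOOTCONFIG1) fw_setenv cert_part 1 ;;
	*) fw_setenv cert_part 0 ;;
	esac
	;;
```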
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -42,7 +42,8 @@ function generate_csr(cert) {
 function store_operational_cert(path, target) {
 system('mount_certs');
 system(`cp ${path} /certificates/${target}`);
-
+ system('store_certs');
+
 ulog(LOG_INFO, `Persistently stored ${target}\n`);
 }
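Review bot: The exit status of `system('store_certs')` is discarded, so the "Persistently stored" message is logged even when the archive could not be written to flash. Guarding the call with `if (system('store_certs') != 0)`, logging at `LOG_ERR` and returning early keeps the log truthful and lets an operator see that the operational certificate exists only in the running system. A short comment above the call, e.g. `// write /certificates back to the flash slot chosen by store_certs`, would also explain why a second helper follows the `cp`.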