automated: linux: device registration with HSM module

This patch allows to register device to FoundriesFactory using HSM. It's
enabled in ota-update and factory-reset tests. Main use case is to test
registration with SE050 devices from NXP.

Signed-off-by: Milosz Wasilewski <[email protected]>

automated/linux/factory-reset/prepare-reset.sh

@@ -11,11 +11,14 @@ TYPE="factory_reset"
 ADDITIONAL_TYPE=""
 LABEL=""
 SOTA_CONFDIR="/etc/sota/conf.d"
+HSM_MODULE=""
 
 usage() {
     echo "\
     Usage: $0 [-t <factory_reset|factory_reset_keep_sota|factory_reset_keep_sota_docker>]
               [-a <factory_reset|factory_reset_keep_sota|factory_reset_keep_sota_docker>]
+              [-l <target label>]
+              [-s <hsm module>]
 
     -t <factory_reset|factory_reset_keep_sota|factory_reset_keep_sota_docker>
         factory_reset: Full reset, removes contents of /etc/ and /var/
@@ -26,14 +29,19 @@ usage() {
     -l <target label>
         Adds a label/tag to the [pacman] section of the toml. This forces aktualizr-lite
         to use the tag and avoids possible unintentional OTA update.
+    -s <hsm module>
+        Enables factory registration with HSM module. This option assumes using
+        pkcs#11 database. Works with FoundriesFactory. Requires support in
+        FoundriesFactory auto registration script.
     "
 }
 
-while getopts "t:a:l:h" opts; do
+while getopts "t:a:l:s:h" opts; do
     case "$opts" in
         t) TYPE="${OPTARG}";;
         a) ADDITIONAL_TYPE="${OPTARG}";;
         l) LABEL="${OPTARG}";;
+        s) HSM_MODULE="${OPTARG}";;
         h|*) usage ; exit 1 ;;
     esac
 done
@@ -55,6 +63,11 @@ if [ -n "${LABEL}" ]; then
     echo "[pacman]" > "${SOTA_CONFDIR}"/z-99-aklite-tag.toml
     echo "tags = ${LABEL}" >> "${SOTA_CONFDIR}"/z-99-aklite-tag.toml
 fi
+if [ -n "${HSM_MODULE}" ]; then
+    echo "HSM_MODULE=\"${HSM_MODULE}\"" > /etc/sota/hsm
+    echo "HSM_PIN=87654321" >> /etc/sota/hsm
+    echo "HSM_SOPIN=12345678" >> /etc/sota/hsm
+fi
 # create signal files
 touch /var/sota/ota.signal
 touch /var/sota/ota.result
@@ -87,6 +100,16 @@ if [ -f /var/sota/sql.db ]; then
 else
     report_fail "${TYPE}-device-registration"
 fi
+if [ -n "${HSM_MODULE}" ]; then
+    if grep "${HSM_MODULE}" /var/sota/sota.toml; then
+        report_pass "${TYPE}-hsm-registration"
+    else
+        report_fail "${TYPE}-hsm-registration"
+    fi
+else
+    report_skip "${TYPE}-hsm-registration"
+fi
+
 touch "/var/.${TYPE}"
 if [ -n "${ADDITIONAL_TYPE}" ]; then
     touch "/var/.${ADDITIONAL_TYPE}"

automated/linux/factory-reset/prepare-reset.yaml

@@ -15,6 +15,9 @@ metadata:
 
       If higher priority type is present, lower priority
       type is ignored.
+
+      Device can be registered with specifig tag using LABEL variable.
+      Device can be registered with HSM using HSM_MODULE variable.
       "
 
     maintainer:
@@ -35,8 +38,9 @@ params:
         # TYPE and ADDITIONAL_TYPE
         ADDITIONAL_TYPE: ""
         LABEL: ""
+        HSM_MODULE: ""
 run:
     steps:
         - cd ./automated/linux/factory-reset
-        - ./prepare-reset.sh -t "${TYPE}" -a "${ADDITIONAL_TYPE}" -l "${LABEL}"
+        - ./prepare-reset.sh -t "${TYPE}" -a "${ADDITIONAL_TYPE}" -l "${LABEL}" -s "${HSM_MODULE}"
         - ../../utils/send-to-lava.sh ./output/result.txt

automated/linux/ota-update/download-update.sh

@@ -17,6 +17,7 @@ U_BOOT_VARIABLE_NAME="foobar"
 U_BOOT_VARIABLE_VALUE="baz"
 DEBUG="false"
 SOTA_CONFDIR="/etc/sota/conf.d"
+HSM_MODULE=""
 
 usage() {
 	echo "\
@@ -46,17 +47,19 @@ usage() {
     -w u-boot variable value. This is assigned to the variable set
         with -v flag. Default: baz
     -d <true|false> Enables more debug messages. Default: false
+    -S <hsm module> Register device with HSM module.
 	"
 }
 
-while getopts "t:u:s:o:V:w:d:h" opts; do
+while getopts "t:u:s:o:V:w:d:S:h" opts; do
 	case "$opts" in
         t) TYPE="${OPTARG}";;
         u) UBOOT_VAR_TOOL="${OPTARG}";;
         s) UBOOT_VAR_SET_TOOL="${OPTARG}";;
         o) PACMAN_TYPE="${OPTARG}";;
         w) U_BOOT_VARIABLE_VALUE="${OPTARG}";;
         V) U_BOOT_VARIABLE_NAME="${OPTARG}";;
+        S) HSM_MODULE="${OPTARG}";;
         d) DEBUG="${OPTARG}";;
         h|*) usage ; exit 1 ;;
 	esac
@@ -97,6 +100,11 @@ cp z-99-aklite-disable-reboot.toml "${SOTA_CONFDIR}"
 if [ "${PACMAN_TYPE}" = "ostree" ]; then
     cp z-99-ostree.toml "${SOTA_CONFDIR}"
 fi
+if [ -n "${HSM_MODULE}" ]; then
+    echo "HSM_MODULE=\"${HSM_MODULE}\"" > /etc/sota/hsm
+    echo "HSM_PIN=87654321" >> /etc/sota/hsm
+    echo "HSM_SOPIN=12345678" >> /etc/sota/hsm
+fi
 report_pass "${TYPE}-create-aklite-callback"
 # create signal files
 touch /var/sota/ota.signal
@@ -121,6 +129,16 @@ done
 # add some delay so aklite can setup variables
 sleep 5
 
+if [ -n "${HSM_MODULE}" ]; then
+    if grep "${HSM_MODULE}" /var/sota/sota.toml; then
+        report_pass "${TYPE}-hsm-registration"
+    else
+        report_fail "${TYPE}-hsm-registration"
+    fi
+else
+    report_skip "${TYPE}-hsm-registration"
+fi
+
 # u-boot variables change when aklite starts (at least on some devices)
 # check u-boot variables to ensure we're on freshly flashed device
 bootcount_before_download=$(uboot_variable_value bootcount)

automated/linux/ota-update/download-update.yaml

@@ -25,8 +25,9 @@ params:
         UBOOT_VARIABLE_NAME: "foobar"
         UBOOT_VARIABLE_VALUE: "baz"
         DEBUG: "false"
+        HSM_MODULE: ""
 run:
     steps:
         - cd ./automated/linux/ota-update
-        - ./download-update.sh -t "${TYPE}" -u "${UBOOT_VAR_TOOL}" -s "${UBOOT_VAR_SET_TOOL}" -o "${PACMAN_TYPE}" -V "${UBOOT_VARIABLE_NAME}" -w "${UBOOT_VARIABLE_VALUE}" -d "${DEBUG}"
+        - ./download-update.sh -t "${TYPE}" -u "${UBOOT_VAR_TOOL}" -s "${UBOOT_VAR_SET_TOOL}" -o "${PACMAN_TYPE}" -V "${UBOOT_VARIABLE_NAME}" -w "${UBOOT_VARIABLE_VALUE}" -d "${DEBUG}" -S "${HSM_MODULE}"
         - ../../utils/send-to-lava.sh ./output/result.txt