From 3f70b2d2f4a3a2fb50be4b8c395d9d09b0853f1a Mon Sep 17 00:00:00 2001
From: Patrick Vacek <patrickvacek@gmail.com>
Date: Thu, 17 Oct 2019 17:01:18 +0200
Subject: aktualizr-device-prov-creds: remove it.

Originally I was just trying to remove the reference to DEPLOY_DIR_IMAGE
because it depends on MACHINE, but then I realized that this recipe is
just plain not worth keeping. It isn't viable for anything except the
most limited testing, since it bakes device-specific credentials into an
image, but we weren't even using it for testing.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
---
 .../aktualizr/aktualizr-device-prov-creds.bb       | 67 ----------------------
 .../aktualizr/aktualizr-device-prov-hsm.bb         |  1 -
 recipes-sota/aktualizr/aktualizr-device-prov.bb    |  1 -
 3 files changed, 69 deletions(-)
 delete mode 100644 recipes-sota/aktualizr/aktualizr-device-prov-creds.bb

(limited to 'recipes-sota/aktualizr')

diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
deleted file mode 100644
index a3c7d66..0000000
--- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
+++ /dev/null
@@ -1,67 +0,0 @@
-SUMMARY = "Credentials for device provisioning with fleet CA certificate"
-HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
-SECTION = "base"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-
-inherit allarch
-
-# WARNING: This is NOT an ideal solution. The secure way to provision devices
-# is to create certificate request directly on the device (either with HSM/TPM
-# or with software) and then sign it with a CA stored on a disconnected machine.
-
-# We need to get the config files from the aktualizr-host-tools package built by
-# the aktualizr (target) recipe.
-DEPENDS = "aktualizr aktualizr-native openssl-native"
-ALLOW_EMPTY_${PN} = "1"
-
-# If the config file from aktualizr used here is changed, you will need to bump
-# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
-PV = "1.0"
-PR = "1"
-
-SRC_URI = " \
-            file://ca.cnf \
-            "
-
-require credentials.inc
-
-export SOTA_CACERT_PATH
-export SOTA_CAKEY_PATH
-
-do_install() {
-    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
-        if [ -z ${SOTA_CACERT_PATH} ]; then
-            SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
-            SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
-            mkdir -p ${DEPLOY_DIR_IMAGE}/CA
-            bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
-
-            if [ ! -f ${SOTA_CACERT_PATH} ]; then
-                bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
-                SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
-                openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
-                openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
-                bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
-            fi
-        fi
-
-        if [ -z ${SOTA_CAKEY_PATH} ]; then
-            bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
-        fi
-
-        install -m 0700 -d ${D}${localstatedir}/sota
-        aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
-                                --fleet-ca ${SOTA_CACERT_PATH} \
-                                --fleet-ca-key ${SOTA_CAKEY_PATH} \
-                                --root-ca \
-                                --server-url \
-                                --local ${D} \
-                                --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
-    fi
-}
-
-FILES_${PN} = " \
-                ${localstatedir}/sota/*"
-
-# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
index 8d4bc9c..4eadb77 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -10,7 +10,6 @@ inherit allarch
 # We need to get the config files from the aktualizr-host-tools package built by
 # the aktualizr (target) recipe.
 DEPENDS = "aktualizr"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 
 # If the config file from aktualizr used here is changed, you will need to bump
 # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb
index e8c75bb..55f398d 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -10,7 +10,6 @@ inherit allarch
 # We need to get the config files from the aktualizr-host-tools package built by
 # the aktualizr (target) recipe.
 DEPENDS = "aktualizr"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 
 # If the config file from aktualizr used here is changed, you will need to bump
 # the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
-- 
cgit v1.2.3-54-g00ecf