[Buildroot] [PATCH 1/1] package/swupdate: add option to enable USB install

James Hilliard james.hilliard1 at gmail.com
Sat Sep 11 16:45:44 UTC 2021


On Sat, Sep 11, 2021 at 10:37 AM Yann E. MORIN <yann.morin.1998 at free.fr> wrote:
>
> James, All,
>
> On 2021-09-11 09:10 -0600, James Hilliard spake thusly:
> > Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
> > ---
> >  package/swupdate/Config.in          | 7 +++++++
> >  package/swupdate/swupdate-usb.rules | 2 ++
> >  package/swupdate/swupdate.mk        | 3 +++
> >  3 files changed, 12 insertions(+)
> >  create mode 100644 package/swupdate/swupdate-usb.rules
> >
> > diff --git a/package/swupdate/Config.in b/package/swupdate/Config.in
> > index 6b832cfcbf..54a99b73d5 100644
> > --- a/package/swupdate/Config.in
> > +++ b/package/swupdate/Config.in
> > @@ -60,6 +60,13 @@ config BR2_PACKAGE_SWUPDATE_CONFIG
> >         I you wish to use your own modified swupdate configuration
> >         file specify the config file location with this option.
> >
> > +config BR2_PACKAGE_SWUPDATE_USB
> > +     bool "swupdate usb"
> > +     default y
>
> Options should not default to 'y', unless there is a good reason for
> that, in which case it should be duly explained in the commit log.

Hmm, I have this defaulting to yes for consistency with meta-swupdate.

>
> > +     depends on BR2_PACKAGE_SYSTEMD
> > +     help
> > +       Enable update from USB disk.
> > +
> >  config BR2_PACKAGE_SWUPDATE_WEBSERVER
> >       bool "swupdate webserver"
> >       default y
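
Review bot: the help text of BR2_PACKAGE_SWUPDATE_USB, "Enable update from USB disk.", does not say what the option installs or implies, namely a udev rule that starts swupdate-usb@<device>.service automatically whenever a USB block device carrying a filesystem is added. Together with "default y" and a commit message that has no body, a user gets this behaviour on every systemd configuration without any explanation. Suggest expanding the help text to state that the update is triggered on insertion and that image signature verification should be enabled when this option is used, and justifying the default in the commit log.
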
> > diff --git a/package/swupdate/swupdate-usb.rules b/package/swupdate/swupdate-usb.rules
> > new file mode 100644
> > index 0000000000..b4efd0b733
> > --- /dev/null
> > +++ b/package/swupdate/swupdate-usb.rules
> > @@ -0,0 +1,2 @@
> > +ACTION=="add", KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{ID_FS_USAGE}=="filesystem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="swupdate-usb@%k.service"
> > +
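
Review bot: the match in this rule is broad: any "add" event for an sd* block device with ID_BUS "usb" and ID_FS_USAGE "filesystem" pulls in swupdate-usb@%k.service, so every USB stick or partition with a filesystem starts the update service, not only media prepared for updates. Consider narrowing the match, for instance on a filesystem label with ENV{ID_FS_LABEL}, or state in the commit message that acceptance of an image is decided entirely by the service and by swupdate's own verification.
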
>
> Spurious trailing empty line.

Ah, that must have been in meta-swupdate as well.

>
> Also, I concur with Arnout: this is a bit dangerous, and users must be
> made aware, in one form or another, that they should really set up a PKI
> to sign their swu, or anyone with physical access to the device will be
> able to update to arbitrary firmwares.

I mean, that's not really specific to this, swupdate has multiple install
methods that all have optional signature validation. For example the
webserver is really no different than usb install when it comes to needing
validation to prevent arbitrary firmwares from being installed.

>
> Regards,
> Yann E. MORIN.
>
> > diff --git a/package/swupdate/swupdate.mk b/package/swupdate/swupdate.mk
> > index c49af7ebf7..c06106e2ee 100644
> > --- a/package/swupdate/swupdate.mk
> > +++ b/package/swupdate/swupdate.mk
> > @@ -252,6 +252,9 @@ define SWUPDATE_INSTALL_INIT_SYSTEMD
> >               $(TARGET_DIR)/usr/lib/systemd/system/swupdate.socket
> >       $(INSTALL) -D -m 644 package/swupdate/swupdate-usb at .service \
> >               $(TARGET_DIR)/usr/lib/systemd/system/swupdate-usb at .service
> > +     $(if $(BR2_PACKAGE_SWUPDATE_USB), \
> > +             $(INSTALL) -D -m 644 package/swupdate/swupdate-usb.rules \
>
> I know this is not enforced everywhere, and that the CWD at runtime is
> always the top-level of the buildroot tree, but I'd really like that we
> refer to the package directory using the appropriate variable, rather
> than hard-coding it, like $(SWUPDATE_PKGDIR):
>
>     $(INSTALL) -D -m 644 $(SWUPDATE_PKGDIR)/swupdate-usb.rules ...

Ah, I had just copied the existing style used here, I'll send a patch
reworking that for swupdate.

>
> Regards,
> Yann E. MORIN.
>
> > +                     $(TARGET_DIR)/lib/udev/rules.d/swupdate-usb.rules)
> >       $(INSTALL) -D -m 644 package/swupdate/swupdate-progress.service \
> >               $(TARGET_DIR)/usr/lib/systemd/system/swupdate-progress.service
> >       $(INSTALL) -D -m 644 package/swupdate/tmpfiles-swupdate.conf \
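
Review bot: the destination in the added lines, $(TARGET_DIR)/lib/udev/rules.d/swupdate-usb.rules, sits under /lib while every systemd unit installed by this same define goes under $(TARGET_DIR)/usr/lib/systemd/system; installing to /usr/lib/udev/rules.d would keep the define consistent. Note also that only the rule is made conditional on BR2_PACKAGE_SWUPDATE_USB: the swupdate-usb template service in the context lines just above is still installed unconditionally, so either guard both or say in the commit message why the service stays.
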
> > --
> > 2.25.1
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot at lists.buildroot.org
> > https://lists.buildroot.org/mailman/listinfo/buildroot
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'

