If an SRM-enabled operating system is installed on your IoT gateway, each RPM package must be signed before installation, even if IMA security is not used. This guide shows how to sign and install RPM packages on gateway operating systems with SRM turned on and off.
The material applies to Intel IoT gateways based on Intel Atom, Intel Core and Intel Quark processors. It covers working with RPM packages, namely signing, installing and uninstalling them, as well as building the OS for gateways and working with keys.
The reader is expected to have the following knowledge and skills:
- Executing Linux commands.
- Creating, editing and executing scripts.
- Installing and configuring software for Linux.
- Using a terminal emulator, such as PuTTY, over a serial connection between computers.
Here, the term "gateway" means "Intel Gateway for the Internet of Things" ("Intel IoT Gateway"). A "computer" is a Linux system (preferably with Ubuntu 14.0.4 Base) that is used to develop applications for gateways.
Special formatting highlights commands, API names, parameters, names of regular and executable files, and paths in the file system. Boldface is used to highlight references to user interface elements, on-screen buttons, and key names on the keyboard.
Blocks of text that show the system's response to running a script or a command entered from the keyboard are highlighted as well.
In order to try out in practice what is discussed here, you must have a gateway prepared for work. The computer must have a Wind River development environment.
SRM in the gateway operating system
Consider how to build and install an operating system with the security function (SRM) on the gateway. When security is enabled, RPM packages must be signed before they are installed on the gateway. To begin, modify the gateway's operating system configuration script.
- When the development environment was installed on the computer, the config.sh script was created in the $HOME/Project folder. Edit this script as follows:
Include this:
--with-layer=wr-ima-appraise
--without-layer=wr-mcafee
Find and delete the following:
wr-ima-appraise from the expression --without-layer=
wr-mcafee from the expression --with-layer=
- Save and close the config.sh file.
- Run config.sh
Now we will build the gateway operating system. To do this, run the following command in the $HOME/Project folder:
make fs
Please note that it may take several hours to complete the command that builds the operating system image for installation on the gateway. It all depends on the power of the computer that is used for development.
Transferring the OS image to a flash drive
Copy the built image to a bootable flash disk. Its capacity should be at least 4 GB. Keep in mind that writing the OS image deletes all data on the disk.
- Display a list of computer drives:
ls /dev/sd?
- Connect the USB drive to the computer.
- Execute the command from step 1 again and compare its results with those obtained before connecting the disk. It is necessary to determine how the new flash disk is displayed on the system:
ls /dev/sd?
Here is what the above sequence of actions looks like.
[Figure: displaying a list of storage devices connected to a computer]
In the next step, you will need to know the name of the USB disk in the system. In our case, this is /dev/sdb.
- Navigate to the $HOME/Project folder:
cd $HOME/Project
- Deploy the gateway OS image to the USB disk. The built operating system file has a name that corresponds to the processor type of the gateway. Use the command for the gateway on which you intend to install the OS, replacing ??? with the name of the flash drive determined above. Writing the image takes about 15 minutes.
Command for gateways with an Intel Atom processor:
sudo ./deploy.sh -u -f export/intel-baytrail-64-idp-idp-dist.tar.bz2 -d /dev/??? -y; sync
Command for gateways with an Intel Core processor:
sudo ./deploy.sh -u -f export/intel-haswell-64-idp-idp-dist.tar.bz2 -d /dev/??? -y; sync
Command for gateways with an Intel Quark processor:
sudo ./deploy.sh -u -f export/intel-quark-idp-idp-dist.tar.bz2 -d /dev/??? -y -u -b cross-hill; sync
- If necessary, enter the password and click OK. The message DONE! indicates that a bootable USB disk has been created.
- Disconnect the drive from the computer and reconnect it. After mounting, it will appear as two partitions, one of which is available at
/media/<username>/wr_usb_boot
- Copy the gateway operating system image file to the flash disk using the appropriate command. Replace <username> with the user name under which you work in Linux.
Command for gateways with an Intel Atom processor:
sudo cp export/intel-baytrail-64-idp-idp-dist.tar.bz2 /media/<username>/wr_usb_boot/opt/; sync
Command for gateways with an Intel Core processor:
sudo cp export/intel-haswell-64-idp-idp-dist.tar.bz2 /media/<username>/wr_usb_boot/opt/; sync
Command for gateways with an Intel Quark processor:
sudo cp export/intel-quark-idp-idp-dist.tar.bz2 /media/<username>/wr_usb_boot/opt/; sync
- Unplug the flash drive from the computer.
Install the OS on the gateway
Now install the operating system on the gateway. Note that before booting the gateway from a flash disk, you need to make the appropriate changes in the BIOS.
The “Appendix: Setup BIOS Boot from USB” section has details about this. When the gateway is ready to boot from external media, follow these steps:
- Turn off power to the gateway, connect the USB disk to it, and turn on the power. Log in with the user name root and the same password.
- Install the operating system on the gateway using the appropriate command:
The command for gateways with an Intel Atom and Intel Core processor:
tgt=/dev/sda /sbin/reset_media
Command for gateways with an Intel Quark processor:
/sbin/reset_media
Answer yes to the question "Restore the boot media to its factory defaults". Installation may take about 20 minutes.
If you encounter the error message ERROR: Unmount /dev/sda1 failed!, the gateway could not boot from the flash disk. Check the boot order and UEFI parameters to make sure the external drive is the first boot device.
- The message DONE! means that the OS installation is complete. Turn off the gateway with this command:
poweroff
- Disconnect the USB drive from the gateway and power on the device.
If at this stage you encounter an error message such as Reboot and select proper boot device, check the BIOS settings of the gateway. The built-in drive must be first in the boot order.
- Log in using root as the username and password.
Building an unprotected RPM package
Create a project that includes an unprotected RPM package. Let's call it hello. Since security (SRM) is disabled in this package, you can use it to experiment with signatures.
The following steps need to be performed on the computer.
- Create a project directory:
mkdir -p $HOME/project_nosrm
cd $HOME/project_nosrm
- Select the command that corresponds to the gateway you are using, copy it to the Linux command line and execute it. This sets up the development environment to build the training package without SRM.
Command for gateways with an Intel Atom processor:
$HOME/WindRiver/wrlinux-7/wrlinux/configure --enable-addons=wr-idp --enable-board=intel-baytrail-64 --enable-kernel=idp --enable-rootfs=idp --with-layer=wr-iot,wr-wks-oneagent-oma-dm-ia --with-template=feature/recovery,feature/openjdkbin,feature/realtek --without-layer=wr-srm
Command for gateways with an Intel Core processor:
$HOME/WindRiver/wrlinux-7/wrlinux/configure --enable-addons=wr-idp --enable-board=intel-haswell-64 --enable-kernel=idp --enable-rootfs=idp --with-layer=wr-iot,wr-wks-oneagent-oma-dm-ia --with-template=feature/recovery,feature/openjdkbin,feature/realtek --without-layer=wr-srm
Command for gateways with an Intel Quark processor:
$HOME/WindRiver/wrlinux-7/wrlinux/configure --enable-addons=wr-idp --enable-board=intel-quark --enable-kernel=idp --enable-rootfs=idp --with-layer=wr-iot,wr-wks-oneagent-oma-dm-ia --with-template=feature/recovery,feature/openjdkbin,feature/realtek --without-layer=wr-srm
- Build the hello package:
make -C build hello
The package will be compiled and saved.
- The exact name of the folder and package file differs depending on the gateway for which the package was prepared. You can find out the name and location of the package like this:
cd $HOME/project_nosrm/bitbake_build/
find . -name 'hello*.rpm'
Write down what you found out. We will need this information in the next section. There we will copy the hello package into three folders and figure out how to sign packages correctly.
Package copies and correct key
Create three folders into which the hello package will be copied. Put the keys needed to sign the package in one of them. For educational purposes, we will consider not only the correct way of signing and installing packages, but also the wrong one.
The following steps need to be performed on the computer.
- Create directories for experimenting with a signed, an unsigned, and an incorrectly signed package. They are named goodkeys, notsigned and badkeys respectively, and are located in the rpmtest folder.
cd $HOME/project_nosrm/
mkdir rpmtest
mkdir rpmtest/notsigned
mkdir rpmtest/badkeys
mkdir rpmtest/goodkeys
- Copy the unsigned hello package into each of the folders. When entering the commands, replace [RPM directory] and [hello file] with the folder and package file names from your project:
cp $HOME/project_nosrm/bitbake_build/tmp/deploy/[RPM directory]/[hello file].rpm rpmtest/notsigned
cp $HOME/project_nosrm/bitbake_build/tmp/deploy/[RPM directory]/[hello file].rpm rpmtest/badkeys
cp $HOME/project_nosrm/bitbake_build/tmp/deploy/[RPM directory]/[hello file].rpm rpmtest/goodkeys
- Among other things, the steps in the “SRM in the gateway operating system” section created the correct keys (certificates) for signing packages. Copy these keys to the goodkeys folder.
cp $HOME/Project/layers/wr-idp/wr-srm/files/keys/*.pem rpmtest/goodkeys
- Check whether the files with the keys were copied to the folder. There should be five files necessary for further work: the package RPM file, two keys (certificates) of the owner (owner keys) and two keys of the supplier (vendor keys). Run the following command:
ls -1 rpmtest/goodkeys
If everything was done correctly, it produces the following list of files:
[hello file].rpm
owner-cert.pem
owner-private.pem
vendor-cert.pem
vendor-private.pem
As a result, at this stage you should have the following:
- The notsigned and badkeys folders contain the hello package, but there are no files with keys in them.
- The goodkeys folder contains the hello package and the correct key files. The package has not been signed yet.
Create keys
In the “SRM in the gateway operating system” section, keys were created that are suitable for signing RPM packages. In the previous section, we copied these keys and the hello package to the $HOME/project_nosrm/rpmtest/goodkeys folder.
Now we will create our own set of keys and place it in the badkeys folder. Although these keys are perfectly valid, they are not suitable for signing the package, so we consider them "wrong." The purpose of creating these keys is to see what happens if you use the wrong keys to sign the package.
The following steps need to be performed on the computer.
- The tool for working with keys is located in the $HOME/Project project folder, which uses SRM. In the project folder where SRM does not apply, create a symbolic link to the key tool:
cd $HOME/project_nosrm/rpmtest
ln -s $HOME/Project/SST SST
- Create an owner key and place it in the $HOME/project_nosrm/rpmtest/badkeys folder. This is a fully working key, but it is not suitable for signing the RPM package.
./SST create-key --role=owner --name=badowner --output-dir=./badkeys/
- Create a supplier key and place it in the same folder:
./SST create-key --role=vendor --issuer=badowner --name=badvendor --output-dir=./badkeys/
- Check that the $HOME/project_nosrm/rpmtest/badkeys folder contains all the necessary files:
ls -1 ./badkeys
If done correctly, the command will display the following list:
badowner-cert.pem
badowner-private.pem
badvendor-cert.pem
badvendor-private.pem
[hello file].rpm
This is what we now have:
- Package hello and keys suitable for signing it in the goodkeys folder.
- Package hello and unsuitable keys in the badkeys folder.
- The hello package in the notsigned folder without any keys.
Our package is still not signed. We will sign it in the next section.
Sign the RPM package
Packages are signed with the supplier's private key, and when a package is installed on the gateway, the vendor-cert.pem key is installed along with it. It is used to verify the signature. Now, with the help of the SST sign-rpm command, we will sign the packages located in the folders with the unsuitable and the suitable keys.
- Navigate to the folder that contains the package and the unsuitable keys:
cd $HOME/project_nosrm/rpmtest/badkeys
- Sign the hello package in this folder with the wrong key, replacing [hello file] in the command below with the name of the package file:
../SST sign-rpm --mode=rpm --priv-key=badvendor-private.pem ./[hello file].rpm
- Go to the folder with the suitable keys:
cd $HOME/project_nosrm/rpmtest/goodkeys
- Use them to sign the package in the same folder:
../SST sign-rpm --mode=rpm --priv-key=vendor-private.pem ./[hello file].rpm
- The symbolic link to the key tool is no longer needed, so delete it.
cd $HOME/project_nosrm/rpmtest
rm SST
- Connect a USB drive to your computer.
- At this stage there are the following files and folders:
- Package hello, signed with a suitable key, in the goodkeys folder.
- Package hello, signed with the wrong key, in the badkeys folder.
- Unsigned hello package in the notsigned folder.
Put all three folders into a tarball and copy it to the USB drive. In this example, the USB disk is mounted as /media/rpmflash. Edit the commands below to reflect how the drive is displayed on your system.
cd $HOME/project_nosrm
tar czvf rpmtest.tar.gz rpmtest
cp rpmtest.tar.gz /media/rpmflash
- Unmount the USB drive, disconnect it from the computer, and plug it into the USB port of the gateway.
- Copy the rpmtest.tar.gz file to the gateway drive and unpack the archive in the same directory where you copied it. In this example, the USB disk is mounted as /media/sdb1; edit the command to match the state of your gateway:
cd /root
cp /media/sdb1/rpmtest.tar.gz /root
tar xzvf rpmtest.tar.gz
- Check the MD5 checksums of the packages:
cd rpmtest
find . -name 'hello*' -exec md5sum {} \;
The result will be similar to the output shown below, but the checksums will be different. Most importantly, make sure they are all different from one another.
2430f938a6f96a0eeff2459ccb7b4ee8 ./badkeys/[hello file].rpm
0f631d629b8a7aa4c8e86ee13bdb9cfb ./notsigned/[hello file].rpm
a83507c6f5b1eeec49b034a2aae44968 ./goodkeys/[hello file].rpm
Install packages
Consider installing packages on the gateway. Recall that for educational purposes we are trying to install the following packages:
- Unsigned package.
- Package signed by the wrong key.
- Package signed with the correct key.
These actions must be performed on the gateway.
- Try installing the unsigned package, replacing [hello file] with the name of your file:
cd /root/rpmtest/notsigned
rpm -ivh [hello file].rpm
This command displays an error message:
RPM [hello file].rpm is not signed with extend openssl signature
- Try to install the package that is signed with the wrong key. As in the first step, use the name of your .rpm file in the command:
cd /root/rpmtest/badkeys
rpm -ivh [hello file].rpm
The output is again an error message, but with different content:
MD5 Code: e91148db3dd3a5e0bdb76ea5a8fa8e34
Can not find the right certificate for RPM [hello file].rpm
- Now install the correctly signed package.
cd /root/rpmtest/goodkeys
rpm -ivh [hello file].rpm
In this case, the output reports a successful installation.
MD5 Code: e91148db3dd3a5e0bdb76ea5a8fa8e34
Find right certificate: vendor-cert.pem
Certificate vendor-cert.pem is verified successfully
RPM package [hello file].rpm is verified successfully
Preparing ... ########################################### [100%]
1: hello ########################################### [100%]
Import IMA signatures successfully
Update IMA signatures successfully
- Test the installed package:
hello
If the program was successfully completed, this is what it displays:
Hello world
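The three outcomes above (not signed, no matching certificate, verified) can be modeled with plain openssl. This is an added example, not part of the original guide and not how SST or the SRM-enabled rpm is implemented: the detached .sig files, the trusted directory and the function names are assumptions, and the keys and the hello.rpm stand-in are constructed throwaway data.

```shell
#!/bin/sh
# Added sketch: the gateway's three install outcomes, modeled with openssl.
# Detached signatures and the "trusted" directory are assumptions of this
# model; SST and the SRM-enabled rpm use their own signature format.

# make_key NAME DIR: throwaway self-signed certificate plus private key.
make_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/$1-private.pem" -out "$2/$1-cert.pem" 2>/dev/null
}

# sign_pkg KEY PKG: write a detached SHA-256 signature to PKG.sig.
sign_pkg() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# check_pkg PKG CERTDIR: print a verdict; succeed only if a trusted
# certificate in CERTDIR verifies the signature over PKG.
check_pkg() {
    pkg=$1; certdir=$2
    [ -f "$pkg.sig" ] || { echo "not-signed"; return 1; }
    for cert in "$certdir"/*-cert.pem; do
        [ -f "$cert" ] || continue
        pub=$(mktemp)
        openssl x509 -in "$cert" -pubkey -noout > "$pub" 2>/dev/null
        if openssl dgst -sha256 -verify "$pub" -signature "$pkg.sig" \
                "$pkg" >/dev/null 2>&1; then
            rm -f "$pub"
            echo "verified:$(basename "$cert")"
            return 0
        fi
        rm -f "$pub"
    done
    echo "no-matching-certificate"
    return 1
}

# run_demo: rebuild the notsigned / badkeys / goodkeys layout with a
# constructed stand-in file and report how each copy is judged.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/notsigned" "$work/badkeys" "$work/goodkeys" "$work/trusted"
    for d in notsigned badkeys goodkeys; do
        printf 'constructed stand-in for hello.rpm\n' > "$work/$d/hello.rpm"
    done
    make_key vendor "$work/goodkeys"
    make_key badvendor "$work/badkeys"
    # Only the real vendor certificate is installed on the model "gateway".
    cp "$work/goodkeys/vendor-cert.pem" "$work/trusted/"
    sign_pkg "$work/goodkeys/vendor-private.pem" "$work/goodkeys/hello.rpm"
    sign_pkg "$work/badkeys/badvendor-private.pem" "$work/badkeys/hello.rpm"
    for d in notsigned badkeys goodkeys; do
        echo "$d: $(check_pkg "$work/$d/hello.rpm" "$work/trusted")"
    done
    rm -rf "$work"
}

run_demo
```

The badkeys copy carries a perfectly valid signature; it is rejected only because no certificate trusted by the verifier corresponds to the key that made it.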
Uninstalling the packages
Above, we successfully installed a correctly signed package. Now remove it.
- Check whether the hello package is installed. In the previous section, we tested this by running the program, here we proceed differently:
rpm -qa | grep hello
This command will print the name of the package, indicating that it is installed.
- Remove the package:
rpm -e hello
- Check if the package is really removed:
rpm -qa | grep hello
hello
As expected, an error message appeared:
-sh: hello: command not found
Certificates: get information, remove and install
Consider the methods of working with certificates on the gateway.
- Run a command that lists the certificates:
imtools --listcert
It will report the certificate that was copied to the $HOME/project_nosrm/rpmtest/goodkeys folder in the “Package copies and correct key” section.
vendor-cert.pem
- Remove certificate:
imtools --removecert vendor-cert.pem
The output will be the following message:
Remove certificate vendor-cert.pem successfully
- List the certificates again to check whether the certificate has really been deleted:
imtools --listcert
Since the certificate is deleted, the command outputs nothing.
- Check whether the certificate can be installed from the $HOME/project_nosrm/rpmtest/goodkeys folder. If so, install it.
cd /root/rpmtest/goodkeys
imtools --verifycert vendor-cert.pem
This pair of commands will display messages about the successful verification and installation of the certificate:
Certificate vendor-cert.pem is verified successfully
Certificate vendor-cert.pem is installed successfully
Results
Here is what you learned from this material:
- How to enable SRM support on the gateway.
- How to create a project to prepare an RPM package with SRM disabled for testing purposes.
- How to create signed, unsigned and incorrectly signed packages in order to check how the gateway OS responds to the installation of such packages.
- How to install and uninstall packages on the gateway.
- How to view, add and delete certificates on the gateway.