feat(iot2050-firmware-update): Add optional firmware signature verification

This commit introduces an optional but highly recommended digital signature
verification mechanism for firmware updates. Users can now enforce
cryptographic checks on firmware images within an update tarball to
ensure their integrity and authenticity before flashing.

Key changes include:
- New `--verify` argument: Enables signature verification during a
  regular update process. If specified, the tool will look for a `.sig`
  file corresponding to the firmware within the tarball.
- Integrated verification logic: The `FirmwareTarball` class now
  contains a method to perform PKCS1v15 SHA512 signature verification
  using the `cryptography` library. This check occurs prior to any
  flashing operations.
- Strict enforcement: When `--verify` is used, a missing signature
  file or a failed verification will result in an `UpgradeError`,
  aborting the update with a `BAD_SIGNATURE` or `INVALID_FIRMWARE`
  error code.

This enhancement significantly improves the security posture of the
firmware update process by preventing the installation of tampered or
unauthorized firmware.

Signed-off-by: Enes Colpan <enes.colpan@siemens.com>

Author: colpane

meta-example/recipes-app/iot2050-firmware-update/files/custMpk.crt

@@ -0,0 +1 @@
+../../../../meta/recipes-bsp/secure-boot-otp-provisioning/files/keys/custMpk.crt

meta-example/recipes-app/iot2050-firmware-update/files/iot2050-firmware-update.tmpl

@@ -19,6 +19,7 @@ The <firmware-update-package>.tar.xz should contain:
   - firmware.bin: The firmware to update, could be more than one.
   - update.conf.json: The update criteria.
   - u-boot-initial-env: Builtin environment
+  - firmware.bin.sig: (Optional)The signature file for the firmware.bin
 
 Example of update.conf.json:
 {
@@ -123,6 +124,11 @@ from progress.bar import Bar
 from threading import Thread, Event
 from types import SimpleNamespace as Namespace
 
+# Import cryptography modules for signature verification
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.exceptions import InvalidSignature
+
 class ErrorCode(Enum):
     """The ErrorCode class describes the return codes"""
     SUCCESS = 0
@@ -134,7 +140,9 @@ class ErrorCode(Enum):
     CANCELED = 6
     INVALID_FIRMWARE = 7
     FAILED = 8
-
+    MISSING_SIGNATURE = 9
+    MISSING_PUBLIC_KEY = 10
+    BAD_SIGNATURE = 11
 
 class UpgradeError(Exception):
     def __init__(self, ErrorInfo, code=ErrorCode.FAILED.value):
@@ -438,11 +446,12 @@ class FirmwareUpdate():
     firmware update.
     """
     def __init__(self, tarball, backup_path, interactor,
-                rollback=False, reset=False):
+                rollback=False, reset=False, verify_signature=False):
         self.back_fw_path = os.path.join("".join(backup_path), ".rollback_fw")
         self.rollback_fw_tar = os.path.join(self.back_fw_path,
                                             'rollback_backup_fw.tar')
         self.interactor = interactor
+        self.verify_signature = verify_signature
         try:
             if rollback:
                 if not os.path.exists(self.rollback_fw_tar) or \
@@ -451,7 +460,7 @@ class FirmwareUpdate():
                                        ErrorCode.ROLLBACK_FAILED.value)
 
                 tarball = open(self.rollback_fw_tar, "rb")
-                self.tarball = FirmwareTarball(tarball, interactor, None)
+                self.tarball = FirmwareTarball(tarball, interactor, None, False)
             else:
                 self.tarball = tarball
 
@@ -548,6 +557,19 @@ class FirmwareUpdate():
         print("===================================================")
 
         try:
+            # Perform signature verification before starting the actual flashing
+            if self.verify_signature:
+                print("Verifying firmware signatures...")
+                # The primary firmware (uboot) is the one to be signed
+                firmware_name_to_verify = self.tarball.get_file_name(self.tarball.FIRMWARE_TYPES[0])
+                if firmware_name_to_verify:
+                    self.tarball.verify_firmware_signature(firmware_name_to_verify)
+                    print(f"Signature for {firmware_name_to_verify} verified successfully.")
+                else:
+                    raise UpgradeError("Could not determine primary firmware name for signature verification.",
+                                       ErrorCode.INVALID_FIRMWARE.value)
+                print("Firmware signature verification complete. Proceeding with update.")
+
             for firmware_type in self.firmwares:
                 if firmware_type == self.tarball.FIRMWARE_TYPES[2]:
                     continue
@@ -567,7 +589,7 @@ class FirmwareUpdate():
                     raise UpgradeError("Firmware digest verification failed")
         except UpgradeError as e:
             self.interactor.progress_bar(start=False)
-            raise UpgradeError(e.err, ErrorCode.FLASHING_FAILED.value)
+            raise UpgradeError(e.err, e.code)
 
     def __get_md5_digest(self, content):
         """Verify the update integrity"""
@@ -582,6 +604,9 @@ class FirmwareTarball(object):
 
     CONF_JSON = 'update.conf.json'
     UBOOT_ENV_FILE = 'u-boot-initial-env'
+    FIRMWARE_SIG_EXT = '.sig'
+    PUBLIC_KEY_PATH = '/usr/share/iot2050/fwu/public.key'
+
     # "env" must be after "uboot" because uboot update will overwrite env
     # partition
     FIRMWARE_TYPES = [
@@ -590,10 +615,11 @@ class FirmwareTarball(object):
         "conf"
     ]
 
-    def __init__(self, firmware_tarball, interactor, env_list):
+    def __init__(self, firmware_tarball, interactor, env_list, verify_signature_flag=False):
         self.interactor = interactor
         self.firmware_tarball = firmware_tarball
         self.env_list = env_list
+        self.verify_signature_flag = verify_signature_flag
 
         # extract file path
         self.extract_path = "/tmp"
@@ -784,6 +810,53 @@ class FirmwareTarball(object):
 
         return uboot_env_assemble_file, open(uboot_env_assemble_file, 'rb')
 
+    def verify_firmware_signature(self, firmware_name):
+        """
+        Verifies the digital signature of a firmware file.
+        Expects a signature file with the same name as the firmware
+        but with a .sig extension in the tarball.
+        The public key is expected at PUBLIC_KEY_PATH.
+        """
+        firmware_path = self.get_file_path(firmware_name)
+        signature_path = firmware_path + self.FIRMWARE_SIG_EXT
+
+        if not os.path.exists(firmware_path):
+            raise UpgradeError(f"Firmware file not found: {firmware_path}",
+                               ErrorCode.INVALID_FIRMWARE.value)
+        if not os.path.exists(signature_path):
+            # If --verify is used, signature file is mandatory
+            if self.verify_signature_flag:
+                raise UpgradeError(f"Signature file not found {signature_path}. Signature verification is enabled, but the .sig file is missing.",
+                                   ErrorCode.MISSING_SIGNATURE.value)
+            else:
+                # This case should ideally not be reached if verify_signature_flag is false
+                # as this method would only be called if verify_signature_flag is true.
+                # However, as a safeguard:
+                print(f"Warning: Signature file not found for {firmware_name}. Skipping signature verification.")
+                return
+
+        if not os.path.exists(self.PUBLIC_KEY_PATH):
+            raise UpgradeError(f"Public key not found at {self.PUBLIC_KEY_PATH}. Cannot verify signature.",
+                               ErrorCode.MISSING_PUBLIC_KEY.value)
+
+        try:
+            with open(self.PUBLIC_KEY_PATH, "rb") as f:
+                pubkey = serialization.load_pem_public_key(f.read())
+
+            with open(firmware_path, "rb") as f:
+                message = f.read()
+
+            with open(signature_path, "rb") as f:
+                sig = f.read()
+
+            pubkey.verify(sig, message, padding.PKCS1v15(), hashes.SHA512())
+            print(f"Signature for {firmware_name} is GOOD.")
+        except InvalidSignature:
+            raise UpgradeError(f"BAD SIGNATURE for {firmware_name}. Firmware is malicious or corrupted. Aborting update.",
+                               ErrorCode.BAD_SIGNATURE.value)
+        except Exception as e:
+            raise UpgradeError(f"Error during signature verification for {firmware_name}: {e}",
+                               ErrorCode.FAILED.value)
 
 class BoardInfo(object):
     """The BoardInfo represents the updating IOT2050 board information"""
@@ -899,6 +972,8 @@ def main(argv):
              using tarball format firmware, reset environment
         5. %(prog)s -b
              rollback the firmware to the version before the upgrade
+        6. %(prog)s --verify file.tar.xz
+             perform a regular update, but enforce signature verification for the firmware
          ''')
     epilog=textwrap.dedent('''\
         Return Value:
@@ -913,6 +988,9 @@ def main(argv):
           | 6           | User canceled                            |
           | 7           | Invalid firmware                         |
           | 8           | Failed to update                         |
+          | 9           | Missing firmware signature               |
+          | 10          | Missing public key                       |
+          | 11          | Bad firmware signature                   |
          ''')
     parser = argparse.ArgumentParser(
         description=description,
@@ -939,6 +1017,9 @@ def main(argv):
                         help='Rollback the firmware to the version before the \
                         upgrade',
                         action='store_true')
+    parser.add_argument('--verify',
+                        help='Enforce signature verification for the firmware in the tarball',
+                        action='store_true')
     group2 = parser.add_mutually_exclusive_group()
     group2.add_argument('-n', '--no-backup',
                         help='Do not generate a firmware backup',
@@ -954,25 +1035,28 @@ def main(argv):
 
     try:
         args = parser.parse_args()
-        if args.force and (args.no_backup or args.backup_dir):
-            parser.error("argument -f/--force: not allowed with -n/--no-backup, -d/--backup-dir")
+        if args.force and (args.no_backup or args.backup_dir or args.verify):
+            parser.error("argument -f/--force: not allowed with -n/--no-backup, -d/--backup-dir, or --verify")
+        # Ensure firmware is specified for any update or verify operation
+        if not args.rollback and not args.firmware:
+             print("No firmware or action specified. A firmware tarball is required for update or verification.", file=sys.stderr)
+             return ErrorCode.INVALID_ARG.value
+
     except IOError as e:
         print(e.strerror, file=sys.stderr)
         return ErrorCode.INVALID_ARG.value
 
-    if not args.rollback and not args.firmware:
-        print("No firmware specified")
-        return ErrorCode.INVALID_ARG.value
-
     interactor = UserInterface(args.quiet);
 
     try:
-        if args.rollback:
+        if args.rollback or args.force:
             tarball = None
-        elif not args.force:
+        else:
+            # For regular update or update with verification
             tarball = FirmwareTarball(args.firmware, interactor,
-                                      args.preserve_list)
-            # FirmwareTarball to check firmware
+                                      args.preserve_list, args.verify)
+
+            # FirmwareTarball to check firmware compatibility
             if not tarball.check_firmware():
                 print("OS image version must be newer than the minimal version, "
                       "no firmware image could be updated on this device!")
@@ -1004,7 +1088,8 @@ def main(argv):
                 args.backup_dir,
                 interactor,
                 args.rollback,
-                args.reset
+                args.reset,
+                args.verify
             )
 
         # FirmwareUpdate to rollback
@@ -1027,10 +1112,13 @@ def main(argv):
                 updater.update()
                 break
             except UpgradeError as e:
-                if index > 2:
+                if (index > 2 or
+                    e.code == ErrorCode.MISSING_SIGNATURE.value or
+                    e.code == ErrorCode.BAD_SIGNATURE.value or
+                    e.code == ErrorCode.MISSING_PUBLIC_KEY.value):
                     raise UpgradeError(e.err, e.code)
                 index += 1
-                print("{}, try again!".format(e.err))
+                print("{}, trying again!".format(e.err))
     except UpgradeError as e:
         print(e.err)
         input_reminder = '''
@@ -1056,7 +1144,6 @@ Hit the Enter Key to Exit:
         return ErrorCode.SUCCESS.value
     os.system('reboot')
 
-
 if __name__ == '__main__':
     CODE = main(sys.argv)
-    sys.exit(CODE)
+    sys.exit(CODE)

…-update/iot2050-firmware-update_1.0.1.bb …-update/iot2050-firmware-update_1.1.0.bbmeta-example/recipes-app/iot2050-firmware-update/iot2050-firmware-update_1.0.1.bb renamed to meta-example/recipes-app/iot2050-firmware-update/iot2050-firmware-update_1.1.0.bb meta-example/recipes-app/iot2050-firmware-update/iot2050-firmware-update_1.0.1.bb renamed to meta-example/recipes-app/iot2050-firmware-update/iot2050-firmware-update_1.1.0.bb

@@ -9,14 +9,15 @@
 # COPYING.MIT file in the top-level directory.
 #
 
-PR = "2"
+PR = "1"
 
 DESCRIPTION = "OSPI Firmware Update Scripts"
 MAINTAINER = "chao.zeng@siemens.com"
 
 SRC_URI = " \
     file://update.conf.json.tmpl \
-    file://iot2050-firmware-update.tmpl"
+    file://iot2050-firmware-update.tmpl \
+    file://custMpk.crt"
 
 OS_VERSION_KEY ?= "BUILD_ID"
 MIN_OS_VERSION ?= "V01.01.01"
@@ -28,14 +29,19 @@ DPKG_ARCH = "any"
 
 inherit dpkg-raw
 
-DEBIAN_DEPENDS = "python3-progress, python3-packaging, u-boot-tools"
+DEBIAN_DEPENDS = "python3-cryptography, python3-progress, python3-packaging, u-boot-tools"
+DEBIAN_BUILD_DEPENDS = "openssl"
 
 do_install() {
     install -v -d ${D}/usr/sbin/
     install -v -m 755 ${WORKDIR}/iot2050-firmware-update ${D}/usr/sbin/
 
     install -v -d ${D}/usr/share/iot2050/fwu
     install -v -m 644 ${WORKDIR}/update.conf.json ${D}/usr/share/iot2050/fwu/
+   
+    openssl x509 -in ${WORKDIR}/custMpk.crt -pubkey -noout > ${WORKDIR}/public.key
+    install -v -d ${D}/usr/share/iot2050/fwu
+    install -v -m 644 ${WORKDIR}/public.key ${D}/usr/share/iot2050/fwu/
 }
 
 do_deploy_deb:append() {