bmcd: Add TLS

Per default, the bmcd will generate new self signed certificates in the case they do not exist yet. (x509 rsa4096) HTTPS is enabled for both IPv4 and IPv6 on port 443. HTTP traffic will be redirected to the HTTPS port
turing-machines · Sep 15, 2023 · c5cf86e · c5cf86e
1 parent ce92f84
commit c5cf86e
Show file tree

Hide file tree

Showing 9 changed files with 31 additions and 25 deletions.
diff --git a/tp2bmc/board/tp2bmc/overlay/etc/bmcd/config.yaml b/tp2bmc/board/tp2bmc/overlay/etc/bmcd/config.yaml
@@ -0,0 +1,4 @@
+---
+tls:
+  certificate: /etc/ssl/certs/bmcd_cert.pem
+  private_key: /etc/ssl/certs/bmcd_key.pem
diff --git a/tp2bmc/board/tp2bmc/overlay/etc/init.d/S93startup b/tp2bmc/board/tp2bmc/overlay/etc/init.d/S93startup
@@ -13,8 +13,5 @@ if [ "$1" = "start" ]; then
 
     sleep 1
     /etc/setStaticNet.sh
-
-    bmc &
-
     /etc/test_ping.sh &
 fi
diff --git a/tp2bmc/configs/tp2bmc_defconfig b/tp2bmc/configs/tp2bmc_defconfig
@@ -92,6 +92,8 @@ BR2_PACKAGE_LIBGPIOD_TOOLS=y
 BR2_PACKAGE_LIBGPIOD=y
 BR2_PACKAGE_LIBTIRPC=y
 BR2_PACKAGE_LIBUBOOTENV=y
+BR2_PACKAGE_LIBOPENSSL=y
+BR2_PACKAGE_LIBOPENSSL_BIN=y
 BR2_PACKAGE_LVM2=y
 BR2_PACKAGE_MTD_MKFSUBIFS=y
 BR2_PACKAGE_MTD_MTDPART=y

diff --git a/tp2bmc/package/bmcd/Config.in b/tp2bmc/package/bmcd/Config.in
@@ -1,6 +1,8 @@
 config BR2_PACKAGE_BMCD
 	bool "bmcd"
 	depends on BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS
+    depends on BR2_PACKAGE_LIBOPENSSL_BIN
+
 	select BR2_PACKAGE_HOST_RUSTC
 	help
 	  System management daemon for the Baseboard Management Controller (BMC)
diff --git a/tp2bmc/package/bmcd/S94bmcd b/tp2bmc/package/bmcd/S94bmcd
@@ -3,12 +3,16 @@
 DAEMON="bmcd"
 BIN="/usr/bin/$DAEMON"
 PIDFILE="/var/run/$DAEMON.pid"
+CERTFILE="/etc/ssl/certs/bmcd_cert.pem"
+KEYFILE="/etc/ssl/certs/bmcd_key.pem"
 
 start() {
     printf 'Starting %s...\n' "$DAEMON"
 
+    [ ! -f "$CERTFILE" ] || [ ! -f "$KEYFILE" ] && /etc/bmcd/generate_self_signedx509.sh 
+
     start-stop-daemon --start --quiet --background --make-pidfile --pidfile "$PIDFILE" --no-close \
-        --exec "$BIN"
+        --exec "$BIN" -- --config "/etc/bmcd/config.yaml"
 
     # Note: there are a lot of init.d scripts in buildroot packages that use -b/--background flag
     # for programs that don't daemonize themselves. Contrary to the vast majority of them, it's

diff --git a/tp2bmc/package/bmcd/bmcd.mk b/tp2bmc/package/bmcd/bmcd.mk
@@ -1,31 +1,17 @@
 ###########################################################
 #
 # bmcd
-#
 ###########################################################
 
-BMCD_VERSION = bb3636350509b09fcb4b4637b8fd669719206d5a
+BMCD_VERSION = d8a002a096954c3193beb72e50e52730342312f2
 BMCD_SITE = $(call github,turing-machines,bmcd,$(BMCD_VERSION))
 BMCD_LICENSE = Apache-2.0
 BMCD_LICENSE_FILES = LICENSE
+BMCD_DEPENDENCIES += libopenssl
 BMCD_CARGO_ENV := PKG_CONFIG_ALLOW_CROSS=1
 BMCD_CARGO_ENV += CC_armv7_unknown_linux_gnueabi="arm-linux-gcc"
 
-define BMCD_BUILD_CMDS
-	cd $(BMCD_SRCDIR) && \
-	$(TARGET_MAKE_ENV) \
-		$(PKG_CARGO_ENV) \
-		$(BMCD_CARGO_ENV) \
-		cargo build \
-			--offline \
-			$(if $(BR2_ENABLE_DEBUG),,--release) \
-			--manifest-path Cargo.toml \
-			--locked \
-			$(BMCD_CARGO_BUILD_OPTS)
-endef
-
 # A copy of default build commands but with --path amended, since we have a virtual manifest.
-# For the same reasons as in tpi_rs.mk, TARGET_CONFIGURE_OPTS are removed.
 define BMCD_INSTALL_TARGET_CMDS
 	cd $(BMCD_SRCDIR) && \
 	$(TARGET_MAKE_ENV) \
@@ -40,6 +26,9 @@ define BMCD_INSTALL_TARGET_CMDS
 			--locked \
 			-Z target-applies-to-host \
 			$(BMCD_CARGO_INSTALL_OPTS)
+
+	$(INSTALL) -D -m 744 $(BR2_EXTERNAL_TP2BMC_PATH)/package/bmcd/generate_self_signedx509.sh \
+		$(TARGET_DIR)/etc/bmcd/generate_self_signedx509.sh
 endef
 
 define BMCD_INSTALL_INIT_SYSV

diff --git a/tp2bmc/package/bmcd/generate_self_signedx509.sh b/tp2bmc/package/bmcd/generate_self_signedx509.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+echo "generating new self signed X509 certs.."
+
+ssl_dir=/etc/ssl/certs/
+mkdir -p $ssl_dir
+openssl req -x509 -newkey rsa:4096 -keyout $ssl_dir/bmcd_key.pem \
+    -out $ssl_dir/bmcd_cert.pem -nodes -subj "/CN=Turing-Pi self signed"
+
+echo "Done"
diff --git a/tp2bmc/package/tpi/Config.in b/tp2bmc/package/tpi/Config.in
@@ -1,4 +1,4 @@
 config BR2_PACKAGE_TPI
-bool "TPI"
-help
-turing pi CLI.
+    bool "TPI"
+    help
+        turing pi CLI.
diff --git a/tp2bmc/package/tpi/tpi.mk b/tp2bmc/package/tpi/tpi.mk
@@ -3,9 +3,7 @@
 ###########################################################
 TPI_VERSION:= 0.1.0
 TPI_SITE = $(call github,turing-machines,tpi,$(TPI_VERSION))
-TPI_INSTALL_TARGET =YES
 TPI_LICENSE = Apache-2.0
 TPI_LICENSE_FILES = LICENSE
-TPI_INSTALL_TARGET = YES
 
 $(eval $(cargo-package))