kaspar/RIOT
1
0
Fork 0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-12-15 09:33:50 +01:00
Code Releases Activity

makefiles/suit: place keys in $XDG_DATA_HOME

Browse Source 
Placing the SUIT key in the RIOT repository folder is dangerous as
a repo checkout is by most people considered a volatile location.
Since all important files are stored in git, deleting the entire folder
or it's contents is not an uncommon cleanup operation.

If the user is at that point unaware that SUIT key material is stored
in that folder, that key will then be lost.

Another workflow may involve multiple checkouts of the RIOT repository
to multiple folders to work on several features at the same time, or for
easy cross-referencing or splitting of off features from an integration
into a feature branch.
In that case each checkout would use it's own incompatible SUIT key.

To avoid all these pitfalls, place the SUIT keys outside the RIOT
repository in the $XDG_DATA_HOME directory.
This commit is contained in:
Benjamin Valentin 2022-06-02 00:02:26 +02:00
parent 6cca6234b0
commit 5e52d15409
3 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
examples/suit_update/README.hardware.md
View File

@ -571,7 +571,7 @@ The following default values are using for generating the manifest:
SUIT_SEQNR ?= $(APP_VER)
SUIT_CLASS ?= $(BOARD)
SUIT_KEY ?= default
SUIT_KEY_DIR ?= $(RIOTBASE)/keys
SUIT_KEY_DIR ?= $(XDG_DATA_HOME)/RIOT/keys
SUIT_SEC ?= $(SUIT_KEY_DIR)/$(SUIT_KEY).pem
All files (both slot binaries, both manifests, copies of manifests with

3
examples/suit_update/README.md
View File

@ -62,7 +62,8 @@ SUIT keys consist of a private and a public key file, stored in `$(SUIT_KEY_DIR)
Similar to how ssh names its keyfiles, the public key filename equals the
private key file, but has an extra `.pub` appended.
`SUIT_KEY_DIR` defaults to the `keys/` folder at the top of a RIOT checkout.
`SUIT_KEY_DIR` defaults to the `keys/` folder in `$XDG_DATA_HOME/RIOT`
(usually `~/.local/share/RIOT/keys`).
If the chosen key doesn't exist, it will be generated automatically.
That step can be done manually using the `suit/genkey` target.

3
makefiles/suit.base.inc.mk
View File

@ -10,11 +10,12 @@ SUIT_TOOL ?= $(RIOTBASE)/dist/tools/suit/suit-manifest-generator/bin/suit-tool
# Will use $(SUIT_KEY_DIR)/$(SUIT_KEY).pem as combined private/public key
# files.
SUIT_KEY ?= default
XDG_DATA_HOME ?= $(HOME)/.local/share
ifeq (1, $(RIOT_CI_BUILD))
SUIT_KEY_DIR ?= $(BINDIR)
else
SUIT_KEY_DIR ?= $(RIOTBASE)/keys
SUIT_KEY_DIR ?= $(XDG_DATA_HOME)/RIOT/keys
endif
# Enable user to encrypt private key with a password