From: Bastian Krause <bst@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Marc Kleine-Budde <mkl@pengutronix.de>,
Roland Hieber <rhi@pengutronix.de>
Subject: Re: [ptxdist] [PATCH 1/5] package templates: add code-signing-provider template
Date: Wed, 17 Jun 2020 16:45:11 +0200 [thread overview]
Message-ID: <10f5fdb7-f946-079f-1033-9e9b0e20c132@pengutronix.de> (raw)
In-Reply-To: <ed735f43-6fb9-5cc7-3041-2818843c86b1@pengutronix.de>
On 6/12/20 1:05 PM, Bastian Krause wrote:
>
> On 6/12/20 12:05 PM, Michael Olbrich wrote:
>> On Fri, Jun 12, 2020 at 11:54:39AM +0200, Michael Olbrich wrote:
>>> On Fri, Jun 12, 2020 at 11:18:25AM +0200, Michael Olbrich wrote:
>>>> On Mon, Jun 08, 2020 at 10:53:01AM +0200, Bastian Krause wrote:
>>>>> A ptxdist code signing provider is a package which selects the required
>>>>> host tools needed for the code signing helpers to work. A shell script
>>>>> is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM
>>>>> is used. In order to simplify its creation provide a template along with
>>>>> an example script.
>>>>
>>>> I think we should query whether a HSM or SoftHSM will be used and install
>>>> an appropriate script and set the correct dependencies.
>>>>
>>>>> Signed-off-by: Bastian Krause <bst@pengutronix.de>
>>>>> ---
>>>>> .../code-signing-provider/ptxdist-set-keys.sh | 96 +++++++++++++++++++
>>>>> .../template-code-signing-provider-choice-in | 5 +
>>>>> .../template-code-signing-provider-in | 16 ++++
>>>>> .../template-code-signing-provider-make | 41 ++++++++
>>>>> scripts/lib/ptxd_lib_template.sh | 16 ++++
>>>>> 5 files changed, 174 insertions(+)
>>>>> create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>>> create mode 100644 rules/templates/template-code-signing-provider-choice-in
>>>>> create mode 100644 rules/templates/template-code-signing-provider-in
>>>>> create mode 100644 rules/templates/template-code-signing-provider-make
>>>>>
>>>>> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys.sh b/rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>>> new file mode 100755
>>>>> index 000000000..040a61534
>>>>> --- /dev/null
>>>>> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>>> @@ -0,0 +1,96 @@
>>>>> +#!/bin/bash
>>>>> +
>>>>> +set -e
>>>>> +
>>>>> +set_fit_keys() {
>>>>> + local r="image-kernel-fit"
>>>>> + cs_define_role "${r}"
>>>>> +
>>>>> + # HSM use case
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit"
>>>>> +}
>>>>> +
>>>>> +import_fit_keys() {
>>>>> + local fit_cert_dir=fit
>>>>> + local r="image-kernel-fit"
>>>>> + cs_define_role "${r}"
>>>>> +
>>>>> + cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt"
>>>>> + cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
>>>>> + cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
>>>>> +}
>>>>> +
>>>>> +set_rauc_keys() {
>>>>> + local r="update"
>>>>> + cs_define_role "${r}"
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=rauc"
>>>>> + cs_append_ca_from_uri "${r}"
>>>>> +}
>>>>> +
>>>>> +import_rauc_keys() {
>>>>> + local rauc_cert_dir=rauc
>>>>> + local r="update"
>>>>> + cs_define_role "${r}"
>>>>> +
>>>>> + # SoftHSM use case
>>>>> + cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
>>>>> + cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
>>>>> + cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
>>>>> +
>>>>> + cs_append_ca_from_uri "${r}"
>>>>> +}
>>>>> +
>>>>> +set_imx_habv4_keys() {
>>>>> + # HSM use case, assuming it contains only 1st CSF/IMG key
>>>>> + for i in 1 2 3 4; do
>>>>> + r="imx-habv4-srk${i}"
>>>>> + cs_define_role "${r}"
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=srk-release${i}"
>>>>> + cs_append_ca_from_uri "${r}"
>>>>> + done
>>>>> +
>>>>> + r="imx-habv4-csf1"
>>>>> + cs_define_role ${r}
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
>>>>> +
>>>>> + r="imx-habv4-img1"
>>>>> + cs_define_role ${r}
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=img1"
>>>>> +}
>>>>> +
>>>>> +import_imx_habv4_keys() {
>>>>> + local imx_habv4_key_dir="habv4"
>>>>> + local crts="${imx_habv4_key_dir}/crts"
>>>>> + local keys="${imx_habv4_key_dir}/keys"
>>>>> + local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"
>>>>> +
>>>>> + for i in 1 2 3 4; do
>>>>> + r="imx-habv4-srk${i}"
>>>>> + cs_define_role "${r}"
>>>>> + cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der"
>>>>> + cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem"
>>>>> + cs_append_ca_from_uri "${r}"
>>>>> +
>>>>> + r="imx-habv4-csf${i}"
>>>>> + cs_define_role "${r}"
>>>>> + cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der"
>>>>> + cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem"
>>>>> +
>>>>> + r="imx-habv4-img${i}"
>>>>> + cs_define_role "${r}"
>>>>> + cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der"
>>>>> + cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem"
>>>>> + done
>>>>> +}
>>>>> +
>>>>> +
>>>>> +# HSM use case
>>>>> +#set_fit_keys
>>>>> +#set_rauc_keys
>>>>> +#set_imx_habv4_keys
>>>>> +
>>>>> +# or: SoftHSM use case
>>>>> +#cs_init_softhsm
>>>>> +#import_fit_keys
>>>>> +#import_rauc_keys
>>>>> +#import_imx_habv4_keys
>>>>
>>>> Split this into two scripts that work for the correct use-case.
>>>> And use the wizard.sh to delete one and rename the other.
>>>>
>>>>> diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in
>>>>> new file mode 100644
>>>>> index 000000000..e2108f870
>>>>> --- /dev/null
>>>>> +++ b/rules/templates/template-code-signing-provider-choice-in
>>>>> @@ -0,0 +1,5 @@
>>>>> +## SECTION=code_signing_provider
>>>>> +
>>>>> +config CODE_SIGNING_PROVIDER_@PACKAGE@
>>>>> + bool
>>>>> + prompt "@package@"
>>>>> diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in
>>>>> new file mode 100644
>>>>> index 000000000..a0c61e6ef
>>>>> --- /dev/null
>>>>> +++ b/rules/templates/template-code-signing-provider-in
>>>>> @@ -0,0 +1,16 @@
>>>>> +## SECTION=code_signing
>>>>> +
>>>>> +config CODE_SIGNING
>>>>> + select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@
>>>>> +
>>>>> +config CODE_SIGNING_PROVIDER
>>>>> + default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@
>>>>> +
>>>>> +config HOST_@PACKAGE@_CODE_SIGNING
>>>>> + bool
>>>>> + select HOST_OPENSC
>>>>> + select HOST_LIBP11
>>>>> + select HOST_OPENSSL
>>>>> + #select HOST_SOFTHSM
>>>>> + #select HOST_OPENSC_PCSC
>>>>> + #select HOST_EXTRACT_CERT
>>>>
>>>> We can substitute multi-line values here. So just
>>>>
>>>> @DEPENDENCIES@
>>>>
>>>> and set that to the correct full list of dependencies in the script.
>>>>
>>>>
>>>>> diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
>>>>> new file mode 100644
>>>>> index 000000000..94830d92e
>>>>> --- /dev/null
>>>>> +++ b/rules/templates/template-code-signing-provider-make
>>>>> @@ -0,0 +1,41 @@
>>>>> +# -*-makefile-*-
>>>>> +#
>>>>> +# Copyright (C) @YEAR@ by @AUTHOR@
>>>>> +#
>>>>> +# For further information about the PTXdist project and license conditions
>>>>> +# see the README file.
>>>>> +#
>>>>> +
>>>>> +#
>>>>> +# We provide this package
>>>>> +#
>>>>> +HOST_PACKAGES-$(PTXCONF_HOST_@PACKAGE@_CODE_SIGNING) += host-@package@-code-signing
>>>>> +
>>>>> +#
>>>>> +# Paths and names
>>>>> +#
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_VERSION := @VERSION@
>>>>> +HOST_@PACKAGE@_CODE_SIGNING := @package@-code-signing-$(HOST_@PACKAGE@_CODE_SIGNING_VERSION)
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_URL := file://local_src/@package@-code-signing
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_DIR := $(HOST_BUILDDIR)/$(HOST_@PACKAGE@_CODE_SIGNING)
>>>>> +
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_CONF_TOOL := NO
>>>>> +
>>>>> +# ----------------------------------------------------------------------------
>>>>> +# Compile
>>>>> +# ----------------------------------------------------------------------------
>>>>> +
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV := \
>>>>> + $(CODE_SIGNING_ENV)
>>>>> +
>>>>> +$(STATEDIR)/host-@package@-code-signing.compile:
>>>>> + @$(call targetinfo)
>>>>> + @$(call world/execute, HOST_@PACKAGE@_CODE_SIGNING, \
>>>>> + ./ptxdist-set-keys.sh)
>>>>> + @$(call touch)
>>>>> +
>>>>> +$(STATEDIR)/host-@package@-code-signing.install:
>>>>> + @$(call targetinfo)
>>>>> + @$(call touch)
>>>>> +
>>>>> +# vim: syntax=make
>>>>> diff --git a/scripts/lib/ptxd_lib_template.sh b/scripts/lib/ptxd_lib_template.sh
>>>>> index f39e6e033..b89981f45 100644
>>>>> --- a/scripts/lib/ptxd_lib_template.sh
>>>>> +++ b/scripts/lib/ptxd_lib_template.sh
>>>>> @@ -460,3 +460,19 @@ ptxd_template_new_blspec_entry() {
>>>>> export -f ptxd_template_new_blspec_entry
>>>>> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="blspec-entry"
>>>>> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a bootloader spec entry"
>>>>> +
>>>>> +ptxd_template_new_code_signing_provider() {
>>>>> + export class="host-"
>>>>> + ptxd_template_read_basic &&
>>>>> + ptxd_template_read_author &&
>>>>
>>>> The question for the type should be here. Maybe provide an list and the
>>>> user must input the index number or something like that.
>>>
>>> So, after reading the docs, I think there should be 3 options here:
>>>
>>> 1) SoftHSM
>>> 2) HSM (with OpenSC)
>>> 3) HSM (custom)
>>>
>>> And for the HSM cases, the template should also provide the rules/pre/...
>>> file for CODE_SIGNING_ENV. Maybe with the module name as a variable?
>>> Substitute 'opensc-pkcs11' for OpenSC and 'fixme' otherwise.
>>
>> Or ask for the module name? I don't have a good understanding what is
>> usually necessary for other HSMs beyond the PKCS11_MODULE_PATH, so I don't
>> know if that makes sense.
>
> I've disucssed this with Marc some time ago. We came up with the idea of
> setting the HSM specifics in CODE_SIGNING_ENV via another code signing
> provider helper, e.g. "cs_append_env". In our opinion the code signing
> provider should know (and set) such extra environment variables.
Note: this implementation idea was not addressed in v3 of the patch
series. v3 now uses generated pre make files to extend CODE_SIGNING_ENV
for the selected HSM use case. It would still be nice to have something
like "cs_append_env" as a substitute for the pre rules in the future.
Leaving it open to someone else :)
Regards,
Bastian
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
next prev parent reply other threads:[~2020-06-17 14:45 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-08 8:53 [ptxdist] [PATCH 0/5] Add code-signing-provider template, add code signing docs Bastian Krause
2020-06-08 8:53 ` [ptxdist] [PATCH 1/5] package templates: add code-signing-provider template Bastian Krause
2020-06-12 9:18 ` Michael Olbrich
2020-06-12 9:54 ` Michael Olbrich
2020-06-12 10:05 ` Michael Olbrich
2020-06-12 11:05 ` Bastian Krause
2020-06-17 14:45 ` Bastian Krause [this message]
2020-06-16 13:56 ` Bastian Krause
2020-06-16 15:00 ` Michael Olbrich
2020-06-08 8:53 ` [ptxdist] [PATCH 2/5] doc: dev_manual: split up into multiple files Bastian Krause
2020-06-08 8:53 ` [ptxdist] [PATCH 3/5] doc: move code signing docs from scripts/ into doc/ Bastian Krause
2020-06-08 8:53 ` [ptxdist] [PATCH 4/5] doc: dev_code_signing: rework and extend code signing section Bastian Krause
2020-06-08 10:16 ` Roland Hieber
2020-06-12 8:55 ` Bastian Krause
2020-06-08 8:53 ` [ptxdist] [PATCH 5/5] doc: introduce ref_code_signing_helpers Bastian Krause
2020-06-12 9:28 ` Michael Olbrich
2020-06-12 9:49 ` Michael Olbrich
2020-06-08 10:17 ` [ptxdist] [PATCH 0/5] Add code-signing-provider template, add code signing docs Roland Hieber
2020-06-09 15:04 ` Ladislav Michl
2020-06-12 10:04 ` Michael Olbrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10f5fdb7-f946-079f-1033-9e9b0e20c132@pengutronix.de \
--to=bst@pengutronix.de \
--cc=mkl@pengutronix.de \
--cc=ptxdist@pengutronix.de \
--cc=rhi@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox