From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: From: Bastian Krause References: <20200608085305.30964-1-bst@pengutronix.de> <20200608085305.30964-2-bst@pengutronix.de> <20200612091825.GA27654@pengutronix.de> <20200612095439.GD27654@pengutronix.de> <20200612100538.GF27654@pengutronix.de> Message-ID: <10f5fdb7-f946-079f-1033-9e9b0e20c132@pengutronix.de> Date: Wed, 17 Jun 2020 16:45:11 +0200 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US Subject: Re: [ptxdist] [PATCH 1/5] package templates: add code-signing-provider template List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Marc Kleine-Budde , Roland Hieber On 6/12/20 1:05 PM, Bastian Krause wrote: > > On 6/12/20 12:05 PM, Michael Olbrich wrote: >> On Fri, Jun 12, 2020 at 11:54:39AM +0200, Michael Olbrich wrote: >>> On Fri, Jun 12, 2020 at 11:18:25AM +0200, Michael Olbrich wrote: >>>> On Mon, Jun 08, 2020 at 10:53:01AM +0200, Bastian Krause wrote: >>>>> A ptxdist code signing provider is a package which selects the required >>>>> host tools needed for the code signing helpers to work. A shell script >>>>> is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM >>>>> is used. In order to simplify its creation provide a template along with >>>>> an example script. >>>> >>>> I think we should query whether a HSM or SoftHSM will be used and install >>>> an appropriate script and set the correct dependencies. 
>>>>
>>>>> Signed-off-by: Bastian Krause
>>>>> ---
>>>>> .../code-signing-provider/ptxdist-set-keys.sh | 96 +++++++++++++++++++
>>>>> .../template-code-signing-provider-choice-in | 5 +
>>>>> .../template-code-signing-provider-in | 16 ++++
>>>>> .../template-code-signing-provider-make | 41 ++++++++
>>>>> scripts/lib/ptxd_lib_template.sh | 16 ++++
>>>>> 5 files changed, 174 insertions(+)
>>>>> create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>>> create mode 100644 rules/templates/template-code-signing-provider-choice-in
>>>>> create mode 100644 rules/templates/template-code-signing-provider-in
>>>>> create mode 100644 rules/templates/template-code-signing-provider-make
>>>>>
>>>>> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys.sh b/rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>>> new file mode 100755
>>>>> index 000000000..040a61534
>>>>> --- /dev/null
>>>>> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>>> @@ -0,0 +1,96 @@
>>>>> +#!/bin/bash
>>>>> +
>>>>> +set -e
>>>>> +
>>>>> +set_fit_keys() {
>>>>> + local r="image-kernel-fit"
>>>>> + cs_define_role "${r}"
>>>>> +
>>>>> + # HSM use case
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit"
>>>>> +}
>>>>> +
>>>>> +import_fit_keys() {
>>>>> + local fit_cert_dir=fit
>>>>> + local r="image-kernel-fit"
>>>>> + cs_define_role "${r}"
>>>>> +
>>>>> + cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt"
>>>>> + cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
>>>>> + cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
>>>>> +}
>>>>> +
>>>>> +set_rauc_keys() {
>>>>> + local r="update"
>>>>> + cs_define_role "${r}"
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=rauc"
>>>>> + cs_append_ca_from_uri "${r}"
>>>>> +}
>>>>> +
>>>>> +import_rauc_keys() {
>>>>> + local rauc_cert_dir=rauc
>>>>> + local r="update"
>>>>> + cs_define_role "${r}"
>>>>> +
>>>>> + # SoftHSM use case
>>>>> + cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
>>>>> + cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
>>>>> + cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
>>>>> +
>>>>> + cs_append_ca_from_uri "${r}"
>>>>> +}
>>>>> +
>>>>> +set_imx_habv4_keys() {
>>>>> + # HSM use case, assuming it contains only 1st CSF/IMG key
>>>>> + for i in 1 2 3 4; do
>>>>> + r="imx-habv4-srk${i}"
>>>>> + cs_define_role "${r}"
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=srk-release${i}"
>>>>> + cs_append_ca_from_uri "${r}"
>>>>> + done
>>>>> +
>>>>> + r="imx-habv4-csf1"
>>>>> + cs_define_role ${r}
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
>>>>> +
>>>>> + r="imx-habv4-img1"
>>>>> + cs_define_role ${r}
>>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=img1"
>>>>> +}
>>>>> +
>>>>> +import_imx_habv4_keys() {
>>>>> + local imx_habv4_key_dir="habv4"
>>>>> + local crts="${imx_habv4_key_dir}/crts"
>>>>> + local keys="${imx_habv4_key_dir}/keys"
>>>>> + local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"
>>>>> +
>>>>> + for i in 1 2 3 4; do
>>>>> + r="imx-habv4-srk${i}"
>>>>> + cs_define_role "${r}"
>>>>> + cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der"
>>>>> + cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem"
>>>>> + cs_append_ca_from_uri "${r}"
>>>>> +
>>>>> + r="imx-habv4-csf${i}"
>>>>> + cs_define_role "${r}"
>>>>> + cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der"
>>>>> + cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem"
>>>>> +
>>>>> + r="imx-habv4-img${i}"
>>>>> + cs_define_role "${r}"
>>>>> + cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der"
>>>>> + cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem"
>>>>> + done
>>>>> +}
>>>>> +
>>>>> +
>>>>> +# HSM use case
>>>>> +#set_fit_keys
>>>>> +#set_rauc_keys
>>>>> +#set_imx_habv4_keys
>>>>> +
>>>>> +# or: SoftHSM use case
>>>>> +#cs_init_softhsm
>>>>> +#import_fit_keys
>>>>> +#import_rauc_keys
>>>>> +#import_imx_habv4_keys
>>>>
>>>> Split this into two scripts that work for the correct use-case.
>>>> And use the wizard.sh to delete one and rename the other.
>>>>
>>>>> diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in
>>>>> new file mode 100644
>>>>> index 000000000..e2108f870
>>>>> --- /dev/null
>>>>> +++ b/rules/templates/template-code-signing-provider-choice-in
>>>>> @@ -0,0 +1,5 @@
>>>>> +## SECTION=code_signing_provider
>>>>> +
>>>>> +config CODE_SIGNING_PROVIDER_@PACKAGE@
>>>>> + bool
>>>>> + prompt "@package@"
>>>>> diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in
>>>>> new file mode 100644
>>>>> index 000000000..a0c61e6ef
>>>>> --- /dev/null
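Review bot: The import_* functions in ptxdist-set-keys.sh read private keys (`fit/fit-4096-development.key`, `rauc/rauc.key.pem`, `habv4/keys/*_key.pem`) and the passphrase file `habv4/keys/key_pass.txt` from paths relative to the provider's source directory, and nothing in the template says which keys may be placed there. Since the make template points the package at `file://local_src/@package@-code-signing`, this material presumably sits unencrypted in the BSP tree, so I would add a comment above the SoftHSM block such as `# SoftHSM use case: development keys only; keep release keys and their passphrase on the HSM, not in the BSP`. Separately, `set_imx_habv4_keys` and `import_imx_habv4_keys` assign `i` and `r` without `local` and `set_imx_habv4_keys` calls `cs_define_role ${r}` unquoted twice, unlike the other functions; `local i r` and `cs_define_role "${r}"` would make them consistent.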
>>>>> +++ b/rules/templates/template-code-signing-provider-in
>>>>> @@ -0,0 +1,16 @@
>>>>> +## SECTION=code_signing
>>>>> +
>>>>> +config CODE_SIGNING
>>>>> + select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@
>>>>> +
>>>>> +config CODE_SIGNING_PROVIDER
>>>>> + default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@
>>>>> +
>>>>> +config HOST_@PACKAGE@_CODE_SIGNING
>>>>> + bool
>>>>> + select HOST_OPENSC
>>>>> + select HOST_LIBP11
>>>>> + select HOST_OPENSSL
>>>>> + #select HOST_SOFTHSM
>>>>> + #select HOST_OPENSC_PCSC
>>>>> + #select HOST_EXTRACT_CERT
>>>>
>>>> We can substitute multi-line values here. So just
>>>>
>>>> @DEPENDENCIES@
>>>>
>>>> and set that to the correct full list of dependencies in the script.
>>>>
>>>>
>>>>> diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
>>>>> new file mode 100644
>>>>> index 000000000..94830d92e
>>>>> --- /dev/null
>>>>> +++ b/rules/templates/template-code-signing-provider-make
>>>>> @@ -0,0 +1,41 @@
>>>>> +# -*-makefile-*-
>>>>> +#
>>>>> +# Copyright (C) @YEAR@ by @AUTHOR@
>>>>> +#
>>>>> +# For further information about the PTXdist project and license conditions
>>>>> +# see the README file.
>>>>> +#
>>>>> +
>>>>> +#
>>>>> +# We provide this package
>>>>> +#
>>>>> +HOST_PACKAGES-$(PTXCONF_HOST_@PACKAGE@_CODE_SIGNING) += host-@package@-code-signing
>>>>> +
>>>>> +#
>>>>> +# Paths and names
>>>>> +#
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_VERSION := @VERSION@
>>>>> +HOST_@PACKAGE@_CODE_SIGNING := @package@-code-signing-$(HOST_@PACKAGE@_CODE_SIGNING_VERSION)
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_URL := file://local_src/@package@-code-signing
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_DIR := $(HOST_BUILDDIR)/$(HOST_@PACKAGE@_CODE_SIGNING)
>>>>> +
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_CONF_TOOL := NO
>>>>> +
>>>>> +# ----------------------------------------------------------------------------
>>>>> +# Compile
>>>>> +# ----------------------------------------------------------------------------
>>>>> +
>>>>> +HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV := \
>>>>> + $(CODE_SIGNING_ENV)
>>>>> +
>>>>> +$(STATEDIR)/host-@package@-code-signing.compile:
>>>>> + @$(call targetinfo)
>>>>> + @$(call world/execute, HOST_@PACKAGE@_CODE_SIGNING, \
>>>>> + ./ptxdist-set-keys.sh)
>>>>> + @$(call touch)
>>>>> +
>>>>> +$(STATEDIR)/host-@package@-code-signing.install:
>>>>> + @$(call targetinfo)
>>>>> + @$(call touch)
>>>>> +
>>>>> +# vim: syntax=make
>>>>> diff --git a/scripts/lib/ptxd_lib_template.sh b/scripts/lib/ptxd_lib_template.sh
>>>>> index f39e6e033..b89981f45 100644
>>>>> --- a/scripts/lib/ptxd_lib_template.sh
>>>>> +++ b/scripts/lib/ptxd_lib_template.sh
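Review bot: The `.compile` rule in template-code-signing-provider-make carries no comment explaining that it compiles nothing and only runs `./ptxdist-set-keys.sh`, with `HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV` set to `$(CODE_SIGNING_ENV)` just above it. Since this is the step where roles are defined and PKCS#11 URIs are set or keys imported, I would add a comment above the rule such as `# No compilation: run the provider script that defines roles and sets PKCS#11 URIs or imports keys`. If the empty `.install` rule is intentional, a short `# Nothing to install` above it would keep someone filling in the template from assuming a step was forgotten.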
>>>>> @@ -460,3 +460,19 @@ ptxd_template_new_blspec_entry() {
>>>>> export -f ptxd_template_new_blspec_entry
>>>>> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="blspec-entry"
>>>>> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a bootloader spec entry"
>>>>> +
>>>>> +ptxd_template_new_code_signing_provider() {
>>>>> + export class="host-"
>>>>> + ptxd_template_read_basic &&
>>>>> + ptxd_template_read_author &&
>>>>
>>>> The question for the type should be here. Maybe provide an list and the
>>>> user must input the index number or something like that.
>>>
>>> So, after reading the docs, I think there should be 3 options here:
>>>
>>> 1) SoftHSM
>>> 2) HSM (with OpenSC)
>>> 3) HSM (custom)
>>>
>>> And for the HSM cases, the template should also provide the rules/pre/...
>>> file for CODE_SIGNING_ENV. Maybe with the module name as a variable?
>>> Substitute 'opensc-pkcs11' for OpenSC and 'fixme' otherwise.
>>
>> Or ask for the module name? I don't have a good understanding what is
>> usually necessary for other HSMs beyond the PKCS11_MODULE_PATH, so I don't
>> know if that makes sense.
>
> I've disucssed this with Marc some time ago. We came up with the idea of
> setting the HSM specifics in CODE_SIGNING_ENV via another code signing
> provider helper, e.g. "cs_append_env". In our opinion the code signing
> provider should know (and set) such extra environment variables.
Note: this implementation idea was not addressed in v3 of the patch series. v3 now uses generated pre make files to extend CODE_SIGNING_ENV for the selected HSM use case. It would still be nice to have something like "cs_append_env" as a substitute for the pre rules in the future. Leaving it open to someone else :) Regards, Bastian -- Pengutronix e.K. | | Steuerwalder Str.
21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de