mailarchive of the ptxdist mailing list
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Bastian Krause <bst@pengutronix.de>
Subject: Re: [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval
Date: Fri, 15 May 2020 12:40:35 +0200
Message-ID: <20200515104035.GC7220@pengutronix.de>
In-Reply-To: <20200514134300.16105-10-bst@pengutronix.de>

On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote:
> Use the keys provided by the currently active key provider via PKCS#11
> instead of key files placed in the platform config directory. In order
> to make sure the new mechanics are used after a BSP update the rauc.key
> file is no longer allowed to exist in the platformconfig directory.
> 
> Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
>  platforms/image-rauc.in          |   1 +
>  projectroot/etc/rauc/ca.cert.pem |   7 --
>  rules/image-rauc.make            |  37 ++-------
>  rules/rauc.in                    |   1 +
>  rules/rauc.make                  |  11 ++-
>  scripts/rauc-gen-test-certs.sh   | 126 -------------------------------
>  6 files changed, 17 insertions(+), 166 deletions(-)
>  delete mode 100644 projectroot/etc/rauc/ca.cert.pem
>  delete mode 100755 scripts/rauc-gen-test-certs.sh
> 
> diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
> index 658ddd5cd..1f9427b40 100644
> --- a/platforms/image-rauc.in
> +++ b/platforms/image-rauc.in
> @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
>  	select HOST_GENIMAGE
>  	select HOST_RAUC
>  	select IMAGE_ROOT_TGZ
> +	select CODE_SIGNING
>  	help
>  	  This generates a RAUC update Bundle for the selected platform using
>  	  genimage.
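Review bot: the minimum genimage version that the commit message requires (>= v12, for PKCS#11 URIs in RAUC_KEY/RAUC_CERT) is not encoded anywhere in this hunk; `select HOST_GENIMAGE` alone does not guarantee it, so either state in the commit message that the bump in patch 01 of this series is what satisfies it, or add a comment next to the new `select CODE_SIGNING`. The help text could also say that the bundle is now signed with the key of the active code signing provider rather than files from the platform config directory.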
> diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
> deleted file mode 100644
> index be1aa7c30..000000000
> --- a/projectroot/etc/rauc/ca.cert.pem
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -# This is a dummy keyring file. Please overwrite this with one that matches
> -# your X.509 infrastructure if you intend to use RAUC for secure updates!
> -#
> -# If you really do not intend to actively use the security features (or for
> -# testing purpose) you may create a development certificate by executing the
> -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
> -# installation.
> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
> index 839cb400b..a031edfae 100644
> --- a/rules/image-rauc.make
> +++ b/rules/image-rauc.make
> @@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG	:= rauc.config
>  
>  ifdef PTXCONF_IMAGE_RAUC
>  
> -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
> -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
> -
> -IMAGE_RAUC_ENV	:= \
> +IMAGE_RAUC_ENV	= \
>  	RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
>  	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
>  	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>  	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
> -	RAUC_KEY=$(IMAGE_RAUC_KEY) \
> -	RAUC_CERT=$(IMAGE_RAUC_CERT)
> +	RAUC_KEY="$(shell cs_get_uri update)" \
> +	RAUC_CERT="$(shell cs_get_uri update)"
>  
> -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
> +$(IMAGE_RAUC_IMAGE):
>  	@$(call targetinfo)
> -	@$(call image/genimage, IMAGE_RAUC)
> +	@$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC)

Why don't you add $(CODE_SIGNING_ENV) to IMAGE_RAUC_ENV instead?

Michael

>  	@$(call finish)
>  
> -$(IMAGE_RAUC_KEY):
> -	@echo
> -	@echo "****************************************************************************"
> -	@echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
> -	@echo "*                                                                          *"
> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
> -	@echo "****************************************************************************"
> -	@echo
> -	@echo
> -	@exit 1
> -
> -$(IMAGE_RAUC_CERT):
> -	@echo
> -	@echo "****************************************************************************"
> -	@echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
> -	@echo "*                                                                          *"
> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
> -	@echo "****************************************************************************"
> -	@echo
> -	@echo
> -	@exit 1
> -
>  endif
>  
>  # vim: syntax=make
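Review bot: `RAUC_KEY` and `RAUC_CERT` are both assigned the same `$(shell cs_get_uri update)` result; if the provider's URI cannot address both the private key object and the certificate object, the certificate side needs its own helper (compare `cs_get_ca update` in rules/rauc.make further down). Dropping `$(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)` as prerequisites of `$(IMAGE_RAUC_IMAGE)` also means the bundle is no longer rebuilt when the signing material changes, and a missing or misconfigured provider only surfaces once genimage runs; a prepare-style check like the one added to rules/rauc.make would give a clearer error. The change from `:=` to `=` is required for the lazy `$(shell ...)`, but it now invokes cs_get_uri twice on every expansion of IMAGE_RAUC_ENV, which deserves a comment.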
> diff --git a/rules/rauc.in b/rules/rauc.in
> index d712bc7b9..56fc3ae3b 100644
> --- a/rules/rauc.in
> +++ b/rules/rauc.in
> @@ -7,6 +7,7 @@ menuconfig RAUC
>  	select GLIB
>  	select GLIB_LIBMOUNT
>  	select HOST_GLIB
> +	select CODE_SIGNING
>  	select BUSYBOX_FEATURE_TAR_LONG_OPTIONS	if BUSYBOX_TAR
>  	select BUSYBOX_FEATURE_TAR_AUTODETECT	if BUSYBOX_TAR
>  	select BUSYBOX_FEATURE_SEAMLESS_XZ	if BUSYBOX_TAR
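Review bot: `select CODE_SIGNING` is unconditional here, while the only use of the provider in rules/rauc.make (`cs_get_ca update` for the keyring) sits under `ifdef PTXCONF_RAUC_CONFIGURATION`; consider `select CODE_SIGNING if RAUC_CONFIGURATION` so that BSPs shipping their own /etc/rauc configuration are not forced to set up a key provider just to build the target package.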
> diff --git a/rules/rauc.make b/rules/rauc.make
> index ade9bd5dd..f9a10fbbc 100644
> --- a/rules/rauc.make
> +++ b/rules/rauc.make
> @@ -46,6 +46,14 @@ RAUC_CONF_OPT	:= \
>  	--with-dbuspolicydir=/usr/share/dbus-1/system.d \
>  	--with-dbussystemservicedir=/usr/share/dbus-1/system-services
>  
> +$(STATEDIR)/rauc.prepare:
> +	@$(call targetinfo)
> +	@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
> +		ptxd_bailout "Please use the key provider infrastructure desribed in:" \
> +			"scripts/lib/ptxd_lib_code_signing.sh"
> +	@$(call world/prepare, RAUC)
> +	@$(call touch)
> +
>  # ----------------------------------------------------------------------------
>  # Target-Install
>  # ----------------------------------------------------------------------------
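Review bot: the new prepare stage tests for `config/rauc/rauc.key`, but the file the old rules/image-rauc.make consumed was `config/rauc/rauc.key.pem` (with `rauc.cert.pem` beside it), so as written the check never fires for an existing BSP and the migration guard is ineffective; test for the `.pem` names, and consider also catching a BSP-provided `projectroot/etc/rauc/ca.cert.pem`, since the dummy keyring is removed in this patch. The bailout message also misspells "described" as "desribed".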
> @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
>  	@$(call install_replace, rauc, /etc/rauc/system.conf, \
>  		@RAUC_BUNDLE_COMPATIBLE@, \
>  		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
> -	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
> +	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
> +		/etc/rauc/ca.cert.pem)
>  endif
>  
>  ifdef PTXCONF_RAUC_SERVICE
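Review bot: `$(shell cs_get_ca update)` feeds its output straight into `install_copy` without checking that the helper succeeded; an empty result or an error string will fail inside install_copy with an unrelated message, so guard it (for example with `ptxd_bailout` when the result is empty) or rely on the helper's own error path. Replacing `install_alternative` with `install_copy` also removes the BSP's ability to override the keyring from projectroot/, and there is no prerequisite on the CA file, so a rotated CA will not trigger a reinstall of rauc; both may be intended, but the commit message should say so.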
> diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
> deleted file mode 100755
> index b4ea6a8cf..000000000
> --- a/scripts/rauc-gen-test-certs.sh
> +++ /dev/null
> @@ -1,126 +0,0 @@
> -#!/bin/bash
> -#
> -# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
> -# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
> -#
> -# For further information about the PTXdist project and license conditions
> -# see the README file.
> -#
> -# ---
> -#
> -# Demo script that generates certificate files required to sign and verify
> -# RAUC update tool bundles.
> -#
> -
> -set -xe
> -
> -ORG="Test Org"
> -CA="rauc CA"
> -
> -# After the CRL expires, signatures cannot be verified anymore
> -CRL="-crldays 5000"
> -
> -BASE="$(pwd)/rauc-openssl-ca"
> -
> -if [ -e $BASE ]; then
> -  echo "$BASE already exists"
> -  exit 1
> -fi
> -
> -mkdir -p $BASE/dev/{private,certs}
> -touch $BASE/dev/index.txt
> -echo 01 > $BASE/dev/serial
> -
> -cat > $BASE/openssl.cnf <<EOF
> -[ ca ]
> -default_ca      = CA_default            # The default ca section
> -
> -[ CA_default ]
> -
> -dir            = .                     # top dir
> -database       = \$dir/index.txt        # index file.
> -new_certs_dir  = \$dir/certs            # new certs dir
> -
> -certificate    = \$dir/ca.cert.pem       # The CA cert
> -serial         = \$dir/serial           # serial no file
> -private_key    = \$dir/private/ca.key.pem# CA private key
> -RANDFILE       = \$dir/private/.rand    # random number file
> -
> -default_startdate = 19700101000000Z
> -default_enddate = 99991231235959Z
> -default_crl_days= 30                   # how long before next CRL
> -default_md     = sha256                # md to use
> -
> -policy         = policy_any            # default policy
> -email_in_dn    = no                    # Don't add the email into cert DN
> -
> -name_opt       = ca_default            # Subject name display option
> -cert_opt       = ca_default            # Certificate display option
> -copy_extensions = none                 # Don't copy extensions from request
> -
> -[ policy_any ]
> -organizationName       = match
> -commonName             = supplied
> -
> -[ req ]
> -default_bits           = 2048
> -distinguished_name     = req_distinguished_name
> -x509_extensions        = v3_leaf
> -encrypt_key = no
> -default_md = sha256
> -
> -[ req_distinguished_name ]
> -commonName                     = Common Name (eg, YOUR name)
> -commonName_max                 = 64
> -
> -[ v3_ca ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:TRUE
> -
> -[ v3_inter ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:TRUE,pathlen:0
> -
> -[ v3_leaf ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:FALSE
> -EOF
> -
> -export OPENSSL_CONF=$BASE/openssl.cnf
> -
> -echo "Development CA"
> -cd $BASE/dev
> -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
> -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
> -
> -echo "Development Signing Keys 1"
> -cd $BASE/dev
> -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
> -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
> -
> -cat << EOF
> -===============================================================================
> -
> -Note that the default application should be to set up a public key
> -infrastructure at your site and use keys and certificates genereated by these.
> -
> -In oder to use the just generated files in your BSP for testing purpose or if
> -you do not intend to use real authentification, follow the instructions below. 
> -
> -Place the key and certificate file in your platform-dir's config/ folder:
> -
> -  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
> -  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
> -
> -Place the keyring file in your platform-dir's projectroot/ folder:
> -
> -  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
> -
> -===============================================================================
> -EOF
> -- 
> 2.26.2

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Thread overview: 26+ messages
2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 02/13] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 03/13] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper Bastian Krause
2020-05-15 10:36   ` Michael Olbrich
2020-05-15 11:21     ` Bastian Krause
2020-05-15 11:41       ` Jan Lübbe
2020-05-14 13:42 ` [ptxdist] [PATCH 05/13] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
2020-05-14 16:00   ` Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
2020-05-15 10:37   ` Michael Olbrich
2020-05-15 11:22     ` Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 07/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 08/13] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 09/13] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
2020-05-15 10:40   ` Michael Olbrich [this message]
2020-05-15 11:23     ` Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification Bastian Krause
2020-05-15  7:58   ` Michael Olbrich
2020-05-15 11:23     ` Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 12/13] code-signing: move code-signing.in to platforms/ Bastian Krause
2020-05-14 13:43 ` [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
2020-05-14 15:36   ` Bastian Krause
2020-05-15  7:55     ` Michael Olbrich
2020-05-15 11:24       ` Bastian Krause
