From: Bastian Krause <bst@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Bastian Krause <bst@pengutronix.de>
Subject: [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers
Date: Fri, 15 May 2020 16:26:26 +0200
Message-ID: <20200515142641.812-1-bst@pengutronix.de>

This series includes various bug fixes and extensions of ptxdist's code
signing infrastructure and its consumers. This includes HAB barebox
images, signed FIT images and RAUC bundles. Real HSMs can now be used
for signing. Newly introduced helpers simplify CA handling.
Changes since implicit v1 (20200514134300.16105-1-bst@pengutronix.de and
following, without cover letter):
- add new line when appending to a CA
- select necessary host tools directly in code signing provider, not in
  CODE_SIGNING
- add code signing env to image rauc env
- re-add accidentally dropped rules/code-signing.in introducing
  CODE_SIGNING for ptxconfig
- move "code-signing: introduce for ptxconfig, add sanity check"
  before "rauc/image-rauc: use code signing infrastructure for key
  retrieval"
- clarify required versions of genimage/ptx-code-signing-dev in commit
  messages
- add rauc version bump
- sign ramdisk in FIT images (if enabled)
Regards,
Bastian
Bastian Krause (15):
  host-genimage: version bump 11 -> 13
  ptxd_lib_code_signing: return error string in cs_get_uri for make
    error case
  ptxd_lib_imx_hab: fix srk fuse file and table generation
  ptxd_lib_code_signing: introduce CA helper
  host-ptx-code-signing-dev: version bump 0.2 -> 0.4
  ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
  ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs
    configurable
  ptxd_make_fit_image: call mkimage with ptxd_exec
  u-boot/ptxd_make_fit_image: avoid overriding object name
  ptxd_make_fit_image: sign ramdisk if enabled
  code-signing: move code-signing.in to platforms/
  code-signing: introduce for ptxconfig, add sanity check
  rauc/image-rauc: use code signing infrastructure for key retrieval
  image-rauc: enable keyring verification
  rauc: version bump 1.2 -> 1.3

config/images/rauc.config | 1 +
...erriding-the-object-name-when-alread.patch | 81 +++++++++++
patches/u-boot-2020.04/series | 4 +
platforms/code-signing.in | 23 ++++
platforms/image-rauc.in | 1 +
projectroot/etc/rauc/ca.cert.pem | 7 -
rules/code-signing.in | 23 +---
rules/code-signing.make | 13 ++
rules/host-genimage.make | 4 +-
rules/host-ptx-code-signing-dev.in | 3 +
rules/host-ptx-code-signing-dev.make | 4 +-
rules/image-rauc.make | 37 +----
rules/rauc.in | 1 +
rules/rauc.make | 15 ++-
rules/templates/template-barebox-imx-habv4-in | 1 -
.../templates/template-barebox-imx-habv4-make | 2 +-
scripts/lib/ptxd_lib_code_signing.sh | 71 +++++++++-
scripts/lib/ptxd_lib_imx_hab.sh | 32 +++--
scripts/lib/ptxd_make_fit_image.sh | 8 +-
scripts/rauc-gen-test-certs.sh | 126 ------------------
20 files changed, 246 insertions(+), 211 deletions(-)
create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
create mode 100644 patches/u-boot-2020.04/series
create mode 100644 platforms/code-signing.in
delete mode 100644 projectroot/etc/rauc/ca.cert.pem
create mode 100644 rules/code-signing.make
delete mode 100755 scripts/rauc-gen-test-certs.sh
--
2.26.2
Thread overview: 31+ messages
2020-05-15 14:26 Bastian Krause [this message]
2020-05-15 14:26 ` [ptxdist] [PATCH v2 01/15] host-genimage: version bump 11 -> 13 Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 02/15] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 03/15] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 04/15] ptxd_lib_code_signing: introduce CA helper Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 05/15] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 06/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 07/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 08/15] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 09/15] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 10/15] ptxd_make_fit_image: sign ramdisk if enabled Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 11/15] code-signing: move code-signing.in to platforms/ Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 12/15] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 13/15] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 14/15] image-rauc: enable keyring verification Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 15/15] rauc: version bump 1.2 -> 1.3 Bastian Krause
2020-05-19 12:23 ` [ptxdist] [APPLIED] " Michael Olbrich