mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers
@ 2020-05-15 14:26 Bastian Krause
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 01/15] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (14 more replies)
  0 siblings, 15 replies; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

This series includes various bug fixes and extensions of ptxdist's code
signing infrastructure and its consumers. This includes HAB barebox
images, signed FIT images and RAUC bundles. Real HSMs can now be used
for signing. Newly introduced helpers simplify CA handling.

Changes since implicit v1 (20200514134300.16105-1-bst@pengutronix.de and
following, without cover letter):
  - add new line when appending to a CA
  - select necessary host tools directly in code signing provider, not in
    CODE_SIGNING
  - add code signing env to image rauc env
  - re-add accidentally dropped rules/code-signing.in introducing
    CODE_SIGNING for ptxconfig
  - move "code-signing: introduce for ptxconfig, add sanity check"
    before "rauc/image-rauc: use code signing infrastructure for key
    retrieval"
  - clarify required versions of genimage/ptx-code-signing-dev in commit
    messages
  - add rauc version bump
  - sign ramdisk in FIT images (if enabled)

Regards,
Bastian

Bastian Krause (15):
  host-genimage: version bump 11 -> 13
  ptxd_lib_code_signing: return error string in cs_get_uri for make
    error case
  ptxd_lib_imx_hab: fix srk fuse file and table generation
  ptxd_lib_code_signing: introduce CA helper
  host-ptx-code-signing-dev: version bump 0.2 -> 0.4
  ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
  ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs
    configurable
  ptxd_make_fit_image: call mkimage with ptxd_exec
  u-boot/ptxd_make_fit_image: avoid overriding object name
  ptxd_make_fit_image: sign ramdisk if enabled
  code-signing: move code-signing.in to platforms/
  code-signing: introduce for ptxconfig, add sanity check
  rauc/image-rauc: use code signing infrastructure for key retrieval
  image-rauc: enable keyring verification
  rauc: version bump 1.2 -> 1.3

 config/images/rauc.config                     |   1 +
 ...erriding-the-object-name-when-alread.patch |  81 +++++++++++
 patches/u-boot-2020.04/series                 |   4 +
 platforms/code-signing.in                     |  23 ++++
 platforms/image-rauc.in                       |   1 +
 projectroot/etc/rauc/ca.cert.pem              |   7 -
 rules/code-signing.in                         |  23 +---
 rules/code-signing.make                       |  13 ++
 rules/host-genimage.make                      |   4 +-
 rules/host-ptx-code-signing-dev.in            |   3 +
 rules/host-ptx-code-signing-dev.make          |   4 +-
 rules/image-rauc.make                         |  37 +----
 rules/rauc.in                                 |   1 +
 rules/rauc.make                               |  15 ++-
 rules/templates/template-barebox-imx-habv4-in |   1 -
 .../templates/template-barebox-imx-habv4-make |   2 +-
 scripts/lib/ptxd_lib_code_signing.sh          |  71 +++++++++-
 scripts/lib/ptxd_lib_imx_hab.sh               |  32 +++--
 scripts/lib/ptxd_make_fit_image.sh            |   8 +-
 scripts/rauc-gen-test-certs.sh                | 126 ------------------
 20 files changed, 246 insertions(+), 211 deletions(-)
 create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
 create mode 100644 patches/u-boot-2020.04/series
 create mode 100644 platforms/code-signing.in
 delete mode 100644 projectroot/etc/rauc/ca.cert.pem
 create mode 100644 rules/code-signing.make
 delete mode 100755 scripts/rauc-gen-test-certs.sh

-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de


* [ptxdist] [PATCH v2 01/15] host-genimage: version bump 11 -> 13
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 02/15] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
                   ` (13 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 rules/host-genimage.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-genimage.make b/rules/host-genimage.make
index 28d0d613a..baa69e3fb 100644
--- a/rules/host-genimage.make
+++ b/rules/host-genimage.make
@@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_GENIMAGE) += host-genimage
 #
 # Paths and names
 #
-HOST_GENIMAGE_VERSION	:= 11
-HOST_GENIMAGE_MD5	:= 5db95026ff8aedcbcf7804098f685c7b
+HOST_GENIMAGE_VERSION	:= 13
+HOST_GENIMAGE_MD5	:= 84ec07d684f27a425b3789f87c35ffa3
 HOST_GENIMAGE		:= genimage-$(HOST_GENIMAGE_VERSION)
 HOST_GENIMAGE_SUFFIX	:= tar.xz
 HOST_GENIMAGE_URL	:= http://www.pengutronix.de/software/genimage/download/$(HOST_GENIMAGE).$(HOST_GENIMAGE_SUFFIX)
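
Review bot: HOST_GENIMAGE_URL in the context below the bumped lines still fetches the tarball over plain http, so the value in HOST_GENIMAGE_MD5 is the only thing tying the download to this version, and MD5 is not collision resistant. Consider switching the URL to https in the same bump, provided the download host serves it.
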
-- 
2.26.2



* [ptxdist] [PATCH v2 02/15] ptxd_lib_code_signing: return error string in cs_get_uri for make error case
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 01/15] host-genimage: version bump 11 -> 13 Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 03/15] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
                   ` (12 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 scripts/lib/ptxd_lib_code_signing.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 588a4b1b4..f93f183df 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -154,7 +154,11 @@ cs_get_uri() {
 	if [ ${#FUNCNAME[*]} -gt 1 ]; then
 	    ptxd_bailout "No PKCS#11 URI for role ${role}"
 	else
-	    # ignore the error if cs_get_uri is called directly from make
+	    # cs_get_uri was called directly from make prior to cs_set_uri,
+	    # which may not be an error if it is evaluated early *and* later
+	    # again - return a unique error string in case it is not expected
+	    # and a user stumbles upon this
+	    echo "ERROR_URI_NOT_YET_SET"
 	    return
 	fi
     fi
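
Review bot: in the else branch of cs_get_uri the new `echo "ERROR_URI_NOT_YET_SET"` goes to stdout and is followed by a bare `return`, so the function still exits with status 0 and a make variable that captures the output holds the sentinel as if it were a PKCS#11 URI. Document the string in the function's header comment so consumers can test for it, and consider printing a warning on stderr as well so a late evaluation that still sees the sentinel shows up in the build log.
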
-- 
2.26.2



* [ptxdist] [PATCH v2 03/15] ptxd_lib_imx_hab: fix srk fuse file and table generation
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 01/15] host-genimage: version bump 11 -> 13 Bastian Krause
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 02/15] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 04/15] ptxd_lib_code_signing: introduce CA helper Bastian Krause
                   ` (11 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

srktool's help text states "certificate filenames must be separated by
a ',' with no spaces". Line continuation using "\" with the next line
being indented leads to a space being inserted between the SRK2
certificate and the SRK3 certificate.
srktool does not fail, but ignores everything after the space silently.
Thus only the first two certificates end up in the fuse file and table.

Fix this by specifying all certs on a single line.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 scripts/lib/ptxd_lib_imx_hab.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index 8be376ff1..034bf82b2 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -43,8 +43,7 @@ ptxd_make_imx_habv4_gen_table_impl() {
 	--table "${table_bin}" \
 	--efuses "${srk_fuse_bin}" \
 	--digest sha256 \
-	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,\
-	    ${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
+	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
 }
 export -f ptxd_make_imx_habv4_gen_table_impl
 
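
Review bot: the joined `--certs` argument is still unquoted, so a `${tmpdir}` that contains whitespace would split the list again and srktool would drop the trailing certificates just as silently as before. Wrap the whole comma-separated value in double quotes, and consider checking the generated table or fuse file afterwards, since srktool does not report ignored input.
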
-- 
2.26.2



* [ptxdist] [PATCH v2 04/15] ptxd_lib_code_signing: introduce CA helper
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (2 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 03/15] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 05/15] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
                   ` (10 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

These helpers allow key providers to append certificates to their CA.
'cs_get_ca <role>' then returns the path to the keyring allowing rules
and other helpers to retrieve it easily.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Changes since (implicit) v1:
  - add new line when appending to a CA
---
 scripts/lib/ptxd_lib_code_signing.sh | 65 ++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index f93f183df..a7779f821 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -261,3 +261,68 @@ cs_import_key_from_pem() {
     cs_import_privkey_from_pem "${role}" "${pem}"
 }
 export -f cs_import_key_from_pem
+
+#
+# cs_get_ca <role>
+#
+# Get the path to the CA in pem format from a role
+#
+cs_get_ca() {
+    local role="${1}"
+    cs_init_variables
+
+    echo "${keydir}/${role}/ca.pem"
+}
+export -f cs_get_ca
+
+#
+# cs_append_ca_from_pem <role> <pem>
+#
+# Append PEM to CA for a role
+#
+cs_append_ca_from_pem() {
+    local role="${1}"
+    local pem="${2}"
+    cs_init_variables
+
+    cat "${pem}" >> "${keydir}/${role}/ca.pem"
+    # add new line in case ${pem} does not end with an EOL
+    echo >> "${keydir}/${role}/ca.pem"
+}
+export -f cs_append_ca_from_pem
+
+#
+# cs_append_ca_from_der <role> <der>
+#
+# Append DER to CA for a role
+#
+cs_append_ca_from_der() {
+    local role="${1}"
+    local der="${2}"
+    cs_init_variables
+
+    ptxd_exec openssl x509 -inform der -in "${der}" \
+	-out "${tmpdir}/ca.pem" &&
+    cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
+}
+export -f cs_append_ca_from_der
+
+#
+# cs_append_ca_from_uri <role> [<uri>]
+#
+# Append certificate specified by URI or by already set URI to CA for a role
+#
+cs_append_ca_from_uri() {
+    local role="${1}"
+    local uri="${2}"
+    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")"
+    cs_init_variables
+
+    if [ -z "${uri}" ]; then
+	uri=$(cs_get_uri "${role}")
+    fi
+
+    ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
+    cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
+}
+export -f cs_append_ca_from_uri
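
Review bot: cs_append_ca_from_der writes to `"${tmpdir}/ca.pem"` but never sets tmpdir itself; in the visible lines only cs_append_ca_from_uri creates one, so a key provider that calls the DER helper directly depends on whatever tmpdir happens to be in scope. Give the DER helper its own `mktemp -d`, and split `local tmpdir="$(mktemp -d ...)"` into declaration and assignment so a failing mktemp is not masked by `local`. The `>>` in cs_append_ca_from_pem also means a provider that runs twice duplicates every certificate in ca.pem, which deserves a line in the helper's comment.
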
-- 
2.26.2



* [ptxdist] [PATCH v2 05/15] host-ptx-code-signing-dev: version bump 0.2 -> 0.4
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (3 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 04/15] ptxd_lib_code_signing: introduce CA helper Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 06/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
                   ` (9 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

This includes a fix of a copy/paste error in import_rauc_keys's role.
Additionally the new helper cs_append_ca_from_uri is now used for RAUC
and HAB SRK roles. The helper function requires HOST_EXTRACT_CERT,
HOST_OPENSSL and HOST_LIBP11.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Changes since (implicit) v1:
  - select necessary host tools directly in code signing provider, not in
    CODE_SIGNING
  - select required HOST_LIBP11
---
 rules/host-ptx-code-signing-dev.in   | 3 +++
 rules/host-ptx-code-signing-dev.make | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/host-ptx-code-signing-dev.in b/rules/host-ptx-code-signing-dev.in
index 19ea46c40..7cad9f54d 100644
--- a/rules/host-ptx-code-signing-dev.in
+++ b/rules/host-ptx-code-signing-dev.in
@@ -10,3 +10,6 @@ config HOST_PTX_CODE_SIGNING_DEV
 	bool
 	select HOST_SOFTHSM
 	select HOST_OPENSC
+	select HOST_EXTRACT_CERT
+	select HOST_OPENSSL
+	select HOST_LIBP11
diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
index ea40ac646..d97ae60ef 100644
--- a/rules/host-ptx-code-signing-dev.make
+++ b/rules/host-ptx-code-signing-dev.make
@@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
 #
 # Paths and names
 #
-HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.2
-HOST_PTX_CODE_SIGNING_DEV_MD5		:= 1d8f695cde55ea9bbfac9804ce439c9a
+HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.4
+HOST_PTX_CODE_SIGNING_DEV_MD5		:= 853ac0147adc0b46dc695e16a7101aaa
 HOST_PTX_CODE_SIGNING_DEV		:= ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
 HOST_PTX_CODE_SIGNING_DEV_SUFFIX	:= tar.gz
 HOST_PTX_CODE_SIGNING_DEV_URL		:= https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)
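
Review bot: the bump from 0.2 to 0.4 skips a release, but the commit message names only the import_rauc_keys role fix and the switch to cs_append_ca_from_uri. Since this package supplies the keys and CAs that later patches in the series rely on, list what else changed between 0.2 and 0.4, or state that nothing else did, so the new HOST_PTX_CODE_SIGNING_DEV_MD5 can be reviewed against a known set of changes.
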
-- 
2.26.2



* [ptxdist] [PATCH v2 06/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (4 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 05/15] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 07/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
                   ` (8 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Key providers now take care of calling the CA helpers. This makes sure
the CA is already present in pem format. Use that instead of extracting
and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer
a dependency of template-barebox-imx-habv4.

Note: requires ptx-code-signing-dev 0.4 or later

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Changes since (implicit) v1:
  - clarify required version of ptx-code-signing-dev in commit message
---
 rules/templates/template-barebox-imx-habv4-in |  1 -
 scripts/lib/ptxd_lib_imx_hab.sh               | 16 ++++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/rules/templates/template-barebox-imx-habv4-in b/rules/templates/template-barebox-imx-habv4-in
index af3e59986..16258cbee 100644
--- a/rules/templates/template-barebox-imx-habv4-in
+++ b/rules/templates/template-barebox-imx-habv4-in
@@ -3,7 +3,6 @@
 config BAREBOX_@PACKAGE@
 	tristate
 	select CODE_SIGNING
-	select HOST_EXTRACT_CERT
 	select HOST_IMX_CST
 	prompt "Barebox (@package@)"
 	help
diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index 034bf82b2..781c1b3f6 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -26,24 +26,24 @@ ptxd_make_imx_habv4_gen_table_impl() {
     local template="${1}"
     local table_bin="${pkg_build_dir}/imx-srk-table.bin"
     local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
-    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/imx-habv4.XXXXXX")"
+    local -a certs
 
     echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
 
     for i in 1 2 3 4; do
-	local t=$(printf "${template}" "${i}")
-	local uri=$(cs_get_uri "$t")
+	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
+    done
 
-	ptxd_exec extract-cert "${uri}" ${tmpdir}/srk${i}.der &&
-	ptxd_exec openssl x509 -inform der -in ${tmpdir}/srk${i}.der \
-	    -out ${tmpdir}/srk${i}.pem || break
-    done &&
+    local orig_IFS="${IFS}"
+    IFS=","
+    certs="${certs[*]}"
+    IFS="${orig_IFS}"
 
     ptxd_exec srktool --hab_ver 4 \
 	--table "${table_bin}" \
 	--efuses "${srk_fuse_bin}" \
 	--digest sha256 \
-	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
+	--certs "${certs}"
 }
 export -f ptxd_make_imx_habv4_gen_table_impl
 
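
Review bot: the rewritten loop collects paths from cs_get_ca without checking that the files exist, and the old `|| break` / `done &&` chain that stopped before srktool on failure is gone. cs_get_ca only echoes `${keydir}/${role}/ca.pem`, so with a provider that never called the CA helpers srktool is handed paths to missing files; test each path before joining the list and bail out with the role name. Because ca.pem is built by appending, it is also worth stating that each SRK role must hold exactly one certificate. Separately, `certs="${certs[*]}"` overwrites element 0 of the array declared with `local -a certs`; a distinct scalar would be easier to read.
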
-- 
2.26.2



* [ptxdist] [PATCH v2 07/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (5 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 06/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 08/15] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
                   ` (7 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 rules/templates/template-barebox-imx-habv4-make |  2 +-
 scripts/lib/ptxd_lib_imx_hab.sh                 | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
index d8086f0cf..ec402afa1 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
 	@$(call targetinfo)
 
 	@$(call world/env, BAREBOX_@PACKAGE@) \
-		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d"
+		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
 
 	@$(call world/compile, BAREBOX_@PACKAGE@)
 
diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index 781c1b3f6..d1e2aba99 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -9,10 +9,12 @@
 #
 # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
 #
-# usage: ptxd_make_imx_habv4_gen_table <template>
+# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
 #
 # template: the role template to access the keys. Must contain a "%d" which is
 #           used as index
+# srk_count: the number of keys (keys with index 1..srk_count will be used),
+#            defaults to 4
 #
 # The output files are generated in the package build dir:
 #
@@ -24,13 +26,22 @@
 #
 ptxd_make_imx_habv4_gen_table_impl() {
     local template="${1}"
+    local srk_count="${2}"
     local table_bin="${pkg_build_dir}/imx-srk-table.bin"
     local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
     local -a certs
 
+    if [ -z "${srk_count}" ]; then
+	srk_count=4
+    fi
+
+    if [ "${srk_count}" -gt 4 ]; then
+	ptxd_bailout "HABv4 allows only 4 certificates"
+    fi
+
     echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
 
-    for i in 1 2 3 4; do
+    for i in $(seq ${srk_count}); do
 	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
     done
 
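
Review bot: srk_count is only checked against the upper bound, so `0`, a negative number or a non-numeric string gets past `[ "${srk_count}" -gt 4 ]` (for a non-number the test fails with an error and the `if` simply takes the false branch). `seq` then yields no indices and srktool is called with an empty `--certs` list. Validate the value as an integer in the range 1 to 4 before the loop and bail out otherwise.
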
-- 
2.26.2



* [ptxdist] [PATCH v2 08/15] ptxd_make_fit_image: call mkimage with ptxd_exec
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (6 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 07/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 09/15] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
                   ` (6 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

It helps debugging failing mkimage calls.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 scripts/lib/ptxd_make_fit_image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
index 761d6bf1e..041c5b803 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -127,6 +127,6 @@ ptxd_make_image_fit() {
 	echo "Generated device-tree for the fit image:"
 	cat "${its}"
     fi &&
-    mkimage -N pkcs11 -f "${its}" "${image_image}" -r "${sign_args[@]}"
+    ptxd_exec mkimage -N pkcs11 -f "${its}" "${image_image}" -r "${sign_args[@]}"
 }
 export -f ptxd_make_image_fit
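
Review bot: `"${sign_args[@]}"` carries the PKCS#11 URI, so if ptxd_exec echoes the command it runs, which is what would make it useful for debugging, that URI now lands in the build log. Confirm that URIs passed here never include a `pin-value` attribute, or note in the commit message that PINs must be supplied by other means.
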
-- 
2.26.2



* [ptxdist] [PATCH v2 09/15] u-boot/ptxd_make_fit_image: avoid overriding object name
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (7 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 08/15] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 10/15] ptxd_make_fit_image: sign ramdisk if enabled Bastian Krause
                   ` (5 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Having multiple "object=" occurrences in a single PKCS#11 URI does not
work for all cases, at least not for opensc-pkcs11. Thus u-boot's
PKCS#11 handling was patched to avoid overriding the object name when
it is already specified. The patch was sent upstream.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 ...erriding-the-object-name-when-alread.patch | 81 +++++++++++++++++++
 patches/u-boot-2020.04/series                 |  4 +
 scripts/lib/ptxd_make_fit_image.sh            |  4 +-
 3 files changed, 86 insertions(+), 3 deletions(-)
 create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
 create mode 100644 patches/u-boot-2020.04/series

diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
new file mode 100644
index 000000000..5ba930fb5
--- /dev/null
+++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
@@ -0,0 +1,81 @@
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Mon, 16 Mar 2020 11:45:22 +0100
+Subject: [PATCH] lib: rsa: avoid overriding the object name when already
+ specified
+
+If "object=" is specified in "keydir" when using the pkcs11 engine do
+not append another "object=<key-name-hint>". This makes it possible to
+use object names other than the key name hint. These two string
+identifiers are not necessarily equal.
+
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Signed-off-by: Bastian Krause <bst@pengutronix.de>
+Reviewed-by: George McCollister <george.mccollister@gmail.com>
+Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html
+---
+ doc/uImage.FIT/signature.txt |  8 +++++---
+ lib/rsa/rsa-sign.c           | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
+index 3591225a6edd..d4afd755e9fc 100644
+--- a/doc/uImage.FIT/signature.txt
++++ b/doc/uImage.FIT/signature.txt
+@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
+ to openssl's default search paths.
+ 
+ PKCS11 engine support forms "key id" based on "keydir" and with
+-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
+-defined is used to define (prefix for) which PKCS11 source is being used for
+-lookup up for the key.
++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
++is being used for lookup up for the key.
+ 
+ PKCS11 engine key ids:
+    "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
++or, if keydir contains "object="
++   "pkcs11:<keydir>;type=<public|private>"
+ or
+    "pkcs11:object=<key-name-hint>;type=<public|private>",
+ 
+diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
+index 580c74470939..1914b9641312 100644
+--- a/lib/rsa/rsa-sign.c
++++ b/lib/rsa/rsa-sign.c
+@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+ 
+ 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ 		if (keydir)
+-			snprintf(key_id, sizeof(key_id),
+-				 "pkcs11:%s;object=%s;type=public",
+-				 keydir, name);
++			if (strstr(keydir, "object="))
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;type=public",
++					 keydir);
++			else
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;object=%s;type=public",
++					 keydir, name);
+ 		else
+ 			snprintf(key_id, sizeof(key_id),
+ 				 "pkcs11:object=%s;type=public",
+@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+ 
+ 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ 		if (keydir)
+-			snprintf(key_id, sizeof(key_id),
+-				 "pkcs11:%s;object=%s;type=private",
+-				 keydir, name);
++			if (strstr(keydir, "object="))
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;type=private",
++					 keydir);
++			else
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;object=%s;type=private",
++					 keydir, name);
+ 		else
+ 			snprintf(key_id, sizeof(key_id),
+ 				 "pkcs11:object=%s;type=private",
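
Review bot: in both rsa_engine_get_pub_key and rsa_engine_get_priv_key the new inner `if (strstr(keydir, "object="))` / `else` sits unbraced under `if (keydir)`, leaving two `else` branches whose pairing depends on the dangling-else rule; add braces around the outer branch so the pairing is explicit and compilers do not warn about it. The `strstr` test is also a plain substring match, so any keydir that contains the text `object=` anywhere, not only as a URI attribute, suppresses the key-name-hint; matching at the start of the string or after a `;` would be stricter. The two copies differ only in `public` versus `private` and could share one helper.
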
diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series
new file mode 100644
index 000000000..02db98548
--- /dev/null
+++ b/patches/u-boot-2020.04/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
+# d5b0f03c362d4c4e9d26f37173d666d6  - git-ptx-patches magic
diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
index 041c5b803..c2725ab3d 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -106,9 +106,7 @@ ptxd_make_image_fit() {
 	#
 	# It would have been too simple for mkimage to just take a
 	# PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot
-	# then adds again. Also mkimage adds "object=<key_name_hint>"
-	# to the URI which our URI already has. Well having it twice
-	# doesn't seem to hurt at least SoftHSM.
+	# then adds again.
 	#
 	pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://")
 	sign_args=( -k "${pkcs11_uri}" )
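
Review bot: the shortened comment no longer says that mkimage appends `object=<key_name_hint>` unless it carries the patch added in this series, so a build that picks up an unpatched mkimage gets the duplicate `object=` back, which the commit message says does not work with opensc-pkcs11. Keep one sentence in the comment naming that dependency. While here, the `sed "s/pkcs11://"` in the context line is unanchored; `s/^pkcs11://` strips only the scheme prefix.
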
-- 
2.26.2



* [ptxdist] [PATCH v2 10/15] ptxd_make_fit_image: sign ramdisk if enabled
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (8 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 09/15] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 11/15] code-signing: move code-signing.in to platforms/ Bastian Krause
                   ` (4 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Until now only kernel and fdt are signed by mkimage. If a ramdisk is
used, sign it also.

Unfortunately quotes are not usable in the alternative value of
variable parameter substitution ${parameter:+alt_value}:

  https://stackoverflow.com/questions/40995523/bash-variable-expansion-var-in-here-document-removing-double-quotes

Thus use printf as a workaround.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Note: newly added in v2.
---
 scripts/lib/ptxd_make_fit_image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
index c2725ab3d..56f273686 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -78,7 +78,7 @@ EOF
 			signature-1 {
 				algo = "sha256,rsa4096";
 				key-name-hint = "${image_key_name_hint}";
-				sign-images = "fdt", "kernel";
+				sign-images = "fdt", "kernel"${image_initramfs:+$(printf %s ', "ramdisk"')};
 			};
 EOF
 	fi
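
Review bot: the `${image_initramfs:+$(printf %s ', "ramdisk"')}` expansion on the sign-images line packs a command substitution into the here-document to work around the quoting issue, which is hard to read in the one place that decides what gets signed. Build the image list in a variable before the here-document and expand that instead, so the signed set stays easy to audit.
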
-- 
2.26.2



* [ptxdist] [PATCH v2 11/15] code-signing: move code-signing.in to platforms/
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (9 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 10/15] ptxd_make_fit_image: sign ramdisk if enabled Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 12/15] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
                   ` (3 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

rules/code-signing.in belongs in platforms/, so move it there.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 {rules => platforms}/code-signing.in | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {rules => platforms}/code-signing.in (100%)

diff --git a/rules/code-signing.in b/platforms/code-signing.in
similarity index 100%
rename from rules/code-signing.in
rename to platforms/code-signing.in
-- 
2.26.2


* [ptxdist] [PATCH v2 12/15] code-signing: introduce for ptxconfig, add sanity check
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (10 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 11/15] code-signing: move code-signing.in to platforms/ Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 13/15] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
                   ` (2 subsequent siblings)
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Create a new rules/code-signing.in to be able to select CODE_SIGNING
not only in platformconfig but also in ptxconfig.

Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if
PTXCONF_CODE_SIGNING is set.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Changes since (implicit) v1:
  - re-add accidentally dropped rules/code-signing.in introducing
    CODE_SIGNING for ptxconfig
  - move before "rauc/image-rauc: use code signing infrastructure for key retrieval"
---
 rules/code-signing.in   |  4 ++++
 rules/code-signing.make | 13 +++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 rules/code-signing.in
 create mode 100644 rules/code-signing.make

diff --git a/rules/code-signing.in b/rules/code-signing.in
new file mode 100644
index 000000000..ae2ba726d
--- /dev/null
+++ b/rules/code-signing.in
@@ -0,0 +1,4 @@
+## SECTION=hosttools_noprompt_ptx
+
+config CODE_SIGNING
+	bool
diff --git a/rules/code-signing.make b/rules/code-signing.make
new file mode 100644
index 000000000..db1c5ab88
--- /dev/null
+++ b/rules/code-signing.make
@@ -0,0 +1,13 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2020 by Bastian Krause <bst@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+ifdef PTXCONF_CODE_SIGNING
+ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),)
+$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly)
+endif
+endif
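
Review bot: The check in `rules/code-signing.make` only tests whether `PTXCONF_CODE_SIGNING_PROVIDER` is empty after `remove_quotes`, while the error text says it "must be set correctly". A non-empty but misspelled provider name passes this test. Either word the message as "must not be empty" or extend the check to confirm that the named provider exists, and mention in the message where the option is configured.
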
-- 
2.26.2


* [ptxdist] [PATCH v2 13/15] rauc/image-rauc: use code signing infrastructure for key retrieval
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (11 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 12/15] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 14/15] image-rauc: enable keyring verification Bastian Krause
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 15/15] rauc: version bump 1.2 -> 1.3 Bastian Krause
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Use the keys provided by the currently active key provider via PKCS#11
instead of key files placed in the platform config directory. In order
to make sure the new mechanics are used after a BSP update the rauc.key
file is no longer allowed to exist in the platformconfig directory.

Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or
later

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Changes since (implicit) v1:
  - add code signing env to image rauc env
  - clarify required versions of genimage/ptx-code-signing-dev in commit
    message
---
 platforms/image-rauc.in          |   1 +
 projectroot/etc/rauc/ca.cert.pem |   7 --
 rules/image-rauc.make            |  36 ++-------
 rules/rauc.in                    |   1 +
 rules/rauc.make                  |  11 ++-
 scripts/rauc-gen-test-certs.sh   | 126 -------------------------------
 6 files changed, 17 insertions(+), 165 deletions(-)
 delete mode 100644 projectroot/etc/rauc/ca.cert.pem
 delete mode 100755 scripts/rauc-gen-test-certs.sh

diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
index 658ddd5cd..1f9427b40 100644
--- a/platforms/image-rauc.in
+++ b/platforms/image-rauc.in
@@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
 	select HOST_GENIMAGE
 	select HOST_RAUC
 	select IMAGE_ROOT_TGZ
+	select CODE_SIGNING
 	help
 	  This generates a RAUC update Bundle for the selected platform using
 	  genimage.
diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
deleted file mode 100644
index be1aa7c30..000000000
--- a/projectroot/etc/rauc/ca.cert.pem
+++ /dev/null
@@ -1,7 +0,0 @@
-# This is a dummy keyring file. Please overwrite this with one that matches
-# your X.509 infrastructure if you intend to use RAUC for secure updates!
-#
-# If you really do not intend to actively use the security features (or for
-# testing purpose) you may create a development certificate by executing the
-# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
-# installation.
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index 839cb400b..d85b88cc2 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG	:= rauc.config
 
 ifdef PTXCONF_IMAGE_RAUC
 
-IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
-IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
-
-IMAGE_RAUC_ENV	:= \
+IMAGE_RAUC_ENV	= \
+	$(CODE_SIGNING_ENV) \
 	RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
 	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
 	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
 	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
-	RAUC_KEY=$(IMAGE_RAUC_KEY) \
-	RAUC_CERT=$(IMAGE_RAUC_CERT)
+	RAUC_KEY="$(shell cs_get_uri update)" \
+	RAUC_CERT="$(shell cs_get_uri update)"
 
-$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
+$(IMAGE_RAUC_IMAGE):
 	@$(call targetinfo)
 	@$(call image/genimage, IMAGE_RAUC)
 	@$(call finish)
 
-$(IMAGE_RAUC_KEY):
-	@echo
-	@echo "****************************************************************************"
-	@echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
-	@echo "*                                                                          *"
-	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
-	@echo "*       from the scripts/ folder of your PTXdist installation              *"
-	@echo "****************************************************************************"
-	@echo
-	@echo
-	@exit 1
-
-$(IMAGE_RAUC_CERT):
-	@echo
-	@echo "****************************************************************************"
-	@echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
-	@echo "*                                                                          *"
-	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
-	@echo "*       from the scripts/ folder of your PTXdist installation              *"
-	@echo "****************************************************************************"
-	@echo
-	@echo
-	@exit 1
-
 endif
 
 # vim: syntax=make
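
Review bot: With the `$(IMAGE_RAUC_KEY)` and `$(IMAGE_RAUC_CERT)` prerequisites removed, nothing in the `$(IMAGE_RAUC_IMAGE)` rule fails early when no key is available: `RAUC_KEY` and `RAUC_CERT` are whatever `$(shell cs_get_uri update)` prints. Elsewhere in this series `cs_get_uri` echoes `ERROR_URI_NOT_YET_SET` when it is called directly from make before the URI is set, so that string could be handed to genimage as key and certificate. Consider a check in the recipe that bails out when the value is empty or equals that sentinel, and add a comment saying that key and certificate intentionally share one PKCS#11 URI.
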
diff --git a/rules/rauc.in b/rules/rauc.in
index d712bc7b9..56fc3ae3b 100644
--- a/rules/rauc.in
+++ b/rules/rauc.in
@@ -7,6 +7,7 @@ menuconfig RAUC
 	select GLIB
 	select GLIB_LIBMOUNT
 	select HOST_GLIB
+	select CODE_SIGNING
 	select BUSYBOX_FEATURE_TAR_LONG_OPTIONS	if BUSYBOX_TAR
 	select BUSYBOX_FEATURE_TAR_AUTODETECT	if BUSYBOX_TAR
 	select BUSYBOX_FEATURE_SEAMLESS_XZ	if BUSYBOX_TAR
diff --git a/rules/rauc.make b/rules/rauc.make
index ade9bd5dd..f9a10fbbc 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -46,6 +46,14 @@ RAUC_CONF_OPT	:= \
 	--with-dbuspolicydir=/usr/share/dbus-1/system.d \
 	--with-dbussystemservicedir=/usr/share/dbus-1/system-services
 
+$(STATEDIR)/rauc.prepare:
+	@$(call targetinfo)
+	@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
+		ptxd_bailout "Please use the key provider infrastructure desribed in:" \
+			"scripts/lib/ptxd_lib_code_signing.sh"
+	@$(call world/prepare, RAUC)
+	@$(call touch)
+
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
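
Review bot: The guard in `rauc.prepare` tests for `config/rauc/rauc.key`, but the rule removed from `rules/image-rauc.make` in this same patch read the key from `config/rauc/rauc.key.pem`. A BSP that still carries the old `rauc.key.pem` passes this test unnoticed, which defeats the purpose stated in the commit message. Test the `.pem` path instead (and possibly `rauc.cert.pem` as well), and fix the "desribed" typo in the bailout text while touching it.
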
@@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
 	@$(call install_replace, rauc, /etc/rauc/system.conf, \
 		@RAUC_BUNDLE_COMPATIBLE@, \
 		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
-	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
+	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
+		/etc/rauc/ca.cert.pem)
 endif
 
 ifdef PTXCONF_RAUC_SERVICE
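
Review bot: Replacing `install_alternative` with `install_copy` of `$(shell cs_get_ca update)` installs whatever the provider path points to as `/etc/rauc/ca.cert.pem`, with no check that the file exists or is non-empty. `cs_get_ca` in this series only echoes `${keydir}/${role}/ca.pem`, so a provider that never appended a certificate to the CA is only noticed through a generic copy failure at this step. A `test -s` on the path with a `ptxd_bailout` that names the `update` role would make the cause explicit.
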
diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
deleted file mode 100755
index b4ea6a8cf..000000000
--- a/scripts/rauc-gen-test-certs.sh
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
-# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
-#
-# For further information about the PTXdist project and license conditions
-# see the README file.
-#
-# ---
-#
-# Demo script that generates certificate files required to sign and verify
-# RAUC update tool bundles.
-#
-
-set -xe
-
-ORG="Test Org"
-CA="rauc CA"
-
-# After the CRL expires, signatures cannot be verified anymore
-CRL="-crldays 5000"
-
-BASE="$(pwd)/rauc-openssl-ca"
-
-if [ -e $BASE ]; then
-  echo "$BASE already exists"
-  exit 1
-fi
-
-mkdir -p $BASE/dev/{private,certs}
-touch $BASE/dev/index.txt
-echo 01 > $BASE/dev/serial
-
-cat > $BASE/openssl.cnf <<EOF
-[ ca ]
-default_ca      = CA_default            # The default ca section
-
-[ CA_default ]
-
-dir            = .                     # top dir
-database       = \$dir/index.txt        # index file.
-new_certs_dir  = \$dir/certs            # new certs dir
-
-certificate    = \$dir/ca.cert.pem       # The CA cert
-serial         = \$dir/serial           # serial no file
-private_key    = \$dir/private/ca.key.pem# CA private key
-RANDFILE       = \$dir/private/.rand    # random number file
-
-default_startdate = 19700101000000Z
-default_enddate = 99991231235959Z
-default_crl_days= 30                   # how long before next CRL
-default_md     = sha256                # md to use
-
-policy         = policy_any            # default policy
-email_in_dn    = no                    # Don't add the email into cert DN
-
-name_opt       = ca_default            # Subject name display option
-cert_opt       = ca_default            # Certificate display option
-copy_extensions = none                 # Don't copy extensions from request
-
-[ policy_any ]
-organizationName       = match
-commonName             = supplied
-
-[ req ]
-default_bits           = 2048
-distinguished_name     = req_distinguished_name
-x509_extensions        = v3_leaf
-encrypt_key = no
-default_md = sha256
-
-[ req_distinguished_name ]
-commonName                     = Common Name (eg, YOUR name)
-commonName_max                 = 64
-
-[ v3_ca ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE
-
-[ v3_inter ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE,pathlen:0
-
-[ v3_leaf ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:FALSE
-EOF
-
-export OPENSSL_CONF=$BASE/openssl.cnf
-
-echo "Development CA"
-cd $BASE/dev
-openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
-openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
-
-echo "Development Signing Keys 1"
-cd $BASE/dev
-openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
-openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
-
-cat << EOF
-===============================================================================
-
-Note that the default application should be to set up a public key
-infrastructure at your site and use keys and certificates genereated by these.
-
-In oder to use the just generated files in your BSP for testing purpose or if
-you do not intend to use real authentification, follow the instructions below. 
-
-Place the key and certificate file in your platform-dir's config/ folder:
-
-  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
-  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
-
-Place the keyring file in your platform-dir's projectroot/ folder:
-
-  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
-
-===============================================================================
-EOF
-- 
2.26.2


* [ptxdist] [PATCH v2 14/15] image-rauc: enable keyring verification
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (12 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 13/15] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 15/15] rauc: version bump 1.2 -> 1.3 Bastian Krause
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Note: requires genimage v13 or later

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Changes since (implicit) v1:
  - clarify required version of genimage in commit message
---
 config/images/rauc.config | 1 +
 rules/image-rauc.make     | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/images/rauc.config b/config/images/rauc.config
index 8396bd4be..0c824f00e 100644
--- a/config/images/rauc.config
+++ b/config/images/rauc.config
@@ -13,5 +13,6 @@ image @IMAGE@ {
 			"
 		cert = "@RAUC_CERT@"
 		key = "@RAUC_KEY@"
+		keyring = "@RAUC_KEYRING@"
 	}
 }
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index d85b88cc2..fe1b0e89b 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -33,7 +33,8 @@ IMAGE_RAUC_ENV	= \
 	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
 	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
 	RAUC_KEY="$(shell cs_get_uri update)" \
-	RAUC_CERT="$(shell cs_get_uri update)"
+	RAUC_CERT="$(shell cs_get_uri update)" \
+	RAUC_KEYRING="$(shell cs_get_ca update)"
 
 $(IMAGE_RAUC_IMAGE):
 	@$(call targetinfo)
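
Review bot: `RAUC_KEYRING` is now passed unconditionally, so every key provider used with `IMAGE_RAUC` has to populate the CA of the `update` role, yet neither a comment next to the variable nor the commit message (which only carries the genimage version note) says so. Document that requirement, and consider failing with a clear message when the file returned by `cs_get_ca update` is missing instead of leaving the error to genimage.
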
-- 
2.26.2


* [ptxdist] [PATCH v2 15/15] rauc: version bump 1.2 -> 1.3
  2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
                   ` (13 preceding siblings ...)
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 14/15] image-rauc: enable keyring verification Bastian Krause
@ 2020-05-15 14:26 ` Bastian Krause
  2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
  14 siblings, 1 reply; 31+ messages in thread
From: Bastian Krause @ 2020-05-15 14:26 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Note: newly added in v2.
---
 rules/rauc.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/rauc.make b/rules/rauc.make
index f9a10fbbc..075a7d649 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_RAUC) += rauc
 #
 # Paths and names
 #
-RAUC_VERSION	:= 1.2
-RAUC_MD5	:= e2a1772825c6ea900e4824b670846a00
+RAUC_VERSION	:= 1.3
+RAUC_MD5	:= 04ba029daa51e1f70fe53d62f2c5ebc3
 RAUC		:= rauc-$(RAUC_VERSION)
 RAUC_SUFFIX	:= tar.xz
 RAUC_URL	:= https://github.com/rauc/rauc/releases/download/v$(RAUC_VERSION)/$(RAUC).$(RAUC_SUFFIX)
-- 
2.26.2


* Re: [ptxdist] [APPLIED] host-genimage: version bump 11 -> 13
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 01/15] host-genimage: version bump 11 -> 13 Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 943766bfdd12fefa509613f7055c6340cc26afa1.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:37 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-2-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/host-genimage.make b/rules/host-genimage.make
> index 28d0d613a1d6..baa69e3fbf9f 100644
> --- a/rules/host-genimage.make
> +++ b/rules/host-genimage.make
> @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_GENIMAGE) += host-genimage
>  #
>  # Paths and names
>  #
> -HOST_GENIMAGE_VERSION	:= 11
> -HOST_GENIMAGE_MD5	:= 5db95026ff8aedcbcf7804098f685c7b
> +HOST_GENIMAGE_VERSION	:= 13
> +HOST_GENIMAGE_MD5	:= 84ec07d684f27a425b3789f87c35ffa3
>  HOST_GENIMAGE		:= genimage-$(HOST_GENIMAGE_VERSION)
>  HOST_GENIMAGE_SUFFIX	:= tar.xz
>  HOST_GENIMAGE_URL	:= http://www.pengutronix.de/software/genimage/download/$(HOST_GENIMAGE).$(HOST_GENIMAGE_SUFFIX)

* Re: [ptxdist] [APPLIED] ptxd_lib_imx_hab: fix srk fuse file and table generation
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 03/15] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 62b473be8da55fdc020c630004efab881c78b9d4.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:38 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> srktool's help text states "certificate filenames must be separated by
> a ',' with no spaces". Line continuation using "\" with the next line
> being indented leads to a space being inserted between the SRK2
> certificate and the SRK3 certificate.
> srktool does not fail, but ignores everything after the space silently.
> Thus only the first two certificates end up in the fuse file and table.
> 
> Fix this by specifying all certs on a single line.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-4-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
> index 8be376ff12c9..034bf82b232a 100644
> --- a/scripts/lib/ptxd_lib_imx_hab.sh
> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
> @@ -43,8 +43,7 @@ ptxd_make_imx_habv4_gen_table_impl() {
>  	--table "${table_bin}" \
>  	--efuses "${srk_fuse_bin}" \
>  	--digest sha256 \
> -	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,\
> -	    ${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
> +	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
>  }
>  export -f ptxd_make_imx_habv4_gen_table_impl
>  
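
Review bot: The `--certs` value on the new single line is still unquoted, so a `${tmpdir}` containing whitespace would split the list again and run into the same silent truncation in srktool that this patch fixes. Quote the whole comma-separated value, or build it in a variable first and pass `--certs "${certs}"`.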

* Re: [ptxdist] [APPLIED] ptxd_lib_code_signing: return error string in cs_get_uri for make error case
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 02/15] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 6c024da4d92217c468983d4a8bd8c3e252d36af8.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:38 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-3-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index 588a4b1b44fa..f93f183df8e8 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -154,7 +154,11 @@ cs_get_uri() {
>  	if [ ${#FUNCNAME[*]} -gt 1 ]; then
>  	    ptxd_bailout "No PKCS#11 URI for role ${role}"
>  	else
> -	    # ignore the error if cs_get_uri is called directly from make
> +	    # cs_get_uri was called directly from make prior to cs_set_uri,
> +	    # which may not be an error if it is evaluated early *and* later
> +	    # again - return a unique error string in case it is not expected
> +	    # and a user stumbles upon this
> +	    echo "ERROR_URI_NOT_YET_SET"
>  	    return
>  	fi
>      fi
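
Review bot: In the called-from-make branch the function now echoes `ERROR_URI_NOT_YET_SET` on stdout and then does a bare `return`, so the exit status is 0 and `$(shell cs_get_uri ...)` callers receive the sentinel as if it were a URI. The new comment explains why the case is tolerated, but consumers have no documented way to detect it. Describe the sentinel in the header comment of `cs_get_uri` so that rules can compare against it before using the value.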

* Re: [ptxdist] [APPLIED] ptxd_lib_code_signing: introduce CA helper
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 04/15] ptxd_lib_code_signing: introduce CA helper Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 2670bde257e1a0fd4f56ef6d983d770cf251b2dd.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:39 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> These helpers allow key providers to append certificates to their CA.
> 'cs_get_ca <role>' then returns the path to the keyring allowing rules
> and other helpers to retrieve it easily.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-5-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index f93f183df8e8..a7779f8212c6 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -261,3 +261,68 @@ cs_import_key_from_pem() {
>      cs_import_privkey_from_pem "${role}" "${pem}"
>  }
>  export -f cs_import_key_from_pem
> +
> +#
> +# cs_get_ca <role>
> +#
> +# Get the path to the CA in pem format from a role
> +#
> +cs_get_ca() {
> +    local role="${1}"
> +    cs_init_variables
> +
> +    echo "${keydir}/${role}/ca.pem"
> +}
> +export -f cs_get_ca
> +
> +#
> +# cs_append_ca_from_pem <role> <pem>
> +#
> +# Append PEM to CA for a role
> +#
> +cs_append_ca_from_pem() {
> +    local role="${1}"
> +    local pem="${2}"
> +    cs_init_variables
> +
> +    cat "${pem}" >> "${keydir}/${role}/ca.pem"
> +    # add new line in case ${pem} does not end with an EOL
> +    echo >> "${keydir}/${role}/ca.pem"
> +}
> +export -f cs_append_ca_from_pem
> +
> +#
> +# cs_append_ca_from_der <role> <der>
> +#
> +# Append DER to CA for a role
> +#
> +cs_append_ca_from_der() {
> +    local role="${1}"
> +    local der="${2}"
> +    cs_init_variables
> +
> +    ptxd_exec openssl x509 -inform der -in "${der}" \
> +	-out "${tmpdir}/ca.pem" &&
> +    cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
> +}
> +export -f cs_append_ca_from_der
> +
> +#
> +# cs_append_ca_from_uri <role> [<uri>]
> +#
> +# Append certificate specified by URI or by already set URI to CA for a role
> +#
> +cs_append_ca_from_uri() {
> +    local role="${1}"
> +    local uri="${2}"
> +    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")"
> +    cs_init_variables
> +
> +    if [ -z "${uri}" ]; then
> +	uri=$(cs_get_uri "${role}")
> +    fi
> +
> +    ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
> +    cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
> +}
> +export -f cs_append_ca_from_uri
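
Review bot: `cs_append_ca_from_der` writes to `${tmpdir}/ca.pem` but neither declares nor creates `tmpdir`; it works when reached through `cs_append_ca_from_uri`, whose `local tmpdir` is visible through dynamic scoping, but a provider calling it directly depends on `tmpdir` being set elsewhere (for example by `cs_init_variables`, which is not shown here). Give the function its own `mktemp -d` directory or document the expectation. Two smaller points: `cs_append_ca_from_pem` appends blindly, so running a provider's setup twice duplicates the entries in `ca.pem`, and `local tmpdir="$(mktemp ...)"` hides a failing mktemp because the status of `local` wins.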

* Re: [ptxdist] [APPLIED] host-ptx-code-signing-dev: version bump 0.2 -> 0.4
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 05/15] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as e218050ff02017e661035d2bb251ec9cb39cf80f.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:40 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> This includes a fix of a copy/paste error in import_rauc_keys's role.
> Additionally the new helper cs_append_ca_from_uri is now used for RAUC
> and HAB SRK roles. The helper function requires HOST_EXTRACT_CERT,
> HOST_OPENSSL and HOST_LIBP11.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-6-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/host-ptx-code-signing-dev.in b/rules/host-ptx-code-signing-dev.in
> index 19ea46c40e09..7cad9f54d9dd 100644
> --- a/rules/host-ptx-code-signing-dev.in
> +++ b/rules/host-ptx-code-signing-dev.in
> @@ -10,3 +10,6 @@ config HOST_PTX_CODE_SIGNING_DEV
>  	bool
>  	select HOST_SOFTHSM
>  	select HOST_OPENSC
> +	select HOST_EXTRACT_CERT
> +	select HOST_OPENSSL
> +	select HOST_LIBP11
> diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
> index ea40ac646fcc..d97ae60ef140 100644
> --- a/rules/host-ptx-code-signing-dev.make
> +++ b/rules/host-ptx-code-signing-dev.make
> @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
>  #
>  # Paths and names
>  #
> -HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.2
> -HOST_PTX_CODE_SIGNING_DEV_MD5		:= 1d8f695cde55ea9bbfac9804ce439c9a
> +HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.4
> +HOST_PTX_CODE_SIGNING_DEV_MD5		:= 853ac0147adc0b46dc695e16a7101aaa
>  HOST_PTX_CODE_SIGNING_DEV		:= ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
>  HOST_PTX_CODE_SIGNING_DEV_SUFFIX	:= tar.gz
>  HOST_PTX_CODE_SIGNING_DEV_URL		:= https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)

* Re: [ptxdist] [APPLIED] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 06/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as f67dc22691a8671ea3306f768712d3185f453077.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:40 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Key providers now take care of calling the CA helpers. This makes sure
> the CA is already present in pem format. Use that instead of extracting
> and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer
> a dependency of template-barebox-imx-habv4.
> 
> Note: requires ptx-code-signing-dev 0.4 or later
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-7-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/templates/template-barebox-imx-habv4-in b/rules/templates/template-barebox-imx-habv4-in
> index af3e599861bc..16258cbee833 100644
> --- a/rules/templates/template-barebox-imx-habv4-in
> +++ b/rules/templates/template-barebox-imx-habv4-in
> @@ -3,7 +3,6 @@
>  config BAREBOX_@PACKAGE@
>  	tristate
>  	select CODE_SIGNING
> -	select HOST_EXTRACT_CERT
>  	select HOST_IMX_CST
>  	prompt "Barebox (@package@)"
>  	help
> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
> index 034bf82b232a..781c1b3f610e 100644
> --- a/scripts/lib/ptxd_lib_imx_hab.sh
> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
> @@ -26,24 +26,24 @@ ptxd_make_imx_habv4_gen_table_impl() {
>      local template="${1}"
>      local table_bin="${pkg_build_dir}/imx-srk-table.bin"
>      local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
> -    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/imx-habv4.XXXXXX")"
> +    local -a certs
>  
>      echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
>  
>      for i in 1 2 3 4; do
> -	local t=$(printf "${template}" "${i}")
> -	local uri=$(cs_get_uri "$t")
> +	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> +    done
>  
> -	ptxd_exec extract-cert "${uri}" ${tmpdir}/srk${i}.der &&
> -	ptxd_exec openssl x509 -inform der -in ${tmpdir}/srk${i}.der \
> -	    -out ${tmpdir}/srk${i}.pem || break
> -    done &&
> +    local orig_IFS="${IFS}"
> +    IFS=","
> +    certs="${certs[*]}"
> +    IFS="${orig_IFS}"
>  
>      ptxd_exec srktool --hab_ver 4 \
>  	--table "${table_bin}" \
>  	--efuses "${srk_fuse_bin}" \
>  	--digest sha256 \
> -	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
> +	--certs "${certs}"
>  }
>  export -f ptxd_make_imx_habv4_gen_table_impl
>  
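
Review bot: `certs` is declared with `local -a` and then reused as a scalar: `certs="${certs[*]}"` only overwrites element 0 and leaves the remaining elements in the array, and `--certs "${certs}"` works because the unsubscripted name expands to element 0. That is easy to misread; join the array into a separately named variable. The loop also no longer checks anything per role now that the `|| break` chain is gone, so a missing `ca.pem` for one of the SRK roles is only noticed when srktool runs.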

* Re: [ptxdist] [APPLIED] ptxd_make_fit_image: call mkimage with ptxd_exec
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 08/15] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 339831586a10bc28de9a0cd41f4f658995ff9704.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:41 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> It helps debugging failing mkimage calls.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-9-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
> index 761d6bf1e8da..041c5b80341d 100644
> --- a/scripts/lib/ptxd_make_fit_image.sh
> +++ b/scripts/lib/ptxd_make_fit_image.sh
> @@ -127,6 +127,6 @@ ptxd_make_image_fit() {
>  	echo "Generated device-tree for the fit image:"
>  	cat "${its}"
>      fi &&
> -    mkimage -N pkcs11 -f "${its}" "${image_image}" -r "${sign_args[@]}"
> +    ptxd_exec mkimage -N pkcs11 -f "${its}" "${image_image}" -r "${sign_args[@]}"
>  }
>  export -f ptxd_make_image_fit
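
Review bot: If `ptxd_exec` echoes the command line it runs, the mkimage call now exposes `"${sign_args[@]}"` in the build output, and those arguments carry the PKCS#11 URI; it is worth confirming that a URI with an embedded PIN cannot end up in build logs this way. A short comment on the line stating why `ptxd_exec` is used would also help, since the reason is only in the commit message.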

* Re: [ptxdist] [APPLIED] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 07/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 3e150564474af6cd16ef804d7226ef5237c74c11.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:41 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-8-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
> index d8086f0cf057..ec402afa1edf 100644
> --- a/rules/templates/template-barebox-imx-habv4-make
> +++ b/rules/templates/template-barebox-imx-habv4-make
> @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
>  	@$(call targetinfo)
>  
>  	@$(call world/env, BAREBOX_@PACKAGE@) \
> -		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d"
> +		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
>  
>  	@$(call world/compile, BAREBOX_@PACKAGE@)
>  
> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
> index 781c1b3f610e..d1e2aba99fab 100644
> --- a/scripts/lib/ptxd_lib_imx_hab.sh
> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
> @@ -9,10 +9,12 @@
>  #
>  # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
>  #
> -# usage: ptxd_make_imx_habv4_gen_table <template>
> +# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
>  #
>  # template: the role template to access the keys. Must contain a "%d" which is
>  #           used as index
> +# srk_count: the number of keys (keys with index 1..srk_count will be used),
> +#            defaults to 4
>  #
>  # The output files are generated in the package build dir:
>  #
> @@ -24,13 +26,22 @@
>  #
>  ptxd_make_imx_habv4_gen_table_impl() {
>      local template="${1}"
> +    local srk_count="${2}"
>      local table_bin="${pkg_build_dir}/imx-srk-table.bin"
>      local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
>      local -a certs
>  
> +    if [ -z "${srk_count}" ]; then
> +	srk_count=4
> +    fi
> +
> +    if [ "${srk_count}" -gt 4 ]; then
> +	ptxd_bailout "HABv4 allows only 4 certificates"
> +    fi
> +
>      echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
>  
> -    for i in 1 2 3 4; do
> +    for i in $(seq ${srk_count}); do
>  	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
>      done
>  
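
Review bot: The range check on `srk_count` only covers the upper bound. `[ "${srk_count}" -gt 4 ]` lets 0 and negative values through, in which case `seq` produces nothing and the `certs` array stays empty, and a non-numeric argument makes the test itself fail so the bailout is skipped. Validate that the value is an integer in 1..4 before the loop, and consider `local srk_count="${2:-4}"` in place of the separate `-z` block.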

* Re: [ptxdist] [APPLIED] ptxd_make_fit_image: sign ramdisk if enabled
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 10/15] ptxd_make_fit_image: sign ramdisk if enabled Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 3573571a0883b7119d8b36553befaa6c7857f407.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:42 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Until now only kernel and fdt are signed by mkimage. If a ramdisk is
> used sign it also.
> 
> Unfortunately quotes are not usable in the alternative value of
> variable parameter substitution ${parameter:+alt_value}:
> 
>   https://stackoverflow.com/questions/40995523/bash-variable-expansion-var-in-here-document-removing-double-quotes
> 
> Thus use printf as a workaround.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-11-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
> index c2725ab3ddde..56f273686dc4 100644
> --- a/scripts/lib/ptxd_make_fit_image.sh
> +++ b/scripts/lib/ptxd_make_fit_image.sh
> @@ -78,7 +78,7 @@ EOF
>  			signature-1 {
>  				algo = "sha256,rsa4096";
>  				key-name-hint = "${image_key_name_hint}";
> -				sign-images = "fdt", "kernel";
> +				sign-images = "fdt", "kernel"${image_initramfs:+$(printf %s ', "ramdisk"')};
>  			};
>  EOF
>  	fi
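
Review bot: The `$(printf %s ', "ramdisk"')` construct in the `sign-images` line is not self-explanatory and the reason for it lives only in the commit message; a one-line comment above the here-document would keep someone from simplifying it back to a plain `${image_initramfs:+...}` later. Also check that `image_initramfs` is the same condition that emits the ramdisk image node, so the signed list and the images actually present in the .its cannot drift apart.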

* Re: [ptxdist] [APPLIED] u-boot/ptxd_make_fit_image: avoid overriding object name
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 09/15] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as d6a751d6155dca50b17150fffb731530c3ab8e6c.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:42 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Having multiple "object=" occurrences in a single PKCS#11 URI does not
> work for all cases, at least not for opensc-pkcs11. Thus u-boot's
> PKCS#11 handling was patched to avoid overriding the object name when
> it is already specified. The patch was sent upstream.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-10-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
> new file mode 100644
> index 000000000000..5ba930fb5ba1
> --- /dev/null
> +++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
> @@ -0,0 +1,81 @@
> +From: Jan Luebbe <jlu@pengutronix.de>
> +Date: Mon, 16 Mar 2020 11:45:22 +0100
> +Subject: [PATCH] lib: rsa: avoid overriding the object name when already
> + specified
> +
> +If "object=" is specified in "keydir" when using the pkcs11 engine do
> +not append another "object=<key-name-hint>". This makes it possible to
> +use object names other than the key name hint. These two string
> +identifiers are not necessarily equal.
> +
> +Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> +Signed-off-by: Bastian Krause <bst@pengutronix.de>
> +Reviewed-by: George McCollister <george.mccollister@gmail.com>
> +Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html
> +---
> + doc/uImage.FIT/signature.txt |  8 +++++---
> + lib/rsa/rsa-sign.c           | 22 ++++++++++++++++------
> + 2 files changed, 21 insertions(+), 9 deletions(-)
> +
> +diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
> +index 3591225a6edd..d4afd755e9fc 100644
> +--- a/doc/uImage.FIT/signature.txt
> ++++ b/doc/uImage.FIT/signature.txt
> +@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
> + to openssl's default search paths.
> + 
> + PKCS11 engine support forms "key id" based on "keydir" and with
> +-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
> +-defined is used to define (prefix for) which PKCS11 source is being used for
> +-lookup up for the key.
> ++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
> ++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
> ++is being used for lookup up for the key.
> + 
> + PKCS11 engine key ids:
> +    "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
> ++or, if keydir contains "object="
> ++   "pkcs11:<keydir>;type=<public|private>"
> + or
> +    "pkcs11:object=<key-name-hint>;type=<public|private>",
> + 
> +diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> +index 580c74470939..1914b9641312 100644
> +--- a/lib/rsa/rsa-sign.c
> ++++ b/lib/rsa/rsa-sign.c
> +@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
> + 
> + 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
> + 		if (keydir)
> +-			snprintf(key_id, sizeof(key_id),
> +-				 "pkcs11:%s;object=%s;type=public",
> +-				 keydir, name);
> ++			if (strstr(keydir, "object="))
> ++				snprintf(key_id, sizeof(key_id),
> ++					 "pkcs11:%s;type=public",
> ++					 keydir);
> ++			else
> ++				snprintf(key_id, sizeof(key_id),
> ++					 "pkcs11:%s;object=%s;type=public",
> ++					 keydir, name);
> + 		else
> + 			snprintf(key_id, sizeof(key_id),
> + 				 "pkcs11:object=%s;type=public",
> +@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
> + 
> + 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
> + 		if (keydir)
> +-			snprintf(key_id, sizeof(key_id),
> +-				 "pkcs11:%s;object=%s;type=private",
> +-				 keydir, name);
> ++			if (strstr(keydir, "object="))
> ++				snprintf(key_id, sizeof(key_id),
> ++					 "pkcs11:%s;type=private",
> ++					 keydir);
> ++			else
> ++				snprintf(key_id, sizeof(key_id),
> ++					 "pkcs11:%s;object=%s;type=private",
> ++					 keydir, name);
> + 		else
> + 			snprintf(key_id, sizeof(key_id),
> + 				 "pkcs11:object=%s;type=private",
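
Review bot: `strstr(keydir, "object=")` in both `rsa_engine_get_pub_key()` and `rsa_engine_get_priv_key()` is a plain substring search, so it also triggers when "object=" occurs inside another attribute's value rather than as the `object` attribute itself; matching only at the start of the string or directly after a `;` would be stricter. The new inner `if`/`else` sits unbraced under `if (keydir)` and is followed by the outer `else`, which parses as intended but is easy to misread, so braces would help. Since the same block is now duplicated for the public and private key paths, a small helper taking the type string would keep the two in sync.
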
> diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series
> new file mode 100644
> index 000000000000..02db98548f59
> --- /dev/null
> +++ b/patches/u-boot-2020.04/series
> @@ -0,0 +1,4 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
> +# d5b0f03c362d4c4e9d26f37173d666d6  - git-ptx-patches magic
> diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
> index 041c5b80341d..c2725ab3ddde 100644
> --- a/scripts/lib/ptxd_make_fit_image.sh
> +++ b/scripts/lib/ptxd_make_fit_image.sh
> @@ -106,9 +106,7 @@ ptxd_make_image_fit() {
>  	#
>  	# It would have been too simple for mkimage to just take a
>  	# PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot
> -	# then adds again. Also mkimage adds "object=<key_name_hint>"
> -	# to the URI which our URI already has. Well having it twice
> -	# doesn't seem to hurt at least SoftHSM.
> +	# then adds again.
>  	#
>  	pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://")
>  	sign_args=( -k "${pkcs11_uri}" )
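
Review bot: With the sentence about the duplicated `object=` removed, the comment no longer records that this code depends on the mkimage patch added in this same commit; with an unpatched mkimage the URI would again carry `object=` twice, which the commit message says fails with opensc-pkcs11. A line stating that dependency would help. In the unchanged context, `sed "s/pkcs11://"` is not anchored to the start of the string; `${pkcs11_uri#pkcs11:}` would strip only the leading scheme.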

* Re: [ptxdist] [APPLIED] code-signing: move code-signing.in to platforms/
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 11/15] code-signing: move code-signing.in to platforms/ Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as ce95bf74f032d47fdbec91f6505fc430f83427be.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:43 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> rules/code-signing.in belongs in platforms/, so move it there.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-12-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/code-signing.in b/platforms/code-signing.in
> similarity index 100%
> rename from rules/code-signing.in
> rename to platforms/code-signing.in

* Re: [ptxdist] [APPLIED] code-signing: introduce for ptxconfig, add sanity check
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 12/15] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as c691a61e4b244d30b046289655228981d27adc2c.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:44 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Create a new rules/code-signing.in to be able to select CODE_SIGNING
> not only in platformconfig but also in ptxconfig.
> 
> Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if
> PTXCONF_CODE_SIGNING is set.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-13-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/code-signing.in b/rules/code-signing.in
> new file mode 100644
> index 000000000000..ae2ba726d209
> --- /dev/null
> +++ b/rules/code-signing.in
> @@ -0,0 +1,4 @@
> +## SECTION=hosttools_noprompt_ptx
> +
> +config CODE_SIGNING
> +	bool
> diff --git a/rules/code-signing.make b/rules/code-signing.make
> new file mode 100644
> index 000000000000..db1c5ab884af
> --- /dev/null
> +++ b/rules/code-signing.make
> @@ -0,0 +1,13 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2020 by Bastian Krause <bst@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +ifdef PTXCONF_CODE_SIGNING
> +ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),)
> +$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly)
> +endif
> +endif
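
Review bot: The check in `ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),)` only detects an empty provider, while the `$(error ...)` text says "must be set correctly". Either word the message as "must not be empty" or extend the check so that a provider name with no matching provider is rejected here as well.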

* Re: [ptxdist] [APPLIED] rauc/image-rauc: use code signing infrastructure for key retrieval
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 13/15] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as c420c0745b568fbf2ab2d0f7394c27935ed7faf2.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:44 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Use the keys provided by the currently active key provider via PKCS#11
> instead of key files placed in the platform config directory. In order
> to make sure the new mechanics are used after a BSP update the rauc.key
> file is no longer allowed to exist in the platformconfig directory.
> 
> Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or
> later
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-14-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
> index 658ddd5cd167..1f9427b40f42 100644
> --- a/platforms/image-rauc.in
> +++ b/platforms/image-rauc.in
> @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
>  	select HOST_GENIMAGE
>  	select HOST_RAUC
>  	select IMAGE_ROOT_TGZ
> +	select CODE_SIGNING
>  	help
>  	  This generates a RAUC update Bundle for the selected platform using
>  	  genimage.
> diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
> deleted file mode 100644
> index be1aa7c30e77..000000000000
> --- a/projectroot/etc/rauc/ca.cert.pem
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -# This is a dummy keyring file. Please overwrite this with one that matches
> -# your X.509 infrastructure if you intend to use RAUC for secure updates!
> -#
> -# If you really do not intend to actively use the security features (or for
> -# testing purpose) you may create a development certificate by executing the
> -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
> -# installation.
> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
> index 839cb400bdbd..d85b88cc2ecd 100644
> --- a/rules/image-rauc.make
> +++ b/rules/image-rauc.make
> @@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG	:= rauc.config
>  
>  ifdef PTXCONF_IMAGE_RAUC
>  
> -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
> -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
> -
> -IMAGE_RAUC_ENV	:= \
> +IMAGE_RAUC_ENV	= \
> +	$(CODE_SIGNING_ENV) \
>  	RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
>  	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
>  	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>  	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
> -	RAUC_KEY=$(IMAGE_RAUC_KEY) \
> -	RAUC_CERT=$(IMAGE_RAUC_CERT)
> +	RAUC_KEY="$(shell cs_get_uri update)" \
> +	RAUC_CERT="$(shell cs_get_uri update)"
>  
> -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
> +$(IMAGE_RAUC_IMAGE):
>  	@$(call targetinfo)
>  	@$(call image/genimage, IMAGE_RAUC)
>  	@$(call finish)
>  
> -$(IMAGE_RAUC_KEY):
> -	@echo
> -	@echo "****************************************************************************"
> -	@echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
> -	@echo "*                                                                          *"
> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
> -	@echo "****************************************************************************"
> -	@echo
> -	@echo
> -	@exit 1
> -
> -$(IMAGE_RAUC_CERT):
> -	@echo
> -	@echo "****************************************************************************"
> -	@echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
> -	@echo "*                                                                          *"
> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
> -	@echo "****************************************************************************"
> -	@echo
> -	@echo
> -	@exit 1
> -
>  endif
>  
>  # vim: syntax=make
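
Review bot: `RAUC_KEY="$(shell cs_get_uri update)"` and the `RAUC_CERT` line do not check whether `cs_get_uri` succeeded. make does not fail on a non-zero exit status of `$(shell ...)`, so whatever the helper prints on failure, or an empty string, is handed to genimage as key and certificate, and with the old `$(IMAGE_RAUC_KEY)` and `$(IMAGE_RAUC_CERT)` prerequisites gone there is no other guard in this rule. A check at the start of the `$(IMAGE_RAUC_IMAGE)` recipe that the role resolves would fail earlier and with a clearer message. The switch from `:=` to `=` also deserves a comment, as it means the `$(shell ...)` calls run each time the variable is expanded.
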
> diff --git a/rules/rauc.in b/rules/rauc.in
> index d712bc7b9c36..56fc3ae3be45 100644
> --- a/rules/rauc.in
> +++ b/rules/rauc.in
> @@ -7,6 +7,7 @@ menuconfig RAUC
>  	select GLIB
>  	select GLIB_LIBMOUNT
>  	select HOST_GLIB
> +	select CODE_SIGNING
>  	select BUSYBOX_FEATURE_TAR_LONG_OPTIONS	if BUSYBOX_TAR
>  	select BUSYBOX_FEATURE_TAR_AUTODETECT	if BUSYBOX_TAR
>  	select BUSYBOX_FEATURE_SEAMLESS_XZ	if BUSYBOX_TAR
> diff --git a/rules/rauc.make b/rules/rauc.make
> index ade9bd5dd2c5..f9a10fbbcff6 100644
> --- a/rules/rauc.make
> +++ b/rules/rauc.make
> @@ -46,6 +46,14 @@ RAUC_CONF_OPT	:= \
>  	--with-dbuspolicydir=/usr/share/dbus-1/system.d \
>  	--with-dbussystemservicedir=/usr/share/dbus-1/system-services
>  
> +$(STATEDIR)/rauc.prepare:
> +	@$(call targetinfo)
> +	@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
> +		ptxd_bailout "Please use the key provider infrastructure desribed in:" \
> +			"scripts/lib/ptxd_lib_code_signing.sh"
> +	@$(call world/prepare, RAUC)
> +	@$(call touch)
> +
>  # ----------------------------------------------------------------------------
>  # Target-Install
>  # ----------------------------------------------------------------------------
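
Review bot: The guard tests for `config/rauc/rauc.key`, but the rules removed from rules/image-rauc.make in this same patch looked for `config/rauc/rauc.key.pem` (and `rauc.cert.pem`), so a BSP that still has the old key file passes this check unnoticed. Test for the `.pem` names instead. The bailout text also has a typo: "desribed".
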
> @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
>  	@$(call install_replace, rauc, /etc/rauc/system.conf, \
>  		@RAUC_BUNDLE_COMPATIBLE@, \
>  		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
> -	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
> +	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
> +		/etc/rauc/ca.cert.pem)
>  endif
>  
>  ifdef PTXCONF_RAUC_SERVICE
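
Review bot: Replacing `install_alternative` with `install_copy` from `$(shell cs_get_ca update)` means a `projectroot/etc/rauc/ca.cert.pem` kept in a BSP is presumably no longer picked up, without any message, and a failing `cs_get_ca` leaves the source argument empty because `$(shell ...)` does not propagate the error. Since this file is the keyring installed on the target for RAUC, the rule should stop if `cs_get_ca` returns nothing or a path that does not exist.
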
> diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
> deleted file mode 100755
> index b4ea6a8cf2ef..000000000000
> --- a/scripts/rauc-gen-test-certs.sh
> +++ /dev/null
> @@ -1,126 +0,0 @@
> -#!/bin/bash
> -#
> -# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
> -# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
> -#
> -# For further information about the PTXdist project and license conditions
> -# see the README file.
> -#
> -# ---
> -#
> -# Demo script that generates certificate files required to sign and verify
> -# RAUC update tool bundles.
> -#
> -
> -set -xe
> -
> -ORG="Test Org"
> -CA="rauc CA"
> -
> -# After the CRL expires, signatures cannot be verified anymore
> -CRL="-crldays 5000"
> -
> -BASE="$(pwd)/rauc-openssl-ca"
> -
> -if [ -e $BASE ]; then
> -  echo "$BASE already exists"
> -  exit 1
> -fi
> -
> -mkdir -p $BASE/dev/{private,certs}
> -touch $BASE/dev/index.txt
> -echo 01 > $BASE/dev/serial
> -
> -cat > $BASE/openssl.cnf <<EOF
> -[ ca ]
> -default_ca      = CA_default            # The default ca section
> -
> -[ CA_default ]
> -
> -dir            = .                     # top dir
> -database       = \$dir/index.txt        # index file.
> -new_certs_dir  = \$dir/certs            # new certs dir
> -
> -certificate    = \$dir/ca.cert.pem       # The CA cert
> -serial         = \$dir/serial           # serial no file
> -private_key    = \$dir/private/ca.key.pem# CA private key
> -RANDFILE       = \$dir/private/.rand    # random number file
> -
> -default_startdate = 19700101000000Z
> -default_enddate = 99991231235959Z
> -default_crl_days= 30                   # how long before next CRL
> -default_md     = sha256                # md to use
> -
> -policy         = policy_any            # default policy
> -email_in_dn    = no                    # Don't add the email into cert DN
> -
> -name_opt       = ca_default            # Subject name display option
> -cert_opt       = ca_default            # Certificate display option
> -copy_extensions = none                 # Don't copy extensions from request
> -
> -[ policy_any ]
> -organizationName       = match
> -commonName             = supplied
> -
> -[ req ]
> -default_bits           = 2048
> -distinguished_name     = req_distinguished_name
> -x509_extensions        = v3_leaf
> -encrypt_key = no
> -default_md = sha256
> -
> -[ req_distinguished_name ]
> -commonName                     = Common Name (eg, YOUR name)
> -commonName_max                 = 64
> -
> -[ v3_ca ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:TRUE
> -
> -[ v3_inter ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:TRUE,pathlen:0
> -
> -[ v3_leaf ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:FALSE
> -EOF
> -
> -export OPENSSL_CONF=$BASE/openssl.cnf
> -
> -echo "Development CA"
> -cd $BASE/dev
> -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
> -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
> -
> -echo "Development Signing Keys 1"
> -cd $BASE/dev
> -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
> -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
> -
> -cat << EOF
> -===============================================================================
> -
> -Note that the default application should be to set up a public key
> -infrastructure at your site and use keys and certificates genereated by these.
> -
> -In oder to use the just generated files in your BSP for testing purpose or if
> -you do not intend to use real authentification, follow the instructions below. 
> -
> -Place the key and certificate file in your platform-dir's config/ folder:
> -
> -  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
> -  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
> -
> -Place the keyring file in your platform-dir's projectroot/ folder:
> -
> -  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
> -
> -===============================================================================
> -EOF

* Re: [ptxdist] [APPLIED] rauc: version bump 1.2 -> 1.3
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 15/15] rauc: version bump 1.2 -> 1.3 Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 675ce06a3eab7a2f4c9a9587dd8344c8f5fe699b.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:45 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-16-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/rauc.make b/rules/rauc.make
> index f9a10fbbcff6..075a7d649437 100644
> --- a/rules/rauc.make
> +++ b/rules/rauc.make
> @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_RAUC) += rauc
>  #
>  # Paths and names
>  #
> -RAUC_VERSION	:= 1.2
> -RAUC_MD5	:= e2a1772825c6ea900e4824b670846a00
> +RAUC_VERSION	:= 1.3
> +RAUC_MD5	:= 04ba029daa51e1f70fe53d62f2c5ebc3
>  RAUC		:= rauc-$(RAUC_VERSION)
>  RAUC_SUFFIX	:= tar.xz
>  RAUC_URL	:= https://github.com/rauc/rauc/releases/download/v$(RAUC_VERSION)/$(RAUC).$(RAUC_SUFFIX)

* Re: [ptxdist] [APPLIED] image-rauc: enable keyring verification
  2020-05-15 14:26 ` [ptxdist] [PATCH v2 14/15] image-rauc: enable keyring verification Bastian Krause
@ 2020-05-19 12:23   ` Michael Olbrich
  0 siblings, 0 replies; 31+ messages in thread
From: Michael Olbrich @ 2020-05-19 12:23 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Thanks, applied as 1880dbf92d14a54879ee041ee3f18be755d0d0ad.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:45 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Note: requires genimage v13 or later
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-15-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/config/images/rauc.config b/config/images/rauc.config
> index 8396bd4bea74..0c824f00e5d3 100644
> --- a/config/images/rauc.config
> +++ b/config/images/rauc.config
> @@ -13,5 +13,6 @@ image @IMAGE@ {
>  			"
>  		cert = "@RAUC_CERT@"
>  		key = "@RAUC_KEY@"
> +		keyring = "@RAUC_KEYRING@"
>  	}
>  }
> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
> index d85b88cc2ecd..fe1b0e89be7c 100644
> --- a/rules/image-rauc.make
> +++ b/rules/image-rauc.make
> @@ -33,7 +33,8 @@ IMAGE_RAUC_ENV	= \
>  	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>  	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
>  	RAUC_KEY="$(shell cs_get_uri update)" \
> -	RAUC_CERT="$(shell cs_get_uri update)"
> +	RAUC_CERT="$(shell cs_get_uri update)" \
> +	RAUC_KEYRING="$(shell cs_get_ca update)"
>  
>  $(IMAGE_RAUC_IMAGE):
>  	@$(call targetinfo)
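
Review bot: `RAUC_KEYRING="$(shell cs_get_ca update)"` can expand to an empty string when `cs_get_ca` fails or the provider has no CA for the `update` role, and `keyring = "@RAUC_KEYRING@"` in rauc.config is written unconditionally. It should be confirmed that an empty keyring makes bundle creation fail rather than quietly skipping the verification this patch is meant to enable; otherwise add an explicit check before genimage is called.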
