From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bastian Krause
Date: Fri, 15 May 2020 16:26:26 +0200
Message-Id: <20200515142641.812-1-bst@pengutronix.de>
MIME-Version: 1.0
Subject: [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist"
To: ptxdist@pengutronix.de
Cc: Bastian Krause

This series includes various bug fixes and extensions of ptxdist's code
signing infrastructure and its consumers. This includes HAB barebox images,
signed FIT images and RAUC bundles. Real HSMs can now be used for signing.
Newly introduced helpers simplify CA handling.

Changes since implicit v1 (20200514134300.16105-1-bst@pengutronix.de and
following, without cover letter):
- add new line when appending to a CA
- select necessary host tools directly in code signing provider, not in
  CODE_SIGNING
- add code signing env to image rauc env
- re-add accidentally dropped rules/code-signing.in introducing CODE_SIGNING
  for ptxconfig
- move "code-signing: introduce for ptxconfig, add sanity check" before
  "rauc/image-rauc: use code signing infrastructure for key retrieval"
- clarify required versions of genimage/ptx-code-signing-dev in commit
  messages
- add rauc version bump
- sign ramdisk in FIT images (if enabled)

Regards,
Bastian

Bastian Krause (15):
  host-genimage: version bump 11 -> 13
  ptxd_lib_code_signing: return error string in cs_get_uri for make error case
  ptxd_lib_imx_hab: fix srk fuse file and table generation
  ptxd_lib_code_signing: introduce CA helper
  host-ptx-code-signing-dev: version bump 0.2 -> 0.4
  ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
  ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable
  ptxd_make_fit_image: call mkimage with ptxd_exec
  u-boot/ptxd_make_fit_image: avoid overriding object name
  ptxd_make_fit_image: sign ramdisk if enabled
  code-signing: move code-signing.in to platforms/
  code-signing: introduce for ptxconfig, add sanity check
  rauc/image-rauc: use code signing infrastructure for key retrieval
  image-rauc: enable keyring verification
  rauc: version bump 1.2 -> 1.3

 config/images/rauc.config                     |   1 +
 ...erriding-the-object-name-when-alread.patch |  81 +++++++++++
 patches/u-boot-2020.04/series                 |   4 +
 platforms/code-signing.in                     |  23 ++++
 platforms/image-rauc.in                       |   1 +
 projectroot/etc/rauc/ca.cert.pem              |   7 -
 rules/code-signing.in                         |  23 +---
 rules/code-signing.make                       |  13 ++
 rules/host-genimage.make                      |   4 +-
 rules/host-ptx-code-signing-dev.in            |   3 +
 rules/host-ptx-code-signing-dev.make          |   4 +-
 rules/image-rauc.make                         |  37 +----
 rules/rauc.in                                 |   1 +
 rules/rauc.make                               |  15 ++-
 rules/templates/template-barebox-imx-habv4-in |   1 -
 .../templates/template-barebox-imx-habv4-make |   2 +-
 scripts/lib/ptxd_lib_code_signing.sh          |  71 +++++++++-
 scripts/lib/ptxd_lib_imx_hab.sh               |  32 +++--
 scripts/lib/ptxd_make_fit_image.sh            |   8 +-
 scripts/rauc-gen-test-certs.sh                | 126 ------------------
 20 files changed, 246 insertions(+), 211 deletions(-)
 create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
 create mode 100644 patches/u-boot-2020.04/series
 create mode 100644 platforms/code-signing.in
 delete mode 100644 projectroot/etc/rauc/ca.cert.pem
 create mode 100644 rules/code-signing.make
 delete mode 100755 scripts/rauc-gen-test-certs.sh

-- 
2.26.2

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de