From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: From: Bastian Krause Date: Fri, 15 May 2020 16:26:39 +0200 Message-Id: <20200515142641.812-14-bst@pengutronix.de> In-Reply-To: <20200515142641.812-1-bst@pengutronix.de> References: <20200515142641.812-1-bst@pengutronix.de> MIME-Version: 1.0 Subject: [ptxdist] [PATCH v2 13/15] rauc/image-rauc: use code signing infrastructure for key retrieval List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Bastian Krause Use the keys provided by the currently active key provider via PKCS#11 instead of key files placed in the platform config directory. In order to make sure the new mechanics are used after a BSP update the rauc.key file is no longer allowed to exist in the platformconfig directory. Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or later Signed-off-by: Bastian Krause --- Changes since (implicit) v1: - add code signing env to image rauc env - clarify required versions of genimage/ptx-code-signing-dev in commit message --- platforms/image-rauc.in | 1 + projectroot/etc/rauc/ca.cert.pem | 7 -- rules/image-rauc.make | 36 ++------- rules/rauc.in | 1 + rules/rauc.make | 11 ++- scripts/rauc-gen-test-certs.sh | 126 ------------------------------- 6 files changed, 17 insertions(+), 165 deletions(-) delete mode 100644 projectroot/etc/rauc/ca.cert.pem delete mode 100755 scripts/rauc-gen-test-certs.sh diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in index 658ddd5cd..1f9427b40 100644 --- a/platforms/image-rauc.in +++ b/platforms/image-rauc.in 
@@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC select HOST_GENIMAGE select HOST_RAUC select IMAGE_ROOT_TGZ + select CODE_SIGNING help This generates a RAUC update Bundle for the selected platform using genimage. diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem deleted file mode 100644 index be1aa7c30..000000000 --- a/projectroot/etc/rauc/ca.cert.pem +++ /dev/null @@ -1,7 +0,0 @@ -# This is a dummy keyring file. Please overwrite this with one that matches -# your X.509 infrastructure if you intend to use RAUC for secure updates! -# -# If you really do not intend to actively use the security features (or for -# testing purpose) you may create a development certificate by executing the -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist -# installation. diff --git a/rules/image-rauc.make b/rules/image-rauc.make index 839cb400b..d85b88cc2 100644 --- a/rules/image-rauc.make +++ b/rules/image-rauc.make 
@@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG := rauc.config
 ifdef PTXCONF_IMAGE_RAUC
-IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
-IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
-
-IMAGE_RAUC_ENV := \
+IMAGE_RAUC_ENV = \
+ $(CODE_SIGNING_ENV) \
 RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
 RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
 RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
 RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
- RAUC_KEY=$(IMAGE_RAUC_KEY) \
- RAUC_CERT=$(IMAGE_RAUC_CERT)
+ RAUC_KEY="$(shell cs_get_uri update)" \
+ RAUC_CERT="$(shell cs_get_uri update)"
-$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
+$(IMAGE_RAUC_IMAGE):
 @$(call targetinfo)
 @$(call image/genimage, IMAGE_RAUC)
 @$(call finish)
-$(IMAGE_RAUC_KEY):
- @echo
- @echo "****************************************************************************"
- @echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
- @echo "* *"
- @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
- @echo "* from the scripts/ folder of your PTXdist installation *"
- @echo "****************************************************************************"
- @echo
- @echo
- @exit 1
-
-$(IMAGE_RAUC_CERT):
- @echo
- @echo "****************************************************************************"
- @echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
- @echo "* *"
- @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
- @echo "* from the scripts/ folder of your PTXdist installation *"
- @echo "****************************************************************************"
- @echo
- @echo
- @exit 1
-
 endif
 # vim: syntax=make
diff --git a/rules/rauc.in b/rules/rauc.in
index d712bc7b9..56fc3ae3b 100644
--- a/rules/rauc.in
+++ b/rules/rauc.in
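Review bot: Nothing here checks that `cs_get_uri update` returned a URI: `$(shell …)` discards the command's exit status, so when the key provider has no `update` role `RAUC_KEY` and `RAUC_CERT` expand to empty strings, and the `exit 1` rules for a missing key or certificate that this hunk removes get no replacement. A guard as the first recipe line of `$(IMAGE_RAUC_IMAGE)` would keep the build failing early with a clear message, e.g. `@test -n "$(shell cs_get_uri update)" || ptxd_bailout "key provider returned no URI for role 'update'"`; whether genimage or rauc reject an empty key later is not visible from this hunk. The same unchecked pattern is in the second rules/rauc.make hunk, where `$(shell cs_get_ca update)` supplies the keyring installed as /etc/rauc/ca.cert.pem. A comment above the two assignments such as `# key and certificate are both addressed by the PKCS#11 URI of the 'update' role` would also explain why they are identical, assuming that is intended.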
@@ -7,6 +7,7 @@ menuconfig RAUC
 select GLIB
 select GLIB_LIBMOUNT
 select HOST_GLIB
+ select CODE_SIGNING
 select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR
 select BUSYBOX_FEATURE_TAR_AUTODETECT if BUSYBOX_TAR
 select BUSYBOX_FEATURE_SEAMLESS_XZ if BUSYBOX_TAR
diff --git a/rules/rauc.make b/rules/rauc.make
index ade9bd5dd..f9a10fbbc 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -46,6 +46,14 @@ RAUC_CONF_OPT := \
 --with-dbuspolicydir=/usr/share/dbus-1/system.d \
 --with-dbussystemservicedir=/usr/share/dbus-1/system-services
+$(STATEDIR)/rauc.prepare:
+ @$(call targetinfo)
+ @test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
+ ptxd_bailout "Please use the key provider infrastructure desribed in:" \
+ "scripts/lib/ptxd_lib_code_signing.sh"
+ @$(call world/prepare, RAUC)
+ @$(call touch)
+
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
@@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
 @$(call install_replace, rauc, /etc/rauc/system.conf, \
 @RAUC_BUNDLE_COMPATIBLE@, \
 "$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
- @$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
+ @$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
+ /etc/rauc/ca.cert.pem)
 endif
 ifdef PTXCONF_RAUC_SERVICE
diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
deleted file mode 100755
index b4ea6a8cf..000000000
--- a/scripts/rauc-gen-test-certs.sh
+++ /dev/null
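Review bot: The guard in the new `$(STATEDIR)/rauc.prepare` rule of rules/rauc.make tests `config/rauc/rauc.key`, but the key path removed from rules/image-rauc.make in this same patch is `config/rauc/rauc.key.pem`, so a BSP that still carries the old private key file would pass the check unnoticed. If the intent is to catch leftovers of the old layout, the test should name that file, `@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)" || \`; if an older layout really used `rauc.key`, both names are worth testing. The bailout text also has a typo (`desribed` for `described`) and does not name the file that triggered it, so a user cannot tell from the message that a stale key file has to be removed.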
@@ -1,126 +0,0 @@ -#!/bin/bash -# -# Copyright (C) 2017 by Enrico Joerns -# Copyright (C) 2016 by Jan Luebbe -# -# For further information about the PTXdist project and license conditions -# see the README file. -# -# --- -# -# Demo script that generates certificate files required to sign and verify -# RAUC update tool bundles. -# - -set -xe - -ORG="Test Org" -CA="rauc CA" - -# After the CRL expires, signatures cannot be verified anymore -CRL="-crldays 5000" - -BASE="$(pwd)/rauc-openssl-ca" - -if [ -e $BASE ]; then - echo "$BASE already exists" - exit 1 -fi - -mkdir -p $BASE/dev/{private,certs} -touch $BASE/dev/index.txt -echo 01 > $BASE/dev/serial - -cat > $BASE/openssl.cnf </config/rauc/rauc.key.pem - cp rauc-openssl-ca/rauc.cert.pem /config/rauc/rauc.cert.pem - -Place the keyring file in your platform-dir's projectroot/ folder: - - cp rauc-openssl-ca/ca.cert.pem /projectroot/etc/rauc/ca.cert.pem - -=============================================================================== -EOF -- 2.26.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de