From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: From: Bastian Krause Date: Fri, 12 Jun 2020 12:52:27 +0200 Message-Id: <20200612105231.4318-2-bst@pengutronix.de> In-Reply-To: <20200612105231.4318-1-bst@pengutronix.de> References: <20200612105231.4318-1-bst@pengutronix.de> MIME-Version: 1.0 Subject: [ptxdist] [PATCH v2 1/5] package templates: add code-signing-provider template List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Bastian Krause , Roland Hieber A ptxdist code signing provider is a package which selects the required host tools needed for the code signing helpers to work. A shell script is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM is used. In order to simplify its creation provide a template along with an example script. Signed-off-by: Bastian Krause Reviewed-by: Roland Hieber Tested-by: Ladislav Michl
---
No changes since (implicit) v1.
---
.../code-signing-provider/ptxdist-set-keys.sh | 96 +++++++++++++++++++
.../template-code-signing-provider-choice-in | 5 +
.../template-code-signing-provider-in | 16 ++++
.../template-code-signing-provider-make | 41 ++++++++
scripts/lib/ptxd_lib_template.sh | 16 ++++
5 files changed, 174 insertions(+)
create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys.sh
create mode 100644 rules/templates/template-code-signing-provider-choice-in
create mode 100644 rules/templates/template-code-signing-provider-in
create mode 100644 rules/templates/template-code-signing-provider-make
diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys.sh b/rules/templates/code-signing-provider/ptxdist-set-keys.sh
new file mode 100755
index 000000000..040a61534
--- /dev/null
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys.sh 
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+set -e
+
+set_fit_keys() {
+ local r="image-kernel-fit"
+ cs_define_role "${r}"
+
+ # HSM use case
+ cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit"
+}
+
+import_fit_keys() {
+ local fit_cert_dir=fit
+ local r="image-kernel-fit"
+ cs_define_role "${r}"
+
+ cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt"
+ cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
+ cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
+}
+
+set_rauc_keys() {
+ local r="update"
+ cs_define_role "${r}"
+ cs_set_uri "${r}" "pkcs11:token=foo;object=rauc"
+ cs_append_ca_from_uri "${r}"
+}
+
+import_rauc_keys() {
+ local rauc_cert_dir=rauc
+ local r="update"
+ cs_define_role "${r}"
+
+ # SoftHSM use case
+ cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
+ cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
+ cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
+
+ cs_append_ca_from_uri "${r}"
+}
+
+set_imx_habv4_keys() {
+ # HSM use case, assuming it contains only 1st CSF/IMG key
+ for i in 1 2 3 4; do
+ r="imx-habv4-srk${i}"
+ cs_define_role "${r}"
+ cs_set_uri "${r}" "pkcs11:token=foo;object=srk-release${i}"
+ cs_append_ca_from_uri "${r}"
+ done
+
+ r="imx-habv4-csf1"
+ cs_define_role ${r}
+ cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
+
+ r="imx-habv4-img1"
+ cs_define_role ${r}
+ cs_set_uri "${r}" "pkcs11:token=foo;object=img1"
+}
+
+import_imx_habv4_keys() {
+ local imx_habv4_key_dir="habv4"
+ local crts="${imx_habv4_key_dir}/crts"
+ local keys="${imx_habv4_key_dir}/keys"
+ local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"
+
+ for i in 1 2 3 4; do
+ r="imx-habv4-srk${i}"
+ cs_define_role "${r}"
+ cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der"
+ cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem"
+ cs_append_ca_from_uri "${r}"
+
+ r="imx-habv4-csf${i}"
+ cs_define_role "${r}"
+ cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der"
+ cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem"
+
+ r="imx-habv4-img${i}"
+ cs_define_role "${r}"
+ cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der"
+ cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem"
+ done
+}
+
+
+# HSM use case
+#set_fit_keys
+#set_rauc_keys
+#set_imx_habv4_keys
+
+# or: SoftHSM use case
+#cs_init_softhsm
+#import_fit_keys
+#import_rauc_keys
+#import_imx_habv4_keys
diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in
new file mode 100644
index 000000000..e2108f870
--- /dev/null
+++ b/rules/templates/template-code-signing-provider-choice-in
@@ -0,0 +1,5 @@
+## SECTION=code_signing_provider
+
+config CODE_SIGNING_PROVIDER_@PACKAGE@
+ bool
+ prompt "@package@"
diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in
new file mode 100644
index 000000000..a0c61e6ef
--- /dev/null
+++ b/rules/templates/template-code-signing-provider-in
@@ -0,0 +1,16 @@
+## SECTION=code_signing
+
+config CODE_SIGNING
+ select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@
+
+config CODE_SIGNING_PROVIDER
+ default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@
+
+config HOST_@PACKAGE@_CODE_SIGNING
+ bool
+ select HOST_OPENSC
+ select HOST_LIBP11
+ select HOST_OPENSSL
+ #select HOST_SOFTHSM
+ #select HOST_OPENSC_PCSC
+ #select HOST_EXTRACT_CERT
diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
new file mode 100644
index 000000000..94830d92e
--- /dev/null
+++ b/rules/templates/template-code-signing-provider-make
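Review bot: In `set_imx_habv4_keys` and `import_imx_habv4_keys` the role and loop variables are assigned as plain `r=...` and `for i in ...` without `local`, whereas the four other functions in the file declare `local r`; since this script is the template every provider package is copied from, the inconsistency gets copied with it. The same two functions also call `cs_define_role ${r}` unquoted for the csf1 and img1 roles while every other call in the file uses `"${r}"`. Suggest `local i r` as the first statement of both functions and `cs_define_role "${r}"` for those two calls. `local OPENSSL_KEYPASS=...` in import_imx_habv4_keys is set but neither exported nor passed to any helper; if cs_import_key_from_pem hands the passphrase file to openssl in a child process a non-exported local will not reach it, so it is worth confirming that the cs_* helpers consume it as a shell variable.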
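Review bot: The three commented `#select HOST_SOFTHSM`, `#select HOST_OPENSC_PCSC` and `#select HOST_EXTRACT_CERT` lines give no hint of when a provider should uncomment them, and the SoftHSM branch that HOST_SOFTHSM presumably pairs with (`cs_init_softhsm` and the `import_*` calls) is likewise commented out in ptxdist-set-keys.sh in this same commit, so enabling one side without the other yields a provider that cannot run. A one-line comment above them, e.g. `# uncomment for the SoftHSM use case (see import_* in ptxdist-set-keys.sh)`, would tie the two templates together; which of the three options belongs to which use case is not stated in the hunk, so that comment should come from the author.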
@@ -0,0 +1,41 @@
+# -*-makefile-*-
+#
+# Copyright (C) @YEAR@ by @AUTHOR@
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+HOST_PACKAGES-$(PTXCONF_HOST_@PACKAGE@_CODE_SIGNING) += host-@package@-code-signing
+
+#
+# Paths and names
+#
+HOST_@PACKAGE@_CODE_SIGNING_VERSION := @VERSION@
+HOST_@PACKAGE@_CODE_SIGNING := @package@-code-signing-$(HOST_@PACKAGE@_CODE_SIGNING_VERSION)
+HOST_@PACKAGE@_CODE_SIGNING_URL := file://local_src/@package@-code-signing
+HOST_@PACKAGE@_CODE_SIGNING_DIR := $(HOST_BUILDDIR)/$(HOST_@PACKAGE@_CODE_SIGNING)
+
+HOST_@PACKAGE@_CODE_SIGNING_CONF_TOOL := NO
+
+# ----------------------------------------------------------------------------
+# Compile
+# ----------------------------------------------------------------------------
+
+HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV := \
+ $(CODE_SIGNING_ENV)
+
+$(STATEDIR)/host-@package@-code-signing.compile:
+ @$(call targetinfo)
+ @$(call world/execute, HOST_@PACKAGE@_CODE_SIGNING, \
+ ./ptxdist-set-keys.sh)
+ @$(call touch)
+
+$(STATEDIR)/host-@package@-code-signing.install:
+ @$(call targetinfo)
+ @$(call touch)
+
+# vim: syntax=make
diff --git a/scripts/lib/ptxd_lib_template.sh b/scripts/lib/ptxd_lib_template.sh
index f39e6e033..b89981f45 100644
--- a/scripts/lib/ptxd_lib_template.sh
+++ b/scripts/lib/ptxd_lib_template.sh
@@ -460,3 +460,19 @@ ptxd_template_new_blspec_entry() {
 export -f ptxd_template_new_blspec_entry
 ptxd_template_help_list[${#ptxd_template_help_list[@]}]="blspec-entry"
 ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a bootloader spec entry"
+
+ptxd_template_new_code_signing_provider() {
+ export class="host-"
+ ptxd_template_read_basic &&
+ ptxd_template_read_author &&
+ package_filename="${package_filename}-code-signing"
+ ptxd_template_write_platform_rules
+ local template_file="$(ptxd_template_file "${template}-choice-in")"
+ local filename="${PTXDIST_PLATFORMCONFIGDIR}/platforms/${class}${package_filename}-choice.in"
+ ptxd_template_filter "${template_file}" "$(unknown)"
+ package="${package}-code-signing"
+ ptxd_template_write_src
+}
+export -f ptxd_template_new_code_signing_provider
+ptxd_template_help_list[${#ptxd_template_help_list[@]}]="code-signing-provider"
+ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a code signing provider"
--
2.27.0
_______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
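Review bot: `ptxd_template_filter "${template_file}" "$(unknown)"` passes the output of a command substitution of `unknown` as the destination, while the `filename` local computed on the line just above is never used; as shown, the destination would be whatever that substitution yields, which cannot be the intended choice-file path, so unless this is a transcription artifact of the mail it should read `ptxd_template_filter "${template_file}" "${filename}"`. Separately, the `&&` chain ends after `package_filename="${package_filename}-code-signing"`, so `ptxd_template_write_platform_rules` and everything after it still run when `ptxd_template_read_basic` or `ptxd_template_read_author` fails. The sibling template functions are outside this hunk; if they guard that chain with `|| return`, this one should do the same.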