From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: From: Bastian Krause Date: Wed, 17 Jun 2020 16:31:21 +0200 Message-Id: <20200617143125.23999-3-bst@pengutronix.de> In-Reply-To: <20200617143125.23999-1-bst@pengutronix.de> References: <20200617143125.23999-1-bst@pengutronix.de> MIME-Version: 1.0 Subject: [ptxdist] [PATCH v3 2/6] package templates: add code-signing-provider template List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Bastian Krause A ptxdist code signing provider is a package which selects the required host tools needed for the code signing helpers to work. A shell script is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM is used. In order to simplify its creation provide a template along with an example script. 
Signed-off-by: Bastian Krause
---
Changes since v2:
- rename srk object name for consistency reasons
- ask user about HSM type
- split HSM/SoftHSM ptxdist-set-keys.sh cases into separate files
- introduce wizard.sh to generate ptxdist-set-keys.sh HSM case specific
- set dependencies HSM case specific
- introduce pre rule template to extend CODE_SIGNING_ENV HSM case specific
---
.../ptxdist-set-keys-hsm.sh | 42 ++++++++++++++
.../ptxdist-set-keys-softhsm.sh | 58 +++++++++++++++++++
.../templates/code-signing-provider/wizard.sh | 10 ++++
.../template-code-signing-provider-choice-in | 5 ++
.../template-code-signing-provider-in | 14 +++++
.../template-code-signing-provider-make | 41 +++++++++++++
.../template-code-signing-provider-pre-make | 15 +++++
scripts/lib/ptxd_lib_template.sh | 31 ++++++++++
8 files changed, 216 insertions(+)
create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
create mode 100644 rules/templates/code-signing-provider/wizard.sh
create mode 100644 rules/templates/template-code-signing-provider-choice-in
create mode 100644 rules/templates/template-code-signing-provider-in
create mode 100644 rules/templates/template-code-signing-provider-make
create mode 100644 rules/templates/template-code-signing-provider-pre-make
diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
new file mode 100755
index 000000000..6bbe830f2
--- /dev/null
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+
+set_fit_keys() {
+ local r="image-kernel-fit"
+ cs_define_role "${r}"
+
+ # HSM use case
+ cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit"
+}
+
+set_rauc_keys() {
+ local r="update"
+ cs_define_role "${r}"
+ cs_set_uri "${r}" "pkcs11:token=foo;object=rauc"
+ cs_append_ca_from_uri "${r}"
+}
+
+set_imx_habv4_keys() {
+ # HSM use case, assuming it contains only 1st CSF/IMG key
+ for i in 1 2 3 4; do
+ r="imx-habv4-srk${i}"
+ cs_define_role "${r}"
+ cs_set_uri "${r}" "pkcs11:token=foo;object=srk${i}"
+ cs_append_ca_from_uri "${r}"
+ done
+
+ r="imx-habv4-csf1"
+ cs_define_role ${r}
+ cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
+
+ r="imx-habv4-img1"
+ cs_define_role ${r}
+ cs_set_uri "${r}" "pkcs11:token=foo;object=img1"
+}
+
+
+# HSM use case
+set_fit_keys
+set_rauc_keys
+set_imx_habv4_keys
diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
new file mode 100755
index 000000000..0836d61d1
--- /dev/null
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
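Review bot: In set_imx_habv4_keys the role variable `r` is assigned without `local`, unlike `local r` in set_fit_keys and set_rauc_keys, so it leaks into the script's global scope, and the two `cs_define_role ${r}` calls for the csf1/img1 roles are unquoted while every other call in the file uses `"${r}"`. Adding `local r` at the top of the function and writing both calls as `cs_define_role "${r}"` makes the three functions consistent. The `pkcs11:token=foo;object=...` URIs are evidently placeholders the user has to replace; a header comment saying so, e.g. `# Replace token=foo and the object labels with the names used on your HSM`, would make the template self-explanatory. Whether cs_set_uri needs a `type=` qualifier to disambiguate a key from a certificate with the same label cannot be seen here, since the cs_* helpers are not part of this patch.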
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set -e
+
+import_fit_keys() {
+ local fit_cert_dir=fit
+ local r="image-kernel-fit"
+ cs_define_role "${r}"
+
+ cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt"
+ cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
+ cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
+}
+
+import_rauc_keys() {
+ local rauc_cert_dir=rauc
+ local r="update"
+ cs_define_role "${r}"
+
+ # SoftHSM use case
+ cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
+ cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
+ cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
+
+ cs_append_ca_from_uri "${r}"
+}
+
+import_imx_habv4_keys() {
+ local imx_habv4_key_dir="habv4"
+ local crts="${imx_habv4_key_dir}/crts"
+ local keys="${imx_habv4_key_dir}/keys"
+ local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"
+
+ for i in 1 2 3 4; do
+ r="imx-habv4-srk${i}"
+ cs_define_role "${r}"
+ cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der"
+ cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem"
+ cs_append_ca_from_uri "${r}"
+
+ r="imx-habv4-csf${i}"
+ cs_define_role "${r}"
+ cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der"
+ cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem"
+
+ r="imx-habv4-img${i}"
+ cs_define_role "${r}"
+ cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der"
+ cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem"
+ done
+}
+
+
+# SoftHSM use case
+cs_init_softhsm
+import_fit_keys
+import_rauc_keys
+import_imx_habv4_keys
diff --git a/rules/templates/code-signing-provider/wizard.sh b/rules/templates/code-signing-provider/wizard.sh
new file mode 100644
index 000000000..83d6d54e3
--- /dev/null
+++ b/rules/templates/code-signing-provider/wizard.sh
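Review bot: `local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"` in import_imx_habv4_keys is set but never referenced in the function, and as a non-exported local it does not reach any child process; if cs_import_key_from_pem is meant to read it from the environment (the name suggests an openssl passphrase source, but the helper is not in this patch) it needs to be `export OPENSSL_KEYPASS="${keys}/key_pass.txt"`, otherwise the line is dead and should go. The role variable `r` inside the loop is assigned without `local`, unlike `local r` in import_fit_keys and import_rauc_keys. Since this script imports private keys (cs_import_privkey_from_pem, cs_import_key_from_pem) from the package source tree into a SoftHSM token initialised by cs_init_softhsm, a header comment would help users not to ship it as-is, e.g. `# Development keys only: SoftHSM holds the private keys in software; use the HSM variant for release signing`.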
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ "$TYPE" = "SoftHSM" ]; then
+ mv ptxdist-set-keys-softhsm.sh ptxdist-set-keys.sh
+ rm ptxdist-set-keys-hsm.sh
+
+elif [ "$TYPE" = "HSM with OpenSC support" ] || [ "$TYPE" = "other HSM" ]; then
+ mv ptxdist-set-keys-hsm.sh ptxdist-set-keys.sh
+ rm ptxdist-set-keys-softhsm.sh
+fi
diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in
new file mode 100644
index 000000000..e2108f870
--- /dev/null
+++ b/rules/templates/template-code-signing-provider-choice-in
@@ -0,0 +1,5 @@
+## SECTION=code_signing_provider
+
+config CODE_SIGNING_PROVIDER_@PACKAGE@
+ bool
+ prompt "@package@"
diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in
new file mode 100644
index 000000000..b84ba839c
--- /dev/null
+++ b/rules/templates/template-code-signing-provider-in
@@ -0,0 +1,14 @@
+## SECTION=code_signing
+
+config CODE_SIGNING
+ select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@
+
+config CODE_SIGNING_PROVIDER
+ default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@
+
+config HOST_@PACKAGE@_CODE_SIGNING
+ bool
+ select HOST_LIBP11
+ select HOST_OPENSSL
+ select HOST_EXTRACT_CERT
+ @EXTRA_DEPENDENCIES@
diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
new file mode 100644
index 000000000..94830d92e
--- /dev/null
+++ b/rules/templates/template-code-signing-provider-make
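Review bot: wizard.sh has no failure handling: without `set -e`, a failed `mv` still lets the following `rm` delete the other variant, leaving no ptxdist-set-keys.sh at all, and a `$TYPE` value outside the three known strings falls through the `if`/`elif` silently, keeping both files and producing no ptxdist-set-keys.sh for the compile rule in the make template to execute. Add `set -e` after the shebang and close the chain with `else echo "wizard.sh: unknown provider type '$TYPE'" >&2; exit 1` before `fi`, so the template aborts with a clear message instead of failing later in the package build. Both source scripts are created mode 100755, so the executable bit needed for the direct `./ptxdist-set-keys.sh` invocation survives the rename.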
@@ -0,0 +1,41 @@
+# -*-makefile-*-
+#
+# Copyright (C) @YEAR@ by @AUTHOR@
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+HOST_PACKAGES-$(PTXCONF_HOST_@PACKAGE@_CODE_SIGNING) += host-@package@-code-signing
+
+#
+# Paths and names
+#
+HOST_@PACKAGE@_CODE_SIGNING_VERSION := @VERSION@
+HOST_@PACKAGE@_CODE_SIGNING := @package@-code-signing-$(HOST_@PACKAGE@_CODE_SIGNING_VERSION)
+HOST_@PACKAGE@_CODE_SIGNING_URL := file://local_src/@package@-code-signing
+HOST_@PACKAGE@_CODE_SIGNING_DIR := $(HOST_BUILDDIR)/$(HOST_@PACKAGE@_CODE_SIGNING)
+
+HOST_@PACKAGE@_CODE_SIGNING_CONF_TOOL := NO
+
+# ----------------------------------------------------------------------------
+# Compile
+# ----------------------------------------------------------------------------
+
+HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV := \
+ $(CODE_SIGNING_ENV)
+
+$(STATEDIR)/host-@package@-code-signing.compile:
+ @$(call targetinfo)
+ @$(call world/execute, HOST_@PACKAGE@_CODE_SIGNING, \
+ ./ptxdist-set-keys.sh)
+ @$(call touch)
+
+$(STATEDIR)/host-@package@-code-signing.install:
+ @$(call targetinfo)
+ @$(call touch)
+
+# vim: syntax=make
diff --git a/rules/templates/template-code-signing-provider-pre-make b/rules/templates/template-code-signing-provider-pre-make
new file mode 100644
index 000000000..28cac750c
--- /dev/null
+++ b/rules/templates/template-code-signing-provider-pre-make
@@ -0,0 +1,15 @@
+# -*-makefile-*-
+#
+# Copyright (C) @YEAR@ by @AUTHOR@
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+ifndef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@
+CODE_SIGNING_ENV += \
+ PKCS11_MODULE_PATH=@MODULE_PATH@
+ $(HSM_CODE_SIGNING_ENV)
+endif
+
+# vim: syntax=make
diff --git a/scripts/lib/ptxd_lib_template.sh b/scripts/lib/ptxd_lib_template.sh
index 6b405763b..805d8d9d3 100644
--- a/scripts/lib/ptxd_lib_template.sh
+++ b/scripts/lib/ptxd_lib_template.sh
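Review bot: The compile rule runs `./ptxdist-set-keys.sh` once and then stamps the stage with `$(call touch)`, so later edits to the key script or to the key material under local_src are, as far as this rule shows, not picked up until the package is cleaned; a comment above the rule would save users a debugging round-trip, e.g. `# ptxdist-set-keys.sh runs once at the compile stage with CODE_SIGNING_ENV; re-run it with 'ptxdist clean host-@package@-code-signing'`. The install stage deliberately does nothing, which `# nothing to install: the roles and keys are registered by ptxdist-set-keys.sh` would make explicit instead of leaving the reader to wonder whether a step was forgotten.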
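Review bot: The `ifndef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@` guard in the pre-make template looks inverted: as written, PKCS11_MODULE_PATH is added to CODE_SIGNING_ENV only when this provider is not the selected one, while the -in template ties `CODE_SIGNING_PROVIDER_@PACKAGE@` to selecting this very package, so `ifdef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@` is presumably intended. Independently, the `PKCS11_MODULE_PATH=@MODULE_PATH@` line carries no trailing backslash, so `$(HSM_CODE_SIGNING_ENV)` on the following line is not part of the `+=` assignment and is parsed by make as a stray line instead; it should be `PKCS11_MODULE_PATH=@MODULE_PATH@ \`. Since the generated file ends up in rules/pre/ and silently shapes the signing environment for every consumer, a one-line comment naming which signing backend the path points to would also help whoever inherits the BSP.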
@@ -486,3 +486,34 @@ ptxd_template_new_blspec_entry() {
 export -f ptxd_template_new_blspec_entry
 ptxd_template_help_list[${#ptxd_template_help_list[@]}]="blspec-entry"
 ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a bootloader spec entry"
+
+ptxd_template_new_code_signing_provider() {
+ export class="host-"
+ ptxd_template_read_basic &&
+ ptxd_template_read_author &&
+ ptxd_template_read_options "provider type" TYPE "SoftHSM" "HSM with OpenSC support" "other HSM"
+ package_filename="${package_filename}-code-signing"
+ local template_file="$(ptxd_template_file "${template}-choice-in")"
+ local filename="${PTXDIST_PLATFORMCONFIGDIR}/platforms/${class}${package_filename}-choice.in"
+ ptxd_template_filter "${template_file}" "$(unknown)"
+ template_file="$(ptxd_template_file "${template}-pre-make")"
+ filename="${PTXDIST_PLATFORMCONFIGDIR}/rules/pre/020-${package_filename}-hsm.make"
+ if [ "$TYPE" = "SoftHSM" ]; then
+ export EXTRA_DEPENDENCIES="select HOST_SOFTHSM"
+ elif [ "$TYPE" = "HSM with OpenSC support" ]; then
+ export EXTRA_DEPENDENCIES="select HOST_OPENSC
+ select HOST_OPENSC_PCSC"
+ export MODULE_PATH="\${PTXDIST_SYSROOT_HOST}/lib/pkcs11/opensc-pkcs11.so"
+ ptxd_template_filter "${template_file}" "$(unknown)"
+ elif [ "$TYPE" = "other HSM" ]; then
+ export EXTRA_DEPENDENCIES="select FIXME"
+ export MODULE_PATH="\${PTXDIST_SYSROOT_HOST}/fix/me"
+ ptxd_template_filter "${template_file}" "$(unknown)"
+ fi
+ ptxd_template_write_platform_rules
+ package="${package}-code-signing"
+ ptxd_template_write_src
+}
+export -f ptxd_template_new_code_signing_provider
+ptxd_template_help_list[${#ptxd_template_help_list[@]}]="code-signing-provider"
+ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a code signing provider"
-- 2.27.0
_______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
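Review bot: The `&&` chain in ptxd_template_new_code_signing_provider ends after `ptxd_template_read_options`, so when ptxd_template_read_basic or ptxd_template_read_author fails the remaining steps are skipped but the function carries on from `package_filename=...` and generates the choice file, the pre rule and the package sources anyway; the other template functions in this file keep the whole sequence in one chain, and the minimal fix here is `ptxd_template_read_options "provider type" TYPE "SoftHSM" "HSM with OpenSC support" "other HSM" || return`. `local template_file="$(ptxd_template_file ...)"` hides a non-zero exit of ptxd_template_file behind `local`; declare `local template_file filename` first and assign on separate lines. The second argument of each `ptxd_template_filter` call reads `$(unknown)` as rendered here, which would execute a command named unknown rather than pass the `filename` computed just above it; I assume this is a rendering artifact of the archive and the real patch passes `"${filename}"`, but it is worth double-checking against the applied commit.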