From: Bastian Krause <bst@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Bastian Krause <bst@pengutronix.de>, Roland Hieber <rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v3 4/6] doc: move code signing docs from scripts/ into doc/
Date: Wed, 17 Jun 2020 16:31:23 +0200 [thread overview]
Message-ID: <20200617143125.23999-5-bst@pengutronix.de> (raw)
In-Reply-To: <20200617143125.23999-1-bst@pengutronix.de>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Reviewed-by: Roland Hieber <rhi@pengutronix.de>
Tested-by: Ladislav Michl <ladis@linux-mips.org>
---
No changes since (implicit) v1.
---
doc/dev_code_signing.rst | 36 ++++++++++++++++++++++++++++
doc/dev_manual.rst | 1 +
scripts/lib/ptxd_lib_code_signing.sh | 32 ++-----------------------
3 files changed, 39 insertions(+), 30 deletions(-)
create mode 100644 doc/dev_code_signing.rst
diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
new file mode 100644
index 000000000..de0087f8b
--- /dev/null
+++ b/doc/dev_code_signing.rst
@@ -0,0 +1,36 @@
+.. _code_signing:
+
+Code Signing
+------------
+
+This is an overview over the ptxdist signing infrastructure.
+ptxdist uses PKCS#11 internally for providing access to keys and certificates.
+Packages that wish to sign something should implement a PKCS#11 interface.
+
+As PKCS#11 URIs usually differ between different usecases (release vs.
+development) the URIs normally are not hardcoded in the package configuration.
+Instead, ptxdist has the idea of "roles" which are string identifiers used to
+access a single private/public key pair and a certificate.
+
+ptxdist supports Hardware Security Modules (HSM).
+In case a HSM is not present or shall not be used SoftHSM is used internally to
+transparently provide the same API internally.
+
+For each role a PKCS#11 URI must be known by ptxdist.
+In case of a HSM the keys and certificates are stored in the HSM, but ptxdist
+needs to know the PKCS#11 URI to access the keys.
+This is done in ptxdist rule files calling cs_set_uri <role> <uri>.
+For SoftHSM the URI is generated internally by ptxdist, but instead the
+keys/certificates for each role have have to be imported.
+This is done with the cs_import_* functions below.
+
+During each invocation of ptxdist exactly one key provider is active.
+The code signing provider can be chosen with the PTXCONF_CODE_SIGNING_PROVIDER
+variable.
+A code signing provider is a package resposible for providing the role <->
+PKCS#11 URI relationships in case a HSM is used or for providing the key
+material in case SoftHSM is used.
+
+A package which wants to sign something or which needs access to keys has to
+select CODE_SIGNING.
+This makes sure the keys are ready when the package is being built.
diff --git a/doc/dev_manual.rst b/doc/dev_manual.rst
index 47a77a9be..03a05a661 100644
--- a/doc/dev_manual.rst
+++ b/doc/dev_manual.rst
@@ -14,3 +14,4 @@ This chapter shows all (or most) of the details of how PTXdist works.
dev_add_bin_only_files
dev_create_new_pkg_templates
dev_layers_in_ptxdist
+ dev_code_signing
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index a7779f821..65ce62dd0 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -7,36 +7,8 @@
#
#
-# This is an overview over the ptxdist signing infrastructure. ptxdist
-# uses PKCS#11 internally for providing access to keys and certificates.
-# Packages that wish to sign something should implement a PKCS#11 interface.
-#
-# As PKCS#11 URIs usually differ between different usecases (release vs.
-# development) the URIs normally are not hardcoded in the package
-# configuration. Instead, ptxdist has the idea of "roles" which are string
-# identifiers used to access a single private/public key pair and a
-# certificate.
-#
-# ptxdist supports Hardware Security Modules (HSM). In case a HSM is not
-# present or shall not be used SoftHSM is used internally to transparently
-# provide the same API internally.
-#
-# For each role a PKCS#11 URI must be known by ptxdist. In case of a HSM
-# the keys and certificates are stored in the HSM, but ptxdist needs to know
-# the PKCS#11 URI to access the keys. This is done in ptxdist rule files
-# calling cs_set_uri <role> <uri>. For SoftHSM the URI is generated internally
-# by ptxdist, but instead the keys/certificates for each role have have to
-# be imported. This is done with the cs_import_* functions below.
-#
-# During each invocation of ptxdist exactly one key provider is active. The
-# code signing provider can be chosen with the PTXCONF_CODE_SIGNING_PROVIDER
-# variable. A code signing provider is a package resposible for providing
-# the role <-> PKCS#11 URI relationships in case a HSM is used or for providing
-# the key material in case SoftHSM is used.
-#
-# A package which wants to sign something or which needs access to keys has
-# to select CODE_SIGNING. This makes sure the keys are ready when the package
-# is being built.
+# See doc/dev_code_signing.rst for documentation about PTXdist's code signing
+# infrastructure.
#
cs_check_env() {
--
2.27.0
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
next prev parent reply other threads:[~2020-06-17 14:31 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-17 14:31 [ptxdist] [PATCH v3 0/6] Add code-signing-provider template, add code signing docs Bastian Krause
2020-06-17 14:31 ` [ptxdist] [PATCH v3 1/6] ptxd_lib_template: add ptxd_template_read_options Bastian Krause
2020-06-19 6:24 ` Michael Olbrich
2020-06-19 8:13 ` Bastian Krause
2020-06-19 22:04 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-17 14:31 ` [ptxdist] [PATCH v3 2/6] package templates: add code-signing-provider template Bastian Krause
2020-06-18 11:40 ` Roland Hieber
2020-06-18 11:50 ` Bastian Krause
2020-06-19 6:12 ` Michael Olbrich
2020-06-19 6:28 ` Michael Olbrich
2020-06-19 7:52 ` Bastian Krause
2020-06-19 22:04 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-09-24 10:04 ` [ptxdist] [PATCH v3 2/6] " Ladislav Michl
2020-09-24 11:05 ` Bastian Krause
2020-09-24 11:15 ` Ladislav Michl
2020-09-24 12:23 ` Bastian Krause
2020-06-17 14:31 ` [ptxdist] [PATCH v3 3/6] doc: dev_manual: split up into multiple files Bastian Krause
2020-06-19 22:04 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-17 14:31 ` Bastian Krause [this message]
2020-06-19 22:04 ` [ptxdist] [APPLIED] doc: move code signing docs from scripts/ into doc/ Michael Olbrich
2020-06-17 14:31 ` [ptxdist] [PATCH v3 5/6] doc: dev_code_signing: rework and extend code signing section Bastian Krause
2020-06-19 22:04 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-17 14:31 ` [ptxdist] [PATCH v3 6/6] doc: introduce ref_code_signing_helpers Bastian Krause
2020-06-19 22:04 ` [ptxdist] [APPLIED] " Michael Olbrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200617143125.23999-5-bst@pengutronix.de \
--to=bst@pengutronix.de \
--cc=ptxdist@pengutronix.de \
--cc=rhi@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox