mailarchive of the ptxdist mailing list
From: Ladislav Michl <ladis@linux-mips.org>
To: ptxdist@pengutronix.de
Cc: Bastian Krause <bst@pengutronix.de>
Subject: Re: [ptxdist] [PATCH v3 2/6] package templates: add code-signing-provider template
Date: Thu, 24 Sep 2020 12:04:27 +0200
Message-ID: <20200924100427.GA225235@lenoch>
In-Reply-To: <20200617143125.23999-3-bst@pengutronix.de>

Hi, and sorry to revive this old patch. I just didn't have time to finish the
conversion to code-signing-provider sooner...

On Wed, Jun 17, 2020 at 04:31:21PM +0200, Bastian Krause wrote:
> A ptxdist code signing provider is a package which selects the required
> host tools needed for the code signing helpers to work. A shell script
> is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM
> is used. In order to simplify its creation provide a template along with
> an example script.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
> Changes since v2:
> - rename srk object name for consistency reasons
> - ask user about HSM type
> - split HSM/SoftHSM ptxdist-set-keys.sh cases into separate files
> - introduce wizard.sh to generate ptxdist-set-keys.sh HSM case specific
> - set dependencies HSM case specific
> - introduce pre rule template to extend CODE_SIGNING_ENV HSM case
>   specific
> ---
>  .../ptxdist-set-keys-hsm.sh                   | 42 ++++++++++++++
>  .../ptxdist-set-keys-softhsm.sh               | 58 +++++++++++++++++++
>  .../templates/code-signing-provider/wizard.sh | 10 ++++
>  .../template-code-signing-provider-choice-in  |  5 ++
>  .../template-code-signing-provider-in         | 14 +++++
>  .../template-code-signing-provider-make       | 41 +++++++++++++
>  .../template-code-signing-provider-pre-make   | 15 +++++
>  scripts/lib/ptxd_lib_template.sh              | 31 ++++++++++
>  8 files changed, 216 insertions(+)
>  create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
>  create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
>  create mode 100644 rules/templates/code-signing-provider/wizard.sh
>  create mode 100644 rules/templates/template-code-signing-provider-choice-in
>  create mode 100644 rules/templates/template-code-signing-provider-in
>  create mode 100644 rules/templates/template-code-signing-provider-make
>  create mode 100644 rules/templates/template-code-signing-provider-pre-make
> 
> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> new file mode 100755
> index 000000000..6bbe830f2
> --- /dev/null
> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> @@ -0,0 +1,42 @@
> +#!/bin/bash
> +
> +set -e
> +
> +set_fit_keys() {
> +	local r="image-kernel-fit"
> +	cs_define_role "${r}"
> +
> +	# HSM use case
> +	cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit"
> +}
> +
> +set_rauc_keys() {
> +	local r="update"
> +	cs_define_role "${r}"
> +	cs_set_uri "${r}" "pkcs11:token=foo;object=rauc"
> +	cs_append_ca_from_uri "${r}"
> +}
> +
> +set_imx_habv4_keys() {
> +	# HSM use case, assuming it contains only 1st CSF/IMG key
> +	for i in 1 2 3 4; do
> +		r="imx-habv4-srk${i}"
> +		cs_define_role "${r}"
> +		cs_set_uri "${r}" "pkcs11:token=foo;object=srk${i}"
> +		cs_append_ca_from_uri "${r}"
> +	done
> +
> +	r="imx-habv4-csf1"
> +	cs_define_role ${r}
> +	cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
> +
> +	r="imx-habv4-img1"
> +	cs_define_role ${r}
> +	cs_set_uri "${r}" "pkcs11:token=foo;object=img1"
> +}
> +
> +
> +# HSM use case
> +set_fit_keys
> +set_rauc_keys
> +set_imx_habv4_keys
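Review bot: in set_imx_habv4_keys the variable `r` is never declared `local`, unlike in set_fit_keys and set_rauc_keys, so it leaks into the caller's scope; and `cs_define_role ${r}` is unquoted for the csf1/img1 roles while every other call in the file quotes it. Add `local r` at the top of the function and quote consistently. Since `token=foo` and the `object=` names are placeholders the user must replace, a comment saying so at the first `cs_set_uri` would make that obvious, as would removing the duplicated "# HSM use case" comments in a file that is HSM-only anyway.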
> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
> new file mode 100755
> index 000000000..0836d61d1
> --- /dev/null
> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
> @@ -0,0 +1,58 @@
> +#!/bin/bash
> +
> +set -e
> +
> +import_fit_keys() {
> +	local fit_cert_dir=fit
> +	local r="image-kernel-fit"
> +	cs_define_role "${r}"
> +
> +	cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt"
> +	cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
> +	cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
> +}
> +
> +import_rauc_keys() {
> +	local rauc_cert_dir=rauc
> +	local r="update"
> +	cs_define_role "${r}"
> +
> +	# SoftHSM use case
> +	cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
> +	cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
> +	cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
> +
> +	cs_append_ca_from_uri "${r}"
> +}

For those previously using scripts/rauc-gen-test-certs.sh, the above should read:
import_rauc_keys() {
	local rauc_cert_dir=${PTXDIST_WORKSPACE}/configs/rauc
	local r="update"
	cs_define_role "${r}"

	# SoftHSM use case
	cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
	cs_import_key_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
	cs_append_ca_from_pem "${r}" "${rauc_cert_dir}/ca.cert.pem"
}

scripts/rauc-gen-test-certs.sh generated those files, and back then there was
the following note:
===============================================================================

Note that the default application should be to set up a public key
infrastructure at your site and use keys and certificates generated by these.

In order to use the just generated files in your BSP for testing purposes or if
you do not intend to use real authentication, follow the instructions below.

Place the key and certificate file in your platform-dir's config/ folder:

  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem

Place the keyring file in your platform-dir's projectroot/ folder:

  cp rauc-openssl-ca/ca.cert.pem <platform-dir>/projectroot/etc/rauc/ca.cert.pem

===============================================================================

Perhaps it would be nice to mention that in the documentation, as it could save
others some time.

Thanks to Enrico Jorns for help with debugging that.

> +import_imx_habv4_keys() {
> +	local imx_habv4_key_dir="habv4"
> +	local crts="${imx_habv4_key_dir}/crts"
> +	local keys="${imx_habv4_key_dir}/keys"
> +	local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"
> +
> +	for i in 1 2 3 4; do
> +		r="imx-habv4-srk${i}"
> +		cs_define_role "${r}"
> +		cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der"
> +		cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem"
> +		cs_append_ca_from_uri "${r}"
> +
> +		r="imx-habv4-csf${i}"
> +		cs_define_role "${r}"
> +		cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der"
> +		cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem"
> +
> +		r="imx-habv4-img${i}"
> +		cs_define_role "${r}"
> +		cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der"
> +		cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem"
> +	done
> +}
> +
> +
> +# SoftHSM use case
> +cs_init_softhsm
> +import_fit_keys
> +import_rauc_keys
> +import_imx_habv4_keys
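Review bot: import_fit_keys and import_rauc_keys pass the private key file (`fit-4096-development.key`, `rauc.key.pem`) to both cs_import_pubkey_from_pem and cs_import_privkey_from_pem, while import_imx_habv4_keys uses the single cs_import_key_from_pem for the same job; pick one helper for the whole example, otherwise readers will assume a separate public-key file is expected for FIT and RAUC. In import_imx_habv4_keys, `r` is not `local` (it is in the other two functions), and `OPENSSL_KEYPASS` is declared `local` but nothing in this script reads it: if cs_import_key_from_pem is meant to pick it up, say so in a comment, otherwise drop it. A short header comment that these are development keys and that `fit/`, `rauc/` and `habv4/` are resolved relative to the package source directory would spare users the path debugging described in the reply above.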
> diff --git a/rules/templates/code-signing-provider/wizard.sh b/rules/templates/code-signing-provider/wizard.sh
> new file mode 100644
> index 000000000..83d6d54e3
> --- /dev/null
> +++ b/rules/templates/code-signing-provider/wizard.sh
> @@ -0,0 +1,10 @@
> +#!/bin/bash
> +
> +if [ "$TYPE" = "SoftHSM" ]; then
> +	mv ptxdist-set-keys-softhsm.sh ptxdist-set-keys.sh
> +	rm ptxdist-set-keys-hsm.sh
> +
> +elif [ "$TYPE" = "HSM with OpenSC support" ] || [ "$TYPE" = "other HSM" ]; then
> +	mv ptxdist-set-keys-hsm.sh ptxdist-set-keys.sh
> +	rm ptxdist-set-keys-softhsm.sh
> +fi
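Review bot: there is no `else` branch, so an unexpected `$TYPE` silently leaves both ptxdist-set-keys-hsm.sh and ptxdist-set-keys-softhsm.sh in place and never creates the ptxdist-set-keys.sh that the `.compile` stage in the make template executes. Add `else echo "unknown provider type: $TYPE" >&2; exit 1`, and `set -e` so a failed `mv` aborts too. The file also carries `#!/bin/bash` but is created with mode 100644 while the two set-keys scripts are 100755; if it is meant to be sourced by the template machinery rather than executed, a comment saying so would avoid the question.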
> diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in
> new file mode 100644
> index 000000000..e2108f870
> --- /dev/null
> +++ b/rules/templates/template-code-signing-provider-choice-in
> @@ -0,0 +1,5 @@
> +## SECTION=code_signing_provider
> +
> +config CODE_SIGNING_PROVIDER_@PACKAGE@
> +	bool
> +	prompt "@package@"
> diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in
> new file mode 100644
> index 000000000..b84ba839c
> --- /dev/null
> +++ b/rules/templates/template-code-signing-provider-in
> @@ -0,0 +1,14 @@
> +## SECTION=code_signing
> +
> +config CODE_SIGNING
> +	select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@
> +
> +config CODE_SIGNING_PROVIDER
> +	default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@
> +
> +config HOST_@PACKAGE@_CODE_SIGNING
> +	bool
> +	select HOST_LIBP11
> +	select HOST_OPENSSL
> +	select HOST_EXTRACT_CERT
> +	@EXTRA_DEPENDENCIES@
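Review bot: `@EXTRA_DEPENDENCIES@` is substituted as one bare line under the other `select`s, but the OpenSC case in ptxd_lib_template.sh sets it to a two-line value whose second line is indented only by a literal tab embedded in the shell string; that is easy to lose when the script is edited and then produces a mis-indented `select HOST_OPENSC_PCSC`. Emitting one `select` per dependency from the script side, or joining the value with an explicit newline and tab, is more robust.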
> diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
> new file mode 100644
> index 000000000..94830d92e
> --- /dev/null
> +++ b/rules/templates/template-code-signing-provider-make
> @@ -0,0 +1,41 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) @YEAR@ by @AUTHOR@
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +HOST_PACKAGES-$(PTXCONF_HOST_@PACKAGE@_CODE_SIGNING) += host-@package@-code-signing
> +
> +#
> +# Paths and names
> +#
> +HOST_@PACKAGE@_CODE_SIGNING_VERSION	:= @VERSION@
> +HOST_@PACKAGE@_CODE_SIGNING		:= @package@-code-signing-$(HOST_@PACKAGE@_CODE_SIGNING_VERSION)
> +HOST_@PACKAGE@_CODE_SIGNING_URL		:= file://local_src/@package@-code-signing
> +HOST_@PACKAGE@_CODE_SIGNING_DIR		:= $(HOST_BUILDDIR)/$(HOST_@PACKAGE@_CODE_SIGNING)
> +
> +HOST_@PACKAGE@_CODE_SIGNING_CONF_TOOL	:= NO
> +
> +# ----------------------------------------------------------------------------
> +# Compile
> +# ----------------------------------------------------------------------------
> +
> +HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV	:= \
> +	$(CODE_SIGNING_ENV)
> +
> +$(STATEDIR)/host-@package@-code-signing.compile:
> +	@$(call targetinfo)
> +	@$(call world/execute, HOST_@PACKAGE@_CODE_SIGNING, \
> +		./ptxdist-set-keys.sh)
> +	@$(call touch)
> +
> +$(STATEDIR)/host-@package@-code-signing.install:
> +	@$(call targetinfo)
> +	@$(call touch)
> +
> +# vim: syntax=make
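Review bot: the `.compile` stage runs `./ptxdist-set-keys.sh` from `file://local_src/@package@-code-signing`, and in the SoftHSM variant that script reads private keys from `fit/`, `rauc/` and `habv4/` below the same directory, so the template effectively places key material inside the BSP tree. A comment in the make template (or in the `-in`) that only development keys belong in local_src and that production keys should stay in the HSM would prevent the obvious mistake. The install stage is an empty touch; a one-line comment that the package exists only to run the key setup into the SoftHSM/HSM would make that intentional rather than look like a stub.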
> diff --git a/rules/templates/template-code-signing-provider-pre-make b/rules/templates/template-code-signing-provider-pre-make
> new file mode 100644
> index 000000000..28cac750c
> --- /dev/null
> +++ b/rules/templates/template-code-signing-provider-pre-make
> @@ -0,0 +1,15 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) @YEAR@ by @AUTHOR@
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +ifndef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@
> +CODE_SIGNING_ENV += \
> +	PKCS11_MODULE_PATH=@MODULE_PATH@
> +	$(HSM_CODE_SIGNING_ENV)
> +endif
> +
> +# vim: syntax=make
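Review bot: `ifndef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@` is inverted: as written, PKCS11_MODULE_PATH is appended to CODE_SIGNING_ENV only when this provider is not selected; it should be `ifdef`. The line `PKCS11_MODULE_PATH=@MODULE_PATH@` also lacks a trailing `\`, so `$(HSM_CODE_SIGNING_ENV)` on the following line is not part of the `+=` but a separate statement that make parses on its own; add the backslash so both go into the variable.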
> diff --git a/scripts/lib/ptxd_lib_template.sh b/scripts/lib/ptxd_lib_template.sh
> index 6b405763b..805d8d9d3 100644
> --- a/scripts/lib/ptxd_lib_template.sh
> +++ b/scripts/lib/ptxd_lib_template.sh
> @@ -486,3 +486,34 @@ ptxd_template_new_blspec_entry() {
>  export -f ptxd_template_new_blspec_entry
>  ptxd_template_help_list[${#ptxd_template_help_list[@]}]="blspec-entry"
>  ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a bootloader spec entry"
> +
> +ptxd_template_new_code_signing_provider() {
> +    export class="host-"
> +    ptxd_template_read_basic &&
> +    ptxd_template_read_author &&
> +    ptxd_template_read_options "provider type" TYPE "SoftHSM" "HSM with OpenSC support" "other HSM"
> +    package_filename="${package_filename}-code-signing"
> +    local template_file="$(ptxd_template_file "${template}-choice-in")"
> +    local filename="${PTXDIST_PLATFORMCONFIGDIR}/platforms/${class}${package_filename}-choice.in"
> +    ptxd_template_filter "${template_file}" "$(unknown)"
> +    template_file="$(ptxd_template_file "${template}-pre-make")"
> +    filename="${PTXDIST_PLATFORMCONFIGDIR}/rules/pre/020-${package_filename}-hsm.make"
> +    if [ "$TYPE" = "SoftHSM" ]; then
> +	export EXTRA_DEPENDENCIES="select HOST_SOFTHSM"
> +    elif [ "$TYPE" = "HSM with OpenSC support" ]; then
> +	export EXTRA_DEPENDENCIES="select HOST_OPENSC
> +	select HOST_OPENSC_PCSC"
> +	export MODULE_PATH="\${PTXDIST_SYSROOT_HOST}/lib/pkcs11/opensc-pkcs11.so"
> +	ptxd_template_filter "${template_file}" "$(unknown)"
> +    elif [ "$TYPE" = "other HSM" ]; then
> +	export EXTRA_DEPENDENCIES="select FIXME"
> +	export MODULE_PATH="\${PTXDIST_SYSROOT_HOST}/fix/me"
> +	ptxd_template_filter "${template_file}" "$(unknown)"
> +    fi
> +    ptxd_template_write_platform_rules
> +    package="${package}-code-signing"
> +    ptxd_template_write_src
> +}
> +export -f ptxd_template_new_code_signing_provider
> +ptxd_template_help_list[${#ptxd_template_help_list[@]}]="code-signing-provider"
> +ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a code signing provider"
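Review bot: the `&&` chain ends after ptxd_template_read_options, so an aborted or failed prompt still goes on to write files; continue the chain or return on failure. `filename` is computed for the choice `.in` and the pre `.make`, but the three ptxd_template_filter calls pass `"$(unknown)"` as the output path instead of `"${filename}"`, so neither file would land in `${PTXDIST_PLATFORMCONFIGDIR}`; pass `"${filename}"`. For "other HSM", `select FIXME` and `fix/me` leave an unresolvable Kconfig symbol and module path until edited, which is acceptable for a template, but the generated `.in` and pre `.make` should carry a `# FIXME` comment so the user finds both places.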
> -- 
> 2.27.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

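Every role in the HSM variant of ptxdist-set-keys.sh is bound to a key by a PKCS#11 URI (`pkcs11:token=foo;object=kernel-fit` and friends), and the reply above shows how easy it is to lose time on the paths behind those bindings. The following is an added example, not code from ptxdist or from anyone in this thread: a strict RFC 7512 parser for such URIs plus an audit function that flags what the template leaves to the user (the `token=foo` placeholder, a missing `type=`, and a PIN embedded in the URI). The sample URIs, the role names and the `audit_role_uri` checks are assumptions made for the example; the `cs_*` helpers are not reimplemented here.

```python
# Added example: a strict RFC 7512 PKCS#11 URI parser, not ptxdist code.
# It shows what the `pkcs11:token=...;object=...` strings handed to
# cs_set_uri actually encode, and flags two things worth catching in a
# build system: secrets embedded in the URI and look-ups that are
# ambiguous because no object type is given.
from urllib.parse import unquote_to_bytes

# Path attributes (before '?') and query attributes (after '?') per RFC 7512.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


class Pkcs11UriError(ValueError):
    """Raised for a malformed or unsupported pkcs11: URI."""


def _parse_attrs(segment, sep, allowed, where):
    """Split 'a=b<sep>c=d' into a dict, percent-decoding each value.

    Strict on purpose: unknown attribute names are rejected (RFC 7512
    permits vendor-specific ones, but a build recipe should not rely on
    them silently) and each name may appear only once.
    """
    attrs = {}
    if segment == "":
        return attrs
    for item in segment.split(sep):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise Pkcs11UriError(f"{where} attribute without name=value: {item!r}")
        if name not in allowed:
            raise Pkcs11UriError(f"unknown {where} attribute {name!r}")
        if name in attrs:
            raise Pkcs11UriError(f"duplicate {where} attribute {name!r}")
        raw = unquote_to_bytes(value)
        # 'id' is an arbitrary byte string (CKA_ID); everything else is text.
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI or raise Pkcs11UriError."""
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError(f"not a pkcs11: URI: {uri!r}")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path = _parse_attrs(path_part, ";", PATH_ATTRS, "path")
    query = _parse_attrs(query_part, "&", QUERY_ATTRS, "query")
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise Pkcs11UriError(f"unknown object type {path['type']!r}")
    return path, query


def is_valid_pkcs11_uri(uri):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_pkcs11_uri(uri)
    except Pkcs11UriError:
        return False
    return True


def audit_role_uri(role, uri):
    """Return review findings for the URI a signing role is bound to.

    An empty list means nothing to report. The checks are this example's
    own policy, chosen to match what the HSM template leaves to the user.
    """
    findings = []
    path, query = parse_pkcs11_uri(uri)
    if "pin-value" in query:
        findings.append(f"{role}: PIN embedded in URI; use pin-source or a separate env var")
    if not (path.get("token") or path.get("serial") or path.get("slot-id")):
        findings.append(f"{role}: no token/serial/slot-id, URI may match several tokens")
    if path.get("token") == "foo":
        findings.append(f"{role}: token=foo is the template placeholder")
    if "object" not in path and "id" not in path:
        findings.append(f"{role}: no object or id, URI does not name a key")
    if "type" not in path:
        findings.append(f"{role}: no type=, object name alone may match cert, public and private objects")
    return findings


if __name__ == "__main__":
    # Constructed sample: two roles as generated by the HSM template, plus one
    # fully qualified URI with a percent-encoded token label and a CKA_ID.
    sample = {
        "image-kernel-fit": "pkcs11:token=foo;object=kernel-fit",
        "update": "pkcs11:token=foo;object=rauc",
        "imx-habv4-srk1": "pkcs11:token=Prod%20HSM;object=srk1;type=private;id=%01%02",
    }
    for role, uri in sample.items():
        for line in audit_role_uri(role, uri) or [f"{role}: ok"]:
            print(line)
```

Run as a script it prints one finding per line for the two template URIs and `ok` for the fully qualified one; `audit_role_uri` can be dropped into a pre-commit hook or a ptxdist check stage that greps the `cs_set_uri` calls out of ptxdist-set-keys.sh. Rejecting unknown and duplicate attributes is deliberately stricter than RFC 7512 so that a typo such as `objekt=` fails at parse time instead of silently matching nothing in the HSM.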

Thread overview: 24+ messages
2020-06-17 14:31 [ptxdist] [PATCH v3 0/6] Add code-signing-provider template, add code signing docs Bastian Krause
2020-06-17 14:31 ` [ptxdist] [PATCH v3 1/6] ptxd_lib_template: add ptxd_template_read_options Bastian Krause
2020-06-19  6:24   ` Michael Olbrich
2020-06-19  8:13     ` Bastian Krause
2020-06-19 22:04   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-17 14:31 ` [ptxdist] [PATCH v3 2/6] package templates: add code-signing-provider template Bastian Krause
2020-06-18 11:40   ` Roland Hieber
2020-06-18 11:50     ` Bastian Krause
2020-06-19  6:12       ` Michael Olbrich
2020-06-19  6:28   ` Michael Olbrich
2020-06-19  7:52     ` Bastian Krause
2020-06-19 22:04   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-09-24 10:04   ` Ladislav Michl [this message]
2020-09-24 11:05     ` [ptxdist] [PATCH v3 2/6] " Bastian Krause
2020-09-24 11:15       ` Ladislav Michl
2020-09-24 12:23         ` Bastian Krause
2020-06-17 14:31 ` [ptxdist] [PATCH v3 3/6] doc: dev_manual: split up into multiple files Bastian Krause
2020-06-19 22:04   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-17 14:31 ` [ptxdist] [PATCH v3 4/6] doc: move code signing docs from scripts/ into doc/ Bastian Krause
2020-06-19 22:04   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-17 14:31 ` [ptxdist] [PATCH v3 5/6] doc: dev_code_signing: rework and extend code signing section Bastian Krause
2020-06-19 22:04   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-17 14:31 ` [ptxdist] [PATCH v3 6/6] doc: introduce ref_code_signing_helpers Bastian Krause
2020-06-19 22:04   ` [ptxdist] [APPLIED] " Michael Olbrich
