From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Date: Thu, 24 Sep 2020 12:04:27 +0200 From: Ladislav Michl Message-ID: <20200924100427.GA225235@lenoch> References: <20200617143125.23999-1-bst@pengutronix.de> <20200617143125.23999-3-bst@pengutronix.de> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20200617143125.23999-3-bst@pengutronix.de> Subject: Re: [ptxdist] [PATCH v3 2/6] package templates: add code-signing-provider template List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Bastian Krause Hi and sorry to revive this old patch. I just hadn't time to finish conversion to code-signing-provider sooner... On Wed, Jun 17, 2020 at 04:31:21PM +0200, Bastian Krause wrote: > A ptxdist code signing provider is a package which selects the required > host tools needed for the code signing helpers to work. A shell script > is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM > is used. In order to simplify its creation provide a template along with > an example script. 
>
> Signed-off-by: Bastian Krause
> ---
> Changes since v2:
> - rename srk object name for consistency reasons
> - ask user about HSM type
> - split HSM/SoftHSM ptxdist-set-keys.sh cases into separate files
> - introduce wizard.sh to generate ptxdist-set-keys.sh HSM case specific
> - set dependencies HSM case specific
> - introduce pre rule template to extend CODE_SIGNING_ENV HSM case
> specific
> ---
> .../ptxdist-set-keys-hsm.sh | 42 ++++++++++++++
> .../ptxdist-set-keys-softhsm.sh | 58 +++++++++++++++++++
> .../templates/code-signing-provider/wizard.sh | 10 ++++
> .../template-code-signing-provider-choice-in | 5 ++
> .../template-code-signing-provider-in | 14 +++++
> .../template-code-signing-provider-make | 41 +++++++++++++
> .../template-code-signing-provider-pre-make | 15 +++++
> scripts/lib/ptxd_lib_template.sh | 31 ++++++++++
> 8 files changed, 216 insertions(+)
> create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
> create mode 100644 rules/templates/code-signing-provider/wizard.sh
> create mode 100644 rules/templates/template-code-signing-provider-choice-in
> create mode 100644 rules/templates/template-code-signing-provider-in
> create mode 100644 rules/templates/template-code-signing-provider-make
> create mode 100644 rules/templates/template-code-signing-provider-pre-make
>
> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> new file mode 100755
> index 000000000..6bbe830f2
> --- /dev/null
> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> @@ -0,0 +1,42 @@
> +#!/bin/bash
> +
> +set -e
> +
> +set_fit_keys() {
> + local r="image-kernel-fit"
> + cs_define_role "${r}"
> +
> + # HSM use case
> + cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit"
> +}
> +
> +set_rauc_keys() {
> + local r="update"
> + cs_define_role "${r}"
> + cs_set_uri "${r}" "pkcs11:token=foo;object=rauc"
> + cs_append_ca_from_uri "${r}"
> +}
> +
> +set_imx_habv4_keys() {
> + # HSM use case, assuming it contains only 1st CSF/IMG key
> + for i in 1 2 3 4; do
> + r="imx-habv4-srk${i}"
> + cs_define_role "${r}"
> + cs_set_uri "${r}" "pkcs11:token=foo;object=srk${i}"
> + cs_append_ca_from_uri "${r}"
> + done
> +
> + r="imx-habv4-csf1"
> + cs_define_role ${r}
> + cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
> +
> + r="imx-habv4-img1"
> + cs_define_role ${r}
> + cs_set_uri "${r}" "pkcs11:token=foo;object=img1"
> +}
> +
> +
> +# HSM use case
> +set_fit_keys
> +set_rauc_keys
> +set_imx_habv4_keys
> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
> new file mode 100755
> index 000000000..0836d61d1
> --- /dev/null
> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
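Review bot: In set_imx_habv4_keys the role variable `r` (and the loop index `i`) is assigned without `local`, unlike set_fit_keys and set_rauc_keys, so it leaks into whatever sources this script, and the two `cs_define_role ${r}` calls for csf1/img1 are unquoted while every other call in the file quotes it. Declaring `local r i` at the top of the function and writing `cs_define_role "${r}"` keeps the three functions consistent and avoids word-splitting if a role name ever contains a space. The `pkcs11:token=foo` URIs are placeholders the user must edit, but the same token name is repeated nine times; hoisting it once, e.g. `token="foo"` and `"pkcs11:token=${token};object=rauc"`, gives a single place to change and makes a forgotten placeholder easier to spot before it selects the wrong signing token. Whether a URI that matches no object fails loudly depends on cs_set_uri, which is not part of this patch.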
> @@ -0,0 +1,58 @@
> +#!/bin/bash
> +
> +set -e
> +
> +import_fit_keys() {
> + local fit_cert_dir=fit
> + local r="image-kernel-fit"
> + cs_define_role "${r}"
> +
> + cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt"
> + cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
> + cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
> +}
> +
> +import_rauc_keys() {
> + local rauc_cert_dir=rauc
> + local r="update"
> + cs_define_role "${r}"
> +
> + # SoftHSM use case
> + cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
> + cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
> + cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
> +
> + cs_append_ca_from_uri "${r}"
> +}
For those previously using scripts/rauc-gen-test-certs.sh above shoud read: import_rauc_keys() { local rauc_cert_dir=${PTXDIST_WORKSPACE}/configs/rauc local r="update" cs_define_role "${r}" # SoftHSM use case cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem" cs_import_key_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem" cs_append_ca_from_pem "${r}" "${rauc_cert_dir}/ca.cert.pem" } scripts/rauc-gen-test-certs.sh generated those files and back then there was following note: =============================================================================== Note that the default application should be to set up a public key infrastructure at your site and use keys and certificates genereated by these. In oder to use the just generated files in your BSP for testing purpose or if you do not intend to use real authentification, follow the instructions below.
Place the key and certificate file in your platform-dir's config/ folder: cp rauc-openssl-ca/private/rauc.key.pem /config/rauc/rauc.key.pem cp rauc-openssl-ca/rauc.cert.pem /config/rauc/rauc.cert.pem Place the keyring file in your platform-dir's projectroot/ folder: cp rauc-openssl-ca/ca.cert.pem /projectroot/etc/rauc/ca.cert.pem =============================================================================== Perhaps it would be nice to mention than in documentation as it could save time to others. Thanks to Enrico Jorns for help with debugging that.
> +import_imx_habv4_keys() {
> + local imx_habv4_key_dir="habv4"
> + local crts="${imx_habv4_key_dir}/crts"
> + local keys="${imx_habv4_key_dir}/keys"
> + local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"
> +
> + for i in 1 2 3 4; do
> + r="imx-habv4-srk${i}"
> + cs_define_role "${r}"
> + cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der"
> + cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem"
> + cs_append_ca_from_uri "${r}"
> +
> + r="imx-habv4-csf${i}"
> + cs_define_role "${r}"
> + cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der"
> + cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem"
> +
> + r="imx-habv4-img${i}"
> + cs_define_role "${r}"
> + cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der"
> + cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem"
> + done
> +}
> +
> +
> +# SoftHSM use case
> +cs_init_softhsm
> +import_fit_keys
> +import_rauc_keys
> +import_imx_habv4_keys
> diff --git a/rules/templates/code-signing-provider/wizard.sh b/rules/templates/code-signing-provider/wizard.sh
> new file mode 100644
> index 000000000..83d6d54e3
> --- /dev/null
> +++ b/rules/templates/code-signing-provider/wizard.sh
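Review bot: `local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"` in import_imx_habv4_keys is assigned but never referenced in the function, so it only does anything if `cs_import_key_from_pem` reads a variable of that name from the calling shell; as a non-exported `local` it will not reach any subprocess such a helper spawns, and a reader of the generated script cannot tell which it is. Either `export OPENSSL_KEYPASS=...` or keep `local` and add `# read by cs_import_key_from_pem to unlock the HAB keys` so the coupling is explicit; this is worth confirming against the helper, which is not in this patch. The file it points at is a cleartext passphrase stored next to the private keys it protects, and the fit/rauc functions likewise import private keys from relative paths inside the package; a header comment stating that these are SoftHSM development keys and must not be reused for production signing would make the intent clear to anyone copying the template. The loop variable `r` in this function is also not declared `local`, unlike the other two functions.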
> @@ -0,0 +1,10 @@
> +#!/bin/bash
> +
> +if [ "$TYPE" = "SoftHSM" ]; then
> + mv ptxdist-set-keys-softhsm.sh ptxdist-set-keys.sh
> + rm ptxdist-set-keys-hsm.sh
> +
> +elif [ "$TYPE" = "HSM with OpenSC support" ] || [ "$TYPE" = "other HSM" ]; then
> + mv ptxdist-set-keys-hsm.sh ptxdist-set-keys.sh
> + rm ptxdist-set-keys-softhsm.sh
> +fi
> diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in
> new file mode 100644
> index 000000000..e2108f870
> --- /dev/null
> +++ b/rules/templates/template-code-signing-provider-choice-in
> @@ -0,0 +1,5 @@
> +## SECTION=code_signing_provider
> +
> +config CODE_SIGNING_PROVIDER_@PACKAGE@
> + bool
> + prompt "@package@"
> diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in
> new file mode 100644
> index 000000000..b84ba839c
> --- /dev/null
> +++ b/rules/templates/template-code-signing-provider-in
> @@ -0,0 +1,14 @@
> +## SECTION=code_signing
> +
> +config CODE_SIGNING
> + select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@
> +
> +config CODE_SIGNING_PROVIDER
> + default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@
> +
> +config HOST_@PACKAGE@_CODE_SIGNING
> + bool
> + select HOST_LIBP11
> + select HOST_OPENSSL
> + select HOST_EXTRACT_CERT
> + @EXTRA_DEPENDENCIES@
> diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
> new file mode 100644
> index 000000000..94830d92e
> --- /dev/null
> +++ b/rules/templates/template-code-signing-provider-make
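Review bot: wizard.sh has no branch for a `$TYPE` that matches none of the three strings (or is unset), in which case both ptxdist-set-keys-*.sh files stay in place and no ptxdist-set-keys.sh is produced, so the failure only surfaces later when the generated make rule runs `./ptxdist-set-keys.sh`. Add an `else` that fails loudly, e.g. `else echo "unknown provider type: '$TYPE'" >&2; exit 1; fi`, and consider `set -e` as the two set-keys templates already use, so a failing `mv` or `rm` cannot leave a half-converted package behind. The three literal type strings must stay identical to the ones passed to `ptxd_template_read_options` in ptxd_lib_template.sh; a note on the `if` line, `# keep in sync with ptxd_template_new_code_signing_provider`, would help the next editor.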
> @@ -0,0 +1,41 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) @YEAR@ by @AUTHOR@
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +HOST_PACKAGES-$(PTXCONF_HOST_@PACKAGE@_CODE_SIGNING) += host-@package@-code-signing
> +
> +#
> +# Paths and names
> +#
> +HOST_@PACKAGE@_CODE_SIGNING_VERSION := @VERSION@
> +HOST_@PACKAGE@_CODE_SIGNING := @package@-code-signing-$(HOST_@PACKAGE@_CODE_SIGNING_VERSION)
> +HOST_@PACKAGE@_CODE_SIGNING_URL := file://local_src/@package@-code-signing
> +HOST_@PACKAGE@_CODE_SIGNING_DIR := $(HOST_BUILDDIR)/$(HOST_@PACKAGE@_CODE_SIGNING)
> +
> +HOST_@PACKAGE@_CODE_SIGNING_CONF_TOOL := NO
> +
> +# ----------------------------------------------------------------------------
> +# Compile
> +# ----------------------------------------------------------------------------
> +
> +HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV := \
> + $(CODE_SIGNING_ENV)
> +
> +$(STATEDIR)/host-@package@-code-signing.compile:
> + @$(call targetinfo)
> + @$(call world/execute, HOST_@PACKAGE@_CODE_SIGNING, \
> + ./ptxdist-set-keys.sh)
> + @$(call touch)
> +
> +$(STATEDIR)/host-@package@-code-signing.install:
> + @$(call targetinfo)
> + @$(call touch)
> +
> +# vim: syntax=make
> diff --git a/rules/templates/template-code-signing-provider-pre-make b/rules/templates/template-code-signing-provider-pre-make
> new file mode 100644
> index 000000000..28cac750c
> --- /dev/null
> +++ b/rules/templates/template-code-signing-provider-pre-make
> @@ -0,0 +1,15 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) @YEAR@ by @AUTHOR@
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +ifndef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@
> +CODE_SIGNING_ENV += \
> + PKCS11_MODULE_PATH=@MODULE_PATH@
> + $(HSM_CODE_SIGNING_ENV)
> +endif
> +
> +# vim: syntax=make
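Review bot: The `ifndef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@` guard in the pre-make template looks inverted: it extends CODE_SIGNING_ENV with this provider's PKCS11_MODULE_PATH exactly when this provider is not selected, whereas the changelog describes extending it "HSM case specific"; unless that is intentional it should be `ifdef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@`. Because PKCS11_MODULE_PATH decides which shared object the signing helpers load keys from, pointing every other provider's build at this module is a silent misconfiguration rather than a build error. Separately, `PKCS11_MODULE_PATH=@MODULE_PATH@` has no trailing backslash, so `$(HSM_CODE_SIGNING_ENV)` on the next line is not part of the `+=` but a standalone make statement; if the backslash was not lost in mail transit, the line should be `PKCS11_MODULE_PATH=@MODULE_PATH@ \`. A quick check is to select the provider and print the expanded CODE_SIGNING_ENV from the generated rule.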
> diff --git a/scripts/lib/ptxd_lib_template.sh b/scripts/lib/ptxd_lib_template.sh
> index 6b405763b..805d8d9d3 100644
> --- a/scripts/lib/ptxd_lib_template.sh
> +++ b/scripts/lib/ptxd_lib_template.sh
> @@ -486,3 +486,34 @@ ptxd_template_new_blspec_entry() {
> export -f ptxd_template_new_blspec_entry
> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="blspec-entry"
> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a bootloader spec entry"
> +
> +ptxd_template_new_code_signing_provider() {
> + export class="host-"
> + ptxd_template_read_basic &&
> + ptxd_template_read_author &&
> + ptxd_template_read_options "provider type" TYPE "SoftHSM" "HSM with OpenSC support" "other HSM"
> + package_filename="${package_filename}-code-signing"
> + local template_file="$(ptxd_template_file "${template}-choice-in")"
> + local filename="${PTXDIST_PLATFORMCONFIGDIR}/platforms/${class}${package_filename}-choice.in"
> + ptxd_template_filter "${template_file}" "$(unknown)"
> + template_file="$(ptxd_template_file "${template}-pre-make")"
> + filename="${PTXDIST_PLATFORMCONFIGDIR}/rules/pre/020-${package_filename}-hsm.make"
> + if [ "$TYPE" = "SoftHSM" ]; then
> + export EXTRA_DEPENDENCIES="select HOST_SOFTHSM"
> + elif [ "$TYPE" = "HSM with OpenSC support" ]; then
> + export EXTRA_DEPENDENCIES="select HOST_OPENSC
> + select HOST_OPENSC_PCSC"
> + export MODULE_PATH="\${PTXDIST_SYSROOT_HOST}/lib/pkcs11/opensc-pkcs11.so"
> + ptxd_template_filter "${template_file}" "$(unknown)"
> + elif [ "$TYPE" = "other HSM" ]; then
> + export EXTRA_DEPENDENCIES="select FIXME"
> + export MODULE_PATH="\${PTXDIST_SYSROOT_HOST}/fix/me"
> + ptxd_template_filter "${template_file}" "$(unknown)"
> + fi
> + ptxd_template_write_platform_rules
> + package="${package}-code-signing"
> + ptxd_template_write_src
> +}
> +export -f ptxd_template_new_code_signing_provider
> +ptxd_template_help_list[${#ptxd_template_help_list[@]}]="code-signing-provider"
> +ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a code signing provider"
> --
> 2.27.0
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To
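Review bot: The `&&` chain in ptxd_template_new_code_signing_provider covers only the three `ptxd_template_read_*` calls; if `ptxd_template_read_options` fails or the user aborts, execution falls through to `package_filename=...` and the function still filters templates and writes files, so the chain should end in `|| return` (or the rest of the body should be guarded by it). For the "other HSM" choice the function writes `select FIXME` and `\${PTXDIST_SYSROOT_HOST}/fix/me` into the generated Kconfig and pre-make files without telling the user, so the package will fail at menuconfig or build time with a message that does not point back here; a hint in that branch, e.g. `echo "edit EXTRA_DEPENDENCIES and MODULE_PATH in the generated files before building" >&2`, would save the user a search. The three type strings are compared literally here and again in wizard.sh; keeping them in one place (or comparing a short token) would stop the two copies from drifting. The second argument of the three `ptxd_template_filter` calls appears as `"$(unknown)"` in this copy, which given the `filename=` assignments directly above presumably was `"${filename}"` in the original mail — worth confirming against the archive.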