mailarchive of the ptxdist mailing list
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH v2 0/2] yubi HSM pkcs11 plugin for signing provider
Date: Wed, 31 Mar 2021 09:22:35 +0200
Message-ID: <20210331072235.GB8755@pengutronix.de>
In-Reply-To: <ff6484667e13c0cf9c4e4df2422b348f17edeee4.camel@diehl.com>

On Tue, Mar 30, 2021 at 02:53:42PM +0000, Denis Osterland-Heim wrote:
> v1 -> v2:
> - pass variables to CODE_SIGNING_ENV in favour of noproxy patch
> - remove function extending patches, which seems easier to maintain
> 
> Denis Osterland-Heim (2):
>       host-libcurl: enable http(s) support
>       host-yubihsm-shell: new package
> 
>  rules/host-libcurl.make          |  4 ++--
>  rules/host-yubihsm-shell.in      | 13 +++++++++++++
>  rules/host-yubihsm-shell.make    | 37 +++++++++++++++++++++++++++++++++++++
>  rules/pre/030-yubihsm-shell.make | 11 +++++++++++
>  4 files changed, 63 insertions(+), 2 deletions(-)
> 
> base-commit: c33f9942d ("glib: version bump 2.66.6 -> 2.68.0")
> 
> Return-Path: <osterlad@cwpc1435.diehlako.local>
> X-Original-To: ptxdist@pengutronix.de
> Delivered-To: osterlad@cwpc1435.diehlako.local
> Received: by cwpc1435.diehlako.local (Postfix, from userid 1001)
> 	id ABA433E432B; Tue, 30 Mar 2021 16:48:30 +0200 (CEST)
> From: Denis Osterland-Heim <denis.osterland@diehl.com>
> To: ptxdist@pengutronix.de
> Subject: [PATCH v2 1/2] host-libcurl: enable http(s) support
> Date: Tue, 30 Mar 2021 16:48:27 +0200
> Message-Id: <20210330144828.15293-2-denis.osterland@diehl.com>
> X-Mailer: git-send-email 2.31.1
> In-Reply-To: <20210330144828.15293-1-denis.osterland@diehl.com>
> References: <20210330144828.15293-1-denis.osterland@diehl.com>
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
> 
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> ---
>  rules/host-libcurl.make | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
> index dc28de778..1a2a1fcf5 100644
> --- a/rules/host-libcurl.make
> +++ b/rules/host-libcurl.make
> @@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT	:= \
>  	--without-librtmp \
>  	\
>  	--disable-ares \
> -	--disable-http \
> +	--enable-http \
>  	--disable-nghttp2 \
>  	--disable-cookies \
>  	--disable-ftp \
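Review bot: the switch from `--disable-http` to `--enable-http` has no justification in the commit message, which consists of the subject and the Signed-off-by only. host-libcurl is shared by every host tool that links it, so the message should name the consumer that needs HTTP (in this series host-yubihsm-shell, which selects HOST_LIBCURL), so the option is not reverted later as unneeded.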
> @@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT	:= \
>  	--disable-file \
>  	--disable-crypto-auth \
>  	--disable-libssh2 \
> -	--without-ssl
> +	--with-ssl

still missing the openssl dependency.


>  
>  $(STATEDIR)/host-libcurl.install:
>  	@$(call targetinfo)
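Review bot: `--with-ssl` at the end of HOST_LIBCURL_CONF_OPT is given without a path and without a matching dependency. The diffstat shows only rules/host-libcurl.make changed, so nothing makes host-libcurl select HOST_OPENSSL, and the build then depends on whatever OpenSSL configure happens to find. Add the select to the package's .in file in this same patch, so the TLS library used by the signing path is the one the BSP builds.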
> -- 
> 2.31.1
> 

> Return-Path: <osterlad@cwpc1435.diehlako.local>
> X-Original-To: ptxdist@pengutronix.de
> Delivered-To: osterlad@cwpc1435.diehlako.local
> Received: by cwpc1435.diehlako.local (Postfix, from userid 1001)
> 	id AE8CF3E432B; Tue, 30 Mar 2021 16:48:30 +0200 (CEST)
> From: Denis Osterland-Heim <denis.osterland@diehl.com>
> To: ptxdist@pengutronix.de
> Subject: [PATCH v2 2/2] host-yubihsm-shell: new package
> Date: Tue, 30 Mar 2021 16:48:28 +0200
> Message-Id: <20210330144828.15293-3-denis.osterland@diehl.com>
> X-Mailer: git-send-email 2.31.1
> In-Reply-To: <20210330144828.15293-1-denis.osterland@diehl.com>
> References: <20210330144828.15293-1-denis.osterland@diehl.com>
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
> 
> This package provides the pkcs11 plugin for yubi HSMs,
> which allows to create a signing provider for it.
> 
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> ---
>  rules/host-yubihsm-shell.in      | 13 +++++++++++
>  rules/host-yubihsm-shell.make    | 37 ++++++++++++++++++++++++++++++++
>  rules/pre/030-yubihsm-shell.make | 11 ++++++++++
>  3 files changed, 61 insertions(+)
>  create mode 100644 rules/host-yubihsm-shell.in
>  create mode 100644 rules/host-yubihsm-shell.make
>  create mode 100644 rules/pre/030-yubihsm-shell.make
> 
> diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> new file mode 100644
> index 000000000..3b17a2e98
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.in
> @@ -0,0 +1,13 @@
> +## SECTION=hosttools_noprompt
> +
> +config HOST_YUBIHSM_SHELL
> +	tristate
> +	default ALLYES
> +	select HOST_CMAKE
> +	select HOST_OPENSSL
> +	select HOST_LIBCURL
> +	select HOST_LIBUSB
> +	select HOST_GENGETOPT
> +	select HOST_LIBEDIT
> +	select HOST_PCSC_LITE
> +	select HOST_LIBP11
> diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> new file mode 100644
> index 000000000..3ebfc8c1f
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.make
> @@ -0,0 +1,37 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> +
> +#
> +# Paths and names
> +#
> +HOST_YUBIHSM_SHELL_VERSION	:= 2.1.0
> +HOST_YUBIHSM_SHELL_MD5		:= 7363c0bc4ed037e262474beaa6e1407b
> +HOST_YUBIHSM_SHELL		:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> +HOST_YUBIHSM_SHELL_SUFFIX	:= tar.gz
> +HOST_YUBIHSM_SHELL_URL		:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_SOURCE	:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_DIR		:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# cmake
> +#
> +HOST_YUBIHSM_SHELL_CONF_TOOL	:= cmake
> +HOST_YUBIHSM_SHELL_CONF_OPT	:=  \
> +	$(HOST_CMAKE_OPT) \
> +	-DBUILD_ONLY_LIB=OFF \
> +	-DENABLE_COVERAGE=OFF \
> +	-DSUPRESS_MSVC_WARNINGS=ON \
> +	-DWITHOUT_MANPAGES=1
> +
> +# vim: syntax=make
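Review bot: `-DSUPRESS_MSVC_WARNINGS=ON` in HOST_YUBIHSM_SHELL_CONF_OPT refers to MSVC, which plays no role in a host build configured through `$(HOST_CMAKE_OPT)`; drop it unless the build needs it, and if it does, say why in a comment. `-DWITHOUT_MANPAGES=1` also uses `1` where the other switches use ON/OFF; use one style for the boolean values.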
> diff --git a/rules/pre/030-yubihsm-shell.make b/rules/pre/030-yubihsm-shell.make
> new file mode 100644
> index 000000000..fbfc48f2d
> --- /dev/null
> +++ b/rules/pre/030-yubihsm-shell.make
> @@ -0,0 +1,11 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <denis.osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +ifdef PTXCONF_HOST_YUBIHSM_SHELL
> +CODE_SIGNING_ENV += HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=
> +endif
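Review bot: the `CODE_SIGNING_ENV +=` line clears four proxy variables with no comment saying why, and the only hint in the series is the cover letter's "in favour of noproxy patch". Put the reason in a comment above the `ifdef` and in the commit message. Because the `ifdef` tests PTXCONF_HOST_YUBIHSM_SHELL, the override applies to every user of CODE_SIGNING_ENV whenever the package is selected, including builds that sign with a different provider; the comment should state that this is intended.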

Could you add a comment, why this is needed?

Hmmm, in general, I'd prefer to ifdef based on the provider and not the
package. But that will be some custom stuff and I don't want to require
this kind of thing in the BSP.

The proxy stuff is just a bit of a sanity check anyways. The packages that
use CODE_SIGNING_ENV are bootloaders, images, etc. I'm not too worried
about those. It's stuff like python packages that try to download missing
dependencies at build-time.

So this is fine, even if it's not 100 percent correct.

Regards,
Michael


> -- 
> 2.31.1
> 

> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
