mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH v2 0/2] yubi HSM pkcs11 plugin for signing provider
@ 2021-03-30 14:53 Denis Osterland-Heim
  2021-03-31  7:22 ` Michael Olbrich
  0 siblings, 1 reply; 4+ messages in thread
From: Denis Osterland-Heim @ 2021-03-30 14:53 UTC (permalink / raw)
  To: ptxdist

[-- Attachment #1: Type: text/plain, Size: 1913 bytes --]

v1 -> v2:
- pass variables to CODE_SIGNING_ENV in favour of noproxy patch
- remove function extending patches, which seems easier to maintain

Denis Osterland-Heim (2):
      host-libcurl: enable http(s) support
      host-yubihsm-shell: new package

 rules/host-libcurl.make          |  4 ++--
 rules/host-yubihsm-shell.in      | 13 +++++++++++++
 rules/host-yubihsm-shell.make    | 37 +++++++++++++++++++++++++++++++++++++
 rules/pre/030-yubihsm-shell.make | 11 +++++++++++
 4 files changed, 63 insertions(+), 2 deletions(-)

base-commit: c33f9942d ("glib: version bump 2.66.6 -> 2.68.0")

Diehl Connectivity Solutions GmbH
Managing Director: Horst Leonberger
Registered office: Nürnberg - Court of registration: Amtsgericht
Nürnberg: HRB 32315

________________________________

The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.

- For general information on data protection and your respective rights please visit:

https://www.diehl.com/group/en/transparency-and-information-obligations/



[-- Attachment #2: 1617115710.Vfd01Idfe513M709882.mbox --]
[-- Type: application/mbox, Size: 1418 bytes --]

[-- Attachment #3: 1617115710.Vfd01Idfe687M718182.mbox --]
[-- Type: application/mbox, Size: 3607 bytes --]

[-- Attachment #4: Type: text/plain, Size: 181 bytes --]

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


* Re: [ptxdist] [PATCH v2 0/2] yubi HSM pkcs11 plugin for signing provider
  2021-03-30 14:53 [ptxdist] [PATCH v2 0/2] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
@ 2021-03-31  7:22 ` Michael Olbrich
  2021-03-31 11:27   ` Denis Osterland-Heim
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Olbrich @ 2021-03-31  7:22 UTC (permalink / raw)
  To: ptxdist

On Tue, Mar 30, 2021 at 02:53:42PM +0000, Denis Osterland-Heim wrote:
> v1 -> v2:
> - pass variables to CODE_SIGNING_ENV in favour of noproxy patch
> - remove function extending patches, which seems easier to maintain
> 
> Denis Osterland-Heim (2):
>       host-libcurl: enable http(s) support
>       host-yubihsm-shell: new package
> 
>  rules/host-libcurl.make          |  4 ++--
>  rules/host-yubihsm-shell.in      | 13 +++++++++++++
>  rules/host-yubihsm-shell.make    | 37 +++++++++++++++++++++++++++++++++++++
>  rules/pre/030-yubihsm-shell.make | 11 +++++++++++
>  4 files changed, 63 insertions(+), 2 deletions(-)
> 
> base-commit: c33f9942d ("glib: version bump 2.66.6 -> 2.68.0")
> 
> Return-Path: <osterlad@cwpc1435.diehlako.local>
> X-Original-To: ptxdist@pengutronix.de
> Delivered-To: osterlad@cwpc1435.diehlako.local
> Received: by cwpc1435.diehlako.local (Postfix, from userid 1001)
> 	id ABA433E432B; Tue, 30 Mar 2021 16:48:30 +0200 (CEST)
> From: Denis Osterland-Heim <denis.osterland@diehl.com>
> To: ptxdist@pengutronix.de
> Subject: [PATCH v2 1/2] host-libcurl: enable http(s) support
> Date: Tue, 30 Mar 2021 16:48:27 +0200
> Message-Id: <20210330144828.15293-2-denis.osterland@diehl.com>
> X-Mailer: git-send-email 2.31.1
> In-Reply-To: <20210330144828.15293-1-denis.osterland@diehl.com>
> References: <20210330144828.15293-1-denis.osterland@diehl.com>
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
> 
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> ---
>  rules/host-libcurl.make | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
> index dc28de778..1a2a1fcf5 100644
> --- a/rules/host-libcurl.make
> +++ b/rules/host-libcurl.make
> @@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT	:= \
>  	--without-librtmp \
>  	\
>  	--disable-ares \
> -	--disable-http \
> +	--enable-http \
>  	--disable-nghttp2 \
>  	--disable-cookies \
>  	--disable-ftp \
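
Review bot: `--enable-http` in HOST_LIBCURL_CONF_OPT changes the shared host libcurl, and the commit message carries only a Signed-off-by, so the reason for the switch is not recorded anywhere in the patch. Add a short body naming the consumer (patch 2/2 selects HOST_LIBCURL for host-yubihsm-shell) so a later cleanup does not flip it back to `--disable-http`.
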
> @@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT	:= \
>  	--disable-file \
>  	--disable-crypto-auth \
>  	--disable-libssh2 \
> -	--without-ssl
> +	--with-ssl

still missing the openssl dependency.


>  
>  $(STATEDIR)/host-libcurl.install:
>  	@$(call targetinfo)
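
Review bot: `--with-ssl` at the end of HOST_LIBCURL_CONF_OPT arrives with no change that makes host-libcurl depend on OpenSSL; the diffstat for this patch lists only rules/host-libcurl.make. The `select HOST_OPENSSL` in patch 2/2 sits on HOST_YUBIHSM_SHELL, so it only helps when that package is enabled and does not express that libcurl itself now links against it. Put the select on host-libcurl's own config entry in this patch.
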
> -- 
> 2.31.1
> 

> Return-Path: <osterlad@cwpc1435.diehlako.local>
> X-Original-To: ptxdist@pengutronix.de
> Delivered-To: osterlad@cwpc1435.diehlako.local
> Received: by cwpc1435.diehlako.local (Postfix, from userid 1001)
> 	id AE8CF3E432B; Tue, 30 Mar 2021 16:48:30 +0200 (CEST)
> From: Denis Osterland-Heim <denis.osterland@diehl.com>
> To: ptxdist@pengutronix.de
> Subject: [PATCH v2 2/2] host-yubihsm-shell: new package
> Date: Tue, 30 Mar 2021 16:48:28 +0200
> Message-Id: <20210330144828.15293-3-denis.osterland@diehl.com>
> X-Mailer: git-send-email 2.31.1
> In-Reply-To: <20210330144828.15293-1-denis.osterland@diehl.com>
> References: <20210330144828.15293-1-denis.osterland@diehl.com>
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
> 
> This package provides the pkcs11 plugin for yubi HSMs,
> which allows to create a signing provider for it.
> 
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> ---
>  rules/host-yubihsm-shell.in      | 13 +++++++++++
>  rules/host-yubihsm-shell.make    | 37 ++++++++++++++++++++++++++++++++
>  rules/pre/030-yubihsm-shell.make | 11 ++++++++++
>  3 files changed, 61 insertions(+)
>  create mode 100644 rules/host-yubihsm-shell.in
>  create mode 100644 rules/host-yubihsm-shell.make
>  create mode 100644 rules/pre/030-yubihsm-shell.make
> 
> diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> new file mode 100644
> index 000000000..3b17a2e98
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.in
> @@ -0,0 +1,13 @@
> +## SECTION=hosttools_noprompt
> +
> +config HOST_YUBIHSM_SHELL
> +	tristate
> +	default ALLYES
> +	select HOST_CMAKE
> +	select HOST_OPENSSL
> +	select HOST_LIBCURL
> +	select HOST_LIBUSB
> +	select HOST_GENGETOPT
> +	select HOST_LIBEDIT
> +	select HOST_PCSC_LITE
> +	select HOST_LIBP11
> diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> new file mode 100644
> index 000000000..3ebfc8c1f
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.make
> @@ -0,0 +1,37 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> +
> +#
> +# Paths and names
> +#
> +HOST_YUBIHSM_SHELL_VERSION	:= 2.1.0
> +HOST_YUBIHSM_SHELL_MD5		:= 7363c0bc4ed037e262474beaa6e1407b
> +HOST_YUBIHSM_SHELL		:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> +HOST_YUBIHSM_SHELL_SUFFIX	:= tar.gz
> +HOST_YUBIHSM_SHELL_URL		:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_SOURCE	:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_DIR		:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# cmake
> +#
> +HOST_YUBIHSM_SHELL_CONF_TOOL	:= cmake
> +HOST_YUBIHSM_SHELL_CONF_OPT	:=  \
> +	$(HOST_CMAKE_OPT) \
> +	-DBUILD_ONLY_LIB=OFF \
> +	-DENABLE_COVERAGE=OFF \
> +	-DSUPRESS_MSVC_WARNINGS=ON \
> +	-DWITHOUT_MANPAGES=1
> +
> +# vim: syntax=make
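
Review bot: HOST_YUBIHSM_SHELL_MD5 is the only integrity check on the source of the tool that talks to the signing HSM, and HOST_YUBIHSM_SHELL_URL fetches a GitHub `archive/` tarball of the version tag. Say in the commit message how the checksum was obtained, and use a stronger checksum if the rule format offers one. Separately, `-DSUPRESS_MSVC_WARNINGS=ON` in HOST_YUBIHSM_SHELL_CONF_OPT concerns a compiler that is not used for this host build and can be dropped.
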
> diff --git a/rules/pre/030-yubihsm-shell.make b/rules/pre/030-yubihsm-shell.make
> new file mode 100644
> index 000000000..fbfc48f2d
> --- /dev/null
> +++ b/rules/pre/030-yubihsm-shell.make
> @@ -0,0 +1,11 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <denis.osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +ifdef PTXCONF_HOST_YUBIHSM_SHELL
> +CODE_SIGNING_ENV += HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=
> +endif
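
Review bot: the `ifdef PTXCONF_HOST_YUBIHSM_SHELL` guard keys the proxy override on the host package, which rules/host-yubihsm-shell.in declares with `default ALLYES`, so the four emptied proxy variables reach every user of CODE_SIGNING_ENV whenever the package is built, whether or not a YubiHSM signing provider is in use. The file also has no comment explaining the assignment. Add a comment above it stating that the provider has to make network requests while signing, and guard on the provider symbol where one exists.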

Could you add a comment, why this is needed?

Hmmm, in general, I'd prefer to ifdef based on the provider and not the
package. But that will be some custom stuff and I don't want to require
this kind of thing in the BSP.

The proxy stuff is just a bit of a sanity check anyways. The packages that
use CODE_SIGNING_ENV are bootloaders, images, etc. I'm not too worried
about those. It's stuff like python packages that try to download missing
dependencies at build-time.

So this is fine, even if it's not 100 percent correct.

Regards,
Michael


> -- 
> 2.31.1
> 



-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH v2 0/2] yubi HSM pkcs11 plugin for signing provider
  2021-03-31  7:22 ` Michael Olbrich
@ 2021-03-31 11:27   ` Denis Osterland-Heim
  2021-03-31 12:34     ` Michael Olbrich
  0 siblings, 1 reply; 4+ messages in thread
From: Denis Osterland-Heim @ 2021-03-31 11:27 UTC (permalink / raw)
  To: ptxdist

Hi,

On Wednesday, 31.03.2021, at 09:22 +0200, Michael Olbrich wrote:
> On Tue, Mar 30, 2021 at 02:53:42PM +0000, Denis Osterland-Heim wrote:
> > v1 -> v2:
> > - pass variables to CODE_SIGNING_ENV in favour of noproxy patch
> > - remove function extending patches, which seems easier to maintain
> >
> > Denis Osterland-Heim (2):
> >       host-libcurl: enable http(s) support
> >       host-yubihsm-shell: new package
> >
> >  rules/host-libcurl.make          |  4 ++--
> >  rules/host-yubihsm-shell.in      | 13 +++++++++++++
> >  rules/host-yubihsm-shell.make    | 37 +++++++++++++++++++++++++++++++++++++
> >  rules/pre/030-yubihsm-shell.make | 11 +++++++++++
> >  4 files changed, 63 insertions(+), 2 deletions(-)
> >
> > base-commit: c33f9942d ("glib: version bump 2.66.6 -> 2.68.0")
> >
> > Return-Path: <osterlad@cwpc1435.diehlako.local>
> > X-Original-To: ptxdist@pengutronix.de
> > Delivered-To: osterlad@cwpc1435.diehlako.local
> > Received: by cwpc1435.diehlako.local (Postfix, from userid 1001)
> > id ABA433E432B; Tue, 30 Mar 2021 16:48:30 +0200 (CEST)
> > From: Denis Osterland-Heim <denis.osterland@diehl.com>
> > To: ptxdist@pengutronix.de
> > Subject: [PATCH v2 1/2] host-libcurl: enable http(s) support
> > Date: Tue, 30 Mar 2021 16:48:27 +0200
> > Message-Id: <20210330144828.15293-2-denis.osterland@diehl.com>
> > X-Mailer: git-send-email 2.31.1
> > In-Reply-To: <20210330144828.15293-1-denis.osterland@diehl.com>
> > References: <20210330144828.15293-1-denis.osterland@diehl.com>
> > MIME-Version: 1.0
> > Content-Transfer-Encoding: 8bit
> >
> > Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> > ---
> >  rules/host-libcurl.make | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
> > index dc28de778..1a2a1fcf5 100644
> > --- a/rules/host-libcurl.make
> > +++ b/rules/host-libcurl.make
> > @@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT:= \
> >  --without-librtmp \
> >  \
> >  --disable-ares \
> > ---disable-http \
> > +--enable-http \
> >  --disable-nghttp2 \
> >  --disable-cookies \
> >  --disable-ftp \
> > @@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT:= \
> >  --disable-file \
> >  --disable-crypto-auth \
> >  --disable-libssh2 \
> > ---without-ssl
> > +--with-ssl
>
> still missing the openssl dependency.
sorry, will be in next version

>
>
> >
> >  $(STATEDIR)/host-libcurl.install:
> >  @$(call targetinfo)
> > --
> > 2.31.1
> >
> > Return-Path: <osterlad@cwpc1435.diehlako.local>
> > X-Original-To: ptxdist@pengutronix.de
> > Delivered-To: osterlad@cwpc1435.diehlako.local
> > Received: by cwpc1435.diehlako.local (Postfix, from userid 1001)
> > id AE8CF3E432B; Tue, 30 Mar 2021 16:48:30 +0200 (CEST)
> > From: Denis Osterland-Heim <denis.osterland@diehl.com>
> > To: ptxdist@pengutronix.de
> > Subject: [PATCH v2 2/2] host-yubihsm-shell: new package
> > Date: Tue, 30 Mar 2021 16:48:28 +0200
> > Message-Id: <20210330144828.15293-3-denis.osterland@diehl.com>
> > X-Mailer: git-send-email 2.31.1
> > In-Reply-To: <20210330144828.15293-1-denis.osterland@diehl.com>
> > References: <20210330144828.15293-1-denis.osterland@diehl.com>
> > MIME-Version: 1.0
> > Content-Transfer-Encoding: 8bit
> >
> > This package provides the pkcs11 plugin for yubi HSMs,
> > which allows to create a signing provider for it.
> >
> > Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> > ---
> >  rules/host-yubihsm-shell.in      | 13 +++++++++++
> >  rules/host-yubihsm-shell.make    | 37 ++++++++++++++++++++++++++++++++
> >  rules/pre/030-yubihsm-shell.make | 11 ++++++++++
> >  3 files changed, 61 insertions(+)
> >  create mode 100644 rules/host-yubihsm-shell.in
> >  create mode 100644 rules/host-yubihsm-shell.make
> >  create mode 100644 rules/pre/030-yubihsm-shell.make
> >
> > diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> > new file mode 100644
> > index 000000000..3b17a2e98
> > --- /dev/null
> > +++ b/rules/host-yubihsm-shell.in
> > @@ -0,0 +1,13 @@
> > +## SECTION=hosttools_noprompt
> > +
> > +config HOST_YUBIHSM_SHELL
> > +tristate
> > +default ALLYES
> > +select HOST_CMAKE
> > +select HOST_OPENSSL
> > +select HOST_LIBCURL
> > +select HOST_LIBUSB
> > +select HOST_GENGETOPT
> > +select HOST_LIBEDIT
> > +select HOST_PCSC_LITE
> > +select HOST_LIBP11
> > diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> > new file mode 100644
> > index 000000000..3ebfc8c1f
> > --- /dev/null
> > +++ b/rules/host-yubihsm-shell.make
> > @@ -0,0 +1,37 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +#
> > +# For further information about the PTXdist project and license conditions
> > +# see the README file.
> > +#
> > +
> > +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> > +
> > +#
> > +# Paths and names
> > +#
> > +HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
> > +HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
> > +HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> > +HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
> > +HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> > +HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> > +HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> > +
> > +# ----------------------------------------------------------------------------
> > +# Prepare
> > +# ----------------------------------------------------------------------------
> > +
> > +#
> > +# cmake
> > +#
> > +HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
> > +HOST_YUBIHSM_SHELL_CONF_OPT:=  \
> > +$(HOST_CMAKE_OPT) \
> > +-DBUILD_ONLY_LIB=OFF \
> > +-DENABLE_COVERAGE=OFF \
> > +-DSUPRESS_MSVC_WARNINGS=ON \
> > +-DWITHOUT_MANPAGES=1
> > +
> > +# vim: syntax=make
> > diff --git a/rules/pre/030-yubihsm-shell.make b/rules/pre/030-yubihsm-shell.make
> > new file mode 100644
> > index 000000000..fbfc48f2d
> > --- /dev/null
> > +++ b/rules/pre/030-yubihsm-shell.make
> > @@ -0,0 +1,11 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2021 by Denis Osterland-Heim <denis.osterland@diehl.com>
> > +#
> > +# For further information about the PTXdist project and license conditions
> > +# see the README file.
> > +#
> > +
> > +ifdef PTXCONF_HOST_YUBIHSM_SHELL
> > +CODE_SIGNING_ENV += HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=
> > +endif
>
> Could you add a comment, why this is needed?
>
> Hmmm, in general, I'd prefer to ifdef based on the provider and not the
> package. But that will be some custom stuff and I don't want to require
> this kind of thing in the BSP.
>
> The proxy stuff is just a bit of a sanity check anyways. The packages that
> use CODE_SIGNING_ENV are bootloaders, images, etc. I'm not too worried
> about those. It's stuff like python packages that try to download missing
> dependencies at build-time.
>
> So this is fine, even if it's not 100 percent correct.
I know what you mean.
What do you think about adding it to the template?
I guess we should not copy this to x providers but define a macro.
I would think about:

--- a/rules/pre/010-code-signing.make
+++ b/rules/pre/010-code-signing.make
@@ -11,4 +11,7 @@ CODE_SIGNING_ENV = \
        OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/ssl/openssl.cnf" \
        OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/lib/engines-1.1"

+ptx/online-code-signing-poriver = CODE_SIGNING_ENV += \
+       HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=
+
 # vim: syntax=make
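
Review bot: the macro name `ptx/online-code-signing-poriver` in the added lines misspells "provider", and every provider that uses it would have to repeat the misspelling. Rename it to `ptx/online-code-signing-provider` here and at the call site in the template before this is applied.
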
--- a/rules/templates/template-code-signing-provider-pre-make
+++ b/rules/templates/template-code-signing-provider-pre-make
@@ -9,6 +9,10 @@
 ifdef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@
 CODE_SIGNING_ENV += \
        PKCS11_MODULE_PATH=@MODULE_PATH@
+
+# if your provider communicates to a server uncomment the following lines
+# to allow network requests outside of get stage
+#$(call ptx/online-code-signing-poriver)
 endif

 # vim: syntax=make
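
Review bot: the commented-out `$(call ptx/online-code-signing-poriver)` would not append anything once uncommented, because GNU make does not re-parse the text a `$(call ...)` expands to as a variable assignment; a line that expands to `CODE_SIGNING_ENV += ...` stops with a missing separator error. Write it as `$(eval $(call ...))` so the expansion is parsed as makefile syntax. The comment also says "the following lines" while there is a single line to uncomment.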

Regards, Denis
>
> Regards,
> Michael
>
>
> > --
> > 2.31.1
> >
>
>

* Re: [ptxdist] [PATCH v2 0/2] yubi HSM pkcs11 plugin for signing provider
  2021-03-31 11:27   ` Denis Osterland-Heim
@ 2021-03-31 12:34     ` Michael Olbrich
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Olbrich @ 2021-03-31 12:34 UTC (permalink / raw)
  To: ptxdist

On Wed, Mar 31, 2021 at 11:27:58AM +0000, Denis Osterland-Heim wrote:
> Hi,
> 
> On Wednesday, 31.03.2021, at 09:22 +0200, Michael Olbrich wrote:
> > On Tue, Mar 30, 2021 at 02:53:42PM +0000, Denis Osterland-Heim wrote:
> > > v1 -> v2:
> > > - pass variables to CODE_SIGNING_ENV in favour of noproxy patch
> > > - remove function extending patches, which seems easier to maintain
> > >
> > > Denis Osterland-Heim (2):
> > >       host-libcurl: enable http(s) support
> > >       host-yubihsm-shell: new package
> > >
> > >  rules/host-libcurl.make          |  4 ++--
> > >  rules/host-yubihsm-shell.in      | 13 +++++++++++++
> > >  rules/host-yubihsm-shell.make    | 37 +++++++++++++++++++++++++++++++++++++
> > >  rules/pre/030-yubihsm-shell.make | 11 +++++++++++
> > >  4 files changed, 63 insertions(+), 2 deletions(-)
> > >
> > > base-commit: c33f9942d ("glib: version bump 2.66.6 -> 2.68.0")
> > >
> > > Return-Path: <osterlad@cwpc1435.diehlako.local>
> > > X-Original-To: ptxdist@pengutronix.de
> > > Delivered-To: osterlad@cwpc1435.diehlako.local
> > > Received: by cwpc1435.diehlako.local (Postfix, from userid 1001)
> > > id ABA433E432B; Tue, 30 Mar 2021 16:48:30 +0200 (CEST)
> > > From: Denis Osterland-Heim <denis.osterland@diehl.com>
> > > To: ptxdist@pengutronix.de
> > > Subject: [PATCH v2 1/2] host-libcurl: enable http(s) support
> > > Date: Tue, 30 Mar 2021 16:48:27 +0200
> > > Message-Id: <20210330144828.15293-2-denis.osterland@diehl.com>
> > > X-Mailer: git-send-email 2.31.1
> > > In-Reply-To: <20210330144828.15293-1-denis.osterland@diehl.com>
> > > References: <20210330144828.15293-1-denis.osterland@diehl.com>
> > > MIME-Version: 1.0
> > > Content-Transfer-Encoding: 8bit
> > >
> > > Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> > > ---
> > >  rules/host-libcurl.make | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
> > > index dc28de778..1a2a1fcf5 100644
> > > --- a/rules/host-libcurl.make
> > > +++ b/rules/host-libcurl.make
> > > @@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT:= \
> > >  --without-librtmp \
> > >  \
> > >  --disable-ares \
> > > ---disable-http \
> > > +--enable-http \
> > >  --disable-nghttp2 \
> > >  --disable-cookies \
> > >  --disable-ftp \
> > > @@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT:= \
> > >  --disable-file \
> > >  --disable-crypto-auth \
> > >  --disable-libssh2 \
> > > ---without-ssl
> > > +--with-ssl
> >
> > still missing the openssl dependency.
> sorry, will be in next version

:-)

> > > diff --git a/rules/pre/030-yubihsm-shell.make b/rules/pre/030-yubihsm-shell.make
> > > new file mode 100644
> > > index 000000000..fbfc48f2d
> > > --- /dev/null
> > > +++ b/rules/pre/030-yubihsm-shell.make
> > > @@ -0,0 +1,11 @@
> > > +# -*-makefile-*-
> > > +#
> > > +# Copyright (C) 2021 by Denis Osterland-Heim <denis.osterland@diehl.com>
> > > +#
> > > +# For further information about the PTXdist project and license conditions
> > > +# see the README file.
> > > +#
> > > +
> > > +ifdef PTXCONF_HOST_YUBIHSM_SHELL
> > > +CODE_SIGNING_ENV += HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=
> > > +endif
> >
> > Could you add a comment, why this is needed?
> >
> > Hmmm, in general, I'd prefer to ifdef based on the provider and not the
> > package. But that will be some custom stuff and I don't want to require
> > this kind of thing in the BSP.
> >
> > The proxy stuff is just a bit of a sanity check anyways. The packages that
> > use CODE_SIGNING_ENV are bootloaders, images, etc. I'm not too worried
> > about those. It's stuff like python packages that try to download missing
> > dependencies at build-time.
> >
> > So this is fine, even if it's not 100 percent correct.
> I know what you mean.
> What do you think about adding it to the template?
> I guess we should not copy this to x providers but define a macro.
> I would think about:

Yes, that's a good idea.

Michael

> --- a/rules/pre/010-code-signing.make
> +++ b/rules/pre/010-code-signing.make
> @@ -11,4 +11,7 @@ CODE_SIGNING_ENV = \
>         OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/ssl/openssl.cnf" \
>         OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/lib/engines-1.1"
> 
> +ptx/online-code-signing-poriver = CODE_SIGNING_ENV += \
> +       HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=
> +
>  # vim: syntax=make
> --- a/rules/templates/template-code-signing-provider-pre-make
> +++ b/rules/templates/template-code-signing-provider-pre-make
> @@ -9,6 +9,10 @@
>  ifdef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@
>  CODE_SIGNING_ENV += \
>         PKCS11_MODULE_PATH=@MODULE_PATH@
> +
> +# if your provider communicates to a server uncomment the following lines
> +# to allow network requests outside of get stage
> +#$(call ptx/online-code-signing-poriver)
>  endif
> 
>  # vim: syntax=make
