mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Marc Kleine-Budde <mkl@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: introduce code signing groups
Date: Mon, 12 Apr 2021 18:18:58 +0200	[thread overview]
Message-ID: <20210412161900.2376802-1-mkl@pengutronix.de> (raw)

This patch introduces code signing groups.

A code signing group consists of one or more rolls. It should be used
where more than one role is needed, but the exact names and/or number of
rolls depend on the used code signing provider.

For example the generation of the imx HABv4 fuse table. It can use 1...4
SRK keys as input. If the signing provider is a HSM the current
mechanism with continuous numbered URI may not work, code signing groups
for the rescue.

To make use of code signing groups, define roles as usual:

| r="imx-habv4-srk1"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
| cs_append_ca_from_uri "${r}"
|
| r="imx-habv4-srk2"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
| cs_append_ca_from_uri "${r}"

Now define a group and add the roles to the group:

| g="imx-habv4-srk"
| cs_define_group "${g}"
| cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"

Use the function cs_group_get_roles to get the roles of a group. In a
later patch the function ptxd_make_imx_habv4_gen_table() is converted to
make use $(cs_group_get_roles imx-habv4-srk) to get the groups of the
imx-habv4-srk role.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 scripts/lib/ptxd_lib_code_signing.sh | 45 ++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 3e1654bb36e4..ba38a8edd12d 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -99,6 +99,51 @@ cs_define_role() {
 }
 export -f cs_define_role
 
+#
+# cs_define_group <group>
+#
+# Define a new key group.
+#
+cs_define_group() {
+    local group="${1}"
+    cs_init_variables
+
+    mkdir -p "${keydir}/${group}.group" &&
+    rm -f "${keydir}/${group}.group/roles"
+}
+export -f cs_define_group
+
+#
+# cs_group_add_roles <group> <role> ... <role>
+#
+# Set the roles for a group
+#
+cs_group_add_roles() {
+    local group="${1}"
+    shift
+    cs_init_variables
+
+    local orig_IFS="${IFS}"
+    IFS="
+"
+    echo "${*}" >> "${keydir}/${group}.group/roles" &&
+    IFS=${orig_IFS}
+}
+export -f cs_group_add_roles
+
+#
+# cs_group_get_roles <group>
+#
+# Gets the roles of a group
+#
+cs_group_get_roles() {
+    local group="${1}"
+    cs_init_variables
+
+    cat "${keydir}/${group}.group/roles"
+}
+export -f cs_group_get_roles
+
 #
 # cs_set_uri <role> <uri>
 #
-- 
2.30.2



_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

             reply	other threads:[~2021-04-12 16:19 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-12 16:18 Marc Kleine-Budde [this message]
2021-04-12 16:18 ` [ptxdist] [PATCH 2/3] ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert to use the code signing group imx-habv4-srk Marc Kleine-Budde
2021-04-23  6:07   ` Michael Olbrich
2021-04-26 10:25     ` Roland Hieber
2021-04-12 16:19 ` [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: cs_get_ca(): only output CA if existing Marc Kleine-Budde
2021-04-23  6:33   ` Michael Olbrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210412161900.2376802-1-mkl@pengutronix.de \
    --to=mkl@pengutronix.de \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox