mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: introduce code signing groups
@ 2021-04-12 16:18 Marc Kleine-Budde
  2021-04-12 16:18 ` [ptxdist] [PATCH 2/3] ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert to use the code signing group imx-habv4-srk Marc Kleine-Budde
  2021-04-12 16:19 ` [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: cs_get_ca(): only output CA if existing Marc Kleine-Budde
  0 siblings, 2 replies; 6+ messages in thread
From: Marc Kleine-Budde @ 2021-04-12 16:18 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde

This patch introduces code signing groups.

A code signing group consists of one or more roles. It should be used
where more than one role is needed, but the exact names and/or number of
roles depend on the used code signing provider.

For example the generation of the imx HABv4 fuse table. It can use 1...4
SRK keys as input. If the signing provider is a HSM the current
mechanism with continuous numbered URI may not work, code signing groups
for the rescue.

To make use of code signing groups, define roles as usual:

| r="imx-habv4-srk1"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
| cs_append_ca_from_uri "${r}"
|
| r="imx-habv4-srk2"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
| cs_append_ca_from_uri "${r}"

Now define a group and add the roles to the group:

| g="imx-habv4-srk"
| cs_define_group "${g}"
| cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"

Use the function cs_group_get_roles to get the roles of a group. In a
later patch the function ptxd_make_imx_habv4_gen_table() is converted to
make use of $(cs_group_get_roles imx-habv4-srk) to get the groups of the
imx-habv4-srk role.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 scripts/lib/ptxd_lib_code_signing.sh | 45 ++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 3e1654bb36e4..ba38a8edd12d 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -99,6 +99,51 @@ cs_define_role() {
 }
 export -f cs_define_role
 
+#
+# cs_define_group <group>
+#
+# Define a new key group.
+#
+cs_define_group() {
+    local group="${1}"
+    cs_init_variables
+
+    mkdir -p "${keydir}/${group}.group" &&
+    rm -f "${keydir}/${group}.group/roles"
+}
+export -f cs_define_group
+
+#
+# cs_group_add_roles <group> <role> ... <role>
+#
+# Set the roles for a group
+#
+cs_group_add_roles() {
+    local group="${1}"
+    shift
+    cs_init_variables
+
+    local orig_IFS="${IFS}"
+    IFS="
+"
+    echo "${*}" >> "${keydir}/${group}.group/roles" &&
+    IFS=${orig_IFS}
+}
+export -f cs_group_add_roles
+
+#
+# cs_group_get_roles <group>
+#
+# Gets the roles of a group
+#
+cs_group_get_roles() {
+    local group="${1}"
+    cs_init_variables
+
+    cat "${keydir}/${group}.group/roles"
+}
+export -f cs_group_get_roles
+
 #
 # cs_set_uri <role> <uri>
 #
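Review bot: In cs_group_add_roles the restore `IFS=${orig_IFS}` is chained with `&&` after the `echo`, so when the append fails (for example because cs_define_group was never called and `${keydir}/${group}.group` does not exist) IFS stays set to a newline in the caller, since it is not declared local. `printf '%s\n' "${@}" >> "${keydir}/${group}.group/roles"` writes one role per line without touching IFS. The header comment says "Set the roles" while the function appends with `>>`; "Add roles to a group" would match the name. cs_group_get_roles could also check that the roles file exists and report the group name instead of relying on cat's error message.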
-- 
2.30.2



_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


* [ptxdist] [PATCH 2/3] ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert to use the code signing group imx-habv4-srk
  2021-04-12 16:18 [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: introduce code signing groups Marc Kleine-Budde
@ 2021-04-12 16:18 ` Marc Kleine-Budde
  2021-04-23  6:07   ` Michael Olbrich
  2021-04-12 16:19 ` [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: cs_get_ca(): only output CA if existing Marc Kleine-Budde
  1 sibling, 1 reply; 6+ messages in thread
From: Marc Kleine-Budde @ 2021-04-12 16:18 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde

This patch converts barebox and the barebox template to make use of code
signing groups as introduced in the previous patch.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 .../ptxdist-set-keys-hsm.sh                   |  6 ++-
 .../templates/template-barebox-imx-habv4-make |  2 +-
 scripts/lib/ptxd_lib_imx_hab.sh               | 44 ++++++++++++++-----
 3 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
index bcd531d69572..b94eff049eac 100755
--- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
@@ -18,7 +18,7 @@ set_rauc_keys() {
 }
 
 set_imx_habv4_keys() {
-	local r
+	local r g
 
 	# HSM use case, assuming it contains only 1st CSF/IMG key
 	for i in 1 2 3 4; do
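Review bot: Since the `local` line is being touched anyway, `i` should be added to it: the `for i in 1 2 3 4` loop right below uses it without a local declaration, so it leaks into the caller's scope. `local r g i` covers all three.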
@@ -28,6 +28,10 @@ set_imx_habv4_keys() {
 		cs_append_ca_from_uri "${r}"
 	done
 
+	g="imx-habv4-srk"
+	cs_define_group "${g}"
+	cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
+
 	r="imx-habv4-csf1"
 	cs_define_role ${r}
 	cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
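Review bot: The four role names passed to cs_group_add_roles repeat what the `for i in 1 2 3 4` loop above already defines, so the two lists can drift apart when someone adapts this template to a provider with fewer SRKs. Because cs_group_add_roles appends, cs_define_group could move in front of the loop and each iteration could call `cs_group_add_roles "${g}" "${r}"` right after cs_append_ca_from_uri.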
diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
index eb752c8349d9..cc825dc90292 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
 	@$(call targetinfo)
 
 	@$(call world/env, BAREBOX_@PACKAGE@) \
-		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
+		ptxd_make_imx_habv4_gen_table imx-habv4-srk
 
 	@$(call world/compile, BAREBOX_@PACKAGE@)
 
diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index d1e2aba99fab..f6f81834d0e7 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -9,7 +9,9 @@
 #
 # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
 #
-# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
+# usage: ptxd_make_imx_habv4_gen_table <role group>|<template> [<srk_count>]
+#
+# role group: the group that specified all roles to access the keys
 #
 # template: the role template to access the keys. Must contain a "%d" which is
 #           used as index
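Review bot: The usage line `<role group>|<template> [<srk_count>]` does not say that <srk_count> only applies to the template form, or that the two forms are told apart by whether the first argument contains "%d". Two separate usage lines and one sentence on the "%d" rule under "role group:" would make that explicit; "specified" should read "specifies".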
@@ -25,25 +27,45 @@
 #     This will contain the srk hash which must be written to the fuses
 #
 ptxd_make_imx_habv4_gen_table_impl() {
+    local group="${1}"
     local template="${1}"
     local srk_count="${2}"
     local table_bin="${pkg_build_dir}/imx-srk-table.bin"
     local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
     local -a certs
+    local i
 
-    if [ -z "${srk_count}" ]; then
-	srk_count=4
-    fi
+    case "${template}" in
+	*%d*)	# <template> [<srk_count>]
+	    if [ -z "${srk_count}" ]; then
+		srk_count=4
+	    fi
 
-    if [ "${srk_count}" -gt 4 ]; then
-	ptxd_bailout "HABv4 allows only 4 certificates"
-    fi
+	    if [ "${srk_count}" -gt 4 ]; then
+		ptxd_bailout "HABv4 allows only 4 certificates"
+	    fi
 
-    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
+	    for i in $(seq ${srk_count}); do
+		certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
+	    done
+	    ;;
+	*)	# <role group>
+	    local -a roles=( $(cs_group_get_roles "${group}") )
+
+	    if [ "${#roles[@]}" -eq 0 ]; then
+		ptxd_bailout "Failed to get roles for group '${group}'"
+	    fi
 
-    for i in $(seq ${srk_count}); do
-	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
-    done
+	    if [ "${#roles[@]}" -gt 4 ]; then
+		ptxd_bailout "HABv4 allows only 4 certificates"
+	    fi
+
+	    for i in "${roles[@]}"; do
+		certs[${#certs[*]}]="$(cs_get_ca "${i}")"
+	    done
+    esac
+
+    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
 
     local orig_IFS="${IFS}"
     IFS=","
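Review bot: In the `*)` branch nothing checks that cs_get_ca returned a path: `certs[${#certs[*]}]="$(cs_get_ca "${i}")"` stores an empty element when the role has no ca.pem, which is what cs_get_ca prints after patch 3/3. Since the result is the SRK hash that must be written to the fuses, bail out with the role name when the value is empty, in both branches. `local -a roles=( $(cs_group_get_roles "${group}") )` also relies on unquoted word splitting and globbing; `mapfile -t roles < <(cs_group_get_roles "${group}")` reads one role per line, matching how cs_group_add_roles writes the file.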
-- 
2.30.2




* [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: cs_get_ca(): only output CA if existing
  2021-04-12 16:18 [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: introduce code signing groups Marc Kleine-Budde
  2021-04-12 16:18 ` [ptxdist] [PATCH 2/3] ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert to use the code signing group imx-habv4-srk Marc Kleine-Budde
@ 2021-04-12 16:19 ` Marc Kleine-Budde
  2021-04-23  6:33   ` Michael Olbrich
  1 sibling, 1 reply; 6+ messages in thread
From: Marc Kleine-Budde @ 2021-04-12 16:19 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde

This patch changes cs_get_ca() to only output the CA if it actually
exists. This makes it possible to use make's $(if ...) conditional.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 scripts/lib/ptxd_lib_code_signing.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index ba38a8edd12d..ff0eca16859c 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -288,7 +288,11 @@ cs_get_ca() {
     local role="${1}"
     cs_init_variables
 
-    echo "${keydir}/${role}/ca.pem"
+    local ca="${keydir}/${role}/ca.pem"
+
+    if [ -e "${ca}" ]; then
+	echo "${ca}"
+    fi
 }
 export -f cs_get_ca
 
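Review bot: With the new `if [ -e "${ca}" ]` the function prints nothing and still returns 0 when the CA is missing, so shell callers that capture the output, such as `$(cs_get_ca "${i}")`, get an empty string and no error. No documentation is updated in this patch; the function's comment should state that the output is empty when no CA exists. `-f` would also be a tighter test than `-e` for something that is later read as a PEM file.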
-- 
2.30.2




* Re: [ptxdist] [PATCH 2/3] ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert to use the code signing group imx-habv4-srk
  2021-04-12 16:18 ` [ptxdist] [PATCH 2/3] ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert to use the code signing group imx-habv4-srk Marc Kleine-Budde
@ 2021-04-23  6:07   ` Michael Olbrich
  2021-04-26 10:25     ` Roland Hieber
  0 siblings, 1 reply; 6+ messages in thread
From: Michael Olbrich @ 2021-04-23  6:07 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde

On Mon, Apr 12, 2021 at 06:18:59PM +0200, Marc Kleine-Budde wrote:
> This patch converts barebox and the barebox template to make use of code
> signing groups as introduced in the previous patch.
> 
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
>  .../ptxdist-set-keys-hsm.sh                   |  6 ++-
>  .../templates/template-barebox-imx-habv4-make |  2 +-
>  scripts/lib/ptxd_lib_imx_hab.sh               | 44 ++++++++++++++-----
>  3 files changed, 39 insertions(+), 13 deletions(-)
> 
> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> index bcd531d69572..b94eff049eac 100755
> --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> @@ -18,7 +18,7 @@ set_rauc_keys() {
>  }
>  
>  set_imx_habv4_keys() {
> -	local r
> +	local r g
>  
>  	# HSM use case, assuming it contains only 1st CSF/IMG key
>  	for i in 1 2 3 4; do
> @@ -28,6 +28,10 @@ set_imx_habv4_keys() {
>  		cs_append_ca_from_uri "${r}"
>  	done
>  
> +	g="imx-habv4-srk"
> +	cs_define_group "${g}"
> +	cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
> +
>  	r="imx-habv4-csf1"
>  	cs_define_role ${r}
>  	cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
> diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
> index eb752c8349d9..cc825dc90292 100644
> --- a/rules/templates/template-barebox-imx-habv4-make
> +++ b/rules/templates/template-barebox-imx-habv4-make
> @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
>  	@$(call targetinfo)
>  
>  	@$(call world/env, BAREBOX_@PACKAGE@) \
> -		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
> +		ptxd_make_imx_habv4_gen_table imx-habv4-srk

For this to work with the devel provider, host-ptx-code-signing-dev must be
updated to create this group. It needs the same changes that you made to the
code-signing-provider template above, right?
Can you please add that and provide a new version for the PTXdist package?

Michael

>  
>  	@$(call world/compile, BAREBOX_@PACKAGE@)
>  
> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
> index d1e2aba99fab..f6f81834d0e7 100644
> --- a/scripts/lib/ptxd_lib_imx_hab.sh
> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
> @@ -9,7 +9,9 @@
>  #
>  # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
>  #
> -# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
> +# usage: ptxd_make_imx_habv4_gen_table <role group>|<template> [<srk_count>]
> +#
> +# role group: the group that specified all roles to access the keys
>  #
>  # template: the role template to access the keys. Must contain a "%d" which is
>  #           used as index
> @@ -25,25 +27,45 @@
>  #     This will contain the srk hash which must be written to the fuses
>  #
>  ptxd_make_imx_habv4_gen_table_impl() {
> +    local group="${1}"
>      local template="${1}"
>      local srk_count="${2}"
>      local table_bin="${pkg_build_dir}/imx-srk-table.bin"
>      local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
>      local -a certs
> +    local i
>  
> -    if [ -z "${srk_count}" ]; then
> -	srk_count=4
> -    fi
> +    case "${template}" in
> +	*%d*)	# <template> [<srk_count>]
> +	    if [ -z "${srk_count}" ]; then
> +		srk_count=4
> +	    fi
>  
> -    if [ "${srk_count}" -gt 4 ]; then
> -	ptxd_bailout "HABv4 allows only 4 certificates"
> -    fi
> +	    if [ "${srk_count}" -gt 4 ]; then
> +		ptxd_bailout "HABv4 allows only 4 certificates"
> +	    fi
>  
> -    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
> +	    for i in $(seq ${srk_count}); do
> +		certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> +	    done
> +	    ;;
> +	*)	# <role group>
> +	    local -a roles=( $(cs_group_get_roles "${group}") )
> +
> +	    if [ "${#roles[@]}" -eq 0 ]; then
> +		ptxd_bailout "Failed to get roles for group '${group}'"
> +	    fi
>  
> -    for i in $(seq ${srk_count}); do
> -	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> -    done
> +	    if [ "${#roles[@]}" -gt 4 ]; then
> +		ptxd_bailout "HABv4 allows only 4 certificates"
> +	    fi
> +
> +	    for i in "${roles[@]}"; do
> +		certs[${#certs[*]}]="$(cs_get_ca "${i}")"
> +	    done
> +    esac
> +
> +    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
>  
>      local orig_IFS="${IFS}"
>      IFS=","
> -- 
> 2.30.2
> 
> 
> 

* Re: [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: cs_get_ca(): only output CA if existing
  2021-04-12 16:19 ` [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: cs_get_ca(): only output CA if existing Marc Kleine-Budde
@ 2021-04-23  6:33   ` Michael Olbrich
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Olbrich @ 2021-04-23  6:33 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde

On Mon, Apr 12, 2021 at 06:19:00PM +0200, Marc Kleine-Budde wrote:
> This patch changes cs_get_ca() to only output the CA if it actually
> exists. This makes it possible to use make's $(if ...) conditional.
> 
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
>  scripts/lib/ptxd_lib_code_signing.sh | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index ba38a8edd12d..ff0eca16859c 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -288,7 +288,11 @@ cs_get_ca() {
>      local role="${1}"
>      cs_init_variables
>  
> -    echo "${keydir}/${role}/ca.pem"
> +    local ca="${keydir}/${role}/ca.pem"
> +
> +    if [ -e "${ca}" ]; then
> +	echo "${ca}"
> +    fi

So, I know we talked about this, and I suggested this solution. But after
thinking about this a bit more, I think it's a bit fragile: It causes
silent problems if this is evaluated too early.

I don't quite remember the use-case, but maybe we can add the following
here:

    if [ ! -d "${keydir}" ]; then
	echo ERROR_CA_NOT_YET_SET
    fi

Similar to what we do for URIs. So if it's evaluated in make with ':=' then
we always get this string. If some tool tries to use this as a filename it
should be clearer what's wrong here.
And with the '$(if ..)' case, you get false positives (and that will
probably fail later because there is no ca) and no false negatives that
may do the wrong thing silently.

Michael

>  }
>  export -f cs_get_ca
>  
> -- 
> 2.30.2
> 
> 
> 

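The two cs_get_ca() behaviours discussed in the reply above, as an added shell illustration that is not part of the thread or of ptxdist: it compares the patch's exists-only output with the proposed ERROR_CA_NOT_YET_SET sentinel in three states of the key directory. The function names, the make_if stand-in for make's $(if ...) and the temporary directory are assumptions constructed for the example.

```shell
# Added illustration, not ptxdist code. The <keydir>/<role>/ca.pem layout is
# taken from the patch; all function names and paths here are constructed.

# PATCH 3/3 behaviour: print the CA path only if the file exists.
get_ca_if_exists() {
    local ca="${1}/${2}/ca.pem"
    if [ -e "${ca}" ]; then
        echo "${ca}"
    fi
}

# Same, plus the sentinel proposed in the reply for a keydir that is not
# set up yet.
get_ca_with_sentinel() {
    local keydir="${1}"
    if [ ! -d "${keydir}" ]; then
        echo ERROR_CA_NOT_YET_SET
    fi
    get_ca_if_exists "${keydir}" "${2}"
}

# Stand-in for make's $(if <value>,...): any non-empty value counts as true.
make_if() {
    if [ -n "${1}" ]; then echo true; else echo false; fi
}

# Evaluate one variant in three states and return the three decisions:
#   early   - keydir does not exist yet (evaluated before the provider ran)
#   no-ca   - keydir exists, the role has no ca.pem
#   with-ca - keydir and ca.pem exist
decisions() {
    local getter="${1}"
    local tmp keydir out
    tmp="$(mktemp -d)" || return 1
    keydir="${tmp}/keys"

    out="early=$(make_if "$("${getter}" "${keydir}" demo-role)")"
    mkdir -p "${keydir}/demo-role"
    out="${out} no-ca=$(make_if "$("${getter}" "${keydir}" demo-role)")"
    : > "${keydir}/demo-role/ca.pem"
    out="${out} with-ca=$(make_if "$("${getter}" "${keydir}" demo-role)")"

    rm -rf "${tmp}"
    echo "${out}"
}

decisions get_ca_if_exists
decisions get_ca_with_sentinel
```

In the early state the exists-only variant is indistinguishable from "no CA configured", while the sentinel variant evaluates as true and hands a recognisable string to whatever consumes the path.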
* Re: [ptxdist] [PATCH 2/3] ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert to use the code signing group imx-habv4-srk
  2021-04-23  6:07   ` Michael Olbrich
@ 2021-04-26 10:25     ` Roland Hieber
  0 siblings, 0 replies; 6+ messages in thread
From: Roland Hieber @ 2021-04-26 10:25 UTC (permalink / raw)
  To: ptxdist, Marc Kleine-Budde

On Fri, Apr 23, 2021 at 08:07:50AM +0200, Michael Olbrich wrote:
> On Mon, Apr 12, 2021 at 06:18:59PM +0200, Marc Kleine-Budde wrote:
> > This patch converts barebox and the barebox template to make use of code
> > signing groups as introduced in the previous patch.
> > 
> > Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> > ---
> >  .../ptxdist-set-keys-hsm.sh                   |  6 ++-
> >  .../templates/template-barebox-imx-habv4-make |  2 +-
> >  scripts/lib/ptxd_lib_imx_hab.sh               | 44 ++++++++++++++-----
> >  3 files changed, 39 insertions(+), 13 deletions(-)
> > 
> > diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> > index bcd531d69572..b94eff049eac 100755
> > --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> > +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> > @@ -18,7 +18,7 @@ set_rauc_keys() {
> >  }
> >  
> >  set_imx_habv4_keys() {
> > -	local r
> > +	local r g
> >  
> >  	# HSM use case, assuming it contains only 1st CSF/IMG key
> >  	for i in 1 2 3 4; do
> > @@ -28,6 +28,10 @@ set_imx_habv4_keys() {
> >  		cs_append_ca_from_uri "${r}"
> >  	done
> >  
> > +	g="imx-habv4-srk"
> > +	cs_define_group "${g}"
> > +	cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
> > +
> >  	r="imx-habv4-csf1"
> >  	cs_define_role ${r}
> >  	cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
> > diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
> > index eb752c8349d9..cc825dc90292 100644
> > --- a/rules/templates/template-barebox-imx-habv4-make
> > +++ b/rules/templates/template-barebox-imx-habv4-make
> > @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
> >  	@$(call targetinfo)
> >  
> >  	@$(call world/env, BAREBOX_@PACKAGE@) \
> > -		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
> > +		ptxd_make_imx_habv4_gen_table imx-habv4-srk
> 
> For this to work with the devel provider, host-ptx-code-signing-dev must be
> > updated to create this group. It needs the same changes that you made to the
> code-signing-provider template above, right?
> Can you please add that and provide a new version for the PTXdist package?

And could you also add a bit of trivial documentation to
doc/dev_code_signing.rst so people see that it exists?

 - Roland

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |
