From: Marc Kleine-Budde
Date: Mon, 12 Apr 2021 18:18:58 +0200
Message-Id: <20210412161900.2376802-1-mkl@pengutronix.de>
Subject: [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: introduce code signing groups
To: ptxdist@pengutronix.de
Cc: Marc Kleine-Budde

This patch introduces code signing groups. A code signing group consists of one or more roles. It should be used where more than one role is needed, but the exact names and/or number of roles depend on the code signing provider used. For example, the generation of the imx HABv4 fuse table can use 1...4 SRK keys as input. If the signing provider is an HSM, the current mechanism with continuously numbered URIs may not work; code signing groups to the rescue.

To make use of code signing groups, define roles as usual:

| r="imx-habv4-srk1"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
| cs_append_ca_from_uri "${r}"
|
| r="imx-habv4-srk2"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
| cs_append_ca_from_uri "${r}"

Now define a group and add the roles to the group:

| g="imx-habv4-srk"
| cs_define_group "${g}"
| cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"

Use the function cs_group_get_roles to get the roles of a group. In a later patch the function ptxd_make_imx_habv4_gen_table() is converted to make use of $(cs_group_get_roles imx-habv4-srk) to get the groups of the imx-habv4-srk role.

Signed-off-by: Marc Kleine-Budde
---
 scripts/lib/ptxd_lib_code_signing.sh | 45 ++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 3e1654bb36e4..ba38a8edd12d 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -99,6 +99,51 @@ cs_define_role() { } export -f cs_define_role +# +# cs_define_group +# +# Define a new key group. +# +cs_define_group() { + local group="${1}" + cs_init_variables + + mkdir -p "${keydir}/${group}.group" && + rm -f "${keydir}/${group}.group/roles" +} +export -f cs_define_group + +# +# cs_group_add_roles ... +# +# Set the roles for a group +# +cs_group_add_roles() { + local group="${1}" + shift + cs_init_variables + + local orig_IFS="${IFS}" + IFS=" +" + echo "${*}" >> "${keydir}/${group}.group/roles" && + IFS=${orig_IFS} +} +export -f cs_group_add_roles + +# +# cs_group_get_roles +# +# Gets the roles of a group +# +cs_group_get_roles() { + local group="${1}" + cs_init_variables + + cat "${keydir}/${group}.group/roles" +} +export -f cs_group_get_roles + # # cs_set_uri # -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
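Review bot: in cs_group_add_roles the IFS handling does not do anything useful and its failure path leaks the modified IFS to the caller. IFS is set to a space followed by a newline, so "${*}" joins the roles with a space and each call appends one space-separated line; if one role per line was the intent, IFS would have to start with the newline, and either way `printf '%s\n' "${@}" >> "${keydir}/${group}.group/roles"` gives one role per line with no IFS juggling. Because the restore is chained behind `&&`, a failed append returns non-zero but leaves IFS changed in the calling shell (only orig_IFS is declared local, IFS is not); declare `local IFS` or restore unconditionally before returning. The header comment says "Set the roles for a group" while the body appends with `>>`, so repeated calls accumulate roles rather than set them; either the comment or the redirection should change. Finally, neither cs_group_add_roles nor cs_group_get_roles checks that cs_define_group was ever run for the group, so a mistyped group name surfaces only as a redirection or cat error; an explicit `[ -d "${keydir}/${group}.group" ]` test with a clear error message would be friendlier.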
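As an added, standalone illustration (this is not PTXdist's code and not the functions in the patch above), the following bash script models the group/roles storage the commit message describes, but writes one role per line, refuses operations on groups that were never defined, and includes a consumer in the spirit of the HABv4 fuse-table generator that numbers the group's roles SRK1..SRKn and enforces the 1...4 SRK bound. The cs_model_* names, the scratch keydir and the "SRKn=role;" output format are assumptions made for this example.

```bash
#!/bin/bash
# Standalone model of code signing groups. Added illustration only; this is
# not PTXdist's ptxd_lib_code_signing.sh and the cs_model_* names are made up
# for this example.
set -u

# Scratch directory standing in for PTXdist's ${keydir}; removed on exit.
keydir="$(mktemp -d 2>/dev/null || echo "${TMPDIR:-/tmp}/cs-model.$$")"
mkdir -p "${keydir}"
trap 'rm -rf "${keydir}"' EXIT

# cs_model_define_group <group>: create the group and empty its role list.
cs_model_define_group() {
    local group="${1}"
    mkdir -p "${keydir}/${group}.group" &&
    : > "${keydir}/${group}.group/roles"
}

# cs_model_group_add_roles <group> <role>...: append roles, one per line.
# Refuses undefined groups and empty role lists instead of failing on the
# redirection with a cryptic error.
cs_model_group_add_roles() {
    local group="${1}"
    shift
    [ "$#" -ge 1 ] || { echo "no roles given for group '${group}'" >&2; return 1; }
    [ -d "${keydir}/${group}.group" ] || {
        echo "group '${group}' is not defined" >&2; return 1; }
    printf '%s\n' "$@" >> "${keydir}/${group}.group/roles"
}

# cs_model_group_get_roles <group>: print the roles, one per line.
cs_model_group_get_roles() {
    local group="${1}"
    [ -f "${keydir}/${group}.group/roles" ] || {
        echo "group '${group}' is not defined" >&2; return 1; }
    cat "${keydir}/${group}.group/roles"
}

# cs_model_habv4_srk_list <group>: consumer in the spirit of the fuse-table
# generator mentioned in the commit message. Numbers the group's roles
# SRK1..SRKn and rejects anything outside the 1..4 SRK range HABv4 allows.
# The "SRK1=<role>;SRK2=<role>;" output format is an assumption of this example.
cs_model_habv4_srk_list() {
    local group="${1}"
    local roles role n=0 out=""
    roles="$(cs_model_group_get_roles "${group}")" || return 1
    while IFS= read -r role; do
        [ -n "${role}" ] || continue
        n=$((n + 1))
        out="${out}SRK${n}=${role};"
    done <<EOF
${roles}
EOF
    if [ "${n}" -lt 1 ] || [ "${n}" -gt 4 ]; then
        echo "HABv4 needs 1..4 SRKs, group '${group}' has ${n}" >&2
        return 1
    fi
    printf '%s\n' "${out}"
}

# Demo mirroring the commit message's imx-habv4-srk example.
cs_model_define_group imx-habv4-srk
cs_model_group_add_roles imx-habv4-srk imx-habv4-srk1 imx-habv4-srk2
cs_model_habv4_srk_list imx-habv4-srk   # SRK1=imx-habv4-srk1;SRK2=imx-habv4-srk2;
```

Storing one role per line keeps role names with spaces intact and lets a consumer read them with `read -r` instead of relying on unquoted word splitting of `$(cs_group_get_roles ...)`; the explicit existence checks turn a mistyped group name into a readable error rather than a redirection failure deep inside a signing step.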