This patch introduces code signing groups. A code signing group consists of one or more roles. It should be used where more than one role is needed, but the exact names and/or number of roles depend on the code signing provider in use. For example, the generation of the imx HABv4 fuse table: it can use 1...4 SRK keys as input. If the signing provider is an HSM, the current mechanism with continuously numbered URIs may not work; code signing groups come to the rescue. To make use of code signing groups, define roles as usual: | r="imx-habv4-srk1" | cs_define_role "${r}" | cs_set_uri "${r}" "pkcs11:object=SRK CA 0" | cs_append_ca_from_uri "${r}" | | r="imx-habv4-srk2" | cs_define_role "${r}" | cs_set_uri "${r}" "pkcs11:object=SRK CA 1" | cs_append_ca_from_uri "${r}" Now define a group and add the roles to the group: | g="imx-habv4-srk" | cs_define_group "${g}" | cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" Use the function cs_group_get_roles to get the roles of a group. In a later patch the function ptxd_make_imx_habv4_gen_table() is converted to make use of $(cs_group_get_roles imx-habv4-srk) to get the roles of the imx-habv4-srk group. Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> --- scripts/lib/ptxd_lib_code_signing.sh | 45 ++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 3e1654bb36e4..ba38a8edd12d 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -99,6 +99,51 @@ cs_define_role() {
 }
 export -f cs_define_role
+#
+# cs_define_group <group>
+#
+# Define a new key group.
+#
+cs_define_group() {
+ local group="${1}"
+ cs_init_variables
+
+ mkdir -p "${keydir}/${group}.group" &&
+ rm -f "${keydir}/${group}.group/roles"
+}
+export -f cs_define_group
+
+#
+# cs_group_add_roles <group> <role> ... <role>
+#
+# Set the roles for a group
+#
+cs_group_add_roles() {
+ local group="${1}"
+ shift
+ cs_init_variables
+
+ local orig_IFS="${IFS}"
+ IFS="
+"
+ echo "${*}" >> "${keydir}/${group}.group/roles" &&
+ IFS=${orig_IFS}
+}
+export -f cs_group_add_roles
+
+#
+# cs_group_get_roles <group>
+#
+# Gets the roles of a group
+#
+cs_group_get_roles() {
+ local group="${1}"
+ cs_init_variables
+
+ cat "${keydir}/${group}.group/roles"
+}
+export -f cs_group_get_roles
+
 
 #
 # cs_set_uri <role> <uri>
 #
--
2.30.2

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
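Review bot: In cs_group_add_roles the saved IFS is only restored when the `echo` succeeds, because the restore sits behind `&&`; since `IFS` is not declared local, a failed append leaves the caller's IFS set to a newline. The same one-role-per-line output without touching IFS is a single line, `printf '%s\n' "$@" >> "${keydir}/${group}.group/roles"`, which writes exactly what the joined `echo "${*}"` writes. Group and role names are used unvalidated as path components under `${keydir}`; whether cs_define_role (outside this hunk) already rejects names containing `/` or `..` is not visible here, so the three new functions may want the same check. The header of cs_group_add_roles says "Set the roles" although the function appends, so `# Append roles to a group, one per line; cs_define_group starts from an empty list` would describe it more accurately.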
This patch converts barebox and the barebox template to make use of code signing groups as introduced in the previous patch.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 .../ptxdist-set-keys-hsm.sh | 6 ++-
 .../templates/template-barebox-imx-habv4-make | 2 +-
 scripts/lib/ptxd_lib_imx_hab.sh | 44 ++++++++++++++-----
 3 files changed, 39 insertions(+), 13 deletions(-)
diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
index bcd531d69572..b94eff049eac 100755
--- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
@@ -18,7 +18,7 @@ set_rauc_keys() {
 }
 
 set_imx_habv4_keys() {
- local r
+ local r g
 
 # HSM use case, assuming it contains only 1st CSF/IMG key
 for i in 1 2 3 4; do
@@ -28,6 +28,10 @@ set_imx_habv4_keys() {
 cs_append_ca_from_uri "${r}"
 done
 
+ g="imx-habv4-srk"
+ cs_define_group "${g}"
+ cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
+
 r="imx-habv4-csf1"
 cs_define_role ${r}
 cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
index eb752c8349d9..cc825dc90292 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
 @$(call targetinfo)
 
 @$(call world/env, BAREBOX_@PACKAGE@) \
- ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
+ ptxd_make_imx_habv4_gen_table imx-habv4-srk
 
 @$(call world/compile, BAREBOX_@PACKAGE@)
 
diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index d1e2aba99fab..f6f81834d0e7 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
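Review bot: The second ptxdist-set-keys-hsm.sh hunk spells out the four srk role names by hand although the `for i in 1 2 3 4` loop just above already derives them, so the two lists can drift apart when the loop bound changes. Moving `g="imx-habv4-srk"` and `cs_define_group "${g}"` ahead of the loop and appending `cs_group_add_roles "${g}" "${r}"` inside it keeps a single source of truth; cs_group_add_roles appends to the roles file, so calling it once per iteration is equivalent. The loop body lies between the two hunks and is not visible here, so the exact placement needs checking against the file.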
@@ -9,7 +9,9 @@
 #
 # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
 #
-# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
+# usage: ptxd_make_imx_habv4_gen_table <role group>|<template> [<srk_count>]
+#
+# role group: the group that specified all roles to access the keys
 #
 # template: the role template to access the keys. Must contain a "%d" which is
 # used as index
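Review bot: The new usage comment does not say how the two argument forms are told apart, and "the group that specified all roles" reads oddly. The implementation in the following hunk treats a first argument containing `%d` as a template and anything else as a group name, and does not consult `<srk_count>` in the group case, so the line could read `# role group: name of a group whose roles select the SRK keys; used when the argument contains no "%d" (<srk_count> is then ignored)`. The comment block continues outside the hunk.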
@@ -25,25 +27,45 @@
 # This will contain the srk hash which must be written to the fuses
 #
 ptxd_make_imx_habv4_gen_table_impl() {
+ local group="${1}"
 local template="${1}"
 local srk_count="${2}"
 local table_bin="${pkg_build_dir}/imx-srk-table.bin"
 local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
 local -a certs
+ local i
 
- if [ -z "${srk_count}" ]; then
- srk_count=4
- fi
+ case "${template}" in
+ *%d*) # <template> [<srk_count>]
+ if [ -z "${srk_count}" ]; then
+ srk_count=4
+ fi
 
- if [ "${srk_count}" -gt 4 ]; then
- ptxd_bailout "HABv4 allows only 4 certificates"
- fi
+ if [ "${srk_count}" -gt 4 ]; then
+ ptxd_bailout "HABv4 allows only 4 certificates"
+ fi
 
- echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
+ for i in $(seq ${srk_count}); do
+ certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
+ done
+ ;;
+ *) # <role group>
+ local -a roles=( $(cs_group_get_roles "${group}") )
+
+ if [ "${#roles[@]}" -eq 0 ]; then
+ ptxd_bailout "Failed to get roles for group '${group}'"
+ fi
 
- for i in $(seq ${srk_count}); do
- certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
- done
+ if [ "${#roles[@]}" -gt 4 ]; then
+ ptxd_bailout "HABv4 allows only 4 certificates"
+ fi
+
+ for i in "${roles[@]}"; do
+ certs[${#certs[*]}]="$(cs_get_ca "${i}")"
+ done
+ esac
+
+ echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
 
 local orig_IFS="${IFS}"
 IFS=","
--
2.30.2

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
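Review bot: In the `*)` branch, `local -a roles=( $(cs_group_get_roles "${group}") )` splits the command output on IFS and glob-expands every word, so a role name containing whitespace or `*` is mangled before it reaches cs_get_ca; `mapfile -t roles < <(cs_group_get_roles "${group}")` reads the one-role-per-line file as it was written. The sanity checks also count roles rather than certificates: once cs_get_ca prints nothing for a missing CA (the next patch in this series), a role without a ca.pem stores an empty element in `certs`, and as far as the `IFS=","` join at the end of the hunk shows, the SRK table would then be built from fewer keys than configured without any error. Checking the captured path before appending turns that into a ptxd_bailout. The function starts inside the hunk, but its body, including the certs join, continues past its end.
```shell
 *) # <role group>
     local -a roles
     local cert
     mapfile -t roles < <(cs_group_get_roles "${group}")
     # … unchanged: the empty and >4 checks on "${#roles[@]}" …
     for i in "${roles[@]}"; do
         cert="$(cs_get_ca "${i}")"
         if [ ! -f "${cert}" ]; then
             ptxd_bailout "No CA certificate for role '${i}' of group '${group}'"
         fi
         certs[${#certs[*]}]="${cert}"
     done
```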
This patch changes cs_get_ca() to only output the CA if it actually exists. This makes it possible to use make's $(if ...) conditional.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 scripts/lib/ptxd_lib_code_signing.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index ba38a8edd12d..ff0eca16859c 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -288,7 +288,11 @@ cs_get_ca() {
 local role="${1}"
 cs_init_variables
 
- echo "${keydir}/${role}/ca.pem"
+ local ca="${keydir}/${role}/ca.pem"
+
+ if [ -e "${ca}" ]; then
+ echo "${ca}"
+ fi
 }
 export -f cs_get_ca
 
--
2.30.2

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
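Review bot: `[ -e "${ca}" ]` is also true for a directory or any other non-regular entry called ca.pem, so the guard should be `if [ -f "${ca}" ]; then` to only hand callers a path they can actually read as a certificate. The function's header comment, which sits above the hunk, still describes the old always-print behaviour and should state that nothing is printed when the CA file does not exist, so that shell callers capturing the output treat an empty result as an error rather than as a path. cs_get_ca's header comment is outside the hunk.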
On Mon, Apr 12, 2021 at 06:18:59PM +0200, Marc Kleine-Budde wrote:
> This patch converts barebox and the barebox template to make use of code
> signing groups as introduced in the previous patch.
>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
> .../ptxdist-set-keys-hsm.sh | 6 ++-
> .../templates/template-barebox-imx-habv4-make | 2 +-
> scripts/lib/ptxd_lib_imx_hab.sh | 44 ++++++++++++++-----
> 3 files changed, 39 insertions(+), 13 deletions(-)
>
> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> index bcd531d69572..b94eff049eac 100755
> --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> @@ -18,7 +18,7 @@ set_rauc_keys() {
> }
>
> set_imx_habv4_keys() {
> - local r
> + local r g
>
> # HSM use case, assuming it contains only 1st CSF/IMG key
> for i in 1 2 3 4; do
> @@ -28,6 +28,10 @@ set_imx_habv4_keys() {
> cs_append_ca_from_uri "${r}"
> done
>
> + g="imx-habv4-srk"
> + cs_define_group "${g}"
> + cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
> +
> r="imx-habv4-csf1"
> cs_define_role ${r}
> cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
> diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
> index eb752c8349d9..cc825dc90292 100644
> --- a/rules/templates/template-barebox-imx-habv4-make
> +++ b/rules/templates/template-barebox-imx-habv4-make
> @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
> @$(call targetinfo)
>
> @$(call world/env, BAREBOX_@PACKAGE@) \
> - ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
> + ptxd_make_imx_habv4_gen_table imx-habv4-srk
For this to work with the devel provider, host-ptx-code-signing-dev must be updated to create this group. I needs the same changes that you made to the code-signing-provider template above, right? Can you please add that and provide a new version for the PTXdist package? Michael
>
> @$(call world/compile, BAREBOX_@PACKAGE@)
>
> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
> index d1e2aba99fab..f6f81834d0e7 100644
> --- a/scripts/lib/ptxd_lib_imx_hab.sh
> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
> @@ -9,7 +9,9 @@
> #
> # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
> #
> -# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
> +# usage: ptxd_make_imx_habv4_gen_table <role group>|<template> [<srk_count>]
> +#
> +# role group: the group that specified all roles to access the keys
> #
> # template: the role template to access the keys. Must contain a "%d" which is
> # used as index
> @@ -25,25 +27,45 @@
> # This will contain the srk hash which must be written to the fuses
> #
> ptxd_make_imx_habv4_gen_table_impl() {
> + local group="${1}"
> local template="${1}"
> local srk_count="${2}"
> local table_bin="${pkg_build_dir}/imx-srk-table.bin"
> local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
> local -a certs
> + local i
>
> - if [ -z "${srk_count}" ]; then
> - srk_count=4
> - fi
> + case "${template}" in
> + *%d*) # <template> [<srk_count>]
> + if [ -z "${srk_count}" ]; then
> + srk_count=4
> + fi
>
> - if [ "${srk_count}" -gt 4 ]; then
> - ptxd_bailout "HABv4 allows only 4 certificates"
> - fi
> + if [ "${srk_count}" -gt 4 ]; then
> + ptxd_bailout "HABv4 allows only 4 certificates"
> + fi
>
> - echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
> + for i in $(seq ${srk_count}); do
> + certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> + done
> + ;;
> + *) # <role group>
> + local -a roles=( $(cs_group_get_roles "${group}") )
> +
> + if [ "${#roles[@]}" -eq 0 ]; then
> + ptxd_bailout "Failed to get roles for group '${group}'"
> + fi
>
> - for i in $(seq ${srk_count}); do
> - certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> - done
> + if [ "${#roles[@]}" -gt 4 ]; then
> + ptxd_bailout "HABv4 allows only 4 certificates"
> + fi
> +
> + for i in "${roles[@]}"; do
> + certs[${#certs[*]}]="$(cs_get_ca "${i}")"
> + done
> + esac
> +
> + echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
>
> local orig_IFS="${IFS}"
> IFS=","
> --
> 2.30.2
>
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
On Mon, Apr 12, 2021 at 06:19:00PM +0200, Marc Kleine-Budde wrote:
> This patch changes cs_get_ca() to only output the CA if it actually
> exists. This makes it possible to use make's $(if ...) conditional.
>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
> scripts/lib/ptxd_lib_code_signing.sh | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index ba38a8edd12d..ff0eca16859c 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -288,7 +288,11 @@ cs_get_ca() {
> local role="${1}"
> cs_init_variables
>
> - echo "${keydir}/${role}/ca.pem"
> + local ca="${keydir}/${role}/ca.pem"
> +
> + if [ -e "${ca}" ]; then
> + echo "${ca}"
> + fi
So, I know we talked about this, and I suggested this solution. But after thinking about this a bit more, I think it's a bit fragile: It causes silent problems if this is evaluated too early. I don't quite remember the use-case, but maybe we can add the following here: if [ ! -d "${keydir}" ]; then echo ERROR_CA_NOT_YET_SET fi Similar to what we do for URIs. So if it's evaluated in make with ':=' then we always get this string. If some tool tries to use this as a filename it should be clearer what's wrong here. And with the '$(if ..)' case, you get false positives (and that will probably fail later because there is no ca) and no false negatives that may do the wrong thing silently. Michael
> }
> export -f cs_get_ca
>
> --
> 2.30.2
>
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
On Fri, Apr 23, 2021 at 08:07:50AM +0200, Michael Olbrich wrote: > On Mon, Apr 12, 2021 at 06:18:59PM +0200, Marc Kleine-Budde wrote: > > This patch converts barebox and the barebox template to make use of code > > signing groups as introduced in the previous patch. > > > > Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> > > --- > > .../ptxdist-set-keys-hsm.sh | 6 ++- > > .../templates/template-barebox-imx-habv4-make | 2 +- > > scripts/lib/ptxd_lib_imx_hab.sh | 44 ++++++++++++++----- > > 3 files changed, 39 insertions(+), 13 deletions(-) > > > > diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > > index bcd531d69572..b94eff049eac 100755 > > --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > > +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > > @@ -18,7 +18,7 @@ set_rauc_keys() { > > } > > > > set_imx_habv4_keys() { > > - local r > > + local r g > > > > # HSM use case, assuming it contains only 1st CSF/IMG key > > for i in 1 2 3 4; do > > @@ -28,6 +28,10 @@ set_imx_habv4_keys() { > > cs_append_ca_from_uri "${r}" > > done > > > > + g="imx-habv4-srk" > > + cs_define_group "${g}" > > + cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4" > > + > > r="imx-habv4-csf1" > > cs_define_role ${r} > > cs_set_uri "${r}" "pkcs11:token=foo;object=csf1" > > diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make > > index eb752c8349d9..cc825dc90292 100644 > > --- a/rules/templates/template-barebox-imx-habv4-make > > +++ b/rules/templates/template-barebox-imx-habv4-make 
> > @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile: > > @$(call targetinfo) > > > > @$(call world/env, BAREBOX_@PACKAGE@) \ > > - ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4 > > + ptxd_make_imx_habv4_gen_table imx-habv4-srk > > For this to work with the devel provider, host-ptx-code-signing-dev must be > updated to create this group. I needs the same changes that you made to the > code-signing-provider template above, right? > Can you please add that and provide a new version for the PTXdist package? And could you also add a bit of trivial documentation to doc/dev_code_signing.rst so people see that it exists? - Roland -- Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de | Steuerwalder Str. 21 | https://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de