From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <ptxdist-bounces@pengutronix.de>
Received: from gallifrey.ext.pengutronix.de
 ([2001:67c:670:201:5054:ff:fe8d:eefb] helo=bjornoya.blackshift.org)
 by metis.ext.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mkl@pengutronix.de>) id 1lVzHJ-0008Sx-Uc
 for ptxdist@pengutronix.de; Mon, 12 Apr 2021 18:19:10 +0200
Received: from dspam.blackshift.org (localhost [127.0.0.1])
 by bjornoya.blackshift.org (Postfix) with SMTP id D137260D0B2
 for <ptxdist@pengutronix.de>; Mon, 12 Apr 2021 16:19:08 +0000 (UTC)
From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: Mon, 12 Apr 2021 18:18:59 +0200
Message-Id: <20210412161900.2376802-2-mkl@pengutronix.de>
In-Reply-To: <20210412161900.2376802-1-mkl@pengutronix.de>
References: <20210412161900.2376802-1-mkl@pengutronix.de>
MIME-Version: 1.0
Subject: [ptxdist] [PATCH 2/3]
 ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert
 to use the code signing group imx-habv4-srk
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <http://metis.pengutronix.de/cgi-bin/mailman/options/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <http://metis.pengutronix.de/cgi-bin/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <http://metis.pengutronix.de/cgi-bin/mailman/listinfo/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Marc Kleine-Budde <mkl@pengutronix.de>

This patch converts barebox and the barebox template to make use of code
signing groups as introduced in the previous patch.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 .../ptxdist-set-keys-hsm.sh                   |  6 ++-
 .../templates/template-barebox-imx-habv4-make |  2 +-
 scripts/lib/ptxd_lib_imx_hab.sh               | 44 ++++++++++++++-----
 3 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
index bcd531d69572..b94eff049eac 100755
--- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
@@ -18,7 +18,7 @@ set_rauc_keys() {
 }
 
 set_imx_habv4_keys() {
-	local r
+	local r g
 
 	# HSM use case, assuming it contains only 1st CSF/IMG key
 	for i in 1 2 3 4; do
@@ -28,6 +28,10 @@ set_imx_habv4_keys() {
 		cs_append_ca_from_uri "${r}"
 	done
 
+	g="imx-habv4-srk"
+	cs_define_group "${g}"
+	cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
+
 	r="imx-habv4-csf1"
 	cs_define_role ${r}
 	cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
index eb752c8349d9..cc825dc90292 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
 	@$(call targetinfo)
 
 	@$(call world/env, BAREBOX_@PACKAGE@) \
-		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
+		ptxd_make_imx_habv4_gen_table imx-habv4-srk
 
 	@$(call world/compile, BAREBOX_@PACKAGE@)
 
diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index d1e2aba99fab..f6f81834d0e7 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -9,7 +9,9 @@
 #
 # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
 #
-# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
+# usage: ptxd_make_imx_habv4_gen_table <role group>|<template> [<srk_count>]
+#
+# role group: the group that specified all roles to access the keys
 #
 # template: the role template to access the keys. Must contain a "%d" which is
 #           used as index
@@ -25,25 +27,45 @@
 #     This will contain the srk hash which must be written to the fuses
 #
 ptxd_make_imx_habv4_gen_table_impl() {
+    local group="${1}"
     local template="${1}"
     local srk_count="${2}"
     local table_bin="${pkg_build_dir}/imx-srk-table.bin"
     local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
     local -a certs
+    local i
 
-    if [ -z "${srk_count}" ]; then
-	srk_count=4
-    fi
+    case "${template}" in
+	*%d*)	# <template> [<srk_count>]
+	    if [ -z "${srk_count}" ]; then
+		srk_count=4
+	    fi
 
-    if [ "${srk_count}" -gt 4 ]; then
-	ptxd_bailout "HABv4 allows only 4 certificates"
-    fi
+	    if [ "${srk_count}" -gt 4 ]; then
+		ptxd_bailout "HABv4 allows only 4 certificates"
+	    fi
 
-    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
+	    for i in $(seq ${srk_count}); do
+		certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
+	    done
+	    ;;
+	*)	# <role group>
+	    local -a roles=( $(cs_group_get_roles "${group}") )
+
+	    if [ "${#roles[@]}" -eq 0 ]; then
+		ptxd_bailout "Failed to get roles for group '${group}'"
+	    fi
 
-    for i in $(seq ${srk_count}); do
-	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
-    done
+	    if [ "${#roles[@]}" -gt 4 ]; then
+		ptxd_bailout "HABv4 allows only 4 certificates"
+	    fi
+
+	    for i in "${roles[@]}"; do
+		certs[${#certs[*]}]="$(cs_get_ca "${i}")"
+	    done
+    esac
+
+    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
 
     local orig_IFS="${IFS}"
     IFS=","
-- 
2.30.2



_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de