Date: Mon, 26 Apr 2021 12:25:58 +0200
From: Roland Hieber
To: ptxdist@pengutronix.de, Marc Kleine-Budde
Message-ID: <20210426102558.bnud6cxhek3q5iqe@pengutronix.de>
In-Reply-To: <20210423060750.GD4162561@pengutronix.de>
Subject: Re: [ptxdist] [PATCH 2/3] ptxd_lib_imx_hab/template-barebox-imx-habv4/ptxdist-set-keys-hsm: convert to use the code signing group imx-habv4-srk

On Fri, Apr 23, 2021 at 08:07:50AM +0200, Michael Olbrich wrote:
> On Mon, Apr 12, 2021 at 06:18:59PM +0200, Marc Kleine-Budde wrote:
> > This patch converts barebox and the barebox template to make use of code
> > signing groups as introduced in the previous patch.
> >
> > Signed-off-by: Marc Kleine-Budde
> > ---
> > .../ptxdist-set-keys-hsm.sh | 6 ++-
> > .../templates/template-barebox-imx-habv4-make | 2 +-
> > scripts/lib/ptxd_lib_imx_hab.sh | 44 ++++++++++++++-----
> > 3 files changed, 39 insertions(+), 13 deletions(-)
> >
> > diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > > index bcd531d69572..b94eff049eac 100755 > > --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > > +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> > @@ -18,7 +18,7 @@ set_rauc_keys() { > > } > > > > set_imx_habv4_keys() { > > - local r > > + local r g > > > > # HSM use case, assuming it contains only 1st CSF/IMG key > > for i in 1 2 3 4; do > > @@ -28,6 +28,10 @@ set_imx_habv4_keys() { > > cs_append_ca_from_uri "${r}" > > done > > > > + g="imx-habv4-srk" > > + cs_define_group "${g}" > > + cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4" > > + > > r="imx-habv4-csf1" > > cs_define_role ${r} > > cs_set_uri "${r}" "pkcs11:token=foo;object=csf1" > > diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make > > index eb752c8349d9..cc825dc90292 100644 > > --- a/rules/templates/template-barebox-imx-habv4-make > > +++ b/rules/templates/template-barebox-imx-habv4-make > > @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile: > > @$(call targetinfo) > > > > @$(call world/env, BAREBOX_@PACKAGE@) \ > > - ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4 > > + ptxd_make_imx_habv4_gen_table imx-habv4-srk
>
> For this to work with the devel provider, host-ptx-code-signing-dev must be
> updated to create this group. It needs the same changes that you made to the
> code-signing-provider template above, right?
> Can you please add that and provide a new version for the PTXdist package?

And could you also add a bit of trivial documentation to
doc/dev_code_signing.rst so people see that it exists?

 - Roland

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |
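
Review bot: In the first hunk of ptxdist-set-keys-hsm.sh, the loop variable of "for i in 1 2 3 4" is not covered by the local declaration in the visible lines, so it leaks out of set_imx_habv4_keys(). Since the declaration is being touched anyway, "local r g i" would fix that in the same change.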
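
Review bot: In the second hunk of ptxdist-set-keys-hsm.sh, the cs_group_add_roles call spells out imx-habv4-srk1 to imx-habv4-srk4 by hand, repeating the "1 2 3 4" of the loop directly above it, so the two lists can drift apart when the set of SRKs changes. If r holds the SRK role name inside that loop, defining the group before the loop and adding "${r}" to it per iteration would keep a single source for the member list. A short comment that this group is what the barebox template now passes to ptxd_make_imx_habv4_gen_table would also help readers of the provider script.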
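
Review bot: In the template-barebox-imx-habv4-make hunk, the key order is no longer visible at the call site: the removed arguments "imx-habv4-srk%d" and 4 enumerated srk1 to srk4 explicitly, while "ptxd_make_imx_habv4_gen_table imx-habv4-srk" relies on the order in which the group yields its roles. The HABv4 SRK table hash depends on the order of the keys in the table, so please state, in a comment here or in the function's documentation, that the order given to cs_group_add_roles is the table order. The group name is also unquoted, unlike the argument it replaces.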