mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Marc Kleine-Budde <mkl@pengutronix.de>,
	Roland Hieber <rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: introduce role groups
Date: Thu,  8 Jul 2021 22:39:38 +0200	[thread overview]
Message-ID: <20210708203941.30212-2-rhi@pengutronix.de> (raw)
In-Reply-To: <20210708203941.30212-1-rhi@pengutronix.de>

From: Marc Kleine-Budde <mkl@pengutronix.de>

A role group consists of one or more roles. It should be used where more
than one role is needed, but the exact names and/or number of roles
depend on the used code signing provider.

For example the generation of the imx HABv4 fuse table can use 1 to 4
SRK keys as input. If the signing provider is an HSM, the current
mechanism with continuous numbered URI may not work – role groups to the
rescue.

To make use of role groups, define roles as usual:

| r="imx-habv4-srk1"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
| cs_append_ca_from_uri "${r}"
|
| r="imx-habv4-srk2"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
| cs_append_ca_from_uri "${r}"

Now define a role group and add the roles to the group:

| g="imx-habv4-srk"
| cs_define_group "${g}"
| cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"

Use the function cs_group_get_roles() to get the roles of a group.

In a later patch the function ptxd_make_imx_habv4_gen_table() is
converted to make use $(cs_group_get_roles imx-habv4-srk) to get the
roles of the imx-habv4-srk group.

Co-authored-by: Roland Hieber <rhi@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - no changes

PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-2-rhi@pengutronix.de
 - reorder from PATCH 1/n to PATCH 2/n
 - be more concise and call the new concept "role groups" instead of the
   (less expressive) "code signing groups" or "key groups"
 - add API docs for new shell functions (feedback from myself)
 - rephrase and fix typos in commit message

PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-1-mkl@pengutronix.de
---
 doc/dev_code_signing.rst             |  5 ++
 doc/ref_code_signing_helpers.rst     | 79 ++++++++++++++++++++++++++++
 scripts/lib/ptxd_lib_code_signing.sh | 45 ++++++++++++++++
 3 files changed, 129 insertions(+)

diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index 56ac0e3b3217..1f43f2b60ade 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -19,6 +19,11 @@ development) the URIs are usually not hardcoded in the package configuration.
 Instead, PTXdist has the idea of **roles** which are string identifiers used to
 access a single private/public key pair and a certificate.
 
+Roles can be grouped into **role groups**.
+Role groups should be used where more than one role is needed, but the exact
+names and/or number of roles depend on the concrete code signing provider.
+For example, an i.MX HABv4 fuse table can contain up to four keys.
+
 Finally, one or several **code signing providers** supply the mapping from
 roles to the respective key material or even provide it themselves for
 development.
diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index f7928f52ebef..99a395b287c9 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -215,6 +215,85 @@ Preconditions:
 - when used with SoftHSM, certificates must have been imported before
   (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`)
 
+.. _cs_define_group:
+
+cs_define_group
+^^^^^^^^^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+   cs_define_group <group>
+
+Define a new role group.
+
+See :ref:`cs_group_add_roles` for an example.
+
+.. _cs_group_add_roles:
+
+cs_group_add_roles
+^^^^^^^^^^^^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+   cs_group_add_roles <group> <roles...>
+
+Add all given roles to a role group.
+
+Preconditions:
+
+- the group must have been defined (see :ref:`cs_define_group`)
+- the role(s) must have been defined (see :ref:`cs_define_role`)
+
+Example:
+
+.. code-block:: bash
+
+   # define two roles named imx-habv4-srk1 and imx-habv4-srk2
+   r="imx-habv4-srk1"
+   cs_define_role "${r}"
+   cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
+   cs_append_ca_from_uri "${r}"
+   r="imx-habv4-srk2"
+   cs_define_role "${r}"
+   cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
+   cs_append_ca_from_uri "${r}"
+
+   # define a group and add the roles
+   g="imx-habv4-srk"
+   cs_define_group "${g}"
+   cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"
+
+.. _cs_group_get_roles:
+
+cs_group_get_roles
+^^^^^^^^^^^^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+   cs_group_get_roles <group>
+
+Get a list of all roles that have been added to the role group.
+
+Example:
+
+.. code-block:: bash
+
+   # iterate over role names in a role group, and print their name and URI
+   for role in $(cs_group_get_roles "imx-habv4-srk"); do
+   	echo "role '${role}' has URI '$(cs_get_uri "${role}")'"
+   done
+
+In the example given in :ref:`cs_group_add_roles` above, this would print::
+
+   role 'imx-habv4-srk1' has URI 'pkcs11:object=SRK CA 0'
+   role 'imx-habv4-srk2' has URI 'pkcs11:object=SRK CA 1'
+
 Consumer Functions
 ~~~~~~~~~~~~~~~~~~
 
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 199f679ef828..c1c61e063b6c 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -99,6 +99,51 @@ cs_define_role() {
 }
 export -f cs_define_role
 
+#
+# cs_define_group <group>
+#
+# Define a new role group.
+#
+cs_define_group() {
+    local group="${1}"
+    cs_init_variables
+
+    mkdir -p "${keydir}/${group}.group" &&
+    rm -f "${keydir}/${group}.group/roles"
+}
+export -f cs_define_group
+
+#
+# cs_group_add_roles <group> <role> ... <role>
+#
+# Set the roles for a group
+#
+cs_group_add_roles() {
+    local group="${1}"
+    shift
+    cs_init_variables
+
+    local orig_IFS="${IFS}"
+    IFS="
+"
+    echo "${*}" >> "${keydir}/${group}.group/roles" &&
+    IFS=${orig_IFS}
+}
+export -f cs_group_add_roles
+
+#
+# cs_group_get_roles <group>
+#
+# Gets the roles of a group
+#
+cs_group_get_roles() {
+    local group="${1}"
+    cs_init_variables
+
+    cat "${keydir}/${group}.group/roles"
+}
+export -f cs_group_get_roles
+
 #
 # cs_set_uri <role> <uri>
 #
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

  reply	other threads:[~2021-07-08 20:40 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-08 20:39 [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Roland Hieber
2021-07-08 20:39 ` Roland Hieber [this message]
2021-07-20 11:48   ` [ptxdist] [APPLIED] ptxd_lib_code_signing: introduce role groups Michael Olbrich
2021-07-08 20:39 ` [ptxdist] [PATCH v3 3/5] templates/code-signing-provider: set up the 'imx-habv4-srk' role group Roland Hieber
2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-08 20:39 ` [ptxdist] [PATCH v3 4/5] templates/barebox-imx-habv4: use " Roland Hieber
2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-08 20:39 ` [ptxdist] [PATCH v3 5/5] host-ptx-code-signing-dev: version bump 0.4 -> 0.5 Roland Hieber
2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-09 13:36 ` [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Michael Olbrich
2021-07-12  8:42   ` Marc Kleine-Budde
2021-07-13 11:51     ` [ptxdist] [PATCH v4] " Roland Hieber
2021-07-14  6:21       ` Michael Olbrich
2021-07-15 13:42         ` [ptxdist] [PATCH v5] " Roland Hieber
2021-07-20 11:49           ` [ptxdist] [APPLIED] " Michael Olbrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210708203941.30212-2-rhi@pengutronix.de \
    --to=rhi@pengutronix.de \
    --cc=mkl@pengutronix.de \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox