mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling
@ 2021-07-08 20:39 Roland Hieber
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: introduce role groups Roland Hieber
                   ` (4 more replies)
  0 siblings, 5 replies; 15+ messages in thread
From: Roland Hieber @ 2021-07-08 20:39 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde, Roland Hieber

From: Marc Kleine-Budde <mkl@pengutronix.de>

This patch changes cs_get_ca() to only output the CA if it actually
exists, or print an error and return 1 instead. This makes it possible
to use make's $(if $(filter-out, ERROR_CA_NOT_YET_SET, ...))
conditional.

Co-authored-by: Roland Hieber <rhi@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - correctly check for existence of ${keydir} instead of ${ca} (feedback
   from Michael Olbrich)
 - drop controversial re-indentation patches 6/7 and 7/7 from the series

PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de
 - reorder from PATCH 3/n to PATCH 1/n
 - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael
   Olbrich) and also return 1

PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de
---
 scripts/lib/ptxd_lib_code_signing.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 3e1654bb36e4..199f679ef828 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -243,7 +243,13 @@ cs_get_ca() {
     local role="${1}"
     cs_init_variables
 
-    echo "${keydir}/${role}/ca.pem"
+    local ca="${keydir}/${role}/ca.pem"
+
+    if [ ! -d "${keydir}" ]; then
+	echo "ERROR_CA_NOT_YET_SET"
+	return 1
+    fi
+    echo "${ca}"
 }
 export -f cs_get_ca
 
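Review bot: the `[ ! -d "${keydir}" ]` test covers only an uninitialised key directory, so when `${keydir}` exists but `${keydir}/${role}/ca.pem` does not, the closing `echo "${ca}"` still prints the path of a file that is not there, which does not match the commit message's "only output the CA if it actually exists". Guard the final echo with `[ -e "${ca}" ]` so that a role without a CA yields empty output. The sentinel is also written to stdout, so a caller that captures the output without checking the return value receives `ERROR_CA_NOT_YET_SET` in place of a path; the function comment should say so.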
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de



* [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: introduce role groups
  2021-07-08 20:39 [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Roland Hieber
@ 2021-07-08 20:39 ` Roland Hieber
  2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 3/5] templates/code-signing-provider: set up the 'imx-habv4-srk' role group Roland Hieber
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 15+ messages in thread
From: Roland Hieber @ 2021-07-08 20:39 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde, Roland Hieber

From: Marc Kleine-Budde <mkl@pengutronix.de>

A role group consists of one or more roles. It should be used where more
than one role is needed, but the exact names and/or number of roles
depend on the used code signing provider.

For example the generation of the imx HABv4 fuse table can use 1 to 4
SRK keys as input. If the signing provider is an HSM, the current
mechanism with continuous numbered URI may not work – role groups to the
rescue.

To make use of role groups, define roles as usual:

| r="imx-habv4-srk1"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
| cs_append_ca_from_uri "${r}"
|
| r="imx-habv4-srk2"
| cs_define_role "${r}"
| cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
| cs_append_ca_from_uri "${r}"

Now define a role group and add the roles to the group:

| g="imx-habv4-srk"
| cs_define_group "${g}"
| cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"

Use the function cs_group_get_roles() to get the roles of a group.

In a later patch the function ptxd_make_imx_habv4_gen_table() is
converted to make use of $(cs_group_get_roles imx-habv4-srk) to get the
roles of the imx-habv4-srk group.

Co-authored-by: Roland Hieber <rhi@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - no changes

PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-2-rhi@pengutronix.de
 - reorder from PATCH 1/n to PATCH 2/n
 - be more concise and call the new concept "role groups" instead of the
   (less expressive) "code signing groups" or "key groups"
 - add API docs for new shell functions (feedback from myself)
 - rephrase and fix typos in commit message

PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-1-mkl@pengutronix.de
---
 doc/dev_code_signing.rst             |  5 ++
 doc/ref_code_signing_helpers.rst     | 79 ++++++++++++++++++++++++++++
 scripts/lib/ptxd_lib_code_signing.sh | 45 ++++++++++++++++
 3 files changed, 129 insertions(+)

diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index 56ac0e3b3217..1f43f2b60ade 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -19,6 +19,11 @@ development) the URIs are usually not hardcoded in the package configuration.
 Instead, PTXdist has the idea of **roles** which are string identifiers used to
 access a single private/public key pair and a certificate.
 
+Roles can be grouped into **role groups**.
+Role groups should be used where more than one role is needed, but the exact
+names and/or number of roles depend on the concrete code signing provider.
+For example, an i.MX HABv4 fuse table can contain up to four keys.
+
 Finally, one or several **code signing providers** supply the mapping from
 roles to the respective key material or even provide it themselves for
 development.
diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index f7928f52ebef..99a395b287c9 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -215,6 +215,85 @@ Preconditions:
 - when used with SoftHSM, certificates must have been imported before
   (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`)
 
+.. _cs_define_group:
+
+cs_define_group
+^^^^^^^^^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+   cs_define_group <group>
+
+Define a new role group.
+
+See :ref:`cs_group_add_roles` for an example.
+
+.. _cs_group_add_roles:
+
+cs_group_add_roles
+^^^^^^^^^^^^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+   cs_group_add_roles <group> <roles...>
+
+Add all given roles to a role group.
+
+Preconditions:
+
+- the group must have been defined (see :ref:`cs_define_group`)
+- the role(s) must have been defined (see :ref:`cs_define_role`)
+
+Example:
+
+.. code-block:: bash
+
+   # define two roles named imx-habv4-srk1 and imx-habv4-srk2
+   r="imx-habv4-srk1"
+   cs_define_role "${r}"
+   cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
+   cs_append_ca_from_uri "${r}"
+   r="imx-habv4-srk2"
+   cs_define_role "${r}"
+   cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
+   cs_append_ca_from_uri "${r}"
+
+   # define a group and add the roles
+   g="imx-habv4-srk"
+   cs_define_group "${g}"
+   cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"
+
+.. _cs_group_get_roles:
+
+cs_group_get_roles
+^^^^^^^^^^^^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+   cs_group_get_roles <group>
+
+Get a list of all roles that have been added to the role group.
+
+Example:
+
+.. code-block:: bash
+
+   # iterate over role names in a role group, and print their name and URI
+   for role in $(cs_group_get_roles "imx-habv4-srk"); do
+   	echo "role '${role}' has URI '$(cs_get_uri "${role}")'"
+   done
+
+In the example given in :ref:`cs_group_add_roles` above, this would print::
+
+   role 'imx-habv4-srk1' has URI 'pkcs11:object=SRK CA 0'
+   role 'imx-habv4-srk2' has URI 'pkcs11:object=SRK CA 1'
+
 Consumer Functions
 ~~~~~~~~~~~~~~~~~~
 
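Review bot: the `cs_define_group` section does not say that defining a group that already exists resets it, although the implementation later in this patch removes the group's `roles` file; document that, and give `cs_group_get_roles` a Preconditions list like the one under `cs_group_add_roles`, since it reads a file that only exists after roles were added. The `for role in $(cs_group_get_roles ...)` example relies on word splitting, so the text should state that role names must not contain whitespace.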
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 199f679ef828..c1c61e063b6c 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -99,6 +99,51 @@ cs_define_role() {
 }
 export -f cs_define_role
 
+#
+# cs_define_group <group>
+#
+# Define a new role group.
+#
+cs_define_group() {
+    local group="${1}"
+    cs_init_variables
+
+    mkdir -p "${keydir}/${group}.group" &&
+    rm -f "${keydir}/${group}.group/roles"
+}
+export -f cs_define_group
+
+#
+# cs_group_add_roles <group> <role> ... <role>
+#
+# Set the roles for a group
+#
+cs_group_add_roles() {
+    local group="${1}"
+    shift
+    cs_init_variables
+
+    local orig_IFS="${IFS}"
+    IFS="
+"
+    echo "${*}" >> "${keydir}/${group}.group/roles" &&
+    IFS=${orig_IFS}
+}
+export -f cs_group_add_roles
+
+#
+# cs_group_get_roles <group>
+#
+# Gets the roles of a group
+#
+cs_group_get_roles() {
+    local group="${1}"
+    cs_init_variables
+
+    cat "${keydir}/${group}.group/roles"
+}
+export -f cs_group_get_roles
+
 #
 # cs_set_uri <role> <uri>
 #
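Review bot: in `cs_group_add_roles`, `IFS` is restored only when the append succeeds, because `IFS=${orig_IFS}` sits behind `&&`; if the group was never defined and the redirect into `${keydir}/${group}.group/roles` fails, the function returns with `IFS` still set to a newline in the calling shell. Use `local IFS` with the newline value, or restore unconditionally and return the saved status. Neither `cs_group_add_roles` nor `cs_group_get_roles` checks that the group directory exists, and the roles passed in are not checked against the defined roles although the documentation in this patch lists that as a precondition.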
-- 
2.30.2



* [ptxdist] [PATCH v3 3/5] templates/code-signing-provider: set up the 'imx-habv4-srk' role group
  2021-07-08 20:39 [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Roland Hieber
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: introduce role groups Roland Hieber
@ 2021-07-08 20:39 ` Roland Hieber
  2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 4/5] templates/barebox-imx-habv4: use " Roland Hieber
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 15+ messages in thread
From: Roland Hieber @ 2021-07-08 20:39 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde, Roland Hieber

From: Marc Kleine-Budde <mkl@pengutronix.de>

Existing barebox-imx-habv4 recipes can still use the indexed
'imx-habv4-srk%d' roles to fetch the SRK keys, but for compatibility
with HSM use cases that don't support indexed role names, set up a new
role group that contains the roles.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - no changes

PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-3-rhi@pengutronix.de
 - split off code signing provider template changes from library and
   consumer changes (see next patch) to make patches easier to port to
   existing code signing providers

PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-2-mkl@pengutronix.de
---
 .../templates/code-signing-provider/ptxdist-set-keys-hsm.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
index bcd531d69572..b94eff049eac 100755
--- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
@@ -18,7 +18,7 @@ set_rauc_keys() {
 }
 
 set_imx_habv4_keys() {
-	local r
+	local r g
 
 	# HSM use case, assuming it contains only 1st CSF/IMG key
 	for i in 1 2 3 4; do
@@ -28,6 +28,10 @@ set_imx_habv4_keys() {
 		cs_append_ca_from_uri "${r}"
 	done
 
+	g="imx-habv4-srk"
+	cs_define_group "${g}"
+	cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
+
 	r="imx-habv4-csf1"
 	cs_define_role ${r}
 	cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
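Review bot: the role names in the `cs_group_add_roles` call repeat by hand what the `for i in 1 2 3 4` loop above generates, so the two lists can drift apart when a provider derived from this template changes the number of SRK roles. Calling `cs_define_group` before the loop and `cs_group_add_roles "${g}" "${r}"` inside it keeps the group in step with the roles that were actually defined.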
-- 
2.30.2



* [ptxdist] [PATCH v3 4/5] templates/barebox-imx-habv4: use the 'imx-habv4-srk' role group
  2021-07-08 20:39 [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Roland Hieber
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: introduce role groups Roland Hieber
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 3/5] templates/code-signing-provider: set up the 'imx-habv4-srk' role group Roland Hieber
@ 2021-07-08 20:39 ` Roland Hieber
  2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 5/5] host-ptx-code-signing-dev: version bump 0.4 -> 0.5 Roland Hieber
  2021-07-09 13:36 ` [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Michael Olbrich
  4 siblings, 1 reply; 15+ messages in thread
From: Roland Hieber @ 2021-07-08 20:39 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde, Roland Hieber

From: Marc Kleine-Budde <mkl@pengutronix.de>

The previous patch taught new code signing providers to set up the
'imx-habv4-srk' role group. This patch uses it for the barebox-imx-habv4
recipe.

Keep backwards compatibility with the old way of using indexed role
names in the library part, so existing recipes can still work with
ptxd_make_imx_habv4_gen_table() if their code signing provider sets up
the roles appropriately.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - no changes

PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-4-rhi@pengutronix.de
 - split up code signing provider template changes (see previous patch)
   from lib and consumer changes
 - fix ptxd_make_imx_habv4_gen_table() documentation comments

PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-2-mkl@pengutronix.de
---
 .../templates/template-barebox-imx-habv4-make |  2 +-
 scripts/lib/ptxd_lib_imx_hab.sh               | 49 ++++++++++++++-----
 2 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
index eb752c8349d9..cc825dc90292 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
 	@$(call targetinfo)
 
 	@$(call world/env, BAREBOX_@PACKAGE@) \
-		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
+		ptxd_make_imx_habv4_gen_table imx-habv4-srk
 
 	@$(call world/compile, BAREBOX_@PACKAGE@)
 
diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index d1e2aba99fab..fa5b3e2c1439 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -9,12 +9,14 @@
 #
 # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
 #
-# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
+# usage: ptxd_make_imx_habv4_gen_table <role group>
+#        ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
 #
+# role group: the group that specifies all roles to access the keys
 # template: the role template to access the keys. Must contain a "%d" which is
 #           used as index
-# srk_count: the number of keys (keys with index 1..srk_count will be used),
-#            defaults to 4
+# srk_count: only when using <template>: the number of keys (keys with index
+#           1..srk_count will be used), defaults to 4
 #
 # The output files are generated in the package build dir:
 #
@@ -25,25 +27,46 @@
 #     This will contain the srk hash which must be written to the fuses
 #
 ptxd_make_imx_habv4_gen_table_impl() {
+    local group="${1}"
     local template="${1}"
     local srk_count="${2}"
     local table_bin="${pkg_build_dir}/imx-srk-table.bin"
     local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
     local -a certs
+    local i
 
-    if [ -z "${srk_count}" ]; then
-	srk_count=4
-    fi
+    case "${template}" in
+	*%d*)	# <template> [<srk_count>]
+	    if [ -z "${srk_count}" ]; then
+		srk_count=4
+	    fi
 
-    if [ "${srk_count}" -gt 4 ]; then
-	ptxd_bailout "HABv4 allows only 4 certificates"
-    fi
+	    if [ "${srk_count}" -gt 4 ]; then
+		ptxd_bailout "HABv4 allows only 4 certificates"
+	    fi
 
-    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
+	    for i in $(seq ${srk_count}); do
+		certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
+	    done
+	    ;;
+
+	*)	# <role group>
+	    local -a roles=( $(cs_group_get_roles "${group}") )
+
+	    if [ "${#roles[@]}" -eq 0 ]; then
+		ptxd_bailout "Failed to get roles for group '${group}'"
+	    fi
 
-    for i in $(seq ${srk_count}); do
-	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
-    done
+	    if [ "${#roles[@]}" -gt 4 ]; then
+		ptxd_bailout "HABv4 allows only 4 certificates"
+	    fi
+
+	    for i in "${roles[@]}"; do
+		certs[${#certs[*]}]="$(cs_get_ca "${i}")"
+	    done
+    esac
+
+    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
 
     local orig_IFS="${IFS}"
     IFS=","
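Review bot: both loops store the output of `cs_get_ca` in `certs` without looking at its return value, as in `certs[${#certs[*]}]="$(cs_get_ca "${i}")"`; with patch 1/5 of this series a failing call prints `ERROR_CA_NOT_YET_SET`, and that string would be carried into the certificate list as if it were a path. Check the status of each call and `ptxd_bailout` with the role name on failure. In the role group branch, `local -a roles=( $(cs_group_get_roles "${group}") )` is subject to word splitting and globbing, and `group` and `template` are both set from `${1}`, so a group name containing `%d` is silently handled as a template; a short comment on that dispatch rule would help.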
-- 
2.30.2



* [ptxdist] [PATCH v3 5/5] host-ptx-code-signing-dev: version bump 0.4 -> 0.5
  2021-07-08 20:39 [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Roland Hieber
                   ` (2 preceding siblings ...)
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 4/5] templates/barebox-imx-habv4: use " Roland Hieber
@ 2021-07-08 20:39 ` Roland Hieber
  2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-07-09 13:36 ` [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Michael Olbrich
  4 siblings, 1 reply; 15+ messages in thread
From: Roland Hieber @ 2021-07-08 20:39 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

With this version, host-ptx-code-signing-dev sets up the new role groups
imx-habv4-srk, imx-habv4-csf and imx-habv4-img.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - no changes

PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-5-rhi@pengutronix.de
 - new patch in v2 (feedback from Michael Olbrich)
---
 rules/host-ptx-code-signing-dev.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
index af7a774bc9a4..2314f88c2d88 100644
--- a/rules/host-ptx-code-signing-dev.make
+++ b/rules/host-ptx-code-signing-dev.make
@@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
 #
 # Paths and names
 #
-HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.4
-HOST_PTX_CODE_SIGNING_DEV_MD5		:= 853ac0147adc0b46dc695e16a7101aaa
+HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.5
+HOST_PTX_CODE_SIGNING_DEV_MD5		:= ec83c9225c520932b515a7c3b353d149
 HOST_PTX_CODE_SIGNING_DEV		:= ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
 HOST_PTX_CODE_SIGNING_DEV_SUFFIX	:= tar.gz
 HOST_PTX_CODE_SIGNING_DEV_URL		:= https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)
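Review bot: the bump to `0.5` on `HOST_PTX_CODE_SIGNING_DEV_VERSION` comes after patch 4/5, which already switches the barebox template to `ptxd_make_imx_habv4_gen_table imx-habv4-srk`; per this commit message the role groups only exist from this version on, so a package created from the template between the two commits and built with the development provider would stop at the "Failed to get roles for group" bailout. Consider ordering this patch before 4/5. The commit message also names `imx-habv4-csf` and `imx-habv4-img`, which nothing else in the series uses; a sentence on their intended consumer would help.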
-- 
2.30.2



* Re: [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling
  2021-07-08 20:39 [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Roland Hieber
                   ` (3 preceding siblings ...)
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 5/5] host-ptx-code-signing-dev: version bump 0.4 -> 0.5 Roland Hieber
@ 2021-07-09 13:36 ` Michael Olbrich
  2021-07-12  8:42   ` Marc Kleine-Budde
  4 siblings, 1 reply; 15+ messages in thread
From: Michael Olbrich @ 2021-07-09 13:36 UTC (permalink / raw)
  To: Roland Hieber; +Cc: Marc Kleine-Budde, ptxdist

On Thu, Jul 08, 2021 at 10:39:37PM +0200, Roland Hieber wrote:
> From: Marc Kleine-Budde <mkl@pengutronix.de>
> 
> This patch changes cs_get_ca() to only output the CA if it actually
> exists, or print an error and return 1 instead. This makes it possible
> to use make's $(if $(filter-out, ERROR_CA_NOT_YET_SET, ...))
> conditional.
> 
> Co-authored-by: Roland Hieber <rhi@pengutronix.de>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
> PATCH v3:
>  - correctly check for existence of ${keydir} instead of ${ca} (feedback
>    from Michael Olbrich)
>  - drop controversial re-indentation patches 6/7 and 7/7 from the series
> 
> PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de
>  - reorder from PATCH 3/n to PATCH 1/n
>  - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael
>    Olbrich) and also return 1
> 
> PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de
> ---
>  scripts/lib/ptxd_lib_code_signing.sh | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index 3e1654bb36e4..199f679ef828 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -243,7 +243,13 @@ cs_get_ca() {
>      local role="${1}"
>      cs_init_variables
>  
> -    echo "${keydir}/${role}/ca.pem"
> +    local ca="${keydir}/${role}/ca.pem"
> +
> +    if [ ! -d "${keydir}" ]; then
> +	echo "ERROR_CA_NOT_YET_SET"
> +	return 1
> +    fi

So this is not what we want here. Sorry, I didn't notice this in the last
version. The idea is this:

If the keydir does not exist, then cs_get_ca() was evaluated too early. So
the check above should be added as it is here.
What's now missing is what Marc originally intended and was part of the
first version of the patch:
If the keydir exists but no CA, then there will never be a CA and we want
to match that. So this should be there as well:

    if [ -e "${ca}" ]; then
	echo "${ca}"
    fi

instead of this:

> +    echo "${ca}"

Now we can do $(if $(shell cs_get_ca ...), ...) to do something only if the
CA exists.

Marc, that was the use-case, right?

Michael

>  }
>  export -f cs_get_ca
>  
> -- 
> 2.30.2
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling
  2021-07-09 13:36 ` [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Michael Olbrich
@ 2021-07-12  8:42   ` Marc Kleine-Budde
  2021-07-13 11:51     ` [ptxdist] [PATCH v4] " Roland Hieber
  0 siblings, 1 reply; 15+ messages in thread
From: Marc Kleine-Budde @ 2021-07-12  8:42 UTC (permalink / raw)
  To: Michael Olbrich; +Cc: ptxdist, Roland Hieber



On 09.07.2021 15:36:00, Michael Olbrich wrote:
> So this is not what we want here. Sorry, I didn't notice this in the last
> version. The idea is this:
> 
> If the keydir does not exist, then cs_get_ca() was evaluated too early. So
> the check above should be added as it is here.
> What's now missing is what Marc originally intended and was part of the
> first version of the patch:
> If the keydir exists but no CA, then there will never be a CA and we want
> to match that. So this should be there as well:
> 
>     if [ -e "${ca}" ]; then
> 	echo "${ca}"
>     fi
> 
> instead of this:
> 
> > +    echo "${ca}"
> 
> Now we can do $(if $(shell cs_get_ca ...), ...) to do something only if the
> CA exists.
> 
> Marc, that was the use-case, right?

ACK, the use case is:

| KERNEL_SIGN_OPT = \
|         CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri evm)"' \
|         CONFIG_MODULE_SIG_ALL=y \
|         $(if $(shell cs_get_ca kernel-trusted), \
|                 CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |


* [ptxdist] [PATCH v4] ptxd_lib_code_signing: cs_get_ca(): improve error handling
  2021-07-12  8:42   ` Marc Kleine-Budde
@ 2021-07-13 11:51     ` Roland Hieber
  2021-07-14  6:21       ` Michael Olbrich
  0 siblings, 1 reply; 15+ messages in thread
From: Roland Hieber @ 2021-07-13 11:51 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde, Roland Hieber

From: Marc Kleine-Budde <mkl@pengutronix.de>

This patch changes cs_get_ca() to only output the CA if it actually
exists, or print an error and return 1 instead. This makes it possible
to use make's $(if $(filter-out, ERROR_CA_NOT_YET_SET, ...))
conditional.

Co-authored-by: Roland Hieber <rhi@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v4:
 - revert to [ -e "${ca}" ] test (feedback from Michael Olbrich and Marc
   Kleine-Budde)
 - add documentation too

PATCH v3: https://lore.ptxdist.org/ptxdist/20210708203941.30212-1-rhi@pengutronix.de
 - correctly check for existence of ${keydir} instead of ${ca} (feedback
   from Michael Olbrich)
 - drop controversial re-indentation patches 6/7 and 7/7 from the series

PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de
 - reorder from PATCH 3/n to PATCH 1/n
 - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael
   Olbrich) and also return 1

PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de

fixup! ptxd_lib_code_signing: cs_get_ca(): improve error handling
---
 doc/ref_code_signing_helpers.rst     | 3 ++-
 scripts/lib/ptxd_lib_code_signing.sh | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index 99a395b287c9..0fd61219a97a 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -334,4 +334,5 @@ Preconditions:
 
 - a certificate must have been appended to the CA keyring
   (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
-  :ref:`cs_append_ca_from_uri`)
+  :ref:`cs_append_ca_from_uri`).
+  Otherwise, this function will print ``ERROR_CA_NOT_YET_SET``.
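Review bot: the added sentence documents the `ERROR_CA_NOT_YET_SET` output but not the return value of 1 that the code change in this patch introduces, and it does not say that the string appears on stdout in place of the path. State both, so callers know to test the exit status rather than use the output directly.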
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 5fa62d8372f9..ca101d635574 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -288,7 +288,13 @@ cs_get_ca() {
     local role="${1}"
     cs_init_variables
 
-    echo "${keydir}/${role}/ca.pem"
+    local ca="${keydir}/${role}/ca.pem"
+
+    if [ ! -e "${ca}" ]; then
+	echo "ERROR_CA_NOT_YET_SET"
+	return 1
+    fi
+    echo "${ca}"
 }
 export -f cs_get_ca
 
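Review bot: testing `[ ! -e "${ca}" ]` alone makes a provider that deliberately has no CA for the role indistinguishable from a provider that has not been set up yet; both print `ERROR_CA_NOT_YET_SET`. Because that output is non-empty, a conditional of the form `$(if $(shell cs_get_ca ...), ...)`, as in the use case given earlier in the thread, is always true. Keep the `[ ! -d "${keydir}" ]` check from v3 for the error case and print `${ca}` only when `[ -e "${ca}" ]`, producing no output otherwise.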
-- 
2.30.2



* Re: [ptxdist] [PATCH v4] ptxd_lib_code_signing: cs_get_ca(): improve error handling
  2021-07-13 11:51     ` [ptxdist] [PATCH v4] " Roland Hieber
@ 2021-07-14  6:21       ` Michael Olbrich
  2021-07-15 13:42         ` [ptxdist] [PATCH v5] " Roland Hieber
  0 siblings, 1 reply; 15+ messages in thread
From: Michael Olbrich @ 2021-07-14  6:21 UTC (permalink / raw)
  To: Roland Hieber, ptxdist

On Tue, Jul 13, 2021 at 01:51:25PM +0200, Roland Hieber wrote:
> From: Marc Kleine-Budde <mkl@pengutronix.de>
> 
> This patch changes cs_get_ca() to only output the CA if it actually
> exists, or print an error and return 1 instead. This makes it possible
> to use make's $(if $(filter-out, ERROR_CA_NOT_YET_SET, ...))
> conditional.
> 
> Co-authored-by: Roland Hieber <rhi@pengutronix.de>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
> PATCH v4:
>  - revert to [ -e "${ca}" ] test (feedback from Michael Olbrich and Marc
>    Kleine-Budde)
>  - add documentation too
> 
> PATCH v3: https://lore.ptxdist.org/ptxdist/20210708203941.30212-1-rhi@pengutronix.de
>  - correctly check for existence of ${keydir} instead of ${ca} (feedback
>    from Michael Olbrich)
>  - drop controversial re-indentation patches 6/7 and 7/7 from the series
> 
> PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de
>  - reorder from PATCH 3/n to PATCH 1/n
>  - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael
>    Olbrich) and also return 1
> 
> PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de
> 
> fixup! ptxd_lib_code_signing: cs_get_ca(): improve error handling
> ---
>  doc/ref_code_signing_helpers.rst     | 3 ++-
>  scripts/lib/ptxd_lib_code_signing.sh | 8 +++++++-
>  2 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
> index 99a395b287c9..0fd61219a97a 100644
> --- a/doc/ref_code_signing_helpers.rst
> +++ b/doc/ref_code_signing_helpers.rst
> @@ -334,4 +334,5 @@ Preconditions:
>  
>  - a certificate must have been appended to the CA keyring
>    (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
> -  :ref:`cs_append_ca_from_uri`)
> +  :ref:`cs_append_ca_from_uri`).
> +  Otherwise, this function will print ``ERROR_CA_NOT_YET_SET``.
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index 5fa62d8372f9..ca101d635574 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -288,7 +288,13 @@ cs_get_ca() {
>      local role="${1}"
>      cs_init_variables
>  
> -    echo "${keydir}/${role}/ca.pem"
> +    local ca="${keydir}/${role}/ca.pem"
> +
> +    if [ ! -e "${ca}" ]; then
> +	echo "ERROR_CA_NOT_YET_SET"
> +	return 1
> +    fi
> +    echo "${ca}"

No. Please that's not what I meant. You need _both_!

There are three cases that need different output not two:

1. The function is called before the provider initialized the data:

    if [ ! -d "${keydir}" ]; then
	echo "ERROR_CA_NOT_YET_SET"
	return 1
    fi

2. The provider created a CA:

    if [ -e "${ca}" ]; then
	echo "${ca}"
    fi

3. The provider did _not_ create a CA:

   # no output

Case 1 is to detect misuse. And case 2 and 3 are needed to make the example
that Marc described possible.

Michael

>  }
>  export -f cs_get_ca
>  
> -- 
> 2.30.2
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
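
The three cases listed in the reply above, seen from the calling side, as an added example that is not PTXdist code. `demo_get_ca`, `trusted_keys_opt` and `demo_fixture` are hypothetical names, and the key directory is passed as an argument here instead of coming from cs_init_variables.

```shell
#!/bin/sh
# Added example, not PTXdist code. demo_get_ca is a hypothetical stand-in
# that follows the three cases from the review; keydir is an argument here.
demo_get_ca() {
    local keydir="$1" role="$2"
    local ca="${keydir}/${role}/ca.pem"

    # case 1: called before the provider initialized the data
    if [ ! -d "${keydir}" ]; then
        echo "ERROR_CA_NOT_YET_SET"
        return 1
    fi
    # case 2: the provider created a CA; case 3: it did not, no output
    if [ -e "${ca}" ]; then
        echo "${ca}"
    fi
}

# Consumer: emit the kernel option only when a CA exists, and refuse to
# continue when the marker comes back instead of embedding it in a config.
trusted_keys_opt() {
    local out
    # declare and assign separately: "local out=$(...)" would hide the status
    out="$(demo_get_ca "$1" "$2")" || {
        echo "code signing provider not set up (got '${out}')" >&2
        return 1
    }
    if [ -n "${out}" ]; then
        echo "CONFIG_SYSTEM_TRUSTED_KEYS=${out}"
    fi
    return 0
}

# Constructed fixture: one role with a CA file, one role without
demo_fixture() {
    local d
    d="$(mktemp -d)"
    mkdir -p "${d}/kernel-trusted" "${d}/kernel-modules"
    : > "${d}/kernel-trusted/ca.pem"
    echo "${d}"
}

d="$(demo_fixture)"
trusted_keys_opt "${d}" kernel-trusted            # case 2: option with the CA path
trusted_keys_opt "${d}" kernel-modules            # case 3: nothing printed
trusted_keys_opt "${d}.missing" kernel-trusted || echo "refused"   # case 1
rm -rf "${d}"
```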


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [ptxdist] [PATCH v5] ptxd_lib_code_signing: cs_get_ca(): improve error handling
  2021-07-14  6:21       ` Michael Olbrich
@ 2021-07-15 13:42         ` Roland Hieber
  2021-07-20 11:49           ` [ptxdist] [APPLIED] " Michael Olbrich
  0 siblings, 1 reply; 15+ messages in thread
From: Roland Hieber @ 2021-07-15 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde, Roland Hieber

From: Marc Kleine-Budde <mkl@pengutronix.de>

This patch changes cs_get_ca() to only output the CA if it actually
exists, so that this function can be used even if a signing provider
does not provide a CA for a role.

Additionally improve robustness against premature evaluation by printing
an error code if the signing provider was not set up yet. If the error
message is used as part of a URI, the user can at least get a hint about
the fact that an error happened.

Co-authored-by: Roland Hieber <rhi@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v5:
 - print error if keydir doesn't exist; and only print CA if it was set
   (feedback from Michael Olbrich)
 - update docs, and add example

PATCH v4: https://lore.ptxdist.org/ptxdist/20210713115125.15630-1-rhi@pengutronix.de
 - revert to [ -e "${ca}" ] test (feedback from Michael Olbrich and Marc
   Kleine-Budde)
 - add documentation too

PATCH v3: https://lore.ptxdist.org/ptxdist/20210708203941.30212-1-rhi@pengutronix.de
 - correctly check for existence of ${keydir} instead of ${ca} (feedback
   from Michael Olbrich)
 - drop controversial re-indentation patches 6/7 and 7/7 from the series

PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de
 - reorder from PATCH 3/n to PATCH 1/n
 - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael
   Olbrich) and also return 1

PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de
---
 doc/ref_code_signing_helpers.rst     | 22 +++++++++++++++++++---
 scripts/lib/ptxd_lib_code_signing.sh | 11 ++++++++++-
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index 99a395b287c9..fd16ca763557 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -330,8 +330,24 @@ Usage:
 
 Get path to the CA keyring in PEM format for role.
 
+If the provider does not set a CA for this role (see :ref:`cs_append_ca_from_pem`,
+:ref:`cs_append_ca_from_der`, :ref:`cs_append_ca_from_uri`), this function will print an empty
+string.
+
 Preconditions:
 
-- a certificate must have been appended to the CA keyring
-  (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
-  :ref:`cs_append_ca_from_uri`)
+- The role must have been defined by the provider (see :ref:`cs_define_role`).
+  Otherwise, this function will print ``ERROR_CA_NOT_YET_SET`` and return 1.
+  This can happen if the function is evaluated by a variable expansion in make
+  with ``:=`` instead of ``=`` before the code signing provider is set up.
+
+Example:
+
+.. code-block:: make
+
+   # set up kernel module signing, and add a trusted CA if the provider set one
+   KERNEL_SIGN_OPT =
+   	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \
+   	CONFIG_MODULE_SIG_ALL=y \
+   	$(if $(shell cs_get_ca kernel-trusted), \
+   		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
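Review bot: in the make example, the line `KERNEL_SIGN_OPT =` has no trailing backslash, so the tab-indented lines after it are not part of the assignment and the variable stays empty. End that line with ` \` so the example can be copied as is.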
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 5fa62d8372f9..5ba1a4666af4 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -288,7 +288,16 @@ cs_get_ca() {
     local role="${1}"
     cs_init_variables
 
-    echo "${keydir}/${role}/ca.pem"
+    local ca="${keydir}/${role}/ca.pem"
+
+    if [ ! -d "${keydir}" ]; then
+	echo "ERROR_CA_NOT_YET_SET"
+	return 1
+    fi
+
+    if [ -e "${ca}" ]; then
+	echo "${ca}"
+    fi
 }
 export -f cs_get_ca
 
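Review bot: `local role="${1}"` is used unchecked, so a call without an argument builds `${keydir}//ca.pem`, fails the `-e` test and prints nothing with status 0, which reads the same as a provider that set no CA. Reject an empty role up front, for example with `[ -n "${role}" ] || return 1`, so a missing argument is not mistaken for the no-CA case.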
-- 
2.30.2




^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [ptxdist] [APPLIED] ptxd_lib_code_signing: introduce role groups
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: introduce role groups Roland Hieber
@ 2021-07-20 11:48   ` Michael Olbrich
  0 siblings, 0 replies; 15+ messages in thread
From: Michael Olbrich @ 2021-07-20 11:48 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Thanks, applied as b48275586b2ee07cfeb5d146b504141d6d490a65.

Michael

[sent from post-receive hook]

On Tue, 20 Jul 2021 13:48:38 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> A role group consists of one or more roles. It should be used where more
> than one role is needed, but the exact names and/or number of roles
> depend on the used code signing provider.
> 
> For example the generation of the imx HABv4 fuse table can use 1 to 4
> SRK keys as input. If the signing provider is an HSM, the current
> mechanism with continuous numbered URI may not work – role groups to the
> rescue.
> 
> To make use of role groups, define roles as usual:
> 
> | r="imx-habv4-srk1"
> | cs_define_role "${r}"
> | cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
> | cs_append_ca_from_uri "${r}"
> |
> | r="imx-habv4-srk2"
> | cs_define_role "${r}"
> | cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
> | cs_append_ca_from_uri "${r}"
> 
> Now define a role group and add the roles to the group:
> 
> | g="imx-habv4-srk"
> | cs_define_group "${g}"
> | cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"
> 
> Use the function cs_group_get_roles() to get the roles of a group.
> 
> In a later patch the function ptxd_make_imx_habv4_gen_table() is
> converted to make use of $(cs_group_get_roles imx-habv4-srk) to get the
> roles of the imx-habv4-srk group.
> 
> Co-authored-by: Roland Hieber <rhi@pengutronix.de>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210708203941.30212-2-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
> index 56ac0e3b3217..1f43f2b60ade 100644
> --- a/doc/dev_code_signing.rst
> +++ b/doc/dev_code_signing.rst
> @@ -19,6 +19,11 @@ development) the URIs are usually not hardcoded in the package configuration.
>  Instead, PTXdist has the idea of **roles** which are string identifiers used to
>  access a single private/public key pair and a certificate.
>  
> +Roles can be grouped into **role groups**.
> +Role groups should be used where more than one role is needed, but the exact
> +names and/or number of roles depend on the concrete code signing provider.
> +For example, an i.MX HABv4 fuse table can contain up to four keys.
> +
>  Finally, one or several **code signing providers** supply the mapping from
>  roles to the respective key material or even provide it themselves for
>  development.
> diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
> index f7928f52ebef..99a395b287c9 100644
> --- a/doc/ref_code_signing_helpers.rst
> +++ b/doc/ref_code_signing_helpers.rst
> @@ -215,6 +215,85 @@ Preconditions:
>  - when used with SoftHSM, certificates must have been imported before
>    (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`)
>  
> +.. _cs_define_group:
> +
> +cs_define_group
> +^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +   cs_define_group <group>
> +
> +Define a new role group.
> +
> +See :ref:`cs_group_add_roles` for an example.
> +
> +.. _cs_group_add_roles:
> +
> +cs_group_add_roles
> +^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +   cs_group_add_roles <group> <roles...>
> +
> +Add all given roles to a role group.
> +
> +Preconditions:
> +
> +- the group must have been defined (see :ref:`cs_define_group`)
> +- the role(s) must have been defined (see :ref:`cs_define_role`)
> +
> +Example:
> +
> +.. code-block:: bash
> +
> +   # define two roles named imx-habv4-srk1 and imx-habv4-srk2
> +   r="imx-habv4-srk1"
> +   cs_define_role "${r}"
> +   cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
> +   cs_append_ca_from_uri "${r}"
> +   r="imx-habv4-srk2"
> +   cs_define_role "${r}"
> +   cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
> +   cs_append_ca_from_uri "${r}"
> +
> +   # define a group and add the roles
> +   g="imx-habv4-srk"
> +   cs_define_group "${g}"
> +   cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"
> +
> +.. _cs_group_get_roles:
> +
> +cs_group_get_roles
> +^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +   cs_group_get_roles <group>
> +
> +Get a list of all roles that have been added to the role group.
> +
> +Example:
> +
> +.. code-block:: bash
> +
> +   # iterate over role names in a role group, and print their name and URI
> +   for role in $(cs_group_get_roles "imx-habv4-srk"); do
> +   	echo "role '${role}' has URI '$(cs_get_uri "${role}")'"
> +   done
> +
> +In the example given in :ref:`cs_group_add_roles` above, this would print::
> +
> +   role 'imx-habv4-srk1' has URI 'pkcs11:object=SRK CA 0'
> +   role 'imx-habv4-srk2' has URI 'pkcs11:object=SRK CA 1'
> +
>  Consumer Functions
>  ~~~~~~~~~~~~~~~~~~
>  
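Review bot: the new cs_group_get_roles section has no Preconditions list, unlike cs_group_add_roles, although it can only return something for a group that was defined and filled before. Add that precondition with references to cs_define_group and cs_group_add_roles, and say in the cs_define_group section what happens when the group already exists.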
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index 3e1654bb36e4..5fa62d8372f9 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -99,6 +99,51 @@ cs_define_role() {
>  }
>  export -f cs_define_role
>  
> +#
> +# cs_define_group <group>
> +#
> +# Define a new role group.
> +#
> +cs_define_group() {
> +    local group="${1}"
> +    cs_init_variables
> +
> +    mkdir -p "${keydir}/${group}.group" &&
> +    rm -f "${keydir}/${group}.group/roles"
> +}
> +export -f cs_define_group
> +
> +#
> +# cs_group_add_roles <group> <role> ... <role>
> +#
> +# Set the roles for a group
> +#
> +cs_group_add_roles() {
> +    local group="${1}"
> +    shift
> +    cs_init_variables
> +
> +    local orig_IFS="${IFS}"
> +    IFS="
> +"
> +    echo "${*}" >> "${keydir}/${group}.group/roles" &&
> +    IFS=${orig_IFS}
> +}
> +export -f cs_group_add_roles
> +
> +#
> +# cs_group_get_roles <group>
> +#
> +# Gets the roles of a group
> +#
> +cs_group_get_roles() {
> +    local group="${1}"
> +    cs_init_variables
> +
> +    cat "${keydir}/${group}.group/roles"
> +}
> +export -f cs_group_get_roles
> +
>  #
>  # cs_set_uri <role> <uri>
>  #
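Review bot: in cs_group_add_roles, `IFS=${orig_IFS}` sits behind `&&`, so if the `echo "${*}" >> .../roles` redirection fails (for example because the `.group` directory was never created) IFS stays set to newline for the rest of the calling shell. Declaring `local IFS` with the newline value would restore it on every return path. The function also does not check either of the two preconditions that the documentation lists for it.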


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [ptxdist] [APPLIED] templates/code-signing-provider: set up the 'imx-habv4-srk' role group
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 3/5] templates/code-signing-provider: set up the 'imx-habv4-srk' role group Roland Hieber
@ 2021-07-20 11:48   ` Michael Olbrich
  0 siblings, 0 replies; 15+ messages in thread
From: Michael Olbrich @ 2021-07-20 11:48 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Thanks, applied as f1fc06cd534092bd1a4ae84917ecfc33d5ddb2c2.

Michael

[sent from post-receive hook]

On Tue, 20 Jul 2021 13:48:40 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> Existing barebox-imx-habv4 recipes can still use the indexed
> 'imx-habv4-srk%d ' roles to fetch the SRK keys, but for compatibility
> with HSM use cases that don't support indexed role names, set up a new
> role group that contains the roles.
> 
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210708203941.30212-3-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> index bcd531d69572..b94eff049eac 100755
> --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> @@ -18,7 +18,7 @@ set_rauc_keys() {
>  }
>  
>  set_imx_habv4_keys() {
> -	local r
> +	local r g
>  
>  	# HSM use case, assuming it contains only 1st CSF/IMG key
>  	for i in 1 2 3 4; do
> @@ -28,6 +28,10 @@ set_imx_habv4_keys() {
>  		cs_append_ca_from_uri "${r}"
>  	done
>  
> +	g="imx-habv4-srk"
> +	cs_define_group "${g}"
> +	cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
> +
>  	r="imx-habv4-csf1"
>  	cs_define_role ${r}
>  	cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
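Review bot: the four role names in the `cs_group_add_roles` call are written out by hand right after the `for i in 1 2 3 4` loop that sets up `${r}`, so the two lists can drift apart when the key count changes. Since cs_group_add_roles appends to the roles file, calling cs_define_group before the loop and `cs_group_add_roles "${g}" "${r}"` inside it would keep them in sync.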



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [ptxdist] [APPLIED] templates/barebox-imx-habv4: use the 'imx-habv4-srk' role group
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 4/5] templates/barebox-imx-habv4: use " Roland Hieber
@ 2021-07-20 11:48   ` Michael Olbrich
  0 siblings, 0 replies; 15+ messages in thread
From: Michael Olbrich @ 2021-07-20 11:48 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Thanks, applied as 67083fd28c7a49d9cca8866f8ff51cdf1728b6b9.

Michael

[sent from post-receive hook]

On Tue, 20 Jul 2021 13:48:42 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> The previous patch taught new code signing providers to set up the
> 'imx-habv4-srk' role group. This patch uses it for the barebox-imx-habv4
> recipe.
> 
> Keep backwards compatibility with the old way of using indexed role
> names in the library part, so existing recipes can still work with
> ptxd_make_imx_habv4_gen_table() if their code signing provider sets up
> the roles appropriately.
> 
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210708203941.30212-4-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
> index eb752c8349d9..cc825dc90292 100644
> --- a/rules/templates/template-barebox-imx-habv4-make
> +++ b/rules/templates/template-barebox-imx-habv4-make
> @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
>  	@$(call targetinfo)
>  
>  	@$(call world/env, BAREBOX_@PACKAGE@) \
> -		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
> +		ptxd_make_imx_habv4_gen_table imx-habv4-srk
>  
>  	@$(call world/compile, BAREBOX_@PACKAGE@)
>  
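Review bot: the call now passes only the group name `imx-habv4-srk`, so a recipe created from this template depends on the code signing provider defining that group; a provider that still sets up only the indexed roles will end in the "Failed to get roles for group" bailout. A comment above the call that names the required role group would tell the user which provider change is needed.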
> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
> index d1e2aba99fab..fa5b3e2c1439 100644
> --- a/scripts/lib/ptxd_lib_imx_hab.sh
> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
> @@ -9,12 +9,14 @@
>  #
>  # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
>  #
> -# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
> +# usage: ptxd_make_imx_habv4_gen_table <role group>
> +#        ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
>  #
> +# role group: the group that specifies all roles to access the keys
>  # template: the role template to access the keys. Must contain a "%d" which is
>  #           used as index
> -# srk_count: the number of keys (keys with index 1..srk_count will be used),
> -#            defaults to 4
> +# srk_count: only when using <template>: the number of keys (keys with index
> +#           1..srk_count will be used), defaults to 4
>  #
>  # The output files are generated in the package build dir:
>  #
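Review bot: the usage comment lists two call forms but does not say how the function tells them apart; the implementation selects the template form when the first argument contains `%d`. State that next to the `role group:` line, and align the continuation line of `srk_count:` with the text above it.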
> @@ -25,25 +27,46 @@
>  #     This will contain the srk hash which must be written to the fuses
>  #
>  ptxd_make_imx_habv4_gen_table_impl() {
> +    local group="${1}"
>      local template="${1}"
>      local srk_count="${2}"
>      local table_bin="${pkg_build_dir}/imx-srk-table.bin"
>      local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
>      local -a certs
> +    local i
>  
> -    if [ -z "${srk_count}" ]; then
> -	srk_count=4
> -    fi
> +    case "${template}" in
> +	*%d*)	# <template> [<srk_count>]
> +	    if [ -z "${srk_count}" ]; then
> +		srk_count=4
> +	    fi
>  
> -    if [ "${srk_count}" -gt 4 ]; then
> -	ptxd_bailout "HABv4 allows only 4 certificates"
> -    fi
> +	    if [ "${srk_count}" -gt 4 ]; then
> +		ptxd_bailout "HABv4 allows only 4 certificates"
> +	    fi
>  
> -    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
> +	    for i in $(seq ${srk_count}); do
> +		certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> +	    done
> +	    ;;
> +
> +	*)	# <role group>
> +	    local -a roles=( $(cs_group_get_roles "${group}") )
> +
> +	    if [ "${#roles[@]}" -eq 0 ]; then
> +		ptxd_bailout "Failed to get roles for group '${group}'"
> +	    fi
>  
> -    for i in $(seq ${srk_count}); do
> -	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> -    done
> +	    if [ "${#roles[@]}" -gt 4 ]; then
> +		ptxd_bailout "HABv4 allows only 4 certificates"
> +	    fi
> +
> +	    for i in "${roles[@]}"; do
> +		certs[${#certs[*]}]="$(cs_get_ca "${i}")"
> +	    done
> +    esac
> +
> +    echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
>  
>      local orig_IFS="${IFS}"
>      IFS=","
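Review bot: both branches store `$(cs_get_ca ...)` into `certs` without checking the result, so an empty string or an error marker from cs_get_ca ends up in the certificate list that feeds the SRK table and the hash that is written to the fuses. Check each entry with a `[ -f ... ]` test and call ptxd_bailout before anything is generated. In the group branch, `local -a roles=( $(cs_group_get_roles "${group}") )` also hides the exit status of cs_group_get_roles behind `local`; declare the array first and assign on a separate line.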



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [ptxdist] [APPLIED] host-ptx-code-signing-dev: version bump 0.4 -> 0.5
  2021-07-08 20:39 ` [ptxdist] [PATCH v3 5/5] host-ptx-code-signing-dev: version bump 0.4 -> 0.5 Roland Hieber
@ 2021-07-20 11:48   ` Michael Olbrich
  0 siblings, 0 replies; 15+ messages in thread
From: Michael Olbrich @ 2021-07-20 11:48 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Thanks, applied as bd8b3d01cbd0ce3af98f3a7543160e0217ac9061.

Michael

[sent from post-receive hook]

On Tue, 20 Jul 2021 13:48:43 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> With this version, host-ptx-code-signing-dev sets up the new role groups
> imx-habv4-srk, imx-habv4-csf and imx-habv4-img.
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210708203941.30212-5-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
> index af7a774bc9a4..2314f88c2d88 100644
> --- a/rules/host-ptx-code-signing-dev.make
> +++ b/rules/host-ptx-code-signing-dev.make
> @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
>  #
>  # Paths and names
>  #
> -HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.4
> -HOST_PTX_CODE_SIGNING_DEV_MD5		:= 853ac0147adc0b46dc695e16a7101aaa
> +HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.5
> +HOST_PTX_CODE_SIGNING_DEV_MD5		:= ec83c9225c520932b515a7c3b353d149
>  HOST_PTX_CODE_SIGNING_DEV		:= ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
>  HOST_PTX_CODE_SIGNING_DEV_SUFFIX	:= tar.gz
>  HOST_PTX_CODE_SIGNING_DEV_URL		:= https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)
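Review bot: the new tarball is pinned only by `HOST_PTX_CODE_SIGNING_DEV_MD5`, and it is fetched from a cgit snapshot URL. MD5 is not collision resistant, so for a code signing package it would be worth recording a stronger digest alongside it, if the build system can verify one.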



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [ptxdist] [APPLIED] ptxd_lib_code_signing: cs_get_ca(): improve error handling
  2021-07-15 13:42         ` [ptxdist] [PATCH v5] " Roland Hieber
@ 2021-07-20 11:49           ` Michael Olbrich
  0 siblings, 0 replies; 15+ messages in thread
From: Michael Olbrich @ 2021-07-20 11:49 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Thanks, applied as 235332de090655007e6ca808e79c9206d1e075da.

Michael

[sent from post-receive hook]

On Tue, 20 Jul 2021 13:49:13 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> This patch changes cs_get_ca() to only output the CA if it actually
> exists, so that this function can be used even if a signing provider
> does not provide a CA for a role.
> 
> Additionally improve robustness against premature evaluation by printing
> an error code if the signing provider was not set up yet. If the error
> message is used as part of a URI, the user can at least get a hint about
> the fact that an error happened.
> 
> Co-authored-by: Roland Hieber <rhi@pengutronix.de>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210715134224.25700-1-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
> index 99a395b287c9..fd16ca763557 100644
> --- a/doc/ref_code_signing_helpers.rst
> +++ b/doc/ref_code_signing_helpers.rst
> @@ -330,8 +330,24 @@ Usage:
>  
>  Get path to the CA keyring in PEM format for role.
>  
> +If the provider does not set a CA for this role (see :ref:`cs_append_ca_from_pem`,
> +:ref:`cs_append_ca_from_der`, :ref:`cs_append_ca_from_uri`), this function will print an empty
> +string.
> +
>  Preconditions:
>  
> -- a certificate must have been appended to the CA keyring
> -  (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
> -  :ref:`cs_append_ca_from_uri`)
> +- The role must have been defined by the provider (see :ref:`cs_define_role`).
> +  Otherwise, this function will print ``ERROR_CA_NOT_YET_SET`` and return 1.
> +  This can happen if the function is evaluated by a variable expansion in make
> +  with ``:=`` instead of ``=`` before the code signing provider is set up.
> +
> +Example:
> +
> +.. code-block:: make
> +
> +   # set up kernel module signing, and add a trusted CA if the provider set one
> +   KERNEL_SIGN_OPT =
> +   	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \
> +   	CONFIG_MODULE_SIG_ALL=y \
> +   	$(if $(shell cs_get_ca kernel-trusted), \
> +   		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
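Review bot: in the example, `$(if $(shell cs_get_ca kernel-trusted), ...)` only tests for non-empty output, so in the documented error case the condition is true and CONFIG_SYSTEM_TRUSTED_KEYS is set to ERROR_CA_NOT_YET_SET. Either say that this is the intended way to surface the error, or filter the marker out in the condition. The example also runs the shell call twice.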
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index 5fa62d8372f9..5ba1a4666af4 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -288,7 +288,16 @@ cs_get_ca() {
>      local role="${1}"
>      cs_init_variables
>  
> -    echo "${keydir}/${role}/ca.pem"
> +    local ca="${keydir}/${role}/ca.pem"
> +
> +    if [ ! -d "${keydir}" ]; then
> +	echo "ERROR_CA_NOT_YET_SET"
> +	return 1
> +    fi
> +
> +    if [ -e "${ca}" ]; then
> +	echo "${ca}"
> +    fi
>  }
>  export -f cs_get_ca
>  
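Review bot: the documentation hunk in this commit says the marker is printed when the role has not been defined, but the check here is `[ ! -d "${keydir}" ]`, which tests only the key directory as a whole. Once any provider setup has created `${keydir}`, a misspelled or undefined role yields empty output and status 0, the same as a role without a CA. If cs_define_role creates a per-role directory, testing `-d "${keydir}/${role}"` would match the documented precondition.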



^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2021-07-20 11:51 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-08 20:39 [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Roland Hieber
2021-07-08 20:39 ` [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: introduce role groups Roland Hieber
2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-08 20:39 ` [ptxdist] [PATCH v3 3/5] templates/code-signing-provider: set up the 'imx-habv4-srk' role group Roland Hieber
2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-08 20:39 ` [ptxdist] [PATCH v3 4/5] templates/barebox-imx-habv4: use " Roland Hieber
2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-08 20:39 ` [ptxdist] [PATCH v3 5/5] host-ptx-code-signing-dev: version bump 0.4 -> 0.5 Roland Hieber
2021-07-20 11:48   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-09 13:36 ` [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling Michael Olbrich
2021-07-12  8:42   ` Marc Kleine-Budde
2021-07-13 11:51     ` [ptxdist] [PATCH v4] " Roland Hieber
2021-07-14  6:21       ` Michael Olbrich
2021-07-15 13:42         ` [ptxdist] [PATCH v5] " Roland Hieber
2021-07-20 11:49           ` [ptxdist] [APPLIED] " Michael Olbrich
