From: Marc Kleine-Budde <mkl@pengutronix.de> This patch changes cs_get_ca() to only output the CA if it actually exists, or print an error and return 1 instead. This makes it possible to use make's $(if $(filter-out, ERROR_CA_NOT_YET_SET, ...)) conditional. Co-authored-by: Roland Hieber <rhi@pengutronix.de> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- PATCH v3: - correctly check for existence of ${keydir} instead of ${ca} (feedback from Michael Olbrich) - drop controversial re-indentation patches 6/7 and 7/7 from the series PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de - reorder from PATCH 3/n to PATCH 1/n - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael Olbrich) and also return 1 PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de --- scripts/lib/ptxd_lib_code_signing.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 3e1654bb36e4..199f679ef828 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -243,7 +243,13 @@ cs_get_ca() { local role="${1}" cs_init_variables - echo "${keydir}/${role}/ca.pem" + local ca="${keydir}/${role}/ca.pem" + + if [ ! -d "${keydir}" ]; then + echo "ERROR_CA_NOT_YET_SET" + return 1 + fi + echo "${ca}" } export -f cs_get_ca -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
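Review bot: the new check in cs_get_ca() only tests `[ ! -d "${keydir}" ]`, so the commit message's claim that the CA is printed only "if it actually exists" does not hold: once the key directory exists, `echo "${ca}"` still prints the path whether or not ca.pem is there, and a provider that sets no CA for a role yields a path to a nonexistent file that `$(filter-out ERROR_CA_NOT_YET_SET, ...)` cannot tell apart from a real one. Either make the final echo conditional on `[ -e "${ca}" ]` (printing nothing otherwise, so a make `$(if $(shell cs_get_ca ...), ...)` test works) or reword the message to say that only premature evaluation is detected.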
From: Marc Kleine-Budde <mkl@pengutronix.de> A role group consists of one or more roles. It should be used where more than one role is needed, but the exact names and/or number of roles depend on the used code signing provider. For example the generation of the imx HABv4 fuse table can use 1 to 4 SRK keys as input. If the signing provider is an HSM, the current mechanism with continuous numbered URI may not work – role groups to the rescue. To make use of role groups, define roles as usual: | r="imx-habv4-srk1" | cs_define_role "${r}" | cs_set_uri "${r}" "pkcs11:object=SRK CA 0" | cs_append_ca_from_uri "${r}" | | r="imx-habv4-srk2" | cs_define_role "${r}" | cs_set_uri "${r}" "pkcs11:object=SRK CA 1" | cs_append_ca_from_uri "${r}" Now define a role group and add the roles to the group: | g="imx-habv4-srk" | cs_define_group "${g}" | cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" Use the function cs_group_get_roles() to get the roles of a group. In a later patch the function ptxd_make_imx_habv4_gen_table() is converted to make use $(cs_group_get_roles imx-habv4-srk) to get the roles of the imx-habv4-srk group. Co-authored-by: Roland Hieber <rhi@pengutronix.de> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- PATCH v3: - no changes PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-2-rhi@pengutronix.de - reorder from PATCH 1/n to PATCH 2/n - be more concise and call the new concept "role groups" instead of the (less expressive) "code signing groups" or "key groups" - add API docs for new shell functions (feedback from myself) - rephrase and fix typos in commit message PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-1-mkl@pengutronix.de --- doc/dev_code_signing.rst | 5 ++ doc/ref_code_signing_helpers.rst | 79 ++++++++++++++++++++++++++++ scripts/lib/ptxd_lib_code_signing.sh | 45 ++++++++++++++++ 3 files changed, 129 insertions(+) 
diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst index 56ac0e3b3217..1f43f2b60ade 100644 --- a/doc/dev_code_signing.rst +++ b/doc/dev_code_signing.rst @@ -19,6 +19,11 @@ development) the URIs are usually not hardcoded in the package configuration. Instead, PTXdist has the idea of **roles** which are string identifiers used to access a single private/public key pair and a certificate. +Roles can be grouped into **role groups**. +Role groups should be used where more than one role is needed, but the exact +names and/or number of roles depend on the concrete code signing provider. +For example, an i.MX HABv4 fuse table can contain up to four keys. + Finally, one or several **code signing providers** supply the mapping from roles to the respective key material or even provide it themselves for development. diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst index f7928f52ebef..99a395b287c9 100644 --- a/doc/ref_code_signing_helpers.rst +++ b/doc/ref_code_signing_helpers.rst 
@@ -215,6 +215,85 @@ Preconditions: - when used with SoftHSM, certificates must have been imported before (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`) +.. _cs_define_group: + +cs_define_group +^^^^^^^^^^^^^^^ + +Usage: + +.. code-block:: bash + + cs_define_group <group> + +Define a new role group. + +See :ref:`cs_group_add_roles` for an example. + +.. _cs_group_add_roles: + +cs_group_add_roles +^^^^^^^^^^^^^^^^^^ + +Usage: + +.. code-block:: bash + + cs_group_add_roles <group> <roles...> + +Add all given roles to a role group. + +Preconditions: + +- the group must have been defined (see :ref:`cs_define_group`) +- the role(s) must have been defined (see :ref:`cs_define_role`) + +Example: + +.. code-block:: bash + + # define two roles named imx-habv4-srk1 and imx-habv4-srk2 + r="imx-habv4-srk1" + cs_define_role "${r}" + cs_set_uri "${r}" "pkcs11:object=SRK CA 0" + cs_append_ca_from_uri "${r}" + r="imx-habv4-srk2" + cs_define_role "${r}" + cs_set_uri "${r}" "pkcs11:object=SRK CA 1" + cs_append_ca_from_uri "${r}" + + # define a group and add the roles + g="imx-habv4-srk" + cs_define_group "${g}" + cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" + +.. _cs_group_get_roles: + +cs_group_get_roles +^^^^^^^^^^^^^^^^^^ + +Usage: + +.. code-block:: bash + + cs_group_get_roles <group> + +Get a list of all roles that have been added to the role group. + +Example: + +.. code-block:: bash + + # iterate over role names in a role group, and print their name and URI + for role in $(cs_group_get_roles "imx-habv4-srk"); do + echo "role '${role}' has URI '$(cs_get_uri "${role}")'" + done + +In the example given in :ref:`cs_group_add_roles` above, this would print:: + + role 'imx-habv4-srk1' has URI 'pkcs11:object=SRK CA 0' + role 'imx-habv4-srk2' has URI 'pkcs11:object=SRK CA 1' + Consumer Functions ~~~~~~~~~~~~~~~~~~ diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 199f679ef828..c1c61e063b6c 100644 
--- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -99,6 +99,51 @@ cs_define_role() { } export -f cs_define_role +# +# cs_define_group <group> +# +# Define a new role group. +# +cs_define_group() { + local group="${1}" + cs_init_variables + + mkdir -p "${keydir}/${group}.group" && + rm -f "${keydir}/${group}.group/roles" +} +export -f cs_define_group + +# +# cs_group_add_roles <group> <role> ... <role> +# +# Set the roles for a group +# +cs_group_add_roles() { + local group="${1}" + shift + cs_init_variables + + local orig_IFS="${IFS}" + IFS=" +" + echo "${*}" >> "${keydir}/${group}.group/roles" && + IFS=${orig_IFS} +} +export -f cs_group_add_roles + +# +# cs_group_get_roles <group> +# +# Gets the roles of a group +# +cs_group_get_roles() { + local group="${1}" + cs_init_variables + + cat "${keydir}/${group}.group/roles" +} +export -f cs_group_get_roles + # # cs_set_uri <role> <uri> # -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
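Review bot: in cs_group_add_roles(), IFS is assigned globally and restored only behind `&&`, so if the `echo ... >>` fails (for instance because the group was never defined and the `.group` directory is missing) the caller is left with a newline-only IFS; a `local IFS` at the top of the function avoids the save/restore entirely. The function also does not verify the precondition the rst text states (every role must already be defined): a mistyped role name is written to the roles file and only surfaces later when cs_get_ca() fails for it, whereas a per-argument check against the per-role directory cs_get_ca() expects under `${keydir}/${role}`, followed by `ptxd_bailout`, would catch it at definition time. Minor: the header comment says "Set the roles for a group", but the `>>` append means repeated calls accumulate roles; "Add roles to a group" matches both the behaviour and the documentation.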
From: Marc Kleine-Budde <mkl@pengutronix.de> Existing barebox-imx-habv4 recipes can still use the indexed 'imx-habv4-srk%d ' roles to fetch the SRK keys, but for compatibility with HSM use cases that don't supported indexed role names, set up a new role group that contains the roles. Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- PATCH v3: - no changes PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-3-rhi@pengutronix.de - split off code signing provider template changes from library and consumer changes (see next patch) to make patches easier to port to existing code signing providers PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-2-mkl@pengutronix.de --- .../templates/code-signing-provider/ptxdist-set-keys-hsm.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh index bcd531d69572..b94eff049eac 100755 --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh @@ -18,7 +18,7 @@ set_rauc_keys() { } set_imx_habv4_keys() { - local r + local r g # HSM use case, assuming it contains only 1st CSF/IMG key for i in 1 2 3 4; do @@ -28,6 +28,10 @@ set_imx_habv4_keys() { cs_append_ca_from_uri "${r}" done + g="imx-habv4-srk" + cs_define_group "${g}" + cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4" + r="imx-habv4-csf1" cs_define_role ${r} cs_set_uri "${r}" "pkcs11:token=foo;object=csf1" -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
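Review bot: the four role names passed to cs_group_add_roles() are spelled out separately from the `for i in 1 2 3 4` loop that defines them, so the two lists can drift apart if the loop is later changed, e.g. for an HSM that holds fewer SRK keys. Defining the group before the loop and calling `cs_group_add_roles "${g}" "${r}"` inside it keeps a single source of truth, and the append semantics of cs_group_add_roles() make that work without further changes.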
From: Marc Kleine-Budde <mkl@pengutronix.de> The previous patch taught new code signing providers to set up the 'imx-habv4-srk' role group. This patch uses it for the barebox-imx-habv4 recipe. Keep backwards compatibility with the old way of using indexed role names in the library part, so existing recipes can still work with ptxd_make_imx_habv4_gen_table() if their code signing provider sets up the roles appropriately. Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- PATCH v3: - no changes PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-4-rhi@pengutronix.de - split up code signing provider template changes (see previous patch) from lib and consumer changes - fix ptxd_make_imx_habv4_gen_table() documentation comments PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-2-mkl@pengutronix.de --- .../templates/template-barebox-imx-habv4-make | 2 +- scripts/lib/ptxd_lib_imx_hab.sh | 49 ++++++++++++++----- 2 files changed, 37 insertions(+), 14 deletions(-) diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make index eb752c8349d9..cc825dc90292 100644 --- a/rules/templates/template-barebox-imx-habv4-make +++ b/rules/templates/template-barebox-imx-habv4-make @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile: @$(call targetinfo) @$(call world/env, BAREBOX_@PACKAGE@) \ - ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4 + ptxd_make_imx_habv4_gen_table imx-habv4-srk @$(call world/compile, BAREBOX_@PACKAGE@) diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh index d1e2aba99fab..fa5b3e2c1439 100644 --- a/scripts/lib/ptxd_lib_imx_hab.sh +++ b/scripts/lib/ptxd_lib_imx_hab.sh 
@@ -9,12 +9,14 @@ # # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4 # -# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>] +# usage: ptxd_make_imx_habv4_gen_table <role group> +# ptxd_make_imx_habv4_gen_table <template> [<srk_count>] # +# role group: the group that specifies all roles to access the keys # template: the role template to access the keys. Must contain a "%d" which is # used as index -# srk_count: the number of keys (keys with index 1..srk_count will be used), -# defaults to 4 +# srk_count: only when using <template>: the number of keys (keys with index +# 1..srk_count will be used), defaults to 4 # # The output files are generated in the package build dir: # 
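Review bot: the usage comment now documents two call forms but not how they are distinguished; the implementation dispatches on whether the first argument contains `%d`. One sentence stating that rule (and that a role group name therefore must not contain `%d`) would spare callers from reading the case statement.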
@@ -25,25 +27,46 @@ # This will contain the srk hash which must be written to the fuses # ptxd_make_imx_habv4_gen_table_impl() { + local group="${1}" local template="${1}" local srk_count="${2}" local table_bin="${pkg_build_dir}/imx-srk-table.bin" local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin" local -a certs + local i - if [ -z "${srk_count}" ]; then - srk_count=4 - fi + case "${template}" in + *%d*) # <template> [<srk_count>] + if [ -z "${srk_count}" ]; then + srk_count=4 + fi - if [ "${srk_count}" -gt 4 ]; then - ptxd_bailout "HABv4 allows only 4 certificates" - fi + if [ "${srk_count}" -gt 4 ]; then + ptxd_bailout "HABv4 allows only 4 certificates" + fi - echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n" + for i in $(seq ${srk_count}); do + certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")" + done + ;; + + *) # <role group> + local -a roles=( $(cs_group_get_roles "${group}") ) + + if [ "${#roles[@]}" -eq 0 ]; then + ptxd_bailout "Failed to get roles for group '${group}'" + fi - for i in $(seq ${srk_count}); do - certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")" - done + if [ "${#roles[@]}" -gt 4 ]; then + ptxd_bailout "HABv4 allows only 4 certificates" + fi + + for i in "${roles[@]}"; do + certs[${#certs[*]}]="$(cs_get_ca "${i}")" + done + esac + + echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n" local orig_IFS="${IFS}" IFS="," -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
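Review bot: in both branches the output of cs_get_ca() is appended to `certs` without checking its exit status, so after patch 1/5 of this series a role whose provider is not yet set up contributes the literal string ERROR_CA_NOT_YET_SET to the SRK table input instead of failing here. Wrapping the call, e.g. `certs[${#certs[*]}]="$(cs_get_ca "${i}")" || ptxd_bailout "no CA for role '${i}'"`, keeps the failure at the point of the cause. Note also that the unquoted `$(cs_group_get_roles "${group}")` in the array assignment relies on IFS word splitting, which is fine for the newline-separated roles file only as long as role names never contain whitespace; that constraint is worth stating in the cs_group_add_roles docs.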
With this version, host-ptx-code-signing-dev sets up the new role groups imx-habv4-srk, imx-habv4-csf and imx-habv4-img. Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- PATCH v3: - no changes PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-5-rhi@pengutronix.de - new patch in v2 (feedback from Michael Olbrich) --- rules/host-ptx-code-signing-dev.make | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make index af7a774bc9a4..2314f88c2d88 100644 --- a/rules/host-ptx-code-signing-dev.make +++ b/rules/host-ptx-code-signing-dev.make @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev # # Paths and names # -HOST_PTX_CODE_SIGNING_DEV_VERSION := 0.4 -HOST_PTX_CODE_SIGNING_DEV_MD5 := 853ac0147adc0b46dc695e16a7101aaa +HOST_PTX_CODE_SIGNING_DEV_VERSION := 0.5 +HOST_PTX_CODE_SIGNING_DEV_MD5 := ec83c9225c520932b515a7c3b353d149 HOST_PTX_CODE_SIGNING_DEV := ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION) HOST_PTX_CODE_SIGNING_DEV_SUFFIX := tar.gz HOST_PTX_CODE_SIGNING_DEV_URL := https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX) -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
On Thu, Jul 08, 2021 at 10:39:37PM +0200, Roland Hieber wrote: > From: Marc Kleine-Budde <mkl@pengutronix.de> > > This patch changes cs_get_ca() to only output the CA if it actually > exists, or print an error and return 1 instead. This makes it possible > to use make's $(if $(filter-out, ERROR_CA_NOT_YET_SET, ...)) > conditional. > > Co-authored-by: Roland Hieber <rhi@pengutronix.de> > Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > --- > PATCH v3: > - correctly check for existence of ${keydir} instead of ${ca} (feedback > from Michael Olbrich) > - drop controversial re-indentation patches 6/7 and 7/7 from the series > > PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de > - reorder from PATCH 3/n to PATCH 1/n > - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael > Olbrich) and also return 1 > > PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de > --- > scripts/lib/ptxd_lib_code_signing.sh | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh > index 3e1654bb36e4..199f679ef828 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh 
> @@ -243,7 +243,13 @@ cs_get_ca() { > local role="${1}" > cs_init_variables > > - echo "${keydir}/${role}/ca.pem" > + local ca="${keydir}/${role}/ca.pem" > + > + if [ ! -d "${keydir}" ]; then > + echo "ERROR_CA_NOT_YET_SET" > + return 1 > + fi So this is not what we want here. Sorry, I didn't notice this in the last version. The idea is this: If the keydir does not exist, then cs_get_ca)() was evaluated too early. So the check above should be added as it is here. What's now missing is what Marc originally intended and was part of the first version of the patch: If the keydir exists but no CA, then there will never be a CA and we want to match that. So this should be there as well: if [ -e "${ca}" ]; then echo "${ca}" fi instead of this: > + echo "${ca}" Now we can do $(if $(shell cs_get_ca ...), ...) to do something only if the CA exists. Marc, that was the use-case, right? Michael > } > export -f cs_get_ca > > -- > 2.30.2 > > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
On 09.07.2021 15:36:00, Michael Olbrich wrote:
> So this is not what we want here. Sorry, I didn't notice this in the last
> version. The idea is this:
>
> If the keydir does not exist, then cs_get_ca() was evaluated too early. So
> the check above should be added as it is here.
> What's now missing is what Marc originally intended and was part of the
> first version of the patch:
> If the keydir exists but no CA, then there will never be a CA and we want
> to match that. So this should be there as well:
>
> if [ -e "${ca}" ]; then
> echo "${ca}"
> fi
>
> instead of this:
>
> > + echo "${ca}"
>
> Now we can do $(if $(shell cs_get_ca ...), ...) to do something only if the
> CA exists.
>
> Marc, that was the use-case, right?

ACK, the use case is:

| KERNEL_SIGN_OPT = \
| CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri evm)"' \
| CONFIG_MODULE_SIG_ALL=y \
| $(if $(shell cs_get_ca kernel-trusted), \
| CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))

regards,
Marc

-- 
Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
From: Marc Kleine-Budde <mkl@pengutronix.de> This patch changes cs_get_ca() to only output the CA if it actually exists, or print an error and return 1 instead. This makes it possible to use make's $(if $(filter-out, ERROR_CA_NOT_YET_SET, ...)) conditional. Co-authored-by: Roland Hieber <rhi@pengutronix.de> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- PATCH v4: - revert to [ -e "${ca}" ] test (feeback from Michael Olbrich and Marc Kleine-Budde) - add documentation too PATCH v3: https://lore.ptxdist.org/ptxdist/20210708203941.30212-1-rhi@pengutronix.de - correctly check for existence of ${keydir} instead of ${ca} (feedback from Michael Olbrich) - drop controversial re-indentation patches 6/7 and 7/7 from the series PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de - reorder from PATCH 3/n to PATCH 1/n - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael Olbrich) and also return 1 PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de fixup! ptxd_lib_code_signing: cs_get_ca(): improve error handling --- doc/ref_code_signing_helpers.rst | 3 ++- scripts/lib/ptxd_lib_code_signing.sh | 8 +++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst index 99a395b287c9..0fd61219a97a 100644 --- a/doc/ref_code_signing_helpers.rst +++ b/doc/ref_code_signing_helpers.rst @@ -334,4 +334,5 @@ Preconditions: - a certificate must have been appended to the CA keyring (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`, - :ref:`cs_append_ca_from_uri`) + :ref:`cs_append_ca_from_uri`). + Otherwise, this function will print ``ERROR_CA_NOT_YET_SET``. diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 5fa62d8372f9..ca101d635574 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh 
+++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -288,7 +288,13 @@ cs_get_ca() { local role="${1}" cs_init_variables - echo "${keydir}/${role}/ca.pem" + local ca="${keydir}/${role}/ca.pem" + + if [ ! -e "${ca}" ]; then + echo "ERROR_CA_NOT_YET_SET" + return 1 + fi + echo "${ca}" } export -f cs_get_ca -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
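Review bot: this revision replaces the `-d "${keydir}"` test with `-e "${ca}"`, so the two situations the series needs to tell apart, premature evaluation before the provider ran and a provider that legitimately sets no CA for the role, now produce the same ERROR_CA_NOT_YET_SET output. That defeats the `$(if $(shell cs_get_ca kernel-trusted), ...)` use case from the thread, where an absent CA must yield an empty string; keep the keydir check for the error case and make the final echo conditional on `[ -e "${ca}" ]`, printing nothing otherwise.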
On Tue, Jul 13, 2021 at 01:51:25PM +0200, Roland Hieber wrote: > From: Marc Kleine-Budde <mkl@pengutronix.de> > > This patch changes cs_get_ca() to only output the CA if it actually > exists, or print an error and return 1 instead. This makes it possible > to use make's $(if $(filter-out, ERROR_CA_NOT_YET_SET, ...)) > conditional. > > Co-authored-by: Roland Hieber <rhi@pengutronix.de> > Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > --- > PATCH v4: > - revert to [ -e "${ca}" ] test (feeback from Michael Olbrich and Marc > Kleine-Budde) > - add documentation too > > PATCH v3: https://lore.ptxdist.org/ptxdist/20210708203941.30212-1-rhi@pengutronix.de > - correctly check for existence of ${keydir} instead of ${ca} (feedback > from Michael Olbrich) > - drop controversial re-indentation patches 6/7 and 7/7 from the series > > PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de > - reorder from PATCH 3/n to PATCH 1/n > - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael > Olbrich) and also return 1 > > PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de > > fixup! ptxd_lib_code_signing: cs_get_ca(): improve error handling > --- > doc/ref_code_signing_helpers.rst | 3 ++- > scripts/lib/ptxd_lib_code_signing.sh | 8 +++++++- > 2 files changed, 9 insertions(+), 2 deletions(-) > > diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst > index 99a395b287c9..0fd61219a97a 100644 > --- a/doc/ref_code_signing_helpers.rst > +++ b/doc/ref_code_signing_helpers.rst > @@ -334,4 +334,5 @@ Preconditions: > > - a certificate must have been appended to the CA keyring > (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`, > - :ref:`cs_append_ca_from_uri`) > + :ref:`cs_append_ca_from_uri`). > + Otherwise, this function will print ``ERROR_CA_NOT_YET_SET``. 
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh > index 5fa62d8372f9..ca101d635574 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh > @@ -288,7 +288,13 @@ cs_get_ca() { > local role="${1}" > cs_init_variables > > - echo "${keydir}/${role}/ca.pem" > + local ca="${keydir}/${role}/ca.pem" > + > + if [ ! -e "${ca}" ]; then > + echo "ERROR_CA_NOT_YET_SET" > + return 1 > + fi > + echo "${ca}" No. Please that's not what I meant. You need _both_! There are three cases that need different output not two: 1. The function is called before the provider initialized the data: if [ ! -d "${keydir}" ]; then echo "ERROR_CA_NOT_YET_SET" return 1 fi 2. The provider created a CA: if [ -e "${ca}" ]; then echo "${ca}" fi 3. The provider did _not_ create a CA: # no output Case 1 is to detect misuse. And case 2 and 3 are needed to make the example that Marc described possible. Michael > } > export -f cs_get_ca > > -- > 2.30.2 > > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
From: Marc Kleine-Budde <mkl@pengutronix.de> This patch changes cs_get_ca() to only output the CA if it actually exists, so that this function can be used even if a signing provider does not provide a CA for a role. Additionally improve robustness against premature evaluation by printing an error code if the signing provider was not set up yet. If the error message is used as part of a URI, the user can at least get a hint about the fact that an error happened. Co-authored-by: Roland Hieber <rhi@pengutronix.de> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- PATCH v5: - print error if keydir doesn't exist; and only print CA if it was set (feedback from Michael Olbrich) - update docs, and add example PATCH v4: https://lore.ptxdist.org/ptxdist/20210713115125.15630-1-rhi@pengutronix.de - revert to [ -e "${ca}" ] test (feeback from Michael Olbrich and Marc Kleine-Budde) - add documentation too PATCH v3: https://lore.ptxdist.org/ptxdist/20210708203941.30212-1-rhi@pengutronix.de - correctly check for existence of ${keydir} instead of ${ca} (feedback from Michael Olbrich) - drop controversial re-indentation patches 6/7 and 7/7 from the series PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de - reorder from PATCH 3/n to PATCH 1/n - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael Olbrich) and also return 1 PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de --- doc/ref_code_signing_helpers.rst | 22 +++++++++++++++++++--- scripts/lib/ptxd_lib_code_signing.sh | 11 ++++++++++- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst index 99a395b287c9..fd16ca763557 100644 --- a/doc/ref_code_signing_helpers.rst +++ b/doc/ref_code_signing_helpers.rst 
@@ -330,8 +330,24 @@ Usage: Get path to the CA keyring in PEM format for role. +If the provider does not set a CA for this role (see :ref:`cs_append_ca_from_pem`, +:ref:`cs_append_ca_from_der`, :ref:`cs_append_ca_from_uri`), this function will print an empty +string. + Preconditions: -- a certificate must have been appended to the CA keyring - (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`, - :ref:`cs_append_ca_from_uri`) +- The role must have been defined by the provider (see :ref:`cs_define_role`). + Otherwise, this function will print ``ERROR_CA_NOT_YET_SET`` and return 1. + This can happen if the function is evaluated by a variable expansion in make + with ``:=`` instead of ``=`` before the code signing provider is set up. + +Example: + +.. code-block:: make + + # set up kernel module signing, and add a trusted CA if the provider set one + KERNEL_SIGN_OPT = + CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \ + CONFIG_MODULE_SIG_ALL=y \ + $(if $(shell cs_get_ca kernel-trusted), \ + CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted)) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 5fa62d8372f9..5ba1a4666af4 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -288,7 +288,16 @@ cs_get_ca() { local role="${1}" cs_init_variables - echo "${keydir}/${role}/ca.pem" + local ca="${keydir}/${role}/ca.pem" + + if [ ! -d "${keydir}" ]; then + echo "ERROR_CA_NOT_YET_SET" + return 1 + fi + + if [ -e "${ca}" ]; then + echo "${ca}" + fi } export -f cs_get_ca -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
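Review bot: the make example in the rst hunk is missing the line continuation after `KERNEL_SIGN_OPT =`; as written, make assigns an empty KERNEL_SIGN_OPT and parses the following `CONFIG_MODULE_SIG_KEY=...` line as a separate assignment. It should read `KERNEL_SIGN_OPT = \`, as in the version Marc quoted earlier in the thread.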
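Review bot: with all three outcomes of cs_get_ca() now encoded in stdout alone, a caller using `$(shell cs_get_ca role)` never sees the `return 1`, so the sentinel string is the only signal that reaches the build. Printing the error to stderr in addition (`echo "ERROR_CA_NOT_YET_SET" >&2`) would make premature evaluation visible in the build log rather than only as a broken path inside a URI, which is the hint the commit message relies on. Minor: `-f` is the tighter test for the PEM keyring, since `-e` also accepts a directory of that name.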
Thanks, applied as b48275586b2ee07cfeb5d146b504141d6d490a65.
Michael
[sent from post-receive hook]
On Tue, 20 Jul 2021 13:48:38 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> A role group consists of one or more roles. It should be used where more
> than one role is needed, but the exact names and/or number of roles
> depend on the used code signing provider.
>
> For example the generation of the imx HABv4 fuse table can use 1 to 4
> SRK keys as input. If the signing provider is an HSM, the current
> mechanism with continuous numbered URI may not work – role groups to the
> rescue.
>
> To make use of role groups, define roles as usual:
>
> | r="imx-habv4-srk1"
> | cs_define_role "${r}"
> | cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
> | cs_append_ca_from_uri "${r}"
> |
> | r="imx-habv4-srk2"
> | cs_define_role "${r}"
> | cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
> | cs_append_ca_from_uri "${r}"
>
> Now define a role group and add the roles to the group:
>
> | g="imx-habv4-srk"
> | cs_define_group "${g}"
> | cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"
>
> Use the function cs_group_get_roles() to get the roles of a group.
>
> In a later patch the function ptxd_make_imx_habv4_gen_table() is
> converted to make use $(cs_group_get_roles imx-habv4-srk) to get the
> roles of the imx-habv4-srk group.
>
> Co-authored-by: Roland Hieber <rhi@pengutronix.de>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210708203941.30212-2-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
> index 56ac0e3b3217..1f43f2b60ade 100644
> --- a/doc/dev_code_signing.rst
> +++ b/doc/dev_code_signing.rst
> @@ -19,6 +19,11 @@ development) the URIs are usually not hardcoded in the package configuration.
> Instead, PTXdist has the idea of **roles** which are string identifiers used to
> access a single private/public key pair and a certificate.
>
> +Roles can be grouped into **role groups**.
> +Role groups should be used where more than one role is needed, but the exact
> +names and/or number of roles depend on the concrete code signing provider.
> +For example, an i.MX HABv4 fuse table can contain up to four keys.
> +
> Finally, one or several **code signing providers** supply the mapping from
> roles to the respective key material or even provide it themselves for
> development.
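Review bot: the new paragraph says an i.MX HABv4 fuse table "can contain up to four keys" but gives no lower bound; the commit message says 1 to 4, and stating the full range here makes clear that a role group with a single role is a valid input for the table generator.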
> diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
> index f7928f52ebef..99a395b287c9 100644
> --- a/doc/ref_code_signing_helpers.rst
> +++ b/doc/ref_code_signing_helpers.rst
> @@ -215,6 +215,85 @@ Preconditions:
> - when used with SoftHSM, certificates must have been imported before
> (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`)
>
> +.. _cs_define_group:
> +
> +cs_define_group
> +^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> + cs_define_group <group>
> +
> +Define a new role group.
> +
> +See :ref:`cs_group_add_roles` for an example.
> +
> +.. _cs_group_add_roles:
> +
> +cs_group_add_roles
> +^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> + cs_group_add_roles <group> <roles...>
> +
> +Add all given roles to a role group.
> +
> +Preconditions:
> +
> +- the group must have been defined (see :ref:`cs_define_group`)
> +- the role(s) must have been defined (see :ref:`cs_define_role`)
> +
> +Example:
> +
> +.. code-block:: bash
> +
> + # define two roles named imx-habv4-srk1 and imx-habv4-srk2
> + r="imx-habv4-srk1"
> + cs_define_role "${r}"
> + cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
> + cs_append_ca_from_uri "${r}"
> + r="imx-habv4-srk2"
> + cs_define_role "${r}"
> + cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
> + cs_append_ca_from_uri "${r}"
> +
> + # define a group and add the roles
> + g="imx-habv4-srk"
> + cs_define_group "${g}"
> + cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"
> +
> +.. _cs_group_get_roles:
> +
> +cs_group_get_roles
> +^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> + cs_group_get_roles <group>
> +
> +Get a list of all roles that have been added to the role group.
> +
> +Example:
> +
> +.. code-block:: bash
> +
> + # iterate over role names in a role group, and print their name and URI
> + for role in $(cs_group_get_roles "imx-habv4-srk"); do
> + echo "role '${role}' has URI '$(cs_get_uri "${role}")'"
> + done
> +
> +In the example given in :ref:`cs_group_add_roles` above, this would print::
> +
> + role 'imx-habv4-srk1' has URI 'pkcs11:object=SRK CA 0'
> + role 'imx-habv4-srk2' has URI 'pkcs11:object=SRK CA 1'
> +
> Consumer Functions
> ~~~~~~~~~~~~~~~~~~
>
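Review bot: the cs_define_group entry should state that defining a group discards any roles previously added to it (the shell implementation in this patch removes the group's roles file on every call), and cs_group_get_roles should say that the roles are printed one per line, since callers depend on word splitting of its output, as the documented example `for role in $(cs_group_get_roles "imx-habv4-srk")` does.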
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index 3e1654bb36e4..5fa62d8372f9 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -99,6 +99,51 @@ cs_define_role() {
> }
> export -f cs_define_role
>
> +#
> +# cs_define_group <group>
> +#
> +# Define a new role group.
> +#
> +cs_define_group() {
> + local group="${1}"
> + cs_init_variables
> +
> + mkdir -p "${keydir}/${group}.group" &&
> + rm -f "${keydir}/${group}.group/roles"
> +}
> +export -f cs_define_group
> +
> +#
> +# cs_group_add_roles <group> <role> ... <role>
> +#
> +# Set the roles for a group
> +#
> +cs_group_add_roles() {
> + local group="${1}"
> + shift
> + cs_init_variables
> +
> + local orig_IFS="${IFS}"
> + IFS="
> +"
> + echo "${*}" >> "${keydir}/${group}.group/roles" &&
> + IFS=${orig_IFS}
> +}
> +export -f cs_group_add_roles
> +
> +#
> +# cs_group_get_roles <group>
> +#
> +# Gets the roles of a group
> +#
> +cs_group_get_roles() {
> + local group="${1}"
> + cs_init_variables
> +
> + cat "${keydir}/${group}.group/roles"
> +}
> +export -f cs_group_get_roles
> +
> #
> # cs_set_uri <role> <uri>
> #
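Review bot: in cs_group_add_roles, IFS is only restored when the write succeeds (`echo "${*}" >> "${keydir}/${group}.group/roles" && IFS=${orig_IFS}`), so a failing echo leaves the caller's shell with IFS set to a newline; declare `local IFS` instead of saving and restoring it, or restore unconditionally and return the saved exit status. The function also does not verify the preconditions the documentation lists (group defined, roles defined), so a misspelled role name is appended silently and only surfaces when the group is consumed; checking `-d "${keydir}/${group}.group"` and each role directory here would give an earlier and clearer error.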
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
Thanks, applied as f1fc06cd534092bd1a4ae84917ecfc33d5ddb2c2.
Michael
[sent from post-receive hook]
On Tue, 20 Jul 2021 13:48:40 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> Existing barebox-imx-habv4 recipes can still use the indexed
> 'imx-habv4-srk%d' roles to fetch the SRK keys, but for compatibility
> with HSM use cases that don't support indexed role names, set up a new
> role group that contains the roles.
>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210708203941.30212-3-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> index bcd531d69572..b94eff049eac 100755
> --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
> @@ -18,7 +18,7 @@ set_rauc_keys() {
> }
>
> set_imx_habv4_keys() {
> - local r
> + local r g
>
> # HSM use case, assuming it contains only 1st CSF/IMG key
> for i in 1 2 3 4; do
> @@ -28,6 +28,10 @@ set_imx_habv4_keys() {
> cs_append_ca_from_uri "${r}"
> done
>
> + g="imx-habv4-srk"
> + cs_define_group "${g}"
> + cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2" "imx-habv4-srk3" "imx-habv4-srk4"
> +
> r="imx-habv4-csf1"
> cs_define_role ${r}
> cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
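Review bot: the four role names passed to cs_group_add_roles duplicate the names produced by the `for i in 1 2 3 4` loop directly above; collecting the names in that loop (for example appending each `"${r}"` to a list variable and passing the list to cs_group_add_roles) keeps the group membership and the defined roles from drifting apart when the index list changes.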
Thanks, applied as 67083fd28c7a49d9cca8866f8ff51cdf1728b6b9.
Michael
[sent from post-receive hook]
On Tue, 20 Jul 2021 13:48:42 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> The previous patch taught new code signing providers to set up the
> 'imx-habv4-srk' role group. This patch uses it for the barebox-imx-habv4
> recipe.
>
> Keep backwards compatibility with the old way of using indexed role
> names in the library part, so existing recipes can still work with
> ptxd_make_imx_habv4_gen_table() if their code signing provider sets up
> the roles appropriately.
>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210708203941.30212-4-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
> index eb752c8349d9..cc825dc90292 100644
> --- a/rules/templates/template-barebox-imx-habv4-make
> +++ b/rules/templates/template-barebox-imx-habv4-make
> @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
> @$(call targetinfo)
>
> @$(call world/env, BAREBOX_@PACKAGE@) \
> - ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
> + ptxd_make_imx_habv4_gen_table imx-habv4-srk
>
> @$(call world/compile, BAREBOX_@PACKAGE@)
>
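Review bot: after this change a recipe generated from the template only works with code signing providers that define the imx-habv4-srk group (the HSM provider template does so in this series), and ptxd_make_imx_habv4_gen_table bails out with "Failed to get roles for group" otherwise; a comment in the template or a sentence in the code signing docs naming the required group would tell provider authors what to set up.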
> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
> index d1e2aba99fab..fa5b3e2c1439 100644
> --- a/scripts/lib/ptxd_lib_imx_hab.sh
> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
> @@ -9,12 +9,14 @@
> #
> # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
> #
> -# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
> +# usage: ptxd_make_imx_habv4_gen_table <role group>
> +# ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
> #
> +# role group: the group that specifies all roles to access the keys
> # template: the role template to access the keys. Must contain a "%d" which is
> # used as index
> -# srk_count: the number of keys (keys with index 1..srk_count will be used),
> -# defaults to 4
> +# srk_count: only when using <template>: the number of keys (keys with index
> +# 1..srk_count will be used), defaults to 4
> #
> # The output files are generated in the package build dir:
> #
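Review bot: the usage comment lists two call forms but does not say how they are distinguished; the implementation treats the first argument as a template when it contains `%d` and as a role group name otherwise, and that rule belongs in this comment so callers know a group name must not contain `%d`.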
> @@ -25,25 +27,46 @@
> # This will contain the srk hash which must be written to the fuses
> #
> ptxd_make_imx_habv4_gen_table_impl() {
> + local group="${1}"
> local template="${1}"
> local srk_count="${2}"
> local table_bin="${pkg_build_dir}/imx-srk-table.bin"
> local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
> local -a certs
> + local i
>
> - if [ -z "${srk_count}" ]; then
> - srk_count=4
> - fi
> + case "${template}" in
> + *%d*) # <template> [<srk_count>]
> + if [ -z "${srk_count}" ]; then
> + srk_count=4
> + fi
>
> - if [ "${srk_count}" -gt 4 ]; then
> - ptxd_bailout "HABv4 allows only 4 certificates"
> - fi
> + if [ "${srk_count}" -gt 4 ]; then
> + ptxd_bailout "HABv4 allows only 4 certificates"
> + fi
>
> - echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
> + for i in $(seq ${srk_count}); do
> + certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> + done
> + ;;
> +
> + *) # <role group>
> + local -a roles=( $(cs_group_get_roles "${group}") )
> +
> + if [ "${#roles[@]}" -eq 0 ]; then
> + ptxd_bailout "Failed to get roles for group '${group}'"
> + fi
>
> - for i in $(seq ${srk_count}); do
> - certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> - done
> + if [ "${#roles[@]}" -gt 4 ]; then
> + ptxd_bailout "HABv4 allows only 4 certificates"
> + fi
> +
> + for i in "${roles[@]}"; do
> + certs[${#certs[*]}]="$(cs_get_ca "${i}")"
> + done
> + esac
> +
> + echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
>
> local orig_IFS="${IFS}"
> IFS=","
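Review bot: neither branch checks the result of cs_get_ca when filling `certs` (`certs[${#certs[*]}]="$(cs_get_ca "${i}")"`), so a role without a CA yields an empty or error-string array entry that is only noticed, if at all, when the SRK table is generated; bail out with ptxd_bailout when the substitution returns non-zero or prints an empty path. Minor: `group` and `template` are both assigned from `${1}`, so one variable with a comment on the two interpretations would be clearer, and `roles=( $(cs_group_get_roles "${group}") )` relies on word splitting, which is acceptable for identifier-style role names but deserves a comment.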
Thanks, applied as bd8b3d01cbd0ce3af98f3a7543160e0217ac9061.
Michael
[sent from post-receive hook]
On Tue, 20 Jul 2021 13:48:43 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> With this version, host-ptx-code-signing-dev sets up the new role groups
> imx-habv4-srk, imx-habv4-csf and imx-habv4-img.
>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210708203941.30212-5-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
> index af7a774bc9a4..2314f88c2d88 100644
> --- a/rules/host-ptx-code-signing-dev.make
> +++ b/rules/host-ptx-code-signing-dev.make
> @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
> #
> # Paths and names
> #
> -HOST_PTX_CODE_SIGNING_DEV_VERSION := 0.4
> -HOST_PTX_CODE_SIGNING_DEV_MD5 := 853ac0147adc0b46dc695e16a7101aaa
> +HOST_PTX_CODE_SIGNING_DEV_VERSION := 0.5
> +HOST_PTX_CODE_SIGNING_DEV_MD5 := ec83c9225c520932b515a7c3b353d149
> HOST_PTX_CODE_SIGNING_DEV := ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
> HOST_PTX_CODE_SIGNING_DEV_SUFFIX := tar.gz
> HOST_PTX_CODE_SIGNING_DEV_URL := https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)
Thanks, applied as 235332de090655007e6ca808e79c9206d1e075da.
Michael
[sent from post-receive hook]
On Tue, 20 Jul 2021 13:49:13 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> This patch changes cs_get_ca() to only output the CA if it actually
> exists, so that this function can be used even if a signing provider
> does not provide a CA for a role.
>
> Additionally improve robustness against premature evaluation by printing
> an error code if the signing provider was not set up yet. If the error
> message is used as part of a URI, the user can at least get a hint about
> the fact that an error happened.
>
> Co-authored-by: Roland Hieber <rhi@pengutronix.de>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210715134224.25700-1-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
> index 99a395b287c9..fd16ca763557 100644
> --- a/doc/ref_code_signing_helpers.rst
> +++ b/doc/ref_code_signing_helpers.rst
> @@ -330,8 +330,24 @@ Usage:
>
> Get path to the CA keyring in PEM format for role.
>
> +If the provider does not set a CA for this role (see :ref:`cs_append_ca_from_pem`,
> +:ref:`cs_append_ca_from_der`, :ref:`cs_append_ca_from_uri`), this function will print an empty
> +string.
> +
> Preconditions:
>
> -- a certificate must have been appended to the CA keyring
> - (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
> - :ref:`cs_append_ca_from_uri`)
> +- The role must have been defined by the provider (see :ref:`cs_define_role`).
> + Otherwise, this function will print ``ERROR_CA_NOT_YET_SET`` and return 1.
> + This can happen if the function is evaluated by a variable expansion in make
> + with ``:=`` instead of ``=`` before the code signing provider is set up.
> +
> +Example:
> +
> +.. code-block:: make
> +
> + # set up kernel module signing, and add a trusted CA if the provider set one
> + KERNEL_SIGN_OPT =
> + CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \
> + CONFIG_MODULE_SIG_ALL=y \
> + $(if $(shell cs_get_ca kernel-trusted), \
> + CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
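Review bot: the make example does not guard against the ERROR_CA_NOT_YET_SET value described a few lines above it: `$(if $(shell cs_get_ca kernel-trusted), ...)` treats that string as a non-empty result and would pass it as CONFIG_SYSTEM_TRUSTED_KEYS. Use `$(filter-out ERROR_CA_NOT_YET_SET,$(shell cs_get_ca kernel-trusted))` in the condition, and capture the path once in a variable rather than running the shell call twice.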
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index 5fa62d8372f9..5ba1a4666af4 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -288,7 +288,16 @@ cs_get_ca() {
> local role="${1}"
> cs_init_variables
>
> - echo "${keydir}/${role}/ca.pem"
> + local ca="${keydir}/${role}/ca.pem"
> +
> + if [ ! -d "${keydir}" ]; then
> + echo "ERROR_CA_NOT_YET_SET"
> + return 1
> + fi
> +
> + if [ -e "${ca}" ]; then
> + echo "${ca}"
> + fi
> }
> export -f cs_get_ca
>
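Review bot: the documentation hunk says ERROR_CA_NOT_YET_SET is printed when the role has not been defined, but the code only checks `[ ! -d "${keydir}" ]`; an undefined role with an initialised keydir falls through to the `-e "${ca}"` test and prints nothing with exit status 0, indistinguishable from a defined role that simply has no CA. Either also check `-d "${keydir}/${role}"` and report that case, or align the documented precondition with what the function actually detects.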