From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Thu, 15 Jul 2021 15:43:16 +0200 Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33]) by lore.white.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1m41e0-0008M3-IS for lore@lore.pengutronix.de; Thu, 15 Jul 2021 15:43:16 +0200 Received: from localhost ([127.0.0.1] helo=metis.ext.pengutronix.de) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1m41e0-0003EP-5B; Thu, 15 Jul 2021 15:43:16 +0200 Received: from dude.hi.pengutronix.de ([2001:67c:670:100:1d::7]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1m41dQ-0003E3-IL; Thu, 15 Jul 2021 15:42:40 +0200 Received: from rhi by dude.hi.pengutronix.de with local (Exim 4.92) (envelope-from ) id 1m41dQ-0006l7-AB; Thu, 15 Jul 2021 15:42:40 +0200 From: Roland Hieber To: ptxdist@pengutronix.de Date: Thu, 15 Jul 2021 15:42:25 +0200 Message-Id: <20210715134224.25700-1-rhi@pengutronix.de> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210714062113.GK27936@pengutronix.de> References: <20210714062113.GK27936@pengutronix.de> MIME-Version: 1.0 Mail-Followup-To: Roland Hieber , ptxdist@pengutronix.de Subject: [ptxdist] [PATCH v5] ptxd_lib_code_signing: cs_get_ca(): improve error handling X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: Marc Kleine-Budde , Roland Hieber Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false From: Marc Kleine-Budde This patch changes cs_get_ca() to only output the CA if it actually exists, so that this function can be used even if a signing provider does not provide a CA for a role. Additionally improve robustness against premature evaluation by printing an error code if the signing provider was not set up yet. If the error message is used as part of a URI, the user can at least get a hint about the fact that an error happened. Co-authored-by: Roland Hieber Signed-off-by: Marc Kleine-Budde Signed-off-by: Roland Hieber --- PATCH v5: - print error if keydir doesn't exist; and only print CA if it was set (feedback from Michael Olbrich) - update docs, and add example PATCH v4: https://lore.ptxdist.org/ptxdist/20210713115125.15630-1-rhi@pengutronix.de - revert to [ -e "${ca}" ] test (feeback from Michael Olbrich and Marc Kleine-Budde) - add documentation too PATCH v3: https://lore.ptxdist.org/ptxdist/20210708203941.30212-1-rhi@pengutronix.de - correctly check for existence of ${keydir} instead of ${ca} (feedback from Michael Olbrich) - drop controversial re-indentation patches 6/7 and 7/7 from the series PATCH v2 (rhi): https://lore.ptxdist.org/ptxdist/20210627231121.28313-1-rhi@pengutronix.de - reorder from PATCH 3/n to PATCH 1/n - echo "ERROR_CA_NOT_YET_SET" in case of error (feedback from Michael Olbrich) and also return 1 PATCH v1 (mkl): https://lore.ptxdist.org/ptxdist/20210412161900.2376802-3-mkl@pengutronix.de --- doc/ref_code_signing_helpers.rst | 22 +++++++++++++++++++--- scripts/lib/ptxd_lib_code_signing.sh | 11 ++++++++++- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst index 99a395b287c9..fd16ca763557 100644 --- a/doc/ref_code_signing_helpers.rst +++ b/doc/ref_code_signing_helpers.rst @@ -330,8 +330,24 @@ Usage: Get path to the CA keyring in PEM format for role. +If the provider does not set a CA for this role (see :ref:`cs_append_ca_from_pem`, +:ref:`cs_append_ca_from_der`, :ref:`cs_append_ca_from_uri`), this function will print an empty +string. + Preconditions: -- a certificate must have been appended to the CA keyring - (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`, - :ref:`cs_append_ca_from_uri`) +- The role must have been defined by the provider (see :ref:`cs_define_role`). + Otherwise, this function will print ``ERROR_CA_NOT_YET_SET`` and return 1. + This can happen if the function is evaluated by a variable expansion in make + with ``:=`` instead of ``=`` before the code signing provider is set up. + +Example: + +.. code-block:: make + + # set up kernel module signing, and add a trusted CA if the provider set one + KERNEL_SIGN_OPT = + CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \ + CONFIG_MODULE_SIG_ALL=y \ + $(if $(shell cs_get_ca kernel-trusted), \ + CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted)) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 5fa62d8372f9..5ba1a4666af4 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -288,7 +288,16 @@ cs_get_ca() { local role="${1}" cs_init_variables - echo "${keydir}/${role}/ca.pem" + local ca="${keydir}/${role}/ca.pem" + + if [ ! -d "${keydir}" ]; then + echo "ERROR_CA_NOT_YET_SET" + return 1 + fi + + if [ -e "${ca}" ]; then + echo "${ca}" + fi } export -f cs_get_ca -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de