mailarchive of the ptxdist mailing list
From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Roland Hieber <rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v1 4/5] ptxd_lib_code_signing: provide consumer functions with some environment
Date: Wed,  4 Aug 2021 16:23:29 +0200
Message-ID: <20210804142330.32739-4-rhi@pengutronix.de>
In-Reply-To: <20210804142330.32739-1-rhi@pengutronix.de>

The code signing consumer functions should be able to retrieve some
information about the recipe in which they were called in order to make
additional checks if needed. Refactor the (shell cs_get_*, …) calls into
macro calls of the form $(call ptx/cs-get-*, <PKG>, …). Let these
macros look up the package name (for now) from PTX_MAP_TO_package_<PKG>
before passing it to the shell functions. Using $(call world/env) here
would be practical, but would also cause make to complain about
recursive variable dependencies. Therefore variables must be added
to ptx/cs-consumer-env manually, but additional information can be added
later if needed.

Refactor the existing consumers in the code base too, and add an error
message in case anyone else still uses the old API.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
 doc/dev_code_signing.rst                      |  2 +-
 doc/ref_code_signing_helpers.rst              | 25 ++++++-----
 rules/barebox.make                            |  2 +-
 rules/image-rauc.make                         |  6 +--
 rules/kernel.make                             |  6 +--
 rules/pre/030-code-signing-consumers.make     | 41 +++++++++++++++++++
 rules/rauc.make                               |  2 +-
 .../templates/template-barebox-imx-habv4-make |  6 +--
 scripts/lib/ptxd_lib_code_signing.sh          | 13 ++++++
 9 files changed, 80 insertions(+), 23 deletions(-)
 create mode 100644 rules/pre/030-code-signing-consumers.make

diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index b9a7c42f2a55..413f694980eb 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -164,7 +164,7 @@ also via an environment variable.
 .. code-block:: none
 
     $(call install_copy, rauc, 0, 0, 0644, \
-      $(shell cs_get_ca update), \
+      $(call ptx/cs-get-ca, RAUC, update), \
       /etc/rauc/ca.cert.pem)
 
 .. note:: When code signing helper functions are used in make variables (e.g.
diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index fd16ca763557..d3429778d94d 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -297,19 +297,21 @@ In the example given in :ref:`cs_group_add_roles` above, this would print::
 Consumer Functions
 ~~~~~~~~~~~~~~~~~~
 
+The consumer functions are implemented as make macros.
 Packages that want to sign something or need access to keys/CAs can retrieve
 PKCS#11 URIs and CA keyrings with these helpers.
 
+.. _ptx/cs-get-uri:
 .. _cs_get_uri:
 
-cs_get_uri
-^^^^^^^^^^
+ptx/cs-get-uri
+^^^^^^^^^^^^^^
 
 Usage:
 
-.. code-block:: bash
+.. code-block:: make
 
-    cs_get_uri <role>
+    $(call ptx/cs-get-uri, <PKG>, <role>)
 
 Get PKCS#11 URI for role.
 
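Review bot: The new usage line `$(call ptx/cs-get-uri, <PKG>, <role>)` introduces a `<PKG>` argument, but the description under it still reads only "Get PKCS#11 URI for role." and nothing in this section says what `<PKG>` is. Please add a sentence explaining that it is the name looked up in `PTX_MAP_TO_package_<PKG>` (as the commit message describes, and as in the `RAUC` and `KERNEL` examples elsewhere in this patch), and add "a valid `<PKG>`" to the preconditions. The same applies to the `ptx/cs-get-ca` entry in the next hunk.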
@@ -317,16 +319,17 @@ Preconditions:
 
 - the URI must have been set (see :ref:`cs_set_uri`)
 
+.. _ptx/cs-get-ca:
 .. _cs_get_ca:
 
-cs_get_ca
-^^^^^^^^^
+ptx/cs-get-ca
+^^^^^^^^^^^^^
 
 Usage:
 
-.. code-block:: bash
+.. code-block:: make
 
-    cs_get_ca <role>
+    $(call ptx/cs-get-ca, <PKG>, <role>)
 
 Get path to the CA keyring in PEM format for role.
 
@@ -347,7 +350,7 @@ Example:
 
    # set up kernel module signing, and add a trusted CA if the provider set one
    KERNEL_SIGN_OPT =
-   	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \
+   	CONFIG_MODULE_SIG_KEY='"$(call ptx/cs-get-uri, KERNEL, kernel-modules)"' \
    	CONFIG_MODULE_SIG_ALL=y \
-   	$(if $(shell cs_get_ca kernel-trusted), \
-   		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
+   	$(if $(call ptx/cs-get-ca, KERNEL, kernel-trusted), \
+   		CONFIG_SYSTEM_TRUSTED_KEYS=$(call ptx/cs-get-ca, KERNEL, kernel-trusted))
diff --git a/rules/barebox.make b/rules/barebox.make
index bea9f3adcbf8..983d34032e0d 100644
--- a/rules/barebox.make
+++ b/rules/barebox.make
@@ -103,7 +103,7 @@ endif
 ifdef PTXCONF_CODE_SIGNING
 BAREBOX_MAKE_ENV = \
 	$(CODE_SIGNING_ENV) \
-	IMAGE_KERNEL_FIT_KEY="$(shell cs_get_uri image-kernel-fit)"
+	IMAGE_KERNEL_FIT_KEY="$(call ptx/cs-get-uri, BAREBOX, image-kernel-fit)"
 endif
 
 $(STATEDIR)/barebox.compile:
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index fe1b0e89be7c..c8747231f8f1 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -32,9 +32,9 @@ IMAGE_RAUC_ENV	= \
 	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
 	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
 	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
-	RAUC_KEY="$(shell cs_get_uri update)" \
-	RAUC_CERT="$(shell cs_get_uri update)" \
-	RAUC_KEYRING="$(shell cs_get_ca update)"
+	RAUC_KEY="$(call ptx/cs-get-uri, IMAGE_RAUC, update)" \
+	RAUC_CERT="$(call ptx/cs-get-uri, IMAGE_RAUC, update)" \
+	RAUC_KEYRING="$(call ptx/cs-get-ca, IMAGE_RAUC, update)"
 
 $(IMAGE_RAUC_IMAGE):
 	@$(call targetinfo)
diff --git a/rules/kernel.make b/rules/kernel.make
index 9caff677918e..e6faba82df38 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -73,12 +73,12 @@ KERNEL_BASE_OPT		= \
 
 ifdef PTXCONF_KERNEL_CODE_SIGNING
 KERNEL_BASE_OPT		+= \
-	$(if $(shell cs_get_ca kernel-trusted), \
-		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
+	$(if $(call ptx/cs-get-ca, KERNEL, kernel-trusted), \
+		CONFIG_SYSTEM_TRUSTED_KEYS=$(call ptx/cs-get-ca, KERNEL, kernel-trusted))
 endif
 ifdef PTXCONF_KERNEL_MODULES_SIGN
 KERNEL_BASE_OPT		+= \
-	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"'
+	CONFIG_MODULE_SIG_KEY='"$(call ptx/cs-get-uri, KERNEL, kernel-modules)"'
 endif
 
 # Intermediate option. This will be used by kernel module packages.
diff --git a/rules/pre/030-code-signing-consumers.make b/rules/pre/030-code-signing-consumers.make
new file mode 100644
index 000000000000..72ee8e63b7b9
--- /dev/null
+++ b/rules/pre/030-code-signing-consumers.make
@@ -0,0 +1,41 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 Roland Hieber, Pengutronix <rhi@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+#
+
+#
+# Usage: $(call ptx/cs-consumer-env, <PKG>)
+#
+# We usually want to use cs-get-* macros inside a <PKG>_MAKE_OPT etc., which is
+# referenced in world/env, so we cannot use world/env to set pkg_name without
+# running into circular variable dependencies.
+#
+ptx/cs-consumer-env = \
+	pkg_name='$(PTX_MAP_TO_package_$(strip $(1)))' \
+	$(CODE_SIGNING_ENV)
+
+#
+# Usage: $(call ptx/cs-get-uri, <PKG>, <role>)
+#
+ptx/cs-get-uri = \
+	$(strip \
+		$(shell \
+			$(call ptx/cs-consumer-env, $(1))\
+				cs_get_uri '$(strip $(2))'\
+		)\
+	)
+
+#
+# Usage: $(call ptx/cs-get-ca, <PKG>, <role>)
+#
+ptx/cs-get-ca = \
+	$(strip \
+		$(shell \
+			$(call ptx/cs-consumer-env, $(1))\
+				cs_get_ca '$(strip $(2))'\
+		)\
+	)
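Review bot: In `ptx/cs-consumer-env`, `pkg_name='$(PTX_MAP_TO_package_$(strip $(1)))'` expands to an empty string when `<PKG>` is misspelled or has no map entry, and the `[ -z "${pkg_name}" ]` guards this patch adds to `cs_get_uri` and `cs_get_ca` then report that the old `$(shell …)` call is no longer supported, which sends the user looking for the wrong problem. Consider checking the lookup in the macro itself, for example `$(if $(PTX_MAP_TO_package_$(strip $(1))),,$(error unknown package '$(strip $(1))'))`, so that a wrong package argument gets its own message and the shell-side guard only ever fires for genuine old-API callers.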
diff --git a/rules/rauc.make b/rules/rauc.make
index 08df6336a7cd..3c28befcd3ff 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -78,7 +78,7 @@ ifdef PTXCONF_RAUC_CONFIGURATION
 	@$(call install_replace, rauc, /etc/rauc/system.conf, \
 		@RAUC_BUNDLE_COMPATIBLE@, \
 		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
-	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
+	@$(call install_copy, rauc, 0, 0, 0644, $(call ptx/cs-get-ca, RAUC, update), \
 		/etc/rauc/ca.cert.pem)
 endif
 
diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
index cc825dc90292..b2d5d7100fc9 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -64,9 +64,9 @@ endif
 
 BAREBOX_@PACKAGE@_MAKE_ENV	= \
 	$(CODE_SIGNING_ENV) \
-	CSF="$(shell cs_get_uri imx-habv4-csf1)" \
-	IMG="$(shell cs_get_uri imx-habv4-img1)" \
-	FIT_KEY="$(shell cs_get_uri image-kernel-fit)"
+	CSF="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, imx-habv4-csf1)" \
+	IMG="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, imx-habv4-img1)" \
+	FIT_KEY="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, image-kernel-fit)"
 
 BAREBOX_@PACKAGE@_MAKE_OPT	:= $(BAREBOX_@PACKAGE@_CONF_OPT)
 
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 66a2cab81395..24730d3cf742 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 #
 # Copyright (C) 2019 Sascha Hauer <s.hauer@pengutronix.de>
+# Copyright (C) 2021 Roland Hieber, Pengutronix <rhi@pengutronix.de>
 #
 # For further information about the PTXdist project and license conditions
 # see the README file.
@@ -176,6 +177,12 @@ export -f cs_set_uri
 # Get the uri from a role
 #
 cs_get_uri() {
+    if [ -z "${pkg_name}" ]; then
+	    echo ERROR_UNSUPPORTED_CS_API_CALL
+	    ptxd_bailout '$(shell cs_get_uri, <role>) is no longer supported in make files.' \
+		'Use $(call ptx/cs-get-uri, <PKG>, <role>) instead.'
+    fi
+
     local role="${1}"
     cs_init_variables
 
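Review bot: The bailout text in `cs_get_uri` quotes the old call as `$(shell cs_get_uri, <role>)` with a comma after the function name, but the call sites removed by this patch were written `$(shell cs_get_uri update)` without one, so the message shows a form nobody used; drop the comma. The guard also keys only on `pkg_name` being empty, so it fires for any caller that has not exported that variable, not just make files as the message says; either reword the message or document that `pkg_name` is now a required part of the environment for this function. As a style point, the added block mixes four-space indentation on the `if`/`fi` lines with tab-plus-spaces on the body lines.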
@@ -297,6 +304,12 @@ export -f cs_import_key_from_pem
 # Get the path to the CA in pem format from a role
 #
 cs_get_ca() {
+    if [ -z "${pkg_name}" ]; then
+	    echo ERROR_UNSUPPORTED_CS_API_CALL
+	    ptxd_bailout '$(shell cs_get_ca, …) is no longer supported in make files.' \
+		'Use $(call ptx/cs-get-ca, <PKG>, …) instead.'
+    fi
+
     local role="${1}"
     cs_init_variables
 
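Review bot: The guard at the top of `cs_get_ca` is a copy of the one added to `cs_get_uri` with only the function name changed, and the two messages already differ in style (`<role>` in one, `…` in the other). A small shared helper that takes the function name and the macro name as arguments, called as the first statement of both functions, would keep the check and its wording in one place and make it easy to apply to further consumer functions later.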
-- 
2.30.2

