From: Roland Hieber
To: ptxdist@pengutronix.de
Cc: Roland Hieber
Date: Mon, 9 Aug 2021 16:40:28 +0200
Message-Id: <20210809144030.22764-1-rhi@pengutronix.de>
X-Mailer: git-send-email 2.30.2
Subject: [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: take PKCS#11 PIN from the environment
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de

Signed-off-by: Roland Hieber
---
 bin/ptxdist                          |  2 +-
 doc/dev_code_signing.rst             | 12 ++++++++++++
 scripts/lib/ptxd_lib_code_signing.sh | 21 +++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/bin/ptxdist b/bin/ptxdist index 2faaf535c1b9..6e843c26c37d 100755 --- a/bin/ptxdist +++ b/bin/ptxdist @@ -2163,7 +2163,7 @@ setup_env() { unset $({ export -p | sed -n 's/^declare -x \([^=]*\).*$/\1/p' export -fp | sed -n 's/^declare -fx \([^=]*\).*$/\1/p' - } | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$") + } | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|PTXDIST_PKCS11_PIN|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$") ######## the environment is clean now ######## diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst index b9a7c42f2a55..8407b6a3ed3d 100644 --- a/doc/dev_code_signing.rst +++ b/doc/dev_code_signing.rst @@ -172,3 +172,15 @@ also via an environment variable. (``=``, not ``:=``). Otherwise the variable is expanded before a code signing provider can perform its setup. + +PIN Handling +^^^^^^^^^^^^ + +You can also supply the PKCS#11 PIN in the environment variable +``PTXDIST_PKCS11_PIN`` when calling PTXdist instead of including it in the +URI (using the parameter ``pin-value=``). +This has the advantage that the PIN is not printed to the terminal or the +logfile during the PTXdist run. +The value of this variable is passed on in the environment to several programs +that access the PKCS#11 API during the build (e.g. the kernel build system, the +i.MX code signing tool, evmctl, mkfs, u-Boot's mkimage, rauc). diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 5ba1a4666af4..5579161cd5cf 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh 
@@ -1,6 +1,7 @@ #!/bin/bash # # Copyright (C) 2019 Sascha Hauer +# Copyright (C) 2021 Marc Kleine-Budde # # For further information about the PTXdist project and license conditions # see the README file. @@ -11,6 +12,26 @@ # infrastructure. # +# +# cs_export_pin +# +# Called at startup to export the PKCS#11 PIN to environment variables that are +# used by the individual signing programs +# +cs_export_pin() { + if [ -z ${PTXDIST_PKCS11_PIN} ]; then + return + fi + + export CST_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export EVMCTL_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export KBUILD_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export MKFS_UBIFS_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export MKIMAGE_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export RAUC_PKCS11_PIN=${PTXDIST_PKCS11_PIN} +} +cs_export_pin + cs_check_env() { if [ -z "${SOFTHSM2_CONF}" ]; then ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used." -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
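Review bot: in the bin/ptxdist hunk, adding PTXDIST_PKCS11_PIN to the `egrep -v "^(...)$"` whitelist keeps the raw PIN in the environment that every later build step inherits, in addition to the six per-tool copies that cs_export_pin creates, so the PIN becomes readable by any process in the build (environment dumps from a verbose configure run, `env` in a make rule, core files); that is an acceptable trade-off for a build-host secret, but it should be stated explicitly in the commit message, which currently carries nothing but the Signed-off-by, and in the documentation. A small style point: the PTXDIST_* entries in that alternation are now split (PTXDIST_PTXRC at the front, PTXDIST_PKCS11_PIN after PTX_AUTOBUILD_DESTDIR); keeping them adjacent makes the whitelist easier to audit.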
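Review bot: the new "PIN Handling" section in doc/dev_code_signing.rst states that the PIN "is not printed to the terminal or the logfile", while the next sentence says the value is passed in the environment to every program that touches PKCS#11 during the build; the first claim only holds as long as no build step echoes its environment, so qualify it ("PTXdist itself does not print the PIN; tools that dump their environment still can") rather than stating it unconditionally. The tool list should also name the variables that are actually exported (CST_SIGN_PIN, EVMCTL_SIGN_PIN, KBUILD_SIGN_PIN, MKFS_UBIFS_SIGN_PIN, MKIMAGE_SIGN_PIN, RAUC_PKCS11_PIN), so that whoever adds another signing tool knows which convention to follow; "mkfs" is imprecise where the code is specific to mkfs.ubifs, and "u-Boot" should be spelled "U-Boot".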
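Review bot: in cs_export_pin, `if [ -z ${PTXDIST_PKCS11_PIN} ]; then` leaves the expansion unquoted, so a PIN containing whitespace or glob characters is split into several arguments and `[` aborts with "too many arguments" (the empty case only works because `[ -z ]` happens to evaluate to true); write it as `if [ -z "${PTXDIST_PKCS11_PIN}" ]; then`, matching the quoting used a few lines below in cs_check_env for `"${SOFTHSM2_CONF}"`. The `export X=${PTXDIST_PKCS11_PIN}` lines are safe because word splitting does not apply to assignments, but quoting them as well keeps the function consistent. Separately, the hunk adds "Copyright (C) 2021 Marc Kleine-Budde" while the mail carries only Roland Hieber's Signed-off-by; if Marc authored the function, the patch should carry a matching From:/author line or a Co-developed-by: tag for him.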