[ptxdist] [PATCH 1/3] ptxd_lib_code_signing: take PKCS#11 PIN from the environment

mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed

* [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: take PKCS#11 PIN from the environment
@ 2021-08-09 14:40 Roland Hieber
  2021-08-09 14:40 ` [ptxdist] [PATCH 2/3] ptxd_lib_code_signing: refactor cs_check_env for SoftHSM workflow Roland Hieber
  2021-08-09 14:40 ` [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: let providers clean up their keys Roland Hieber
  0 siblings, 2 replies; 4+ messages in thread
From: Roland Hieber @ 2021-08-09 14:40 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
 bin/ptxdist                          |  2 +-
 doc/dev_code_signing.rst             | 12 ++++++++++++
 scripts/lib/ptxd_lib_code_signing.sh | 21 +++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/bin/ptxdist b/bin/ptxdist
index 2faaf535c1b9..6e843c26c37d 100755
--- a/bin/ptxdist
+++ b/bin/ptxdist
@@ -2163,7 +2163,7 @@ setup_env() {
 	unset $({
 		export -p  | sed -n 's/^declare -x \([^=]*\).*$/\1/p'
 		export -fp | sed -n 's/^declare -fx \([^=]*\).*$/\1/p'
-		} | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$")
+		} | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|PTXDIST_PKCS11_PIN|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$")
 
 	######## the environment is clean now ########
 
diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index b9a7c42f2a55..8407b6a3ed3d 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -172,3 +172,15 @@ also via an environment variable.
   (``=``, not ``:=``).
   Otherwise the variable is expanded before a code signing provider can perform
   its setup.
+
+PIN Handling
+^^^^^^^^^^^^
+
+You can also supply the PKCS#11 PIN in the environment variable
+``PTXDIST_PKCS11_PIN`` when calling PTXdist instead of including it in the
+URI (using the parameter ``pin-value=<pin>``).
+This has the advantage that the PIN is not printed to the terminal or the
+logfile during the PTXdist run.
+The value of this variable is passed on in the environment to several programs
+that access the PKCS#11 API during the build (e.g. the kernel build system, the
+i.MX code signing tool, evmctl, mkfs, u-Boot's mkimage, rauc).
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 5ba1a4666af4..5579161cd5cf 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 #
 # Copyright (C) 2019 Sascha Hauer <s.hauer@pengutronix.de>
+# Copyright (C) 2021 Marc Kleine-Budde <mkl@pengutronix.de>
 #
 # For further information about the PTXdist project and license conditions
 # see the README file.
@@ -11,6 +12,26 @@
 # infrastructure.
 #
 
+#
+# cs_export_pin
+#
+# Called at startup to export the PKCS#11 PIN to environment variables that are
+# used by the individual signing programs
+#
+cs_export_pin() {
+    if [ -z ${PTXDIST_PKCS11_PIN} ]; then
+        return
+    fi
+
+    export CST_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+    export EVMCTL_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+    export KBUILD_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+    export MKFS_UBIFS_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+    export MKIMAGE_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+    export RAUC_PKCS11_PIN=${PTXDIST_PKCS11_PIN}
+}
+cs_export_pin
+
 cs_check_env() {
     if [ -z "${SOFTHSM2_CONF}" ]; then
 	ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used."
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [ptxdist] [PATCH 2/3] ptxd_lib_code_signing: refactor cs_check_env for SoftHSM workflow
  2021-08-09 14:40 [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: take PKCS#11 PIN from the environment Roland Hieber
@ 2021-08-09 14:40 ` Roland Hieber
  2021-08-09 14:40 ` [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: let providers clean up their keys Roland Hieber
  1 sibling, 0 replies; 4+ messages in thread
From: Roland Hieber @ 2021-08-09 14:40 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Checking for PKCS11_MODULE_PATH etc. is also useful for the non-SoftHSM
workflow, but the other variables are specific to SoftHSM. Split off the
SoftHSM checks up into a separate function.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
 scripts/lib/ptxd_lib_code_signing.sh | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 5579161cd5cf..f012f8e194c7 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -32,13 +32,8 @@ cs_export_pin() {
 }
 cs_export_pin
 
+# internal
 cs_check_env() {
-    if [ -z "${SOFTHSM2_CONF}" ]; then
-	ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used."
-    fi
-    if [ ! -e "${SOFTHSM2_CONF}" ]; then
-	ptxd_bailout "'${SOFTHSM2_CONF}' is missing."
-    fi
     if [ -z "${PKCS11_MODULE_PATH}" ]; then
 	ptxd_bailout "PKCS11_MODULE_PATH is not defined. Maybe \$(CODE_SIGNING_ENV) is not used."
     fi
@@ -48,6 +43,18 @@ cs_check_env() {
 }
 export -f cs_check_env
 
+# internal
+cs_check_env_softhsm() {
+    cs_check_env
+    if [ -z "${SOFTHSM2_CONF}" ]; then
+	ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used."
+    fi
+    if [ ! -e "${SOFTHSM2_CONF}" ]; then
+	ptxd_bailout "'${SOFTHSM2_CONF}' is missing."
+    fi
+}
+export -f cs_check_env_softhsm
+
 #
 # softhsm_pkcs11_tool_init <args>
 #
@@ -88,7 +95,7 @@ export -f cs_init_variables
 # Initialize SoftHSM and set the initial pin
 #
 cs_init_softhsm() {
-    cs_check_env
+    cs_check_env_softhsm
     cs_init_variables
     local shsm_keys="${sysroot}/var/cache/softhsm/${keyprovider}"
 
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: let providers clean up their keys
  2021-08-09 14:40 [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: take PKCS#11 PIN from the environment Roland Hieber
  2021-08-09 14:40 ` [ptxdist] [PATCH 2/3] ptxd_lib_code_signing: refactor cs_check_env for SoftHSM workflow Roland Hieber
@ 2021-08-09 14:40 ` Roland Hieber
  2021-08-10  9:58   ` Roland Hieber
  1 sibling, 1 reply; 4+ messages in thread
From: Roland Hieber @ 2021-08-09 14:40 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber, Bastian Stender

Currently, sysroot-host/var/lib/keys/${keyprovider} is left over even
when the provider package is cleaned. To help with this, introduce
cs_clean and cs_clean_softhsm shell functions. The latter needs access
to ${shsm_keys}, so move its definition into cs_init_variables (even if
this function is not only meant for the SoftHSM workflow, the additional
variable makes no trouble here). Call the cleanup functions in the clean
stage of the providers, and also at the beginning of the compile stage
to ensure a clean setup. For the latter, introduce cs_init for the
non-SoftHSM use case.

Reported-by: Bastian Stender <bst@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
 doc/ref_code_signing_helpers.rst              | 46 +++++++++++++++++++
 rules/host-ptx-code-signing-dev.make          |  6 +++
 .../ptxdist-set-keys-hsm.sh                   |  1 +
 .../template-code-signing-provider-make       |  6 +++
 scripts/lib/ptxd_lib_code_signing.sh          | 44 ++++++++++++++++--
 5 files changed, 99 insertions(+), 4 deletions(-)

diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index fd16ca763557..0db35776b9c4 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -29,6 +29,20 @@ Usage:
 
 Initialize SoftHSM, and set the initial pins.
 
+.. _cs_clean_softhsm:
+
+cs_clean_softhsm
+^^^^^^^^^^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+    cs_clean_softhsm
+
+Clean up everything that was installed into the host sysroot.
+This function should be called by the provider during the ``clean`` stage.
+
 .. _cs_import_cert_from_der:
 
 cs_import_cert_from_der
@@ -125,6 +139,38 @@ These helpers allow to define roles, set PKCS#11 URIs and handle certificate
 authorities (CAs).
 HSM as well as SoftHSM code signing providers should use them.
 
+.. _cs_init:
+
+cs_init
+^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+    cs_init
+
+Initialize the provider.
+This function should be called at the start of the ``compile`` stage.
+For the SoftHSM workflow, call :ref:`cs_init_softhsm` instead.
+
+This function also calls cs_clean.
+
+.. _cs_clean:
+
+cs_clean
+^^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+    cs_clean
+
+Clean up everything that was installed into the host sysroot.
+This function should be called by the provider during the ``clean`` stage,
+For the SoftHSM workflow, call :ref:`cs_clean_softhsm` instead.
+
 .. _cs_define_role:
 
 cs_define_role
diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
index b242d65fc1be..d09049eaa71b 100644
--- a/rules/host-ptx-code-signing-dev.make
+++ b/rules/host-ptx-code-signing-dev.make
@@ -44,4 +44,10 @@ $(STATEDIR)/host-ptx-code-signing-dev.install:
 	@$(call targetinfo)
 	@$(call touch)
 
+$(STATEDIR)/host-ptx-code-signing-dev.clean:
+	@$(call targetinfo)
+	@$(call clean_pkg, HOST_PTX_CODE_SIGNING_DEV)
+	@$(HOST_PTX_CODE_SIGNING_DEV_MAKE_ENV) \
+		cs_clean_softhsm
+
 # vim: syntax=make
diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
index b94eff049eac..b627541e30c1 100755
--- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
@@ -43,6 +43,7 @@ set_imx_habv4_keys() {
 
 
 # HSM use case
+cs_init
 set_fit_keys
 set_rauc_keys
 set_imx_habv4_keys
diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
index 4cf9cac358cf..a4bd4a1e74c5 100644
--- a/rules/templates/template-code-signing-provider-make
+++ b/rules/templates/template-code-signing-provider-make
@@ -39,4 +39,10 @@ $(STATEDIR)/host-@package@-code-signing.install:
 	@$(call targetinfo)
 	@$(call touch)
 
+$(STATEDIR)/host-@package@-code-signing.clean:
+	@$(call targetinfo)
+	@$(call clean_pkg, HOST_@PACKAGE@_CODE_SIGNING)
+	@$(HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV) \
+		cs_clean # FIXME: alternatively, call cs_clean_softhsm
+
 # vim: syntax=make
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index f012f8e194c7..e052fa3506b2 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -86,9 +86,21 @@ cs_init_variables() {
     sysroot="$(ptxd_get_ptxconf PTXCONF_SYSROOT_HOST)"
     keyprovider="$(ptxd_get_ptxconf PTXCONF_CODE_SIGNING_PROVIDER)"
     keydir="${sysroot}/var/lib/keys/${keyprovider}"
+
+    shsm_keys="${sysroot}/var/cache/softhsm/${keyprovider}"
 }
 export -f cs_init_variables
 
+#
+# cs_init
+#
+# Initialize the provider
+#
+cs_init() {
+    cs_clean
+}
+export -f cs_init
+
 #
 # cs_init_softhsm
 #
@@ -97,10 +109,7 @@ export -f cs_init_variables
 cs_init_softhsm() {
     cs_check_env_softhsm
     cs_init_variables
-    local shsm_keys="${sysroot}/var/cache/softhsm/${keyprovider}"
-
-    rm -rf "${shsm_keys}" &&
-    rm -rf "${keydir}" &&
+    cs_clean_softhsm &&
 
     sed -i "s^directories.tokendir =.*^directories.tokendir = ${shsm_keys}^" \
 	${SOFTHSM2_CONF} &&
@@ -112,6 +121,33 @@ cs_init_softhsm() {
 }
 export -f cs_init_softhsm
 
+#
+# cs_clean
+#
+# Clean up all files that were installed to the sysroot (generic variant)
+#
+cs_clean() {
+    cs_check_env &&
+    cs_init_variables &&
+    echo "Cleaning up ${keydir}" &&
+    rm -rf "${keydir}"
+}
+export -f cs_clean
+
+#
+# cs_clean
+#
+# Clean up all files that were installed to the sysroot (SoftHSM variant).
+#
+cs_clean_softhsm() {
+    cs_check_env_softhsm &&
+    cs_init_variables &&
+    cs_clean &&
+    echo "Cleaning up ${shsm_keys}" &&
+    rm -rf "${shsm_keys}"
+}
+export -f cs_clean_softhsm
+
 #
 # cs_define_role <role>
 #
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: let providers clean up their keys
  2021-08-09 14:40 ` [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: let providers clean up their keys Roland Hieber
@ 2021-08-10  9:58   ` Roland Hieber
  0 siblings, 0 replies; 4+ messages in thread
From: Roland Hieber @ 2021-08-10  9:58 UTC (permalink / raw)
  To: ptxdist

On Mon, Aug 09, 2021 at 04:40:30PM +0200, Roland Hieber wrote:
> Currently, sysroot-host/var/lib/keys/${keyprovider} is left over even
> when the provider package is cleaned. To help with this, introduce
> cs_clean and cs_clean_softhsm shell functions. The latter needs access
> to ${shsm_keys}, so move its definition into cs_init_variables (even if
> this function is not only meant for the SoftHSM workflow, the additional
> variable makes no trouble here). Call the cleanup functions in the clean
> stage of the providers, and also at the beginning of the compile stage
> to ensure a clean setup. For the latter, introduce cs_init for the
> non-SoftHSM use case.
> 
> Reported-by: Bastian Stender <bst@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>

Bastian had some remarks offline, see v2 of this series.

 - Roland

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-08-10  9:58 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-09 14:40 [ptxdist] [PATCH 1/3] ptxd_lib_code_signing: take PKCS#11 PIN from the environment Roland Hieber
2021-08-09 14:40 ` [ptxdist] [PATCH 2/3] ptxd_lib_code_signing: refactor cs_check_env for SoftHSM workflow Roland Hieber
2021-08-09 14:40 ` [ptxdist] [PATCH 3/3] ptxd_lib_code_signing: let providers clean up their keys Roland Hieber
2021-08-10  9:58   ` Roland Hieber

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox