Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- bin/ptxdist | 2 +- doc/dev_code_signing.rst | 12 ++++++++++++ scripts/lib/ptxd_lib_code_signing.sh | 21 +++++++++++++++++++++ 3 files changed, 34 insertions(+), 1 deletion(-) diff --git a/bin/ptxdist b/bin/ptxdist index 2faaf535c1b9..6e843c26c37d 100755 --- a/bin/ptxdist +++ b/bin/ptxdist @@ -2163,7 +2163,7 @@ setup_env() { unset $({ export -p | sed -n 's/^declare -x \([^=]*\).*$/\1/p' export -fp | sed -n 's/^declare -fx \([^=]*\).*$/\1/p' - } | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$") + } | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|PTXDIST_PKCS11_PIN|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$") ######## the environment is clean now ######## diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst index b9a7c42f2a55..8407b6a3ed3d 100644 --- a/doc/dev_code_signing.rst +++ b/doc/dev_code_signing.rst @@ -172,3 +172,15 @@ also via an environment variable. (``=``, not ``:=``). Otherwise the variable is expanded before a code signing provider can perform its setup. + +PIN Handling +^^^^^^^^^^^^ + +You can also supply the PKCS#11 PIN in the environment variable +``PTXDIST_PKCS11_PIN`` when calling PTXdist instead of including it in the +URI (using the parameter ``pin-value=<pin>``). +This has the advantage that the PIN is not printed to the terminal or the +logfile during the PTXdist run. +The value of this variable is passed on in the environment to several programs +that access the PKCS#11 API during the build (e.g. the kernel build system, the +i.MX code signing tool, evmctl, mkfs, u-Boot's mkimage, rauc). diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 5ba1a4666af4..5579161cd5cf 100644 
--- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -1,6 +1,7 @@ #!/bin/bash # # Copyright (C) 2019 Sascha Hauer <s.hauer@pengutronix.de> +# Copyright (C) 2021 Marc Kleine-Budde <mkl@pengutronix.de> # # For further information about the PTXdist project and license conditions # see the README file. @@ -11,6 +12,26 @@ # infrastructure. # +# +# cs_export_pin +# +# Called at startup to export the PKCS#11 PIN to environment variables that are +# used by the individual signing programs +# +cs_export_pin() { + if [ -z ${PTXDIST_PKCS11_PIN} ]; then + return + fi + + export CST_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export EVMCTL_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export KBUILD_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export MKFS_UBIFS_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export MKIMAGE_SIGN_PIN=${PTXDIST_PKCS11_PIN} + export RAUC_PKCS11_PIN=${PTXDIST_PKCS11_PIN} +} +cs_export_pin + cs_check_env() { if [ -z "${SOFTHSM2_CONF}" ]; then ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used." -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
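Review bot: `if [ -z ${PTXDIST_PKCS11_PIN} ]; then` in cs_export_pin leaves the expansion unquoted, so a PIN containing whitespace makes `[` fail with "too many arguments" instead of being exported; write `if [ -z "${PTXDIST_PKCS11_PIN}" ]; then`. The six `export` lines place the PIN in the environment of every process started from this shell, not only the signing tools named in the documentation hunk, so any build step that records its environment (configure logs, `env` dumps) could still capture it — which steps do that is not visible in this patch. A sentence in the function header making that inheritance explicit would help, e.g. `# NOTE: the exported PIN variables are inherited by every child process of the build, not just the signing tools`.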
Checking for PKCS11_MODULE_PATH etc. is also useful for the non-SoftHSM workflow, but the other variables are specific to SoftHSM. Split off the SoftHSM checks up into a separate function. Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- scripts/lib/ptxd_lib_code_signing.sh | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 5579161cd5cf..f012f8e194c7 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -32,13 +32,8 @@ cs_export_pin() { } cs_export_pin +# internal cs_check_env() { - if [ -z "${SOFTHSM2_CONF}" ]; then - ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used." - fi - if [ ! -e "${SOFTHSM2_CONF}" ]; then - ptxd_bailout "'${SOFTHSM2_CONF}' is missing." - fi if [ -z "${PKCS11_MODULE_PATH}" ]; then ptxd_bailout "PKCS11_MODULE_PATH is not defined. Maybe \$(CODE_SIGNING_ENV) is not used." fi @@ -48,6 +43,18 @@ cs_check_env() { } export -f cs_check_env +# internal +cs_check_env_softhsm() { + cs_check_env + if [ -z "${SOFTHSM2_CONF}" ]; then + ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used." + fi + if [ ! -e "${SOFTHSM2_CONF}" ]; then + ptxd_bailout "'${SOFTHSM2_CONF}' is missing." + fi +} +export -f cs_check_env_softhsm + # # softhsm_pkcs11_tool_init <args> # @@ -88,7 +95,7 @@ export -f cs_init_variables # Initialize SoftHSM and set the initial pin # cs_init_softhsm() { - cs_check_env + cs_check_env_softhsm cs_init_variables local shsm_keys="${sysroot}/var/cache/softhsm/${keyprovider}" -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
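Review bot: cs_check_env_softhsm tests `SOFTHSM2_CONF` with `-e`, which also accepts a directory, while cs_init_softhsm later rewrites that path in place with `sed -i`; `if [ ! -f "${SOFTHSM2_CONF}" ]; then` states the actual requirement (or `-w` if it must be writable). The function calls cs_check_env first, so an unset PKCS11_MODULE_PATH is reported even in a pure SoftHSM setup; that ordering looks intended, and a one-line comment such as `# generic PKCS#11 checks first, then the SoftHSM-specific ones` would make it explicit. The `# internal` marker sits above functions that are nevertheless `export -f`'d; spelling out what internal means here (not part of the provider-facing API, but exported so sub-shells can use it) would avoid the apparent contradiction.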
Currently, sysroot-host/var/lib/keys/${keyprovider} is left over even when the provider package is cleaned. To help with this, introduce cs_clean and cs_clean_softhsm shell functions. The latter needs access to ${shsm_keys}, so move its definition into cs_init_variables (even if this function is not only meant for the SoftHSM workflow, the additional variable makes no trouble here). Call the cleanup functions in the clean stage of the providers, and also at the beginning of the compile stage to ensure a clean setup. For the latter, introduce cs_init for the non-SoftHSM use case. Reported-by: Bastian Stender <bst@pengutronix.de> Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- doc/ref_code_signing_helpers.rst | 46 +++++++++++++++++++ rules/host-ptx-code-signing-dev.make | 6 +++ .../ptxdist-set-keys-hsm.sh | 1 + .../template-code-signing-provider-make | 6 +++ scripts/lib/ptxd_lib_code_signing.sh | 44 ++++++++++++++++-- 5 files changed, 99 insertions(+), 4 deletions(-) diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst index fd16ca763557..0db35776b9c4 100644 --- a/doc/ref_code_signing_helpers.rst +++ b/doc/ref_code_signing_helpers.rst @@ -29,6 +29,20 @@ Usage: Initialize SoftHSM, and set the initial pins. +.. _cs_clean_softhsm: + +cs_clean_softhsm +^^^^^^^^^^^^^^^^ + +Usage: + +.. code-block:: bash + + cs_clean_softhsm + +Clean up everything that was installed into the host sysroot. +This function should be called by the provider during the ``clean`` stage. + .. _cs_import_cert_from_der: cs_import_cert_from_der 
@@ -125,6 +139,38 @@ These helpers allow to define roles, set PKCS#11 URIs and handle certificate authorities (CAs). HSM as well as SoftHSM code signing providers should use them. +.. _cs_init: + +cs_init +^^^^^^^ + +Usage: + +.. code-block:: bash + + cs_init + +Initialize the provider. +This function should be called at the start of the ``compile`` stage. +For the SoftHSM workflow, call :ref:`cs_init_softhsm` instead. + +This function also calls cs_clean. + +.. _cs_clean: + +cs_clean +^^^^^^^^ + +Usage: + +.. code-block:: bash + + cs_clean + +Clean up everything that was installed into the host sysroot. +This function should be called by the provider during the ``clean`` stage, +For the SoftHSM workflow, call :ref:`cs_clean_softhsm` instead. + .. _cs_define_role: cs_define_role diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make index b242d65fc1be..d09049eaa71b 100644 --- a/rules/host-ptx-code-signing-dev.make +++ b/rules/host-ptx-code-signing-dev.make @@ -44,4 +44,10 @@ $(STATEDIR)/host-ptx-code-signing-dev.install: @$(call targetinfo) @$(call touch) +$(STATEDIR)/host-ptx-code-signing-dev.clean: + @$(call targetinfo) + @$(call clean_pkg, HOST_PTX_CODE_SIGNING_DEV) + @$(HOST_PTX_CODE_SIGNING_DEV_MAKE_ENV) \ + cs_clean_softhsm + # vim: syntax=make diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh index b94eff049eac..b627541e30c1 100755 --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh @@ -43,6 +43,7 @@ set_imx_habv4_keys() { # HSM use case +cs_init set_fit_keys set_rauc_keys set_imx_habv4_keys diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make index 4cf9cac358cf..a4bd4a1e74c5 100644 --- a/rules/templates/template-code-signing-provider-make 
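Review bot: The new clean recipe runs `cs_clean_softhsm`, which in this series goes through cs_check_env_softhsm and ptxd_bailout, so `ptxdist clean host-ptx-code-signing-dev` now fails hard when SOFTHSM2_CONF or PKCS11_MODULE_PATH is unset or the config file is already gone, rather than just dropping the package state; whether `$(HOST_PTX_CODE_SIGNING_DEV_MAKE_ENV)` always provides them is not visible here. If cleaning a half-set-up tree should still succeed, either the recipe tolerates it (`cs_clean_softhsm || true`) or the library helper skips the bailout when there is nothing to remove. The recipe also relies on the function being exported into make's shell via `export -f`; a comment on the target noting that requirement would save the next reader a lookup.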
+++ b/rules/templates/template-code-signing-provider-make @@ -39,4 +39,10 @@ $(STATEDIR)/host-@package@-code-signing.install: @$(call targetinfo) @$(call touch) +$(STATEDIR)/host-@package@-code-signing.clean: + @$(call targetinfo) + @$(call clean_pkg, HOST_@PACKAGE@_CODE_SIGNING) + @$(HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV) \ + cs_clean # FIXME: alternatively, call cs_clean_softhsm + # vim: syntax=make diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index f012f8e194c7..e052fa3506b2 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -86,9 +86,21 @@ cs_init_variables() { sysroot="$(ptxd_get_ptxconf PTXCONF_SYSROOT_HOST)" keyprovider="$(ptxd_get_ptxconf PTXCONF_CODE_SIGNING_PROVIDER)" keydir="${sysroot}/var/lib/keys/${keyprovider}" + + shsm_keys="${sysroot}/var/cache/softhsm/${keyprovider}" } export -f cs_init_variables +# +# cs_init +# +# Initialize the provider +# +cs_init() { + cs_clean +} +export -f cs_init + # # cs_init_softhsm # @@ -97,10 +109,7 @@ export -f cs_init_variables cs_init_softhsm() { cs_check_env_softhsm cs_init_variables - local shsm_keys="${sysroot}/var/cache/softhsm/${keyprovider}" - - rm -rf "${shsm_keys}" && - rm -rf "${keydir}" && + cs_clean_softhsm && sed -i "s^directories.tokendir =.*^directories.tokendir = ${shsm_keys}^" \ ${SOFTHSM2_CONF} && 
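Review bot: `cs_clean # FIXME: alternatively, call cs_clean_softhsm` puts the FIXME inside the recipe line, so it is handed to the shell on every clean of a generated provider package and is copied verbatim into users' rule files; a make comment on its own line above the recipe, `# FIXME: SoftHSM-based providers should call cs_clean_softhsm here instead`, keeps the hint without executing it. Since the template is copied into projects, the choice between cs_clean and cs_clean_softhsm is worth a sentence in the template header too.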
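Review bot: cs_init_variables derives keydir and shsm_keys from PTXCONF_SYSROOT_HOST and PTXCONF_CODE_SIGNING_PROVIDER without checking that either lookup returned anything, and with this series those paths become the argument of `rm -rf` in the clean helpers; an empty sysroot would turn keydir into `/var/lib/keys/<provider>` on the host. A guard after the two lookups, `[ -n "${sysroot}" ] && [ -n "${keyprovider}" ] || ptxd_bailout "PTXCONF_SYSROOT_HOST or PTXCONF_CODE_SIGNING_PROVIDER is not set"`, keeps an unconfigured tree from deleting outside the sysroot. cs_init's header `# Initialize the provider` hides its only effect, which is destructive; `# Initialize the provider: removes a previous ${keydir} via cs_clean` says what callers should expect. cs_init_softhsm's body continues past the end of the hunk.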
@@ -112,6 +121,33 @@ cs_init_softhsm() { } export -f cs_init_softhsm +# +# cs_clean +# +# Clean up all files that were installed to the sysroot (generic variant) +# +cs_clean() { + cs_check_env && + cs_init_variables && + echo "Cleaning up ${keydir}" && + rm -rf "${keydir}" +} +export -f cs_clean + +# +# cs_clean +# +# Clean up all files that were installed to the sysroot (SoftHSM variant). +# +cs_clean_softhsm() { + cs_check_env_softhsm && + cs_init_variables && + cs_clean && + echo "Cleaning up ${shsm_keys}" && + rm -rf "${shsm_keys}" +} +export -f cs_clean_softhsm + # # cs_define_role <role> # -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
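Review bot: The header comment above cs_clean_softhsm names the wrong function (`# cs_clean`); it should read `# cs_clean_softhsm`, otherwise the two blocks are indistinguishable when grepping the file. cs_clean_softhsm calls cs_init_variables and then cs_clean, which calls cs_check_env and cs_init_variables again, so the environment checks and ptxconf lookups run twice per clean; dropping the two leading calls from cs_clean_softhsm and keeping only the SoftHSM check would remove the duplication (cs_check_env_softhsm already covers cs_check_env). Both deletions would also be safer as `rm -rf -- "${keydir}"` and `rm -rf -- "${shsm_keys}"` so a path that happens to start with a dash is not parsed as an option.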
On Mon, Aug 09, 2021 at 04:40:30PM +0200, Roland Hieber wrote: > Currently, sysroot-host/var/lib/keys/${keyprovider} is left over even > when the provider package is cleaned. To help with this, introduce > cs_clean and cs_clean_softhsm shell functions. The latter needs access > to ${shsm_keys}, so move its definition into cs_init_variables (even if > this function is not only meant for the SoftHSM workflow, the additional > variable makes no trouble here). Call the cleanup functions in the clean > stage of the providers, and also at the beginning of the compile stage > to ensure a clean setup. For the latter, introduce cs_init for the > non-SoftHSM use case. > > Reported-by: Bastian Stender <bst@pengutronix.de> > Signed-off-by: Roland Hieber <rhi@pengutronix.de> Bastian had some remarks offline, see v2 of this series. - Roland -- Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de | Steuerwalder Str. 21 | https://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de