From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Roland Hieber <rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v2 1/4] ptxd_lib_code_signing: take PKCS#11 PIN from the environment
Date: Tue, 10 Aug 2021 11:59:57 +0200
Message-ID: <20210810100000.26602-1-rhi@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v2: no changes
PATCH v1: https://lore.ptxdist.org/ptxdist/20210809144030.22764-1-rhi@pengutronix.de
---
bin/ptxdist | 2 +-
doc/dev_code_signing.rst | 12 ++++++++++++
scripts/lib/ptxd_lib_code_signing.sh | 21 +++++++++++++++++++++
3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/bin/ptxdist b/bin/ptxdist
index 2faaf535c1b9..6e843c26c37d 100755
--- a/bin/ptxdist
+++ b/bin/ptxdist
@@ -2163,7 +2163,7 @@ setup_env() {
unset $({
export -p | sed -n 's/^declare -x \([^=]*\).*$/\1/p'
export -fp | sed -n 's/^declare -fx \([^=]*\).*$/\1/p'
- } | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$")
+ } | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|PTXDIST_PKCS11_PIN|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$")
######## the environment is clean now ########
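Review bot: the commit message gives no rationale for adding PTXDIST_PKCS11_PIN to the whitelist in setup_env(); since this is the one place where a secret is deliberately allowed to survive the environment scrubbing, a sentence in the commit message (or a comment next to the egrep) saying that the PIN is picked up again by cs_export_pin for the signing tools would make the intent clear to whoever edits this list next.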
diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index b9a7c42f2a55..8407b6a3ed3d 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -172,3 +172,15 @@ also via an environment variable.
(``=``, not ``:=``).
Otherwise the variable is expanded before a code signing provider can perform
its setup.
+
+PIN Handling
+^^^^^^^^^^^^
+
+You can also supply the PKCS#11 PIN in the environment variable
+``PTXDIST_PKCS11_PIN`` when calling PTXdist instead of including it in the
+URI (using the parameter ``pin-value=<pin>``).
+This has the advantage that the PIN is not printed to the terminal or the
+logfile during the PTXdist run.
+The value of this variable is passed on in the environment to several programs
+that access the PKCS#11 API during the build (e.g. the kernel build system, the
+i.MX code signing tool, evmctl, mkfs, u-Boot's mkimage, rauc).
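Review bot: the new "PIN Handling" section does not say what happens when both PTXDIST_PKCS11_PIN and a `pin-value=<pin>` parameter in the URI are given, or which one takes precedence; one sentence on that would save users from guessing. Two smaller points: "u-Boot's mkimage" should read "U-Boot's mkimage", and since the text itself says the value is passed on in the environment to several programs, it would be worth stating that "not printed to the terminal or the logfile" does not mean the PIN is hidden from those processes' environment.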
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 5ba1a4666af4..5579161cd5cf 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -1,6 +1,7 @@
#!/bin/bash
#
# Copyright (C) 2019 Sascha Hauer <s.hauer@pengutronix.de>
+# Copyright (C) 2021 Marc Kleine-Budde <mkl@pengutronix.de>
#
# For further information about the PTXdist project and license conditions
# see the README file.
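Review bot: a copyright line for Marc Kleine-Budde is added here, but the patch carries only Roland Hieber's Signed-off-by; if cs_export_pin originates from Marc, that should be reflected in the commit message with the appropriate author or Co-developed-by/Signed-off-by trailer rather than only in the file header, otherwise the new copyright line needs an explanation.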
@@ -11,6 +12,26 @@
# infrastructure.
#
+#
+# cs_export_pin
+#
+# Called at startup to export the PKCS#11 PIN to environment variables that are
+# used by the individual signing programs
+#
+cs_export_pin() {
+ if [ -z ${PTXDIST_PKCS11_PIN} ]; then
+ return
+ fi
+
+ export CST_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export EVMCTL_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export KBUILD_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export MKFS_UBIFS_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export MKIMAGE_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export RAUC_PKCS11_PIN=${PTXDIST_PKCS11_PIN}
+}
+cs_export_pin
+
cs_check_env() {
if [ -z "${SOFTHSM2_CONF}" ]; then
ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used."
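Review bot: the test in cs_export_pin, `if [ -z ${PTXDIST_PKCS11_PIN} ]; then`, leaves the expansion unquoted, so a PIN containing whitespace or glob characters produces a test(1) syntax error or a wrong result; quote it as `if [ -z "${PTXDIST_PKCS11_PIN}" ]; then`, which also matches the quoting already used in cs_check_env below. The six export lines are correct as written (assignments do not word-split), but quoting them as well would keep the style uniform. Also, cs_export_pin is run unconditionally at the moment the library is sourced; the function header says "Called at startup" without saying by whom, so a short comment at the `cs_export_pin` call would help.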
--
2.30.2