From: Roland Hieber
To: ptxdist@pengutronix.de
Cc: Roland Hieber, Bastian Krause
Date: Tue, 10 Aug 2021 11:59:59 +0200
Message-Id: <20210810100000.26602-3-rhi@pengutronix.de>
In-Reply-To: <20210810100000.26602-1-rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v2 3/4] ptxd_lib_code_signing: let providers clean up their installed files

Currently, sysroot-host/var/lib/keys/${keyprovider} is left over even
when the provider package is cleaned, which could lead to
inconsistencies and leaked key material in the SoftHSM use case.

Introduce cs_clean and cs_clean_softhsm shell functions to clean up
those files. Call the cleanup functions in the clean stage of the
providers.

Reported-by: Bastian Krause
Signed-off-by: Roland Hieber
---
PATCH v2:
 - spell Bastian's last name correctly (sorry!) (feedback from Bastian Krause)
 - split off and extend cs_init stuff into next patch

PATCH v1: https://lore.ptxdist.org/ptxdist/20210809144030.22764-3-rhi@pengutronix.de
---
 doc/ref_code_signing_helpers.rst              | 29 ++++++++++++++++
 rules/host-ptx-code-signing-dev.make          |  6 ++++
 .../template-code-signing-provider-make       |  6 ++++
 scripts/lib/ptxd_lib_code_signing.sh          | 34 ++++++++++++++++---
 4 files changed, 71 insertions(+), 4 deletions(-)

diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst index fd16ca763557..e1ea5d981a89 100644 --- a/doc/ref_code_signing_helpers.rst +++ b/doc/ref_code_signing_helpers.rst @@ -29,6 +29,20 @@ Usage: Initialize SoftHSM, and set the initial pins. +.. _cs_clean_softhsm: + +cs_clean_softhsm +^^^^^^^^^^^^^^^^ + +Usage: + +.. code-block:: bash + + cs_clean_softhsm + +Clean up everything that was installed into the host sysroot. +This function should be called by the provider during the ``clean`` stage. + .. _cs_import_cert_from_der: cs_import_cert_from_der @@ -125,6 +139,21 @@ These helpers allow to define roles, set PKCS#11 URIs and handle certificate authorities (CAs). HSM as well as SoftHSM code signing providers should use them. +.. _cs_clean: + +cs_clean +^^^^^^^^ + +Usage: + +.. code-block:: bash + + cs_clean + +Clean up everything that was installed into the host sysroot. +This function should be called by the provider during the ``clean`` stage, +For the SoftHSM workflow, call :ref:`cs_clean_softhsm` instead. + .. _cs_define_role: cs_define_role diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make index b242d65fc1be..d09049eaa71b 100644 --- a/rules/host-ptx-code-signing-dev.make +++ b/rules/host-ptx-code-signing-dev.make @@ -44,4 +44,10 @@ $(STATEDIR)/host-ptx-code-signing-dev.install: @$(call targetinfo) @$(call touch) +$(STATEDIR)/host-ptx-code-signing-dev.clean: + @$(call targetinfo) + @$(call clean_pkg, HOST_PTX_CODE_SIGNING_DEV) + @$(HOST_PTX_CODE_SIGNING_DEV_MAKE_ENV) \ + cs_clean_softhsm + # vim: syntax=make diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make index 4cf9cac358cf..a4bd4a1e74c5 100644 --- a/rules/templates/template-code-signing-provider-make +++ b/rules/templates/template-code-signing-provider-make 
@@ -39,4 +39,10 @@ $(STATEDIR)/host-@package@-code-signing.install: @$(call targetinfo) @$(call touch) +$(STATEDIR)/host-@package@-code-signing.clean: + @$(call targetinfo) + @$(call clean_pkg, HOST_@PACKAGE@_CODE_SIGNING) + @$(HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV) \ + cs_clean # FIXME: alternatively, call cs_clean_softhsm + # vim: syntax=make diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index f012f8e194c7..b0d54f47f832 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -86,6 +86,8 @@ cs_init_variables() { sysroot="$(ptxd_get_ptxconf PTXCONF_SYSROOT_HOST)" keyprovider="$(ptxd_get_ptxconf PTXCONF_CODE_SIGNING_PROVIDER)" keydir="${sysroot}/var/lib/keys/${keyprovider}" + + shsm_keys="${sysroot}/var/cache/softhsm/${keyprovider}" } export -f cs_init_variables @@ -97,10 +99,7 @@ export -f cs_init_variables cs_init_softhsm() { cs_check_env_softhsm cs_init_variables - local shsm_keys="${sysroot}/var/cache/softhsm/${keyprovider}" - - rm -rf "${shsm_keys}" && - rm -rf "${keydir}" && + cs_clean_softhsm && sed -i "s^directories.tokendir =.*^directories.tokendir = ${shsm_keys}^" \ ${SOFTHSM2_CONF} && @@ -112,6 +111,33 @@ cs_init_softhsm() { } export -f cs_init_softhsm +# +# cs_clean +# +# Clean up all files that were installed to the sysroot (generic variant) +# +cs_clean() { + cs_check_env && + cs_init_variables && + echo "Cleaning up ${keydir}" && + rm -rf "${keydir}" +} +export -f cs_clean + +# +# cs_clean +# +# Clean up all files that were installed to the sysroot (SoftHSM variant). +# +cs_clean_softhsm() { + cs_check_env_softhsm && + cs_init_variables && + cs_clean && + echo "Cleaning up ${shsm_keys}" && + rm -rf "${shsm_keys}" +} +export -f cs_clean_softhsm + # # cs_define_role # -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
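
Review bot: In doc/ref_code_signing_helpers.rst, the new cs_clean section ends the line "This function should be called by the provider during the ``clean`` stage," with a comma, while the next line starts a new sentence with "For the SoftHSM workflow"; replace the comma with a full stop. The cs_clean_softhsm section carries the same one-line description as cs_clean, so it would help to state there that it additionally removes the SoftHSM token directory under var/cache/softhsm.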
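
Review bot: In rules/templates/template-code-signing-provider-make, the new clean rule defaults to cs_clean and mentions cs_clean_softhsm only in a trailing FIXME comment. A SoftHSM provider generated from the template that keeps the default leaves ${sysroot}/var/cache/softhsm/${keyprovider} behind, which is the leftover key material the commit message sets out to remove; a comment line above the rule that tells SoftHSM providers to switch the call would be harder to overlook. Also, cs_clean derives keydir from PTXCONF_CODE_SIGNING_PROVIDER and not from the package being cleaned, so please confirm that a provider package cannot be cleaned while a different provider is selected, since the rule would then remove the selected provider's keys and keep its own.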
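
Review bot: In the cs_init_softhsm hunk of scripts/lib/ptxd_lib_code_signing.sh, replacing the two unconditional rm -rf lines with "cs_clean_softhsm &&" adds a dependency on cs_check_env, because cs_clean_softhsm calls cs_clean and cs_clean starts with "cs_check_env &&". If cs_check_env can fail in an environment where cs_check_env_softhsm passes, SoftHSM initialization now aborts where it previously succeeded. The call also repeats cs_check_env_softhsm and cs_init_variables, which cs_init_softhsm has already run on the two lines above it; a small internal helper that only removes the two directories would avoid both the repeated checks and the new dependency.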
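
Review bot: The new cs_clean and cs_clean_softhsm functions in scripts/lib/ptxd_lib_code_signing.sh run rm -rf on "${keydir}" and "${shsm_keys}" without checking that ${sysroot} and ${keyprovider} are non-empty. cs_init_variables ends in a plain assignment, so it returns 0 even when ptxd_get_ptxconf yields nothing, and the "cs_init_variables &&" step in the chain does not catch that; with an empty keyprovider the target becomes ${sysroot}/var/lib/keys/ and every provider's directory is removed. Unless cs_check_env already guarantees both values (not visible in this patch), add a test such as [ -n "${keyprovider}" ] before each rm. Separately, the comment header above cs_clean_softhsm still reads "# cs_clean" and should name cs_clean_softhsm.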