From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Roland Hieber <rhi@pengutronix.de>, Bastian Krause <bst@pengutronix.de>
Subject: [ptxdist] [PATCH v2 4/4] ptxd_lib_code_signing: enforce cleaning up on init
Date: Tue, 10 Aug 2021 12:00:00 +0200
Message-ID: <20210810100000.26602-4-rhi@pengutronix.de>
In-Reply-To: <20210810100000.26602-1-rhi@pengutronix.de>
Similarly to cs_init_softhsm, introduce cs_init for non-SoftHSM use
cases. In both cases, clean up any left-over files from previous
installations to ensure a clean state, and enforce their use for
existing providers.
Reported-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v2: new in v2, split off from previous patch
- enforce calling cs_init* at start of the provider (feedback from
Bastian Krause)
- slight fixes to the docs
---
doc/ref_code_signing_helpers.rst | 31 +++++++++++++++++++
.../ptxdist-set-keys-hsm.sh | 1 +
scripts/lib/ptxd_lib_code_signing.sh | 28 +++++++++++++++++
3 files changed, 60 insertions(+)
diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index e1ea5d981a89..bb577c496c5b 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -28,6 +28,10 @@ Usage:
cs_init_softhsm
Initialize SoftHSM, and set the initial pins.
+This function must be called by the provider at the start of the ``compile`` stage.
+For non-SoftHSM workflows, call :ref:`cs_init` instead.
+
+This function also calls :ref:`cs_clean_softhsm`.
.. _cs_clean_softhsm:
@@ -139,6 +143,23 @@ These helpers allow to define roles, set PKCS#11 URIs and handle certificate
authorities (CAs).
HSM as well as SoftHSM code signing providers should use them.
+.. _cs_init:
+
+cs_init
+^^^^^^^
+
+Usage:
+
+.. code-block:: bash
+
+ cs_init
+
+Initialize the provider.
+This function must be called by the provider at the start of the ``compile`` stage.
+For the SoftHSM workflow, call :ref:`cs_init_softhsm` instead.
+
+This function also calls :ref:`cs_clean`.
+
.. _cs_clean:
cs_clean
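Review bot: the cs_init description added in this hunk ("Initialize the provider.") does not say what the call does or what happens when it is skipped. Suggest stating that it removes left-over files from a previous installation via cs_clean, so it has to come before any cs_define_role or cs_define_group call, and that the helpers bail out with "Not initialised" otherwise.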
@@ -169,6 +190,10 @@ Define new key role.
A default PKCS#11 URI is set implicitly as convenience for SoftHSM use cases.
+Preconditions:
+
+- the provider must have been initialised (see :ref:`cs_init` or :ref:`cs_init_softhsm`)
+
.. _cs_set_uri:
cs_set_uri
@@ -259,6 +284,10 @@ Define a new role group.
See :ref:`cs_group_add_roles` for an example.
+Preconditions:
+
+- the provider must have been initialised (see :ref:`cs_init` or :ref:`cs_init_softhsm`)
+
.. _cs_group_add_roles:
cs_group_add_roles
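Review bot: the Preconditions paragraph is added to cs_define_role and cs_define_group only, while the ptxd_lib_code_signing.sh part of this patch also puts cs_check_initialised into cs_import_cert_from_der, cs_import_cert_from_pem, cs_import_pubkey_from_pem and cs_import_privkey_from_pem. Suggest adding the same precondition to those four sections so the documentation matches what is enforced.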
@@ -281,6 +310,8 @@ Example:
.. code-block:: bash
+ cs_init
+
# define two roles named imx-habv4-srk1 and imx-habv4-srk2
r="imx-habv4-srk1"
cs_define_role "${r}"
diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
index b94eff049eac..b627541e30c1 100755
--- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
+++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh
@@ -43,6 +43,7 @@ set_imx_habv4_keys() {
# HSM use case
+cs_init
set_fit_keys
set_rauc_keys
set_imx_habv4_keys
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index b0d54f47f832..a0c53f7f05fb 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -91,6 +91,26 @@ cs_init_variables() {
}
export -f cs_init_variables
+# internal check that tells us if cs_init was called
+cs_initialised=
+cs_check_initialised() {
+ if [ -z "${cs_initialised}" ]; then
+ echo ERROR_NOT_INITIALISED
+ ptxd_bailout "Not initialised – call cs_init or cs_init_softhsm first."
+ fi
+}
+
+#
+# cs_init
+#
+# Initialize the provider
+#
+cs_init() {
+ cs_clean
+ cs_initialised=1
+}
+export -f cs_init
+
#
# cs_init_softhsm
#
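Review bot: in cs_init the flag is set even when cs_clean fails, because the two commands are not chained; "cs_clean && cs_initialised=1" would keep a failed clean-up from counting as an initialised provider. In the same hunk, cs_check_initialised and the cs_initialised variable are not exported while cs_init is ("export -f cs_init"), so if an exported helper ever runs in a child bash the check function is undefined there and the flag is empty; consider "export -f cs_check_initialised" and exporting the variable. The "echo ERROR_NOT_INITIALISED" ahead of ptxd_bailout goes to stdout and would benefit from a comment saying who consumes it.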
@@ -108,6 +128,8 @@ cs_init_softhsm() {
softhsm_pkcs11_tool_init --init-token --label "${keyprovider}" --so-pin 0000 &&
softhsm_pkcs11_tool_init -l --so-pin 0000 --new-pin 1111 --init-pin
+
+ cs_initialised=1
}
export -f cs_init_softhsm
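Review bot: cs_initialised=1 follows the && chain without being part of it, so it can run even when token or PIN initialisation failed, and as the last command it makes cs_init_softhsm return 0 in that case. Suggest ending the "--init-pin" line with && so the flag is set, and success returned, only when the SoftHSM setup worked.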
@@ -145,6 +167,7 @@ export -f cs_clean_softhsm
#
cs_define_role() {
local role="${1}"
+ cs_check_initialised
cs_init_variables
mkdir -p "${keydir}/${role}" &&
@@ -160,6 +183,7 @@ export -f cs_define_role
#
cs_define_group() {
local group="${1}"
+ cs_check_initialised
cs_init_variables
mkdir -p "${keydir}/${group}.group" &&
@@ -246,6 +270,7 @@ export -f cs_get_uri
cs_import_cert_from_der() {
local role="${1}"
local der="${2}"
+ cs_check_initialised
cs_init_variables
softhsm_pkcs11_tool --type cert --write-object "${der}" --label "${role}"
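Review bot: cs_check_initialised passes after either cs_init or cs_init_softhsm, but cs_import_cert_from_der goes on to call softhsm_pkcs11_tool, so a provider that ran plain cs_init gets past the check and then writes to a SoftHSM token that was never set up. If the import helpers are SoftHSM-only, consider recording which init ran (for example a distinct value in cs_initialised) and testing for it here.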
@@ -261,6 +286,7 @@ export -f cs_import_cert_from_der
cs_import_cert_from_pem() {
local role="${1}"
local pem="${2}"
+ cs_check_initialised
cs_init_variables
openssl x509 \
@@ -280,6 +306,7 @@ cs_import_pubkey_from_pem() {
local -a openssl_keyopt
local role="${1}"
local pem="${2}"
+ cs_check_initialised
cs_init_variables
if [ -n "${OPENSSL_KEYPASS}" ]; then
@@ -304,6 +331,7 @@ cs_import_privkey_from_pem() {
local -a openssl_keyopt
local role="${1}"
local pem="${2}"
+ cs_check_initialised
cs_init_variables
if [ -n "${OPENSSL_KEYPASS}" ]; then
--
2.30.2