mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM
@ 2021-09-12 20:59 Roland Hieber
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: return success in case of ERROR_CA_NOT_YET_SET Roland Hieber
                   ` (4 more replies)
  0 siblings, 5 replies; 7+ messages in thread
From: Roland Hieber @ 2021-09-12 20:59 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

CODE_SIGNING_ENV provides the config files and the PKCS11 engine for
OpenSSL and SoftHSM, which kbuild calls when signing the kernel modules.

Fixes: 3ffb3585dd13de9e20d1 (2021-07-23, "kernel: add support for module signing")
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - new in v3, and yet another case of "how did this ever work before?"
---
 rules/kernel.make | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rules/kernel.make b/rules/kernel.make
index 9caff677918e..7a4642f3d07f 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -187,6 +187,9 @@ $(STATEDIR)/kernel.tags:
 # Compile
 # ----------------------------------------------------------------------------
 
+KERNEL_MAKE_ENV		+= \
+	$(CODE_SIGNING_ENV)
+
 KERNEL_MAKE_OPT		= \
 	$(call kernel/deprecated, KERNEL_MAKE_OPT) \
 	$(KERNEL_SHARED_OPT) \
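Review bot: the new `KERNEL_MAKE_ENV += $(CODE_SIGNING_ENV)` is appended unconditionally, while the other consumers touched by this series keep the signing environment behind a guard (rules/barebox.make wraps its BAREBOX_MAKE_ENV in `ifdef PTXCONF_CODE_SIGNING`, and the signing options in kernel.make itself sit under `ifdef PTXCONF_KERNEL_CODE_SIGNING` / `ifdef PTXCONF_KERNEL_MODULES_SIGN`). Putting this append under the same `ifdef` keeps the PKCS#11 and SoftHSM settings out of the kernel build environment when module signing is disabled and makes the `-v` command line easier to read.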
@@ -254,6 +257,9 @@ endif
 # Install
 # ----------------------------------------------------------------------------
 
+KERNEL_INSTALL_ENV	+= \
+	$(CODE_SIGNING_ENV)
+
 KERNEL_INSTALL_OPT = \
 	$(KERNEL_BASE_OPT) \
 	modules_install
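Review bot: the `KERNEL_INSTALL_ENV += $(CODE_SIGNING_ENV)` append may duplicate the hunk above if the install stage already runs with KERNEL_MAKE_ENV; check the modules_install command line with `ptxdist -v` before adding a second copy of the environment, and if the install stage really does not see the compile environment, say so in the commit message, since the changelog ("how did this ever work before?") suggests the root cause was not fully traced.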
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de



* [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: return success in case of ERROR_CA_NOT_YET_SET
  2021-09-12 20:59 [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM Roland Hieber
@ 2021-09-12 20:59 ` Roland Hieber
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 3/5] libptxdist: introduce ptxd_exec_silent_stderr Roland Hieber
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 7+ messages in thread
From: Roland Hieber @ 2021-09-12 20:59 UTC (permalink / raw)
  To: ptxdist; +Cc: Marc Kleine-Budde, Roland Hieber

This edge case will trigger whenever a BSP is built from scratch and the
code signing provider hasn't been installed yet, but a '='-style make
variable is expanded early. Like in cs_get_uri, this may not be an error
if the variable is expanded again after the code signing provider has
been set up, so return a successful exit code here.

Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Fixes: 235332de090655007e6c (2021-07-15, "ptxd_lib_code_signing: cs_get_ca(): improve error handling")
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - new in v3
---
 scripts/lib/ptxd_lib_code_signing.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 5ba1a4666af4..b2dbb031d17d 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -291,8 +291,12 @@ cs_get_ca() {
     local ca="${keydir}/${role}/ca.pem"
 
     if [ ! -d "${keydir}" ]; then
+	# cs_get_ca was called directly from make prior to cs_set_ca,
+	# which may not be an error if it is evaluated early *and* later
+	# again - return a unique error string in case it is not expected
+	# and a user stumbles upon this
 	echo "ERROR_CA_NOT_YET_SET"
-	return 1
+	return
     fi
 
     if [ -e "${ca}" ]; then
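Review bot: the bare `return` takes the exit status of the preceding `echo`, so the function now reports success while printing the sentinel `ERROR_CA_NOT_YET_SET` on stdout; write `return 0` so the intent is explicit rather than implied by the previous command. The comment should also spell out the consequence for callers: a consumer such as `$(if $(shell cs_get_ca kernel-trusted), CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))` sees a non-empty string, so it only stays correct if it is a `=`-style variable that is expanded again after the provider has run; a `:=` variable would carry the sentinel into the kernel config as a path.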
-- 
2.30.2



* [ptxdist] [PATCH v3 3/5] libptxdist: introduce ptxd_exec_silent_stderr
  2021-09-12 20:59 [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM Roland Hieber
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: return success in case of ERROR_CA_NOT_YET_SET Roland Hieber
@ 2021-09-12 20:59 ` Roland Hieber
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 4/5] ptxd_lib_code_signing: provide consumer functions with some environment Roland Hieber
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 7+ messages in thread
From: Roland Hieber @ 2021-09-12 20:59 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Some programs print messages to stderr that are not errors and are
therefore not relevant to the usual build runs (e.g. openssl when
loading the PKCS#11 libraries), but they may still be useful for
debugging. When called with ptxd_exec_silent_stderr, stderr won't make
it to the terminal except with 'ptxdist -v', but the messages are still
available in the logfile.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - no changes in content
 - dropped previous "[PATCH v2 1/5] ptxd_make_world_common: make the
   package name available to scripts" to keep the shell command line
   slim (feedback from Michael Olbrich)

PATCH v2: https://lore.ptxdist.org/ptxdist/20210809080608.23475-2-rhi@pengutronix.de
 - no changes

PATCH v1: https://lore.ptxdist.org/ptxdist/20210804142330.32739-2-rhi@pengutronix.de
---
 scripts/libptxdist.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/scripts/libptxdist.sh b/scripts/libptxdist.sh
index ee0ba39d3ea3..bb508798cb6f 100644
--- a/scripts/libptxdist.sh
+++ b/scripts/libptxdist.sh
@@ -776,6 +776,24 @@ ptxd_exec() {
 }
 export -f ptxd_exec
 
+#
+# execute command with silenced stderr, except when verbose building is enabled.
+# the stderr output of the command will always be written to the logfile.
+#
+ptxd_exec_silent_stderr() {
+	exec 8>&2
+	if [ "${PTXDIST_VERBOSE}" == "1" ]; then
+		:
+	elif [ -n "${PTXDIST_FD_LOGFILE}" ]; then
+		exec 2>&9
+	else
+		exec 2>/dev/null
+	fi
+	"${@}"
+	exec 2>&8 8>&-
+}
+export -f ptxd_exec_silent_stderr
+
 #
 # check if a previously executed pipe returned an error
 #
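Review bot: the wrapped command's exit status is lost: after `"${@}"` the function ends with `exec 2>&8 8>&-`, so callers always see status 0, and an `&&` chain or `check_pipe_status` around `ptxd_exec_silent_stderr openssl ...` cannot detect failure. Capture it before restoring the descriptors:
    "${@}"; local ret=$?
    exec 2>&8 8>&-
    return ${ret}
Also, the logfile branch tests `PTXDIST_FD_LOGFILE` but redirects to the literal descriptor 9; if that variable holds the descriptor number, use `exec 2>&${PTXDIST_FD_LOGFILE}` so the two cannot drift apart, and either way a comment saying which descriptor 9 is would help the next reader.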
-- 
2.30.2



* [ptxdist] [PATCH v3 4/5] ptxd_lib_code_signing: provide consumer functions with some environment
  2021-09-12 20:59 [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM Roland Hieber
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 2/5] ptxd_lib_code_signing: return success in case of ERROR_CA_NOT_YET_SET Roland Hieber
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 3/5] libptxdist: introduce ptxd_exec_silent_stderr Roland Hieber
@ 2021-09-12 20:59 ` Roland Hieber
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 5/5] ptxd_lib_code_signing: add key whitelist checks Roland Hieber
  2021-09-29 11:54 ` [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM Michael Olbrich
  4 siblings, 0 replies; 7+ messages in thread
From: Roland Hieber @ 2021-09-12 20:59 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

The code signing consumer functions should be able to retrieve some
information about the recipe in which they were called in order to make
additional checks if needed. Refactor the (shell cs_get_*, …) calls into
macro calls of the form $(call ptx/cs-get-*, <PKG>, …). Let these
macros look up the package name (for now) from PTX_MAP_TO_package_<PKG>
before passing it to the shell functions. Using $(call world/env) here
would be practical, but would also cause make to complain about
recursive variable dependencies. Therefore variables must be added
to ptx/cs-consumer-env manually, but additional information can be added
later if needed.

Refactor the existing consumers in the code base too, and add an error
message in case anyone else still uses the old API.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - dropped previous "[PATCH v2 3/5] ptxd_lib_code_signing: refactor
   hard-coded SoftHSM PIN in PKCS11 URIs", as it was not needed for the
   rest of the series (feedback by Michael Olbrich)
 - make ptx/cs-consumer-env a oneline '=' definition instead of a
   multi-line define block (feedback by Michael Olbrich)
 - remove superfluous backslash-newline escapes in multi-line defines
   (feedback by Michael Olbrich)
 - refactor cs_get_uri into cs_get_uri_impl, which can be used
   internally in cs_append_ca_from_uri, which doesn't need to check for
   pkg_name – otherwise the code provider setup path will run into our
   legacy code guard and die with errors.

PATCH v2: https://lore.ptxdist.org/ptxdist/20210809080608.23475-3-rhi@pengutronix.de
 - define multiline macros using "define"

PATCH v1: https://lore.ptxdist.org/ptxdist/20210804142330.32739-4-rhi@pengutronix.de
---
 doc/dev_code_signing.rst                      |  2 +-
 doc/ref_code_signing_helpers.rst              | 25 +++++++------
 rules/barebox.make                            |  2 +-
 rules/image-rauc.make                         |  6 +--
 rules/kernel.make                             |  6 +--
 rules/pre/030-code-signing-consumers.make     | 37 +++++++++++++++++++
 rules/rauc.make                               |  2 +-
 .../templates/template-barebox-imx-habv4-make |  6 +--
 scripts/lib/ptxd_lib_code_signing.sh          | 34 +++++++++++++----
 9 files changed, 89 insertions(+), 31 deletions(-)
 create mode 100644 rules/pre/030-code-signing-consumers.make

diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index b9a7c42f2a55..413f694980eb 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -164,7 +164,7 @@ also via an environment variable.
 .. code-block:: none
 
     $(call install_copy, rauc, 0, 0, 0644, \
-      $(shell cs_get_ca update), \
+      $(call ptx/cs-get-ca, RAUC, update), \
       /etc/rauc/ca.cert.pem)
 
 .. note:: When code signing helper functions are used in make variables (e.g.
diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index fd16ca763557..d3429778d94d 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -297,19 +297,21 @@ In the example given in :ref:`cs_group_add_roles` above, this would print::
 Consumer Functions
 ~~~~~~~~~~~~~~~~~~
 
+The consumer functions are implemented as make macros.
 Packages that want to sign something or need access to keys/CAs can retrieve
 PKCS#11 URIs and CA keyrings with these helpers.
 
+.. _ptx/cs-get-uri:
 .. _cs_get_uri:
 
-cs_get_uri
-^^^^^^^^^^
+ptx/cs-get-uri
+^^^^^^^^^^^^^^
 
 Usage:
 
-.. code-block:: bash
+.. code-block:: make
 
-    cs_get_uri <role>
+    $(call ptx/cs-get-uri, <PKG>, <role>)
 
 Get PKCS#11 URI for role.
 
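Review bot: the new usage line `$(call ptx/cs-get-uri, <PKG>, <role>)` introduces a `<PKG>` argument without saying what it is; add a sentence that it is the upper-case package identifier as used in `PTX_MAP_TO_package_<PKG>` (for example `KERNEL` or `IMAGE_RAUC`, as in the rules changed by this patch), since readers who know the previous `cs_get_uri <role>` form have no reason to know this.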
@@ -317,16 +319,17 @@ Preconditions:
 
 - the URI must have been set (see :ref:`cs_set_uri`)
 
+.. _ptx/cs-get-ca:
 .. _cs_get_ca:
 
-cs_get_ca
-^^^^^^^^^
+ptx/cs-get-ca
+^^^^^^^^^^^^^
 
 Usage:
 
-.. code-block:: bash
+.. code-block:: make
 
-    cs_get_ca <role>
+    $(call ptx/cs-get-ca, <PKG>, <role>)
 
 Get path to the CA keyring in PEM format for role.
 
@@ -347,7 +350,7 @@ Example:
 
    # set up kernel module signing, and add a trusted CA if the provider set one
    KERNEL_SIGN_OPT =
-   	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \
+   	CONFIG_MODULE_SIG_KEY='"$(call ptx/cs-get-uri, KERNEL, kernel-modules)"' \
    	CONFIG_MODULE_SIG_ALL=y \
-   	$(if $(shell cs_get_ca kernel-trusted), \
-   		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
+   	$(if $(call ptx/cs-get-ca, KERNEL, kernel-trusted), \
+   		CONFIG_SYSTEM_TRUSTED_KEYS=$(call ptx/cs-get-ca, KERNEL, kernel-trusted))
diff --git a/rules/barebox.make b/rules/barebox.make
index bea9f3adcbf8..983d34032e0d 100644
--- a/rules/barebox.make
+++ b/rules/barebox.make
@@ -103,7 +103,7 @@ endif
 ifdef PTXCONF_CODE_SIGNING
 BAREBOX_MAKE_ENV = \
 	$(CODE_SIGNING_ENV) \
-	IMAGE_KERNEL_FIT_KEY="$(shell cs_get_uri image-kernel-fit)"
+	IMAGE_KERNEL_FIT_KEY="$(call ptx/cs-get-uri, BAREBOX, image-kernel-fit)"
 endif
 
 $(STATEDIR)/barebox.compile:
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index fe1b0e89be7c..c8747231f8f1 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -32,9 +32,9 @@ IMAGE_RAUC_ENV	= \
 	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
 	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
 	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
-	RAUC_KEY="$(shell cs_get_uri update)" \
-	RAUC_CERT="$(shell cs_get_uri update)" \
-	RAUC_KEYRING="$(shell cs_get_ca update)"
+	RAUC_KEY="$(call ptx/cs-get-uri, IMAGE_RAUC, update)" \
+	RAUC_CERT="$(call ptx/cs-get-uri, IMAGE_RAUC, update)" \
+	RAUC_KEYRING="$(call ptx/cs-get-ca, IMAGE_RAUC, update)"
 
 $(IMAGE_RAUC_IMAGE):
 	@$(call targetinfo)
diff --git a/rules/kernel.make b/rules/kernel.make
index 7a4642f3d07f..cf505f67fe01 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -73,12 +73,12 @@ KERNEL_BASE_OPT		= \
 
 ifdef PTXCONF_KERNEL_CODE_SIGNING
 KERNEL_BASE_OPT		+= \
-	$(if $(shell cs_get_ca kernel-trusted), \
-		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
+	$(if $(call ptx/cs-get-ca, KERNEL, kernel-trusted), \
+		CONFIG_SYSTEM_TRUSTED_KEYS=$(call ptx/cs-get-ca, KERNEL, kernel-trusted))
 endif
 ifdef PTXCONF_KERNEL_MODULES_SIGN
 KERNEL_BASE_OPT		+= \
-	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"'
+	CONFIG_MODULE_SIG_KEY='"$(call ptx/cs-get-uri, KERNEL, kernel-modules)"'
 endif
 
 # Intermediate option. This will be used by kernel module packages.
diff --git a/rules/pre/030-code-signing-consumers.make b/rules/pre/030-code-signing-consumers.make
new file mode 100644
index 000000000000..e2c6c868e0ee
--- /dev/null
+++ b/rules/pre/030-code-signing-consumers.make
@@ -0,0 +1,37 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 Roland Hieber, Pengutronix <rhi@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+#
+
+#
+# Usage: $(call ptx/cs-consumer-env, <PKG>)
+#
+ptx/cs-consumer-env = pkg_name='$(PTX_MAP_TO_package_$(strip $(1)))' $(CODE_SIGNING_ENV)
+
+#
+# Usage: $(call ptx/cs-get-uri, <PKG>, <role>)
+#
+define ptx/cs-get-uri
+$(strip
+	$(shell
+		$(call ptx/cs-consumer-env, $(1))
+			cs_get_uri '$(strip $(2))'
+	)
+)
+endef
+
+#
+# Usage: $(call ptx/cs-get-ca, <PKG>, <role>)
+#
+define ptx/cs-get-ca
+$(strip
+	$(shell
+		$(call ptx/cs-consumer-env, $(1))
+			cs_get_ca '$(strip $(2))'
+	)
+)
+endef
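Review bot: `ptx/cs-consumer-env` expands `$(PTX_MAP_TO_package_$(strip $(1)))` without checking that the lookup produced anything, so a typo in `<PKG>` yields `pkg_name=''`, and the shell side then trips the `-z "${pkg_name}"` guard and tells the user that `$(shell cs_get_uri ...)` is no longer supported, which points at the wrong problem. Fail at the make level when the map entry is empty, e.g.
    $(if $(PTX_MAP_TO_package_$(strip $(1))),,$(error ptx/cs-consumer-env: unknown package '$(strip $(1))'))
so the legacy-API message is reserved for actual legacy calls.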
diff --git a/rules/rauc.make b/rules/rauc.make
index 08df6336a7cd..3c28befcd3ff 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -78,7 +78,7 @@ ifdef PTXCONF_RAUC_CONFIGURATION
 	@$(call install_replace, rauc, /etc/rauc/system.conf, \
 		@RAUC_BUNDLE_COMPATIBLE@, \
 		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
-	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
+	@$(call install_copy, rauc, 0, 0, 0644, $(call ptx/cs-get-ca, RAUC, update), \
 		/etc/rauc/ca.cert.pem)
 endif
 
diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
index cc825dc90292..b2d5d7100fc9 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -64,9 +64,9 @@ endif
 
 BAREBOX_@PACKAGE@_MAKE_ENV	= \
 	$(CODE_SIGNING_ENV) \
-	CSF="$(shell cs_get_uri imx-habv4-csf1)" \
-	IMG="$(shell cs_get_uri imx-habv4-img1)" \
-	FIT_KEY="$(shell cs_get_uri image-kernel-fit)"
+	CSF="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, imx-habv4-csf1)" \
+	IMG="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, imx-habv4-img1)" \
+	FIT_KEY="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, image-kernel-fit)"
 
 BAREBOX_@PACKAGE@_MAKE_OPT	:= $(BAREBOX_@PACKAGE@_CONF_OPT)
 
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index b2dbb031d17d..8f35c276855f 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 #
 # Copyright (C) 2019 Sascha Hauer <s.hauer@pengutronix.de>
+# Copyright (C) 2021 Roland Hieber, Pengutronix <rhi@pengutronix.de>
 #
 # For further information about the PTXdist project and license conditions
 # see the README file.
@@ -158,17 +159,12 @@ cs_set_uri() {
 }
 export -f cs_set_uri
 
-#
-# cs_get_uri <role>
-#
-# Get the uri from a role
-#
-cs_get_uri() {
+cs_get_uri_impl() {
     local role="${1}"
     cs_init_variables
 
     if [ ! -f "${keydir}/${role}/uri" ]; then
-	if [ ${#FUNCNAME[*]} -gt 1 ]; then
+	if [ ${#FUNCNAME[*]} -gt 2 ]; then
 	    ptxd_bailout "No PKCS#11 URI for role ${role}"
 	else
 	    # cs_get_uri was called directly from make prior to cs_set_uri,
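Review bot: the `${#FUNCNAME[*]} -gt 2` test ties the behaviour to the exact call chain make -> cs_get_uri -> cs_get_uri_impl. The last hunk of this patch has cs_append_ca_from_uri call cs_get_uri_impl directly, which produces the same stack depth as the make -> cs_get_uri path, so that caller now receives the ERROR_URI_NOT_YET_SET sentinel where it previously got the ptxd_bailout. Distinguish the two cases explicitly, for example by testing `[ "${FUNCNAME[1]}" = cs_get_uri ]` or by passing a flag argument from cs_get_uri, instead of counting stack frames; the comment below ("called directly from make") should then describe the actual condition being tested.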
@@ -181,6 +177,22 @@ cs_get_uri() {
     fi
     cat "${keydir}/${role}/uri"
 }
+export -f cs_get_uri_impl
+
+#
+# cs_get_uri <role>
+#
+# Get the uri from a role
+#
+cs_get_uri() {
+    if [ -z "${pkg_name}" ]; then
+	    echo ERROR_UNSUPPORTED_CS_API_CALL
+	    ptxd_bailout '$(shell cs_get_uri, <role>) is no longer supported in make files.' \
+		'Use $(call ptx/cs-get-uri, <PKG>, <role>) instead.'
+    fi
+
+    cs_get_uri_impl "$@"
+}
 export -f cs_get_uri
 
 #
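Review bot: the bailout text quotes the retired API as `$(shell cs_get_uri, <role>)` with a comma, but the form being removed is `$(shell cs_get_uri <role>)` (see the lines deleted from the docs and rules in this patch); quote it exactly so users can grep their rules for it. The same applies to the `$(shell cs_get_ca, …)` message in the cs_get_ca hunk below.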
@@ -285,6 +297,12 @@ export -f cs_import_key_from_pem
 # Get the path to the CA in pem format from a role
 #
 cs_get_ca() {
+    if [ -z "${pkg_name}" ]; then
+	    echo ERROR_UNSUPPORTED_CS_API_CALL
+	    ptxd_bailout '$(shell cs_get_ca, …) is no longer supported in make files.' \
+		'Use $(call ptx/cs-get-ca, <PKG>, …) instead.'
+    fi
+
     local role="${1}"
     cs_init_variables
 
@@ -349,7 +367,7 @@ cs_append_ca_from_uri() {
     cs_init_variables
 
     if [ -z "${uri}" ]; then
-	uri=$(cs_get_uri "${role}")
+	uri=$(cs_get_uri_impl "${role}")
     fi
 
     ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
-- 
2.30.2



* [ptxdist] [PATCH v3 5/5] ptxd_lib_code_signing: add key whitelist checks
  2021-09-12 20:59 [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM Roland Hieber
                   ` (2 preceding siblings ...)
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 4/5] ptxd_lib_code_signing: provide consumer functions with some environment Roland Hieber
@ 2021-09-12 20:59 ` Roland Hieber
  2021-09-29 12:08   ` Michael Olbrich
  2021-09-29 11:54 ` [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM Michael Olbrich
  4 siblings, 1 reply; 7+ messages in thread
From: Roland Hieber @ 2021-09-12 20:59 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v3:
 - adapt to cs_get_uri_impl from previous patch. cs_get_uri_unchecked
   didn't really need to check for pkg_name anyway as it's only called
   by cs_append_ca_from_uri in the code provider setup path, and the
   code provider should always be able to get its own URI, so we can use
   cs_get_uri_impl here too.
 - cs_check_whitelist: handle the case correctly when the code signing
   provider is not set up yet (i.e. when the BSP is built from scratch)
 - small doc fixes
 - use fixed whitelist filename, remove CODE_SIGNING_WHITELIST_FILENAME
   (feedback by Michael Olbrich)
 - remove superfluous backslash-newline escapes in multi-line defines
   (feedback by Michael Olbrich)
 - add early error handling for openssl | spki-hash in cs_append_ca_*
   (feedback by Michael Olbrich)
 - remove factually untrue comment in cs_append_ca_from_uri (feedback by
   Michael Olbrich)
 - use $(error) instead of $(ptx/error) (feedback by Michael Olbrich)

PATCH v2: https://lore.ptxdist.org/ptxdist/20210809080608.23475-5-rhi@pengutronix.de
 - cs_check_whitelisted: make "needle" a local variable (feedback by
   Michael Olbrich)
 - cs_check_whitelisted: error out with ERROR_KEY_NOT_WHITELISTED also
   if whitelist does not exist yet (Michael Olbrich)
 - rename cs_get_uri to cs_get_uri_unchecked and let cs_get_uri wrap it
   instead of setting cs_no_whitelist_check=1 (Michael Olbrich)
 - docs: simplify introductory example (Michael Olbrich)
 - docs: add short paragraph on how to determine fingerprints of certs

PATCH v1: https://lore.ptxdist.org/ptxdist/20210804142330.32739-5-rhi@pengutronix.de
---
 doc/daily_work.inc                        |  1 +
 doc/dev_code_signing.rst                  | 77 +++++++++++++++++++++++
 platforms/code-signing.in                 | 10 +++
 rules/pre/030-code-signing-consumers.make |  6 ++
 scripts/lib/ptxd_lib_code_signing.sh      | 56 ++++++++++++++++-
 5 files changed, 149 insertions(+), 1 deletion(-)

diff --git a/doc/daily_work.inc b/doc/daily_work.inc
index 37bb9bc48180..a5b32dc5461c 100644
--- a/doc/daily_work.inc
+++ b/doc/daily_work.inc
@@ -180,6 +180,7 @@ options during the `kernel.compile` and `kernel.install` stages:
   PTXdist supplies the URI from the ``kernel-modules`` role of the configured
   code signing provider.
   (The code signing provider should use :ref:`cs_set_uri` to set the URI.)
+  The value of this kconfig option from your kernel config file is overridden.
 
 However, additional settings must also be enabled in the kernel config:
 
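Review bot: the added sentence about the kconfig option being overridden documents existing module-signing behaviour and is unrelated to the whitelist feature this patch introduces; since the patch carries no commit message body at all (only the Signed-off-by), either split this line out as a separate doc fix or add a commit message that explains the whitelist and mentions this clarification.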
diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index 413f694980eb..b0b8c9b4a3b8 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -172,3 +172,80 @@ also via an environment variable.
   (``=``, not ``:=``).
   Otherwise the variable is expanded before a code signing provider can perform
   its setup.
+
+Key Whitelisting
+~~~~~~~~~~~~~~~~
+
+In some use cases, it may be feasible to do additional checks to make sure that
+a package uses the correct key material.
+For example, suppose you have a "release" code signing provider which you use
+to sign bootloaders for production,
+and a "development" code signing provider which you use to sign bootloaders
+with an extended feature set, e.g. to allow booting arbitrary kernels and
+userlands for debugging purposes.
+Your production boards are locked down in hardware so the ROM code only
+executes bootloaders signed with the "release" key.
+Now you don't want any bootloader with debugging features to be signed with a
+release key, otherwise someone could boot them on a locked-down production
+device, and use the additional debugging features to get extended access to the
+production device.
+In this case, key whitelisting can help to prevent signing bootloader packages
+with the wrong key.
+
+If the ``CODE_SIGNING_REQUIRE_WHITELIST`` kconfig symbol is enabled,
+the consumer functions :ref:`ptx/cs-get-ca` and :ref:`ptx/cs-get-uri`
+look up the triplet of package name, role name, and the pubkey's SHA256
+fingerprint in ``configs/platform-<name>/code-signing-whitelist``.
+If a key or a CA is not whitelisted for the package in which it is to be used,
+the functions will exit with an error message on the terminal::
+
+   $ ptxdist -v print KERNEL_MAKE_OPT
+   ptxdist: error: SPKI whitelist record 'kernel kernel-modules
+   69C9BBB8BB4DFAE74AB21D06DFB5F2C67066373AE545453276847340822CDF04' not found in
+   distrokit/configs/platform-v7a/code-signing-whitelist
+
+   …/ptxdist/rules/kernel.make:196: *** cs-get-uri: whitelist check failed, see errors above.  Stop.
+
+If ``CODE_SIGNING_REQUIRE_WHITELIST`` is disabled (the default),
+all keys and CAs are provided to all packages without further checks.
+
+The format of the code signing whitelist consists of one triplet per line, in
+which the elements of the triplet are separated by whitespace.
+If a CA is to be checked, the role name is prefixed with a literal ``ca:``,
+and the fingerprint refers to the public key of the certificate.
+All other unmatched lines in the file are ignored, but we suggest to use ``#``
+to start a line comment so as not to add a whitelist record accidentally.
+
+For example, here is a whitelist for use with the *devel* code provider which
+allows all provided keys to be used by their respective consumers::
+
+   # format: package-name role-name sha256-pubkey-fingerprint
+   kernel      kernel-modules   69C9BBB8BB4DFAE74AB21D06DFB5F2C67066373AE545453276847340822CDF04
+   image-rauc  update           0034F8FE5ADC3B0DFE642407275D144DE2398C68CC9A86DD6703D7151116B44E
+   image-rauc  ca:update        0034F8FE5ADC3B0DFE642407275D144DE2398C68CC9A86DD6703D7151116B44E
+   rauc        ca:update        0034F8FE5ADC3B0DFE642407275D144DE2398C68CC9A86DD6703D7151116B44E
+
+.. note:: The match is case-sensitive, and the fingerprints are expected
+   in uppercase.
+
+   If a CA consists of more than one certificate, all of their fingerprints
+   must be whitelisted.
+
+You can determine the key fingerprints by copying it from the error message,
+or with the `spki-hash`__ tool from the ``host-extract-cert`` package,
+or with openssl::
+
+   $ openssl pkey -in keyfile.pem -pubout -outform der \
+     | openssl sha256 \
+     | tr 'a-z' 'A-Z'
+   (STDIN)= 69C9BBB8BB4DFAE74AB21D06DFB5F2C67066373AE545453276847340822CDF04
+
+or, in the case of certificates::
+
+   $ openssl x509 -noout -in cert.pem -pubkey \
+     | openssl pkey -pubin -inform pem -pubout -outform der \
+     | openssl sha256 \
+     | tr 'a-z' 'A-Z'
+   (STDIN)= 0034F8FE5ADC3B0DFE642407275D144DE2398C68CC9A86DD6703D7151116B44E
+
+__ https://git.pengutronix.de/cgit/extract-cert/tree/spki-hash.c
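Review bot: the kconfig symbol is named inconsistently: this text refers to `CODE_SIGNING_REQUIRE_WHITELIST` (twice), while platforms/code-signing.in in this patch adds `CODE_SIGNING_REQUIRE_WHITELISTED_KEYS` and cs_check_whitelisted reads `PTXCONF_CODE_SIGNING_REQUIRE_WHITELISTED_KEYS`; use the real symbol here. Smaller points: "copying it from the error message" should be "copying them", and the sample output shows `cs-get-uri: whitelist check failed, see errors above.` while the macro in rules/pre/030-code-signing-consumers.make emits `cs-get-uri: whitelist check failed – see errors above`; keep the two identical so users can search for the message.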
diff --git a/platforms/code-signing.in b/platforms/code-signing.in
index 81f9ef6f3c9e..7fa46e644df7 100644
--- a/platforms/code-signing.in
+++ b/platforms/code-signing.in
@@ -20,4 +20,14 @@ source "generated/code_signing_provider.in"
 
 endchoice
 
+config CODE_SIGNING_REQUIRE_WHITELISTED_KEYS
+	bool
+	prompt "require whitelisted keys"
+	help
+	  Every time a key from the code provider is used, check if the consumer
+	  is allowed to use it.
+
+	  Code signing consumers can depend on this option if they want to force
+	  the key whitelist check.
+
 endif
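Review bot: the help text should tell the user where the whitelist is read from (`configs/platform-<name>/code-signing-whitelist`, per the documentation hunk) and that enabling the option without that file is a hard error in cs_check_whitelisted; otherwise the first build after enabling it fails with no hint in the option's help.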
diff --git a/rules/pre/030-code-signing-consumers.make b/rules/pre/030-code-signing-consumers.make
index e2c6c868e0ee..24bfa1c9c815 100644
--- a/rules/pre/030-code-signing-consumers.make
+++ b/rules/pre/030-code-signing-consumers.make
@@ -21,6 +21,9 @@ $(strip
 		$(call ptx/cs-consumer-env, $(1))
 			cs_get_uri '$(strip $(2))'
 	)
+	$(if $(filter-out 0,$(.SHELLSTATUS)),
+		$(error cs-get-uri: whitelist check failed – see errors above)
+	)
 )
 endef
 
@@ -33,5 +36,8 @@ $(strip
 		$(call ptx/cs-consumer-env, $(1))
 			cs_get_ca '$(strip $(2))'
 	)
+	$(if $(filter-out 0,$(.SHELLSTATUS)),
+		$(error cs-get-ca: whitelist check failed – see errors above)
+	)
 )
 endef
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 8f35c276855f..fe819bcb07ae 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 #
 # Copyright (C) 2019 Sascha Hauer <s.hauer@pengutronix.de>
+# Copyright (C) 2020 Jan Luebbe <j.luebbe@pengutronix.de>
 # Copyright (C) 2021 Roland Hieber, Pengutronix <rhi@pengutronix.de>
 #
 # For further information about the PTXdist project and license conditions
@@ -145,6 +146,47 @@ cs_group_get_roles() {
 }
 export -f cs_group_get_roles
 
+#
+# cs_check_whitelisted <role> <uri/pem or fingerprint prefixed with "sha256:">
+#
+# Checks if the SPKI (Subject Public Key Info) Hash is in the whitelist
+#
+cs_check_whitelisted() {
+    local role="${1:-ERROR_ROLE_IS_EMPTY}"
+    local src="${2}"
+    cs_init_variables
+
+    if [ "${src}" = "ERROR_URI_NOT_YET_SET" ]; then
+	# skip check until the code signing provider has been set up
+	return;
+    fi
+
+    if [ "$(ptxd_get_ptxconf PTXCONF_CODE_SIGNING_REQUIRE_WHITELISTED_KEYS)" != "y" ]; then
+	return
+    fi
+
+    if ! ptxd_in_path PTXDIST_PATH_PLATFORMCONFIGDIR "code-signing-whitelist"; then
+	echo ERROR_KEY_NOT_WHITELISTED
+	ptxd_bailout "${pkg_name}: SPKI hash whitelist check for role '${role}' (${src}) is required, but configs/<platform>/code-signing-whitelist is missing."
+    fi
+    local whitelist_path="${ptxd_reply}"
+
+    local hash
+    if [ "${src#sha256:}" != "${src}" ]; then
+	hash="${src#sha256:}"
+    else
+	hash=$(ptxd_exec_silent_stderr spki-hash "${src}")
+    fi
+    hash=${hash:-ERROR_HASH_IS_EMPTY}
+    local needle="${pkg_name}\s\+${role}\s\+${hash}"
+
+    if ! grep -q --line-regexp "${needle}" "${whitelist_path}"; then
+	echo ERROR_KEY_NOT_WHITELISTED
+	ptxd_bailout "SPKI whitelist record '${pkg_name} ${role} ${hash}' not found in $(ptxd_print_path "${whitelist_path}")"
+    fi
+}
+export -f cs_check_whitelisted
+
 #
 # cs_set_uri <role> <uri>
 #
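Review bot: `needle` interpolates `${pkg_name}`, `${role}` and `${hash}` unescaped into a basic regular expression for `grep --line-regexp`, so a `.` in a package name matches any character, and a record with leading or trailing whitespace (or a trailing comment) never matches although the docs describe the fields only as whitespace-separated. Comparing fields instead of matching a regex avoids both problems and drops the GNU-only `\s\+`:
    awk -v p="${pkg_name}" -v r="${role}" -v h="${hash}" '$1 == p && $2 == r && $3 == h { f = 1 } END { exit !f }' "${whitelist_path}"
Separately, when `spki-hash` fails, `hash` becomes `ERROR_HASH_IS_EMPTY` and the user is told the key is not whitelisted rather than that hashing failed; bail out on that case with its own message before the lookup.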
@@ -191,7 +233,12 @@ cs_get_uri() {
 		'Use $(call ptx/cs-get-uri, <PKG>, <role>) instead.'
     fi
 
-    cs_get_uri_impl "$@"
+    local role="${1}"
+    local uri=$(cs_get_uri_impl "${role}")
+
+    if cs_check_whitelisted "${role}" "${uri}"; then
+	echo "${uri}"
+    fi
 }
 export -f cs_get_uri
 
@@ -318,6 +365,9 @@ cs_get_ca() {
     fi
 
     if [ -e "${ca}" ]; then
+	while read fp; do
+	    cs_check_whitelisted "ca:${role}" "sha256:${fp}"
+	done < "${keydir}/${role}/ca.fingerprints"
 	echo "${ca}"
     fi
 }
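Review bot: the `while read fp; do ...; done < "${keydir}/${role}/ca.fingerprints"` loop assumes the fingerprints file exists whenever ca.pem does; for a keydir populated before this change, or by a provider that writes ca.pem without going through cs_append_ca_from_pem, the redirect fails, bash prints an error and continues, and `echo "${ca}"` still runs, so the CA is handed out unchecked. Bail out when ca.pem exists but ca.fingerprints does not (at least when the whitelist is required), and use `read -r` so backslashes in the file are not interpreted.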
@@ -333,6 +383,10 @@ cs_append_ca_from_pem() {
     local pem="${2}"
     cs_init_variables
 
+    openssl x509 -in "${pem}" -inform pem -noout -pubkey | \
+	spki-hash /dev/stdin >> "${keydir}/${role}/ca.fingerprints"
+    check_pipe_status || ptxd_bailout "Extracting SPKI hash from CA '${pem}' failed"
+
     cat "${pem}" >> "${keydir}/${role}/ca.pem"
     # add new line in case ${pem} does not end with an EOL
     echo >> "${keydir}/${role}/ca.pem"
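Review bot: the pipeline appends to ca.fingerprints before its status is checked, so a failing `openssl x509 ... | spki-hash /dev/stdin` can leave ca.fingerprints modified and then bail out with ca.pem untouched; the next run appends again and the two files drift apart, which undermines the per-fingerprint check in cs_get_ca. Compute the hash into a variable first (`fp=$(openssl ... | spki-hash /dev/stdin)`, then `check_pipe_status || ptxd_bailout ...`), and only then append the hash and the PEM together; a comment that the two files must stay in sync would help future providers.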
-- 
2.30.2



* Re: [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM
  2021-09-12 20:59 [ptxdist] [PATCH v3 1/5] kernel: make sure that kbuild can extract keys from the HSM Roland Hieber
                   ` (3 preceding siblings ...)
  2021-09-12 20:59 ` [ptxdist] [PATCH v3 5/5] ptxd_lib_code_signing: add key whitelist checks Roland Hieber
@ 2021-09-29 11:54 ` Michael Olbrich
  4 siblings, 0 replies; 7+ messages in thread
From: Michael Olbrich @ 2021-09-29 11:54 UTC (permalink / raw)
  To: Roland Hieber, ptxdist

On Sun, Sep 12, 2021 at 10:59:21PM +0200, Roland Hieber wrote:
> CODE_SIGNING_ENV provides the config files and the PKCS11 engine for
> OpenSSL and SoftHSM, which kbuild calls when signing the kernel modules.
> 
> Fixes: 3ffb3585dd13de9e20d1 (2021-07-23, "kernel: add support for module signing")
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
> PATCH v3:
>  - new in v3, and yet another case of "how did this ever work before?"
> ---
>  rules/kernel.make | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/rules/kernel.make b/rules/kernel.make
> index 9caff677918e..7a4642f3d07f 100644
> --- a/rules/kernel.make
> +++ b/rules/kernel.make
> @@ -187,6 +187,9 @@ $(STATEDIR)/kernel.tags:
>  # Compile
>  # ----------------------------------------------------------------------------
>  
> +KERNEL_MAKE_ENV		+= \
> +	$(CODE_SIGNING_ENV)
> +
>  KERNEL_MAKE_OPT		= \
>  	$(call kernel/deprecated, KERNEL_MAKE_OPT) \
>  	$(KERNEL_SHARED_OPT) \
> @@ -254,6 +257,9 @@ endif
>  # Install
>  # ----------------------------------------------------------------------------
>  
> +KERNEL_INSTALL_ENV	+= \
> +	$(CODE_SIGNING_ENV)

This should not be needed. KERNEL_MAKE_ENV should be used for compile and
install. Build with '-v' to see the commandline.

Michael

> +
>  KERNEL_INSTALL_OPT = \
>  	$(KERNEL_BASE_OPT) \
>  	modules_install
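Review bot: this hunk repeats the first one for the install stage; if KERNEL_INSTALL_ENV already carries KERNEL_MAKE_ENV, as Michael's reply above says, drop it, and if it does not, the commit message should explain why a second, separate environment is needed. Either way the trailing context shows the install target is `modules_install`, so whichever variable reaches that invocation is the one that has to contain `$(CODE_SIGNING_ENV)`; comparing the `ptxdist -v` command lines of both stages, as suggested, settles which one that is.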
> -- 
> 2.30.2

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH v3 5/5] ptxd_lib_code_signing: add key whitelist checks
From: Michael Olbrich @ 2021-09-29 12:08 UTC
  To: Roland Hieber, ptxdist

On Sun, Sep 12, 2021 at 10:59:25PM +0200, Roland Hieber wrote:
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
> PATCH v3:
>  - adapt to cs_get_uri_impl from previous patch. cs_get_uri_unchecked
>    didn't really need to check for pkg_name anyway as it's only called
>    by cs_append_ca_from_uri in the code provider setup path, and the
>    code provider should always be able to get its own URI, so we can use
>    cs_get_uri_impl here too.
>  - cs_check_whitelist: handle the case correctly when the code signing
>    provider is not set up yet (i.e. when the BSP is built from scratch)
>  - small doc fixes
>  - use fixed whitelist filename, remove CODE_SIGNING_WHITELIST_FILENAME
>    (feedback by Michael Olbrich)
>  - remove superfluous backslash-newline escapes in multi-line defines
>    (feedback by Michael Olbrich)
>  - add early error handling for openssl | spki-hash in cs_append_ca_*
>    (feedback by Michael Olbrich)
>  - remove factually untrue comment in cs_append_ca_from_uri (feedback by
>    Michael Olbrich)
>  - use $(error) instead of $(ptx/error) (feedback by Michael Olbrich)
> 
> PATCH v2: https://lore.ptxdist.org/ptxdist/20210809080608.23475-5-rhi@pengutronix.de
>  - cs_check_whitelisted: make "needle" a local variable (feedback by
>    Michael Olbrich)
>  - cs_check_whitelisted: error out with ERROR_KEY_NOT_WHITELISTED also
>    if whitelist does not exist yet (Michael Olbrich)
>  - rename cs_get_uri to cs_get_uri_unchecked and let cs_get_uri wrap it
>    instead of setting cs_no_whitelist_check=1 (Michael Olbrich)
>  - docs: simplify introductory example (Michael Olbrich)
>  - docs: add short paragraph on how to determine fingerprints of certs
> 
> PATCH v1: https://lore.ptxdist.org/ptxdist/20210804142330.32739-5-rhi@pengutronix.de
> ---
>  doc/daily_work.inc                        |  1 +
>  doc/dev_code_signing.rst                  | 77 +++++++++++++++++++++++
>  platforms/code-signing.in                 | 10 +++
>  rules/pre/030-code-signing-consumers.make |  6 ++
>  scripts/lib/ptxd_lib_code_signing.sh      | 56 ++++++++++++++++-
>  5 files changed, 149 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/daily_work.inc b/doc/daily_work.inc
> index 37bb9bc48180..a5b32dc5461c 100644
> --- a/doc/daily_work.inc
> +++ b/doc/daily_work.inc
> @@ -180,6 +180,7 @@ options during the `kernel.compile` and `kernel.install` stages:
>    PTXdist supplies the URI from the ``kernel-modules`` role of the configured
>    code signing provider.
>    (The code signing provider should use :ref:`cs_set_uri` to set the URI.)
> +  The value of this kconfig option from your kernel config file is overridden.
>  
>  However, additional settings must also be enabled in the kernel config:
>  
> diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
> index 413f694980eb..b0b8c9b4a3b8 100644
> --- a/doc/dev_code_signing.rst
> +++ b/doc/dev_code_signing.rst
> @@ -172,3 +172,80 @@ also via an environment variable.
>    (``=``, not ``:=``).
>    Otherwise the variable is expanded before a code signing provider can perform
>    its setup.
> +
> +Key Whitelisting
> +~~~~~~~~~~~~~~~~
> +
> +In some use cases, it may be feasible to do additional checks to make sure that
> +a package uses the correct key material.
> +For example, suppose you have a "release" code signing provider which you use
> +to sign bootloaders for production,
> +and a "development" code signing provider which you use to sign bootloaders
> +with an extended feature set, e.g. to allow booting arbitrary kernels and
> +userlands for debugging purposes.
> +Your production boards are locked down in hardware so the ROM code only
> +executes bootloaders signed with the "release" key.
> +Now you don't want any bootloader with debugging features to be signed with a
> +release key, otherwise someone could boot them on a locked-down production
> +device, and use the additional debugging features to get extended access to the
> +production device.
> +In this case, key whitelisting can help to prevent signing bootloader packages
> +with the wrong key.
> +
> +If the ``CODE_SIGNING_REQUIRE_WHITELIST`` kconfig symbol is enabled,
> +the consumer functions :ref:`ptx/cs-get-ca` and :ref:`ptx/cs-get-uri`
> +look up the triplet of package name, role name, and the pubkey's SHA256
> +fingerprint in ``configs/platform-<name>/code-signing-whitelist``.
> +If a key or a CA is not whitelisted for the package in which it is to be used,
> +the functions will exit with an error message on the terminal::
> +
> +   $ ptxdist -v print KERNEL_MAKE_OPT
> +   ptxdist: error: SPKI whitelist record 'kernel kernel-modules
> +   69C9BBB8BB4DFAE74AB21D06DFB5F2C67066373AE545453276847340822CDF04' not found in
> +   distrokit/configs/platform-v7a/code-signing-whitelist
> +
> +   …/ptxdist/rules/kernel.make:196: *** cs-get-uri: whitelist check failed, see errors above.  Stop.
> +
> +If ``CODE_SIGNING_REQUIRE_WHITELIST`` is disabled (the default),
> +all keys and CAs are provided to all packages without further checks.
> +
> +The format of the code signing whitelist consists of one triplet per line, in
> +which the elements of the triplet are separated by whitespace.
> +If a CA is to be checked, the role name is prefixed with a literal ``ca:``,
> +and the fingerprint refers to the public key of the certificate.
> +All other unmatched lines in the file are ignored, but we suggest to use ``#``
> +to start a line comment so as not to add a whitelist record accidentally.
> +
> +For example, here is a whitelist for use with the *devel* code provider which
> +allows all provided keys to be used by their respective consumers::
> +
> +   # format: package-name role-name sha256-pubkey-fingerprint
> +   kernel      kernel-modules   69C9BBB8BB4DFAE74AB21D06DFB5F2C67066373AE545453276847340822CDF04
> +   image-rauc  update           0034F8FE5ADC3B0DFE642407275D144DE2398C68CC9A86DD6703D7151116B44E
> +   image-rauc  ca:update        0034F8FE5ADC3B0DFE642407275D144DE2398C68CC9A86DD6703D7151116B44E
> +   rauc        ca:update        0034F8FE5ADC3B0DFE642407275D144DE2398C68CC9A86DD6703D7151116B44E
> +
> +.. note:: The match is case-sensitive, and the fingerprints are expected
> +   in uppercase.
> +
> +   If a CA consists of more than one certificate, all of their fingerprints
> +   must be whitelisted.
> +
> +You can determine the key fingerprints by copying it from the error message,
> +or with the `spki-hash`__ tool from the ``host-extract-cert`` package,
> +or with openssl::
> +
> +   $ openssl pkey -in keyfile.pem -pubout -outform der \
> +     | openssl sha256 \
> +     | tr 'a-z' 'A-Z'
> +   (STDIN)= 69C9BBB8BB4DFAE74AB21D06DFB5F2C67066373AE545453276847340822CDF04
> +
> +or, in the case of certificates::
> +
> +   $ openssl x509 -noout -in cert.pem -pubkey \
> +     | openssl pkey -pubin -inform pem -pubout -outform der \
> +     | openssl sha256 \
> +     | tr 'a-z' 'A-Z'
> +   (STDIN)= 0034F8FE5ADC3B0DFE642407275D144DE2398C68CC9A86DD6703D7151116B44E
> +
> +__ https://git.pengutronix.de/cgit/extract-cert/tree/spki-hash.c
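Review bot: the kconfig symbol is misnamed in this documentation: the text refers to ``CODE_SIGNING_REQUIRE_WHITELIST`` (twice), while the option added in platforms/code-signing.in is CODE_SIGNING_REQUIRE_WHITELISTED_KEYS and cs_check_whitelisted tests PTXCONF_CODE_SIGNING_REQUIRE_WHITELISTED_KEYS, so a reader who enables the documented name gets no check at all. Two smaller points: the sample output ``cs-get-uri: whitelist check failed, see errors above`` does not match the string in 030-code-signing-consumers.make (``whitelist check failed – see errors above``), and "You can determine the key fingerprints by copying it from the error message" should read "copying them". The format description should also say that a record must start in column 0 and carry no trailing whitespace, since the lookup uses ``grep --line-regexp`` with a pattern that begins at the package name.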
> diff --git a/platforms/code-signing.in b/platforms/code-signing.in
> index 81f9ef6f3c9e..7fa46e644df7 100644
> --- a/platforms/code-signing.in
> +++ b/platforms/code-signing.in
> @@ -20,4 +20,14 @@ source "generated/code_signing_provider.in"
>  
>  endchoice
>  
> +config CODE_SIGNING_REQUIRE_WHITELISTED_KEYS
> +	bool
> +	prompt "require whitelisted keys"
> +	help
> +	  Every time a key from the code provider is used, check if the consumer
> +	  is allowed to use it.
> +
> +	  Code signing consumers can depend on this option if they want to force
> +	  the key whitelist check.

I think where the whitelist is expected should be mentioned here as well.

Michael

> +
>  endif
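Review bot: besides naming the expected location (configs/platform-<name>/code-signing-whitelist, as in the new documentation), the help text should say that with this option enabled a missing whitelist file is a hard failure: cs_check_whitelisted calls ptxd_bailout when ptxd_in_path cannot find the file, so every consumer lookup aborts until the file exists instead of falling back to the unchecked behaviour. Saying so here saves users who turn it on in a fresh BSP a confusing build break.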
> diff --git a/rules/pre/030-code-signing-consumers.make b/rules/pre/030-code-signing-consumers.make
> index e2c6c868e0ee..24bfa1c9c815 100644
> --- a/rules/pre/030-code-signing-consumers.make
> +++ b/rules/pre/030-code-signing-consumers.make
> @@ -21,6 +21,9 @@ $(strip
>  		$(call ptx/cs-consumer-env, $(1))
>  			cs_get_uri '$(strip $(2))'
>  	)
> +	$(if $(filter-out 0,$(.SHELLSTATUS)),
> +		$(error cs-get-uri: whitelist check failed – see errors above)
> +	)
>  )
>  endef
>  
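Review bot: the error text contains a non-ASCII en dash (`–`), which is also why the documented output in dev_code_signing.rst (``whitelist check failed, see errors above``) disagrees with the actual message; use plain ASCII here and keep the two in sync. Note also that `.SHELLSTATUS` is only set by GNU make 4.2 and later: on an older make it expands to empty, `$(filter-out 0,)` is empty, and the `$(error)` never fires, so the check passes silently. If PTXdist does not already require make 4.2, the commit message should state the new minimum.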
> @@ -33,5 +36,8 @@ $(strip
>  		$(call ptx/cs-consumer-env, $(1))
>  			cs_get_ca '$(strip $(2))'
>  	)
> +	$(if $(filter-out 0,$(.SHELLSTATUS)),
> +		$(error cs-get-ca: whitelist check failed – see errors above)
> +	)
>  )
>  endef
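Review bot: this status check is a character-for-character copy of the one in ptx/cs-get-uri apart from the function name; factoring it into one shared `define` that takes the name as a parameter keeps the two messages from drifting apart and gives the documentation a single string to quote.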
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index 8f35c276855f..fe819bcb07ae 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -1,6 +1,7 @@
>  #!/bin/bash
>  #
>  # Copyright (C) 2019 Sascha Hauer <s.hauer@pengutronix.de>
> +# Copyright (C) 2020 Jan Luebbe <j.luebbe@pengutronix.de>
>  # Copyright (C) 2021 Roland Hieber, Pengutronix <rhi@pengutronix.de>
>  #
>  # For further information about the PTXdist project and license conditions
> @@ -145,6 +146,47 @@ cs_group_get_roles() {
>  }
>  export -f cs_group_get_roles
>  
> +#
> +# cs_check_whitelisted <role> <uri/pem or fingerprint prefixed with "sha256:">
> +#
> +# Checks if the SPKI (Subject Public Key Info) Hash is in the whitelist
> +#
> +cs_check_whitelisted() {
> +    local role="${1:-ERROR_ROLE_IS_EMPTY}"
> +    local src="${2}"
> +    cs_init_variables
> +
> +    if [ "${src}" = "ERROR_URI_NOT_YET_SET" ]; then
> +	# skip check until the code signing provider has been set up
> +	return;
> +    fi
> +
> +    if [ "$(ptxd_get_ptxconf PTXCONF_CODE_SIGNING_REQUIRE_WHITELISTED_KEYS)" != "y" ]; then
> +	return
> +    fi
> +
> +    if ! ptxd_in_path PTXDIST_PATH_PLATFORMCONFIGDIR "code-signing-whitelist"; then
> +	echo ERROR_KEY_NOT_WHITELISTED
> +	ptxd_bailout "${pkg_name}: SPKI hash whitelist check for role '${role}' (${src}) is required, but configs/<platform>/code-signing-whitelist is missing."
> +    fi
> +    local whitelist_path="${ptxd_reply}"
> +
> +    local hash
> +    if [ "${src#sha256:}" != "${src}" ]; then
> +	hash="${src#sha256:}"
> +    else
> +	hash=$(ptxd_exec_silent_stderr spki-hash "${src}")
> +    fi
> +    hash=${hash:-ERROR_HASH_IS_EMPTY}
> +    local needle="${pkg_name}\s\+${role}\s\+${hash}"
> +
> +    if ! grep -q --line-regexp "${needle}" "${whitelist_path}"; then
> +	echo ERROR_KEY_NOT_WHITELISTED
> +	ptxd_bailout "SPKI whitelist record '${pkg_name} ${role} ${hash}' not found in $(ptxd_print_path "${whitelist_path}")"
> +    fi
> +}
> +export -f cs_check_whitelisted
> +
>  #
>  # cs_set_uri <role> <uri>
>  #
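Review bot: `needle` is interpolated into a basic regular expression unescaped, so a `.` or other metacharacter in `pkg_name` or `role` is matched as a pattern rather than literally, and `--line-regexp` anchors the record at column 0 with no trailing whitespace allowed; either escape the three fields before building the needle or document the exact line shape the match requires. The function comment should also say that the comparison is case-sensitive: the whitelist documentation prescribes uppercase fingerprints, so if spki-hash emits lowercase, normalize `hash` with `tr 'a-z' 'A-Z'` here, as the documented openssl recipe does, before it is compared.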
> @@ -191,7 +233,12 @@ cs_get_uri() {
>  		'Use $(call ptx/cs-get-uri, <PKG>, <role>) instead.'
>      fi
>  
> -    cs_get_uri_impl "$@"
> +    local role="${1}"
> +    local uri=$(cs_get_uri_impl "${role}")
> +
> +    if cs_check_whitelisted "${role}" "${uri}"; then
> +	echo "${uri}"
> +    fi
>  }
>  export -f cs_get_uri
>  
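Review bot: `local uri=$(cs_get_uri_impl "${role}")` discards the exit status of cs_get_uri_impl, because the status of the `local` builtin wins, so an error in the implementation is only noticed if its stdout happens to be a sentinel. Declare and assign separately: `local uri` followed by `uri=$(cs_get_uri_impl "${role}") || return`. In the same vein, if cs_check_whitelisted returns non-zero without exiting, this `if` swallows that status and the function returns 0 with empty output; use `cs_check_whitelisted "${role}" "${uri}" && echo "${uri}"` or add an explicit `return 1` in an else branch so the failure reaches `.SHELLSTATUS` in the consumer macro.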
> @@ -318,6 +365,9 @@ cs_get_ca() {
>      fi
>  
>      if [ -e "${ca}" ]; then
> +	while read fp; do
> +	    cs_check_whitelisted "ca:${role}" "sha256:${fp}"
> +	done < "${keydir}/${role}/ca.fingerprints"
>  	echo "${ca}"
>      fi
>  }
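Review bot: the CA whitelist check is skipped silently when `${keydir}/${role}/ca.fingerprints` does not exist: the failed input redirection only prints a bash error, the loop body never runs, and `echo "${ca}"` still hands out the CA. Because ca.pem and ca.fingerprints are written by separate statements, a CA appended through a path that does not write the fingerprints file passes unchecked. Bail out before the loop if the file is missing or empty (an empty file means zero checks for a CA that `-e "${ca}"` says is present), and use `read -r` so backslashes in the file are not interpreted.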
> @@ -333,6 +383,10 @@ cs_append_ca_from_pem() {
>      local pem="${2}"
>      cs_init_variables
>  
> +    openssl x509 -in "${pem}" -inform pem -noout -pubkey | \
> +	spki-hash /dev/stdin >> "${keydir}/${role}/ca.fingerprints"
> +    check_pipe_status || ptxd_bailout "Extracting SPKI hash from CA '${pem}' failed"
> +
>      cat "${pem}" >> "${keydir}/${role}/ca.pem"
>      # add new line in case ${pem} does not end with an EOL
>      echo >> "${keydir}/${role}/ca.pem"
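Review bot: the changelog lists early error handling for openssl | spki-hash in `cs_append_ca_*`, and the diffstat counts more changed lines for this file than the quoted hunks show, but the only append path visible here is cs_append_ca_from_pem; cs_append_ca_from_uri must also write `${keydir}/${role}/ca.fingerprints`, since cs_get_ca now reads that file for every CA. Also, the fingerprint is appended before the certificate, so if the following `cat` fails the two files go out of step and a fingerprint is whitelisted for a CA that was never stored; appending the fingerprint only after the PEM has been written, or writing both to temporaries and moving them into place, keeps them consistent.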
> -- 
> 2.30.2

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
