From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Subject: Re: [ptxdist] [APPLIED] imx-cst: version bump 3.1.0 -> 3.4.1
Date: Mon, 10 Mar 2025 09:27:07 +0100 [thread overview]
Message-ID: <20250310082707.657312-1-m.olbrich@pengutronix.de> (raw)
In-Reply-To: <20250305110033.288089-1-r.czerwinski@pengutronix.de>
Thanks, applied as 900a4e6548d9b20752cbd9d37a0bee36e5a24228.
Michael
[sent from post-receive hook]
On Mon, 10 Mar 2025 09:27:07 +0100, Rouven Czerwinski <r.czerwinski@pengutronix.de> wrote:
> The CST archive from NXP now ships with a proper Makefile, all we need
> to do is supply the correct host openssl library. Additionally, pkcs11
> is now supported, but has to be enabled via "-b pkcs11".
>
> In barebox recipes that means the compile environment needs to
> contain CST_EXTRA_CMDLINE_OPTIONS="-b pkcs11", to use the native pkcs11
> backend.
>
> Additionally the frontend library no longer exists.
>
> Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
> Message-Id: <20250305110033.288089-1-r.czerwinski@pengutronix.de>
> [mol: remove obsolte patch]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/patches/cst-3.1.0/0001-cst-Add-pkcs11-support.patch b/patches/cst-3.1.0/0001-cst-Add-pkcs11-support.patch
> deleted file mode 100644
> index 1c4cf697add7..000000000000
> --- a/patches/cst-3.1.0/0001-cst-Add-pkcs11-support.patch
> +++ /dev/null
> @@ -1,162 +0,0 @@
> -From d41ca6a9afdf25c19c0a7f1d9e8ad089b2eeb46b Mon Sep 17 00:00:00 2001
> -From: Sascha Hauer <s.hauer@pengutronix.de>
> -Date: Fri, 27 Sep 2019 10:04:18 +0200
> -Subject: [PATCH] cst: Add pkcs11 support
> -
> -This adds native pkcs11 support to cst. The pkcs11 uri must be passed in
> -in environment variables. The csf file will have __ENV__foo where a
> -filename is expected and then the pkcs11 uri is read from the
> -environment variable "foo". This is necessary as the binary portion
> -of the cst tool will mangle all characters that remotely look like
> -special characters, like ':' and ';'.
> -The key pass file is read from the environment variable CST_SIGN_PIN
> -if exists.
> -
> -Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ----
> - code/back_end/src/openssl_helper.c | 85 ++++++++++++++++++++++++++++++
> - code/back_end/src/pkey.c | 4 ++
> - 2 files changed, 89 insertions(+)
> -
> -diff --git a/code/back_end/src/openssl_helper.c b/code/back_end/src/openssl_helper.c
> -index 3a54ac7..2b20a5e 100644
> ---- a/code/back_end/src/openssl_helper.c
> -+++ b/code/back_end/src/openssl_helper.c
> -@@ -35,6 +35,7 @@ without specific written permission from NXP.
> - #include <openssl/x509v3.h>
> - #include <openssl/pem.h>
> - #include <openssl/err.h>
> -+#include <openssl/engine.h>
> - #include "openssl_helper.h"
> - #include "version.h"
> - #include <openssl/rand.h>
> -@@ -408,6 +409,48 @@ write_cert_file(const char *filename, const BIO *data)
> - return CST_SUCCESS;
> - }
> -
> -+static X509*
> -+read_certificate_pkcs11(const char *uri)
> -+{
> -+ char *key_pass;
> -+ ENGINE *e;
> -+ struct {
> -+ const char *url;
> -+ X509 *cert;
> -+ } parms = {
> -+ .url = uri,
> -+ };
> -+ int err;
> -+
> -+ ENGINE_load_builtin_engines();
> -+ e = ENGINE_by_id("pkcs11");
> -+ if (!e)
> -+ {
> -+ fprintf(stderr, "Cannot Load PKCS#11 ENGINE\n");
> -+ return NULL;
> -+ }
> -+
> -+ if (!ENGINE_init(e))
> -+ {
> -+ fprintf(stderr, "Cannot ENGINE_init\n");
> -+ return NULL;
> -+ }
> -+
> -+ key_pass = getenv("CST_SIGN_PIN");
> -+ if (key_pass)
> -+ if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0))
> -+ {
> -+ fprintf(stderr, "Cannot Set PKCS#11 PIN\n");
> -+ return NULL;
> -+ }
> -+
> -+ err = ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 0);
> -+ if (!err || !parms.cert)
> -+ fprintf(stderr, "Cannot Load certificate\n");
> -+
> -+ return parms.cert;
> -+}
> -+
> - /*--------------------------
> - read_certificate
> - ---------------------------*/
> -@@ -427,6 +470,13 @@ read_certificate(const char* filename)
> - return NULL;
> - }
> -
> -+ if (!strncmp(filename, "__ENV__", 7))
> -+ filename = getenv(filename + 7);
> -+
> -+ if (!strncmp(filename, "pkcs11:", 7))
> -+ {
> -+ return read_certificate_pkcs11(filename);
> -+ } else
> - /* PEM encoded */
> - if (!strncasecmp(temp, PEM_FILE_EXTENSION, PEM_FILE_EXTENSION_BYTES))
> - {
> -@@ -482,6 +532,36 @@ int32_t get_der_encoded_certificate_data(const char* filename,
> - return ret_val;
> - }
> -
> -+static EVP_PKEY *read_private_key_pkcs11(const char *uri)
> -+{
> -+ char *key_pass;
> -+ ENGINE *e;
> -+
> -+ ENGINE_load_builtin_engines();
> -+ e = ENGINE_by_id("pkcs11");
> -+ if (!e)
> -+ {
> -+ fprintf(stderr, "Cannot Load PKCS#11 ENGINE\n");
> -+ return NULL;
> -+ }
> -+
> -+ if (!ENGINE_init(e))
> -+ {
> -+ fprintf(stderr, "Cannot ENGINE_init\n");
> -+ return NULL;
> -+ }
> -+
> -+ key_pass = getenv("CST_SIGN_PIN");
> -+ if (key_pass)
> -+ if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0))
> -+ {
> -+ fprintf(stderr, "Cannot Set PKCS#11 PIN\n");
> -+ return NULL;
> -+ }
> -+
> -+ return ENGINE_load_private_key(e, uri, NULL, NULL);
> -+}
> -+
> - /*--------------------------
> - read_private_key
> - ---------------------------*/
> -@@ -495,6 +575,11 @@ read_private_key(const char *filename, pem_password_cb *password_cb,
> - const char *temp = filename + strlen(filename) -
> - PEM_FILE_EXTENSION_BYTES;
> -
> -+ if (!strncmp(filename, "__ENV__", 7))
> -+ filename = getenv(filename + 7);
> -+ if (!strncmp(filename, "pkcs11:", 7))
> -+ return read_private_key_pkcs11(filename);
> -+
> - /* Read Private key */
> - private_key = BIO_new(BIO_s_file( ));
> - if (!private_key)
> -diff --git a/code/back_end/src/pkey.c b/code/back_end/src/pkey.c
> -index 9ee5049..033954b 100644
> ---- a/code/back_end/src/pkey.c
> -+++ b/code/back_end/src/pkey.c
> -@@ -144,6 +144,10 @@ int32_t get_key_file(const char* cert_file, char* key_file)
> - to filename length */
> -
> - strcpy(key_file, cert_file);
> -+
> -+ if (!strncmp(cert_file, "__ENV__", 7))
> -+ return CAL_SUCCESS;
> -+
> - key_file[i] = 0;
> -
> - key_file[i-5] = 'y';
> ---
> -2.23.0
> -
> diff --git a/patches/cst-3.1.0/series b/patches/cst-3.1.0/series
> deleted file mode 100644
> index 78398c0d722c..000000000000
> --- a/patches/cst-3.1.0/series
> +++ /dev/null
> @@ -1 +0,0 @@
> -0001-cst-Add-pkcs11-support.patch
> diff --git a/rules/host-imx-cst.make b/rules/host-imx-cst.make
> index 42d6f667b821..3850f7200628 100644
> --- a/rules/host-imx-cst.make
> +++ b/rules/host-imx-cst.make
> @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_IMX_CST) += host-imx-cst
> #
> # Paths and names
> #
> -HOST_IMX_CST_VERSION := 3.1.0
> -HOST_IMX_CST_MD5 := 89a2d6c05253c4de9a1bf9d5710bb7ae
> +HOST_IMX_CST_VERSION := 3.4.1
> +HOST_IMX_CST_MD5 := b23ed5983734d4812fcf1da33eac8f31
> HOST_IMX_CST := cst-$(HOST_IMX_CST_VERSION)
> HOST_IMX_CST_SUFFIX := tgz
> HOST_IMX_CST_SOURCE := $(SRCDIR)/$(HOST_IMX_CST).$(HOST_IMX_CST_SUFFIX)
> @@ -56,13 +56,9 @@ HOST_IMX_CST_CONF := NO
> HOST_IMX_CST_ARCH := \
> linux$(call ptx/ifeq, GNU_BUILD, x86_64-%, 64, 32)
>
> -$(STATEDIR)/host-imx-cst.compile:
> - @$(call targetinfo)
> - cd $(HOST_IMX_CST_DIR)/code/back_end/src && \
> - $(HOSTCC) \
> - -Wall -O2 -g3 -o ../../../$(HOST_IMX_CST_ARCH)/bin/cst \
> - -I ../hdr -L ../../../$(HOST_IMX_CST_ARCH)/lib *.c -lfrontend -lcrypto
> - @$(call touch)
> +HOST_IMX_CST_MAKE_ENV := \
> + $(HOST_ENV) \
> + OPENSSL_PATH="$(PTXDIST_SYSROOT_HOST)/usr/lib/"
>
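Review bot: The replacement `HOST_IMX_CST_MAKE_ENV` only exports `OPENSSL_PATH`, so the rule itself carries no trace of the behaviour change that the dropped `0001-cst-Add-pkcs11-support.patch` implies: that patch selected the pkcs11 path automatically whenever a CSF filename started with `pkcs11:` or `__ENV__` and took the token PIN from `CST_SIGN_PIN`, whereas the 3.4.1 tarball, per the description, only uses its native backend when the caller passes `-b pkcs11`. Users with existing CSF files built around those conventions will presumably see signing fail with a file-not-found style error rather than a hint that the invocation changed, and the PIN handling of the native backend is not visible from this diff, so I would not assume `CST_SIGN_PIN` is still honoured. A short comment above the `HOST_IMX_CST_MAKE_ENV` assignment would save the next person the archaeology, e.g. `# 3.4.1 builds the pkcs11 backend natively; it is only used when the caller passes "-b pkcs11"`, `# (CST_EXTRA_CMDLINE_OPTIONS in barebox recipes). The __ENV__ placeholder and CST_SIGN_PIN`, `# conventions of the former 3.1.0 patch are no longer available.`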
> # ----------------------------------------------------------------------------
> # Install
> @@ -71,19 +67,13 @@ $(STATEDIR)/host-imx-cst.compile:
> HOST_IMX_CST_PROGS := \
> cst \
> srktool \
> - x5092wtls
> -
> -HOST_IMX_CST_LIBS := \
> - libfrontend.a
> + mac_dump
>
> $(STATEDIR)/host-imx-cst.install:
> @$(call targetinfo)
> @$(foreach prog, $(HOST_IMX_CST_PROGS), \
> - install -v -m0755 -D $(HOST_IMX_CST_DIR)/$(HOST_IMX_CST_ARCH)/bin/$(prog) \
> + install -v -m0755 -D $(HOST_IMX_CST_DIR)/build/$(HOST_IMX_CST_ARCH)/bin/$(prog) \
> $(HOST_IMX_CST_PKGDIR)/usr/bin/$(prog)$(ptx/nl))
> - @$(foreach lib, $(HOST_IMX_CST_LIBS), \
> - install -v -m0644 -D $(HOST_IMX_CST_DIR)/$(HOST_IMX_CST_ARCH)/lib/$(lib) \
> - $(HOST_IMX_CST_PKGDIR)/usr/lib/imx-cst/$(lib)$(ptx/nl))
> @$(call touch)
>
> # vim: syntax=make