From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Subject: Re: [ptxdist] [PATCH v2 0/2] yubi HSM pkcs11 plugin for signing provider
Date: Wed, 31 Mar 2021 11:27:58 +0000
Message-ID: <301cec9b4825b5f6db8c69ec927bd2e0cb461477.camel@diehl.com>
In-Reply-To: <20210331072235.GB8755@pengutronix.de>
Hi,
On Wednesday, 31.03.2021, 09:22 +0200, Michael Olbrich wrote:
> On Tue, Mar 30, 2021 at 02:53:42PM +0000, Denis Osterland-Heim wrote:
> > v1 -> v2:
> > - pass variables to CODE_SIGNING_ENV in favour of noproxy patch
> > - remove function extending patches, which seams easier to maintain
> >
> > Denis Osterland-Heim (2):
> > host-libcurl: enable http(s) support
> > host-yubihsm-shell: new package
> >
> > rules/host-libcurl.make | 4 ++--
> > rules/host-yubihsm-shell.in | 13 +++++++++++++
> > rules/host-yubihsm-shell.make | 37 +++++++++++++++++++++++++++++++++++++
> > rules/pre/030-yubihsm-shell.make | 11 +++++++++++
> > 4 files changed, 63 insertions(+), 2 deletions(-)
> >
> > base-commit: c33f9942d ("glib: version bump 2.66.6 -> 2.68.0")
> >
> > From: Denis Osterland-Heim <denis.osterland@diehl.com>
> > To: ptxdist@pengutronix.de
> > Subject: [PATCH v2 1/2] host-libcurl: enable http(s) support
> > Date: Tue, 30 Mar 2021 16:48:27 +0200
> > Message-Id: <20210330144828.15293-2-denis.osterland@diehl.com>
> >
> > Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> > ---
> > rules/host-libcurl.make | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
> > index dc28de778..1a2a1fcf5 100644
> > --- a/rules/host-libcurl.make
> > +++ b/rules/host-libcurl.make
> > @@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT:= \
> > --without-librtmp \
> > \
> > --disable-ares \
> > ---disable-http \
> > +--enable-http \
> > --disable-nghttp2 \
> > --disable-cookies \
> > --disable-ftp \
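Review bot: This patch has no commit message, yet the hunk turns HTTP on for a host library that deliberately had it disabled; state the reason (2/2 adds host-yubihsm-shell, which selects HOST_LIBCURL and, per rules/pre/030-yubihsm-shell.make, needs to reach a server during signing), otherwise a later cleanup may flip --enable-http back without knowing what depends on it.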
> > @@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT:= \
> > --disable-file \
> > --disable-crypto-auth \
> > --disable-libssh2 \
> > ---without-ssl
> > +--with-ssl
>
> still missing the openssl dependency.
sorry, will be in next version
>
>
> >
> > $(STATEDIR)/host-libcurl.install:
> > @$(call targetinfo)
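Review bot: Changing --without-ssl to --with-ssl makes host-libcurl link against OpenSSL, but nothing in this patch declares that dependency; add `select HOST_OPENSSL` to rules/host-libcurl.in (the same pattern 2/2 uses in rules/host-yubihsm-shell.in) so the build order does not depend on some other package happening to select OpenSSL first. This is the missing dependency Michael points out above.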
> > --
> > 2.31.1
> >
> > From: Denis Osterland-Heim <denis.osterland@diehl.com>
> > To: ptxdist@pengutronix.de
> > Subject: [PATCH v2 2/2] host-yubihsm-shell: new package
> > Date: Tue, 30 Mar 2021 16:48:28 +0200
> > Message-Id: <20210330144828.15293-3-denis.osterland@diehl.com>
> >
> > This package provides the pkcs11 plugin for yubi HSMs,
> > which allows to create a signing provider for it.
> >
> > Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> > ---
> > rules/host-yubihsm-shell.in | 13 +++++++++++
> > rules/host-yubihsm-shell.make | 37 ++++++++++++++++++++++++++++++++
> > rules/pre/030-yubihsm-shell.make | 11 ++++++++++
> > 3 files changed, 61 insertions(+)
> > create mode 100644 rules/host-yubihsm-shell.in
> > create mode 100644 rules/host-yubihsm-shell.make
> > create mode 100644 rules/pre/030-yubihsm-shell.make
> >
> > diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> > new file mode 100644
> > index 000000000..3b17a2e98
> > --- /dev/null
> > +++ b/rules/host-yubihsm-shell.in
> > @@ -0,0 +1,13 @@
> > +## SECTION=hosttools_noprompt
> > +
> > +config HOST_YUBIHSM_SHELL
> > +tristate
> > +default ALLYES
> > +select HOST_CMAKE
> > +select HOST_OPENSSL
> > +select HOST_LIBCURL
> > +select HOST_LIBUSB
> > +select HOST_GENGETOPT
> > +select HOST_LIBEDIT
> > +select HOST_PCSC_LITE
> > +select HOST_LIBP11
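Review bot: Selecting HOST_OPENSSL right next to HOST_LIBCURL masks the undeclared OpenSSL dependency of host-libcurl from 1/2 whenever this package is enabled, so the libcurl rule should still declare it itself. Also, with `default ALLYES` and no prompt, this package is only built when a code-signing provider selects it (or in allyesconfig); nothing in the series does that yet, so the commit message should say how a BSP is expected to pull it in and which of pcsc-lite, libedit, gengetopt and libp11 the pkcs11 module actually needs.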
> > diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> > new file mode 100644
> > index 000000000..3ebfc8c1f
> > --- /dev/null
> > +++ b/rules/host-yubihsm-shell.make
> > @@ -0,0 +1,37 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +#
> > +# For further information about the PTXdist project and license conditions
> > +# see the README file.
> > +#
> > +
> > +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> > +
> > +#
> > +# Paths and names
> > +#
> > +HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
> > +HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
> > +HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> > +HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
> > +HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> > +HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> > +HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> > +
> > +# ----------------------------------------------------------------------------
> > +# Prepare
> > +# ----------------------------------------------------------------------------
> > +
> > +#
> > +# cmake
> > +#
> > +HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
> > +HOST_YUBIHSM_SHELL_CONF_OPT:= \
> > +$(HOST_CMAKE_OPT) \
> > +-DBUILD_ONLY_LIB=OFF \
> > +-DENABLE_COVERAGE=OFF \
> > +-DSUPRESS_MSVC_WARNINGS=ON \
> > +-DWITHOUT_MANPAGES=1
> > +
> > +# vim: syntax=make
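Review bot: The commit message says the package exists for the pkcs11 module, but the cmake options build the full shell (-DBUILD_ONLY_LIB=OFF) and -DSUPRESS_MSVC_WARNINGS=ON is a Windows-compiler option with no bearing on a Linux host build; check whether BUILD_ONLY_LIB=OFF is really required to get the module and drop the MSVC option. A short comment above HOST_YUBIHSM_SHELL_CONF_OPT naming the installed module file that a provider will hand to PKCS11_MODULE_PATH would also help whoever writes the provider rule.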
> > diff --git a/rules/pre/030-yubihsm-shell.make b/rules/pre/030-yubihsm-shell.make
> > new file mode 100644
> > index 000000000..fbfc48f2d
> > --- /dev/null
> > +++ b/rules/pre/030-yubihsm-shell.make
> > @@ -0,0 +1,11 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2021 by Denis Osterland-Heim <denis.osterland@diehl.com>
> > +#
> > +# For further information about the PTXdist project and license conditions
> > +# see the README file.
> > +#
> > +
> > +ifdef PTXCONF_HOST_YUBIHSM_SHELL
> > +CODE_SIGNING_ENV += HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=
> > +endif
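Review bot: The ifdef clears the proxy variables with no comment on why, and it is keyed on the package rather than on the provider that talks to the HSM, so any BSP that merely builds host-yubihsm-shell alters the environment of every CODE_SIGNING_ENV user. Add a comment giving the reason (the provider has to reach its server outside the get stage) and consider anchoring the ifdef on the provider symbol instead of PTXCONF_HOST_YUBIHSM_SHELL.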
>
> Could you add a comment, why this is needed?
>
> Hmmm, in general, I'd prefer to ifdef based on the provider and not the
> package. But that will be some custom stuff and I don't want to require
> this kind of thing in the BSP.
>
> The proxy stuff is just a bit of a sanity check anyways. The packages that
> use CODE_SIGNING_ENV are bootloaders, images, etc. I'm not too worried
> about those. It's stuff like python packages that try to download missing
> dependencies at build-time.
>
> So this is fine, even if it's not 100 percent correct.
I know what you mean.
What do you think about adding it to the template?
I guess we should not copy this to x providers but define a macro.
I would think about:
--- a/rules/pre/010-code-signing.make
+++ b/rules/pre/010-code-signing.make
@@ -11,4 +11,7 @@ CODE_SIGNING_ENV = \
OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/ssl/openssl.cnf" \
OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/lib/engines-1.1"
+ptx/online-code-signing-poriver = CODE_SIGNING_ENV += \
+ HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=
+
# vim: syntax=make
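Review bot: The macro name `ptx/online-code-signing-poriver` is misspelled (provider), and because it expands to a whole `CODE_SIGNING_ENV += ...` assignment, a bare `$(call ...)` line relies on make re-parsing the expanded text as an assignment; the robust form is for the macro to hold only the value and be appended where used, i.e. `CODE_SIGNING_ENV += $(ptx/online-code-signing-provider)`, or to wrap the call in `$(eval ...)`.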
--- a/rules/templates/template-code-signing-provider-pre-make
+++ b/rules/templates/template-code-signing-provider-pre-make
@@ -9,6 +9,10 @@
ifdef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@
CODE_SIGNING_ENV += \
PKCS11_MODULE_PATH=@MODULE_PATH@
+
+# if your provider communicates to a server uncomment the following lines
+# to allow network requests outside of get stage
+#$(call ptx/online-code-signing-poriver)
endif
# vim: syntax=make
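Review bot: The commented-out call repeats the `poriver` typo, and since this template is copied into every new provider the misspelling would be stamped into each of them; also "communicates to a server" should read "communicates with a server", and the comment should state what the call does (drops the proxy settings so the provider can reach its server outside the get stage), not only when to uncomment it.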
Regards, Denis
>
> Regards,
> Michael
>
>
> > --
> > 2.31.1
> >
> > _______________________________________________
> > ptxdist mailing list
> > ptxdist@pengutronix.de
> > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
>
Thread overview:
2021-03-30 14:53 Denis Osterland-Heim
2021-03-31 7:22 ` Michael Olbrich
2021-03-31 11:27 ` Denis Osterland-Heim [this message]
2021-03-31 12:34 ` Michael Olbrich