From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: References: <20200608085305.30964-1-bst@pengutronix.de> <20200608085305.30964-2-bst@pengutronix.de> <20200612091825.GA27654@pengutronix.de> From: Bastian Krause Message-ID: <58b1fe2f-8aac-fdb4-ea2c-3cfe99bd622b@pengutronix.de> Date: Tue, 16 Jun 2020 15:56:48 +0200 MIME-Version: 1.0 In-Reply-To: <20200612091825.GA27654@pengutronix.de> Content-Language: en-US Subject: Re: [ptxdist] [PATCH 1/5] package templates: add code-signing-provider template List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Michael Olbrich On 6/12/20 11:18 AM, Michael Olbrich wrote: > On Mon, Jun 08, 2020 at 10:53:01AM +0200, Bastian Krause wrote: >> A ptxdist code signing provider is a package which selects the required >> host tools needed for the code signing helpers to work. A shell script >> is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM >> is used. In order to simplify its creation provide a template along with >> an example script. > > I think we should query whether a HSM or SoftHSM will be used and install > an appropriate script and set the correct dependencies. > >> Signed-off-by: Bastian Krause >> --- >> .../code-signing-provider/ptxdist-set-keys.sh | 96 +++++++++++++++++++ >> .../template-code-signing-provider-choice-in | 5 + >> .../template-code-signing-provider-in | 16 ++++ >> .../template-code-signing-provider-make | 41 ++++++++ >> scripts/lib/ptxd_lib_template.sh | 16 ++++ >> 5 files changed, 174 insertions(+) >> create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys.sh >> create mode 100644 rules/templates/template-code-signing-provider-choice-in >> create mode 100644 rules/templates/template-code-signing-provider-in >> create mode 100644 rules/templates/template-code-signing-provider-make >> >> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys.sh b/rules/templates/code-signing-provider/ptxdist-set-keys.sh >> new file mode 100755 >> index 000000000..040a61534 >> --- /dev/null >> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys.sh >> @@ -0,0 +1,96 @@ >> +#!/bin/bash >> + >> +set -e >> + >> +set_fit_keys() { >> + local r="image-kernel-fit" >> + cs_define_role "${r}" >> + >> + # HSM use case >> + cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit" >> +} >> + >> +import_fit_keys() { >> + local fit_cert_dir=fit >> + local r="image-kernel-fit" >> + cs_define_role "${r}" >> + >> + cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt" >> + cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key" >> + cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key" >> +} >> + >> +set_rauc_keys() { >> + local r="update" >> + cs_define_role "${r}" >> + cs_set_uri "${r}" "pkcs11:token=foo;object=rauc" >> + cs_append_ca_from_uri "${r}" >> +} >> + >> +import_rauc_keys() { >> + local rauc_cert_dir=rauc >> + local r="update" >> + cs_define_role "${r}" >> + >> + # SoftHSM use case >> + cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem" >> + cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem" >> + cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem" >> + >> + cs_append_ca_from_uri "${r}" >> +} >> + >> +set_imx_habv4_keys() { >> + # HSM use case, assuming it contains only 1st CSF/IMG key >> + for i in 1 2 3 4; do >> + r="imx-habv4-srk${i}" >> + cs_define_role "${r}" >> + cs_set_uri "${r}" "pkcs11:token=foo;object=srk-release${i}" >> + cs_append_ca_from_uri "${r}" >> + done >> + >> + r="imx-habv4-csf1" >> + cs_define_role ${r} >> + cs_set_uri "${r}" "pkcs11:token=foo;object=csf1" >> + >> + r="imx-habv4-img1" >> + cs_define_role ${r} >> + cs_set_uri "${r}" "pkcs11:token=foo;object=img1" >> +} >> + >> +import_imx_habv4_keys() { >> + local imx_habv4_key_dir="habv4" >> + local crts="${imx_habv4_key_dir}/crts" >> + local keys="${imx_habv4_key_dir}/keys" >> + local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt" >> + >> + for i in 1 2 3 4; do >> + r="imx-habv4-srk${i}" >> + cs_define_role "${r}" >> + cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der" >> + cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem" >> + cs_append_ca_from_uri "${r}" >> + >> + r="imx-habv4-csf${i}" >> + cs_define_role "${r}" >> + cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der" >> + cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem" >> + >> + r="imx-habv4-img${i}" >> + cs_define_role "${r}" >> + cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der" >> + cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem" >> + done >> +} >> + >> + >> +# HSM use case >> +#set_fit_keys >> +#set_rauc_keys >> +#set_imx_habv4_keys >> + >> +# or: SoftHSM use case >> +#cs_init_softhsm >> +#import_fit_keys >> +#import_rauc_keys >> +#import_imx_habv4_keys > > Split this into two scripts that work for the correct use-case. > And use the wizard.sh to delete one and rename the other. > >> diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in >> new file mode 100644 >> index 000000000..e2108f870 >> --- /dev/null >> +++ b/rules/templates/template-code-signing-provider-choice-in >> @@ -0,0 +1,5 @@ >> +## SECTION=code_signing_provider >> + >> +config CODE_SIGNING_PROVIDER_@PACKAGE@ >> + bool >> + prompt "@package@" >> diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in >> new file mode 100644 >> index 000000000..a0c61e6ef >> --- /dev/null >> +++ b/rules/templates/template-code-signing-provider-in >> @@ -0,0 +1,16 @@ >> +## SECTION=code_signing >> + >> +config CODE_SIGNING >> + select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@ >> + >> +config CODE_SIGNING_PROVIDER >> + default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@ >> + >> +config HOST_@PACKAGE@_CODE_SIGNING >> + bool >> + select HOST_OPENSC >> + select HOST_LIBP11 >> + select HOST_OPENSSL >> + #select HOST_SOFTHSM >> + #select HOST_OPENSC_PCSC >> + #select HOST_EXTRACT_CERT > > We can substitute multi-line values here. So just > > @DEPENDENCIES@ > > and set that to the correct full list of dependencies in the script. With "the script" you mean wizard.sh, right? Note that wizard.sh is not called if local_src/ already exist and the user answers "y" when asked if the files should be overwritten [1]. The .in file will contain @PLACEHHOLDER@s in that case. (How) should we handle that? Regards, Bastian [1] https://git.pengutronix.de/cgit/ptxdist/tree/scripts/lib/ptxd_lib_template.sh?id=560f69b173794383a9dbfb6bc5be38a81c3e3b05#n191 -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de