From: Bastian Krause <bst@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval
Date: Fri, 15 May 2020 13:23:05 +0200
Message-ID: <9f9de2fc-c6c2-659a-d3c7-ec561eef6376@pengutronix.de>
In-Reply-To: <20200515104035.GC7220@pengutronix.de>
On 5/15/20 12:40 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote:
>> Use the keys provided by the currently active key provider via PKCS#11
>> instead of key files placed in the platform config directory. In order
>> to make sure the new mechanics are used after a BSP update the rauc.key
>> file is no longer allowed to exist in the platformconfig directory.
>>
>> Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3
>>
>> Signed-off-by: Bastian Krause <bst@pengutronix.de>
>> ---
>> platforms/image-rauc.in | 1 +
>> projectroot/etc/rauc/ca.cert.pem | 7 --
>> rules/image-rauc.make | 37 ++-------
>> rules/rauc.in | 1 +
>> rules/rauc.make | 11 ++-
>> scripts/rauc-gen-test-certs.sh | 126 -------------------------------
>> 6 files changed, 17 insertions(+), 166 deletions(-)
>> delete mode 100644 projectroot/etc/rauc/ca.cert.pem
>> delete mode 100755 scripts/rauc-gen-test-certs.sh
>>
>> diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
>> index 658ddd5cd..1f9427b40 100644
>> --- a/platforms/image-rauc.in
>> +++ b/platforms/image-rauc.in
>> @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
>> select HOST_GENIMAGE
>> select HOST_RAUC
>> select IMAGE_ROOT_TGZ
>> + select CODE_SIGNING
>> help
>> This generates a RAUC update Bundle for the selected platform using
>> genimage.
>> diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
>> deleted file mode 100644
>> index be1aa7c30..000000000
>> --- a/projectroot/etc/rauc/ca.cert.pem
>> +++ /dev/null
>> @@ -1,7 +0,0 @@
>> -# This is a dummy keyring file. Please overwrite this with one that matches
>> -# your X.509 infrastructure if you intend to use RAUC for secure updates!
>> -#
>> -# If you really do not intend to actively use the security features (or for
>> -# testing purpose) you may create a development certificate by executing the
>> -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
>> -# installation.
>> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
>> index 839cb400b..a031edfae 100644
>> --- a/rules/image-rauc.make
>> +++ b/rules/image-rauc.make
>> @@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG := rauc.config
>>
>> ifdef PTXCONF_IMAGE_RAUC
>>
>> -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
>> -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
>> -
>> -IMAGE_RAUC_ENV := \
>> +IMAGE_RAUC_ENV = \
>> RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
>> RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
>> RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>> RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
>> - RAUC_KEY=$(IMAGE_RAUC_KEY) \
>> - RAUC_CERT=$(IMAGE_RAUC_CERT)
>> + RAUC_KEY="$(shell cs_get_uri update)" \
>> + RAUC_CERT="$(shell cs_get_uri update)"
>>
>> -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
>> +$(IMAGE_RAUC_IMAGE):
>> @$(call targetinfo)
>> - @$(call image/genimage, IMAGE_RAUC)
>> + @$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC)
>
> Why don't you add $(CODE_SIGNING_ENV) to IMAGE_RAUC_ENV instead?
You're right, that's better.
Regards,
Bastian
>
>> @$(call finish)
>>
>> -$(IMAGE_RAUC_KEY):
>> - @echo
>> - @echo "****************************************************************************"
>> - @echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
>> - @echo "* *"
>> - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
>> - @echo "* from the scripts/ folder of your PTXdist installation *"
>> - @echo "****************************************************************************"
>> - @echo
>> - @echo
>> - @exit 1
>> -
>> -$(IMAGE_RAUC_CERT):
>> - @echo
>> - @echo "****************************************************************************"
>> - @echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
>> - @echo "* *"
>> - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
>> - @echo "* from the scripts/ folder of your PTXdist installation *"
>> - @echo "****************************************************************************"
>> - @echo
>> - @echo
>> - @exit 1
>> -
>> endif
>>
>> # vim: syntax=make
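Review bot: the result of `$(shell cs_get_uri update)` in the RAUC_KEY and RAUC_CERT lines is never checked, and make's `$(shell ...)` does not stop the build on a non-zero exit status. With the `$(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)` prerequisites removed, a missing or misconfigured key provider no longer fails early with a clear message; whatever the helper prints, possibly nothing, is handed to genimage as key and certificate. I would add a guard in the `$(IMAGE_RAUC_IMAGE)` recipe that bails out when the URI is empty. The switch from `:=` to `=` also makes the helper run on every expansion of IMAGE_RAUC_ENV; a short comment explaining why deferred expansion is needed would help the next reader.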
>> diff --git a/rules/rauc.in b/rules/rauc.in
>> index d712bc7b9..56fc3ae3b 100644
>> --- a/rules/rauc.in
>> +++ b/rules/rauc.in
>> @@ -7,6 +7,7 @@ menuconfig RAUC
>> select GLIB
>> select GLIB_LIBMOUNT
>> select HOST_GLIB
>> + select CODE_SIGNING
>> select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR
>> select BUSYBOX_FEATURE_TAR_AUTODETECT if BUSYBOX_TAR
>> select BUSYBOX_FEATURE_SEAMLESS_XZ if BUSYBOX_TAR
>> diff --git a/rules/rauc.make b/rules/rauc.make
>> index ade9bd5dd..f9a10fbbc 100644
>> --- a/rules/rauc.make
>> +++ b/rules/rauc.make
>> @@ -46,6 +46,14 @@ RAUC_CONF_OPT := \
>> --with-dbuspolicydir=/usr/share/dbus-1/system.d \
>> --with-dbussystemservicedir=/usr/share/dbus-1/system-services
>>
>> +$(STATEDIR)/rauc.prepare:
>> + @$(call targetinfo)
>> + @test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
>> + ptxd_bailout "Please use the key provider infrastructure desribed in:" \
>> + "scripts/lib/ptxd_lib_code_signing.sh"
>> + @$(call world/prepare, RAUC)
>> + @$(call touch)
>> +
>> # ----------------------------------------------------------------------------
>> # Target-Install
>> # ----------------------------------------------------------------------------
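Review bot: the `test ! -e` check in `rauc.prepare` looks for `config/rauc/rauc.key`, but the path removed from rules/image-rauc.make in this same patch is `config/rauc/rauc.key.pem`, so a BSP that still carries the old private key file passes this check unnoticed. Check the `.pem` name (and probably `config/rauc/rauc.cert.pem` as well) so the stale key material is actually detected, and fix the typo "desribed" in the bailout message.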
>> @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
>> @$(call install_replace, rauc, /etc/rauc/system.conf, \
>> @RAUC_BUNDLE_COMPATIBLE@, \
>> "$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
>> - @$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
>> + @$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
>> + /etc/rauc/ca.cert.pem)
>> endif
>>
>> ifdef PTXCONF_RAUC_SERVICE
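Review bot: replacing `install_alternative` with `install_copy` for `/etc/rauc/ca.cert.pem` drops the projectroot lookup, so a BSP that ships its own `projectroot/etc/rauc/ca.cert.pem` will have that keyring silently ignored in favour of the one from `cs_get_ca update`. Since this file is the trust anchor for bundle verification on the target, the change deserves a line in the commit message, and ideally a check like the one in `rauc.prepare` that bails out when a BSP-local keyring still exists. The output of `$(shell cs_get_ca update)` should also be checked for being non-empty before it is used as the source path.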
>> diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
>> deleted file mode 100755
>> index b4ea6a8cf..000000000
>> --- a/scripts/rauc-gen-test-certs.sh
>> +++ /dev/null
>> @@ -1,126 +0,0 @@
>> -#!/bin/bash
>> -#
>> -# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
>> -# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
>> -#
>> -# For further information about the PTXdist project and license conditions
>> -# see the README file.
>> -#
>> -# ---
>> -#
>> -# Demo script that generates certificate files required to sign and verify
>> -# RAUC update tool bundles.
>> -#
>> -
>> -set -xe
>> -
>> -ORG="Test Org"
>> -CA="rauc CA"
>> -
>> -# After the CRL expires, signatures cannot be verified anymore
>> -CRL="-crldays 5000"
>> -
>> -BASE="$(pwd)/rauc-openssl-ca"
>> -
>> -if [ -e $BASE ]; then
>> - echo "$BASE already exists"
>> - exit 1
>> -fi
>> -
>> -mkdir -p $BASE/dev/{private,certs}
>> -touch $BASE/dev/index.txt
>> -echo 01 > $BASE/dev/serial
>> -
>> -cat > $BASE/openssl.cnf <<EOF
>> -[ ca ]
>> -default_ca = CA_default # The default ca section
>> -
>> -[ CA_default ]
>> -
>> -dir = . # top dir
>> -database = \$dir/index.txt # index file.
>> -new_certs_dir = \$dir/certs # new certs dir
>> -
>> -certificate = \$dir/ca.cert.pem # The CA cert
>> -serial = \$dir/serial # serial no file
>> -private_key = \$dir/private/ca.key.pem# CA private key
>> -RANDFILE = \$dir/private/.rand # random number file
>> -
>> -default_startdate = 19700101000000Z
>> -default_enddate = 99991231235959Z
>> -default_crl_days= 30 # how long before next CRL
>> -default_md = sha256 # md to use
>> -
>> -policy = policy_any # default policy
>> -email_in_dn = no # Don't add the email into cert DN
>> -
>> -name_opt = ca_default # Subject name display option
>> -cert_opt = ca_default # Certificate display option
>> -copy_extensions = none # Don't copy extensions from request
>> -
>> -[ policy_any ]
>> -organizationName = match
>> -commonName = supplied
>> -
>> -[ req ]
>> -default_bits = 2048
>> -distinguished_name = req_distinguished_name
>> -x509_extensions = v3_leaf
>> -encrypt_key = no
>> -default_md = sha256
>> -
>> -[ req_distinguished_name ]
>> -commonName = Common Name (eg, YOUR name)
>> -commonName_max = 64
>> -
>> -[ v3_ca ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:TRUE
>> -
>> -[ v3_inter ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:TRUE,pathlen:0
>> -
>> -[ v3_leaf ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:FALSE
>> -EOF
>> -
>> -export OPENSSL_CONF=$BASE/openssl.cnf
>> -
>> -echo "Development CA"
>> -cd $BASE/dev
>> -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
>> -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
>> -
>> -echo "Development Signing Keys 1"
>> -cd $BASE/dev
>> -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
>> -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
>> -
>> -cat << EOF
>> -===============================================================================
>> -
>> -Note that the default application should be to set up a public key
>> -infrastructure at your site and use keys and certificates genereated by these.
>> -
>> -In oder to use the just generated files in your BSP for testing purpose or if
>> -you do not intend to use real authentification, follow the instructions below.
>> -
>> -Place the key and certificate file in your platform-dir's config/ folder:
>> -
>> - cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
>> - cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
>> -
>> -Place the keyring file in your platform-dir's projectroot/ folder:
>> -
>> - cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
>> -
>> -===============================================================================
>> -EOF
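Review bot: the commit message does not mention that the development key workflow goes away with `scripts/rauc-gen-test-certs.sh`. Users who followed its instructions have `rauc.key.pem`, `rauc.cert.pem` and a `ca.cert.pem` in their platform directory; the commit message (or the bailout text in rules/rauc.make) should say which key provider replaces this for test builds and that the old files have to be removed.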
>> --
>> 2.26.2
>>
>>
>> _______________________________________________
>> ptxdist mailing list
>> ptxdist@pengutronix.de
>>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |