From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from pty.hi.pengutronix.de ([2001:67c:670:100:1d::c5] helo=[IPv6:::1]) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1jZYQj-0006GB-Cd for ptxdist@pengutronix.de; Fri, 15 May 2020 13:23:05 +0200 References: <20200514134300.16105-1-bst@pengutronix.de> <20200514134300.16105-10-bst@pengutronix.de> <20200515104035.GC7220@pengutronix.de> From: Bastian Krause Message-ID: <9f9de2fc-c6c2-659a-d3c7-ec561eef6376@pengutronix.de> Date: Fri, 15 May 2020 13:23:05 +0200 MIME-Version: 1.0 In-Reply-To: <20200515104035.GC7220@pengutronix.de> Content-Language: en-US Subject: Re: [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de On 5/15/20 12:40 PM, Michael Olbrich wrote: > On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote: >> Use the keys provided by the currently active key provider via PKCS#11 >> instead of key files placed in the platform config directory. In order >> to make sure the new mechanics are used after a BSP update the rauc.key >> file is no longer allowed to exist in the platformconfig directory. >> >> Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3 >> >> Signed-off-by: Bastian Krause >> --- >> platforms/image-rauc.in | 1 + >> projectroot/etc/rauc/ca.cert.pem | 7 -- >> rules/image-rauc.make | 37 ++------- >> rules/rauc.in | 1 + >> rules/rauc.make | 11 ++- >> scripts/rauc-gen-test-certs.sh | 126 ------------------------------- >> 6 files changed, 17 insertions(+), 166 deletions(-) >> delete mode 100644 projectroot/etc/rauc/ca.cert.pem >> delete mode 100755 scripts/rauc-gen-test-certs.sh 
>>
>> diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
>> index 658ddd5cd..1f9427b40 100644
>> --- a/platforms/image-rauc.in
>> +++ b/platforms/image-rauc.in
>> @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
>> select HOST_GENIMAGE
>> select HOST_RAUC
>> select IMAGE_ROOT_TGZ
>> + select CODE_SIGNING
>> help
>> This generates a RAUC update Bundle for the selected platform using
>> genimage.
>> diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
>> deleted file mode 100644
>> index be1aa7c30..000000000
>> --- a/projectroot/etc/rauc/ca.cert.pem
>> +++ /dev/null
>> @@ -1,7 +0,0 @@
>> -# This is a dummy keyring file. Please overwrite this with one that matches
>> -# your X.509 infrastructure if you intend to use RAUC for secure updates!
>> -#
>> -# If you really do not intend to actively use the security features (or for
>> -# testing purpose) you may create a development certificate by executing the
>> -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
>> -# installation.
>> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
>> index 839cb400b..a031edfae 100644
>> --- a/rules/image-rauc.make
>> +++ b/rules/image-rauc.make
>> @@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG := rauc.config
>>
>> ifdef PTXCONF_IMAGE_RAUC
>>
>> -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
>> -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
>> -
>> -IMAGE_RAUC_ENV := \
>> +IMAGE_RAUC_ENV = \
>> RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
>> RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
>> RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>> RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
>> - RAUC_KEY=$(IMAGE_RAUC_KEY) \
>> - RAUC_CERT=$(IMAGE_RAUC_CERT)
>> + RAUC_KEY="$(shell cs_get_uri update)" \
>> + RAUC_CERT="$(shell cs_get_uri update)"
>>
>> -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
>> +$(IMAGE_RAUC_IMAGE):
>> @$(call targetinfo)
>> - @$(call image/genimage, IMAGE_RAUC)
>> + @$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC)
>
> Why don't you add $(CODE_SIGNING_ENV) to IMAGE_RAUC_ENV instead?
You're right, that's better.
Regards,
Bastian
>
>> @$(call finish)
>>
>> -$(IMAGE_RAUC_KEY):
>> - @echo
>> - @echo "****************************************************************************"
>> - @echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
>> - @echo "* *"
>> - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
>> - @echo "* from the scripts/ folder of your PTXdist installation *"
>> - @echo "****************************************************************************"
>> - @echo
>> - @echo
>> - @exit 1
>> -
>> -$(IMAGE_RAUC_CERT):
>> - @echo
>> - @echo "****************************************************************************"
>> - @echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem.
***"
>> - @echo "* *"
>> - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
>> - @echo "* from the scripts/ folder of your PTXdist installation *"
>> - @echo "****************************************************************************"
>> - @echo
>> - @echo
>> - @exit 1
>> -
>> endif
>>
>> # vim: syntax=make
>> diff --git a/rules/rauc.in b/rules/rauc.in
>> index d712bc7b9..56fc3ae3b 100644
>> --- a/rules/rauc.in
>> +++ b/rules/rauc.in
>> @@ -7,6 +7,7 @@ menuconfig RAUC
>> select GLIB
>> select GLIB_LIBMOUNT
>> select HOST_GLIB
>> + select CODE_SIGNING
>> select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR
>> select BUSYBOX_FEATURE_TAR_AUTODETECT if BUSYBOX_TAR
>> select BUSYBOX_FEATURE_SEAMLESS_XZ if BUSYBOX_TAR
>> diff --git a/rules/rauc.make b/rules/rauc.make
>> index ade9bd5dd..f9a10fbbc 100644
>> --- a/rules/rauc.make
>> +++ b/rules/rauc.make
>> @@ -46,6 +46,14 @@ RAUC_CONF_OPT := \
>> --with-dbuspolicydir=/usr/share/dbus-1/system.d \
>> --with-dbussystemservicedir=/usr/share/dbus-1/system-services
>>
>> +$(STATEDIR)/rauc.prepare:
>> + @$(call targetinfo)
>> + @test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
>> + ptxd_bailout "Please use the key provider infrastructure desribed in:" \
>> + "scripts/lib/ptxd_lib_code_signing.sh"
>> + @$(call world/prepare, RAUC)
>> + @$(call touch)
>> +
>> # ----------------------------------------------------------------------------
>> # Target-Install
>> # ----------------------------------------------------------------------------
>> @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
>> @$(call install_replace, rauc, /etc/rauc/system.conf, \
>> @RAUC_BUNDLE_COMPATIBLE@, \
>> "$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
>> - @$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
>> + @$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
>> + /etc/rauc/ca.cert.pem)
>> endif
>>
>> ifdef PTXCONF_RAUC_SERVICE
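Review bot: With the `$(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)` prerequisites removed from the `$(IMAGE_RAUC_IMAGE)` rule, nothing verifies that `cs_get_uri update` resolved anything: if the active provider has no `update` role configured, `RAUC_KEY` and `RAUC_CERT` expand to empty strings and genimage is still invoked, so the old explicit "place your signing key" failure is replaced by whatever error the signing step eventually raises. A guard in the recipe, e.g. `@test -n "$(shell cs_get_uri update)" || ptxd_bailout "no 'update' signing key available from the active key provider"`, keeps the build failing early with an actionable message. Both `RAUC_KEY` and `RAUC_CERT` are set to the same URI; whether `cs_get_uri` emits a `type=` attribute or the consumer selects private key versus certificate by object class is not visible here, so confirm the URI is unambiguous for both uses. Presumably `cs_get_uri` reads provider settings from its environment, and the `$(shell …)` calls inside `IMAGE_RAUC_ENV` run without `$(CODE_SIGNING_ENV)` wherever that prefix ends up in the recipe, which is worth checking; a one-line comment on `IMAGE_RAUC_ENV = \` explaining why it must stay recursively expanded would also help the next reader.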
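Review bot: The legacy-file guard in `$(STATEDIR)/rauc.prepare` tests for `config/rauc/rauc.key`, but the file the old `image-rauc.make` consumed was `config/rauc/rauc.key.pem` (with `rauc.cert.pem` beside it), so a BSP still carrying the old key material passes the check and silently builds with whatever the key provider returns instead. Change the test to the real legacy path and cover the certificate too, e.g. `@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)" -a ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)" || \`. While touching the message, fix the typo `desribed` → `described`. Since `image-rauc.in` selects `HOST_RAUC` but not `RAUC`, this check in the target package's prepare stage appears not to run for a BSP that only builds bundles, so it may belong next to the bundle rule as well.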
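Review bot: `/etc/rauc/ca.cert.pem` is the trust anchor the device uses to verify every future bundle, and it is now copied from `$(shell cs_get_ca update)` with no check that the lookup returned a path: an empty result shifts the `install_copy` argument list instead of failing clearly, and a build run while a development or test provider is active presumably ships that provider's CA to the target unnoticed. A guard before the copy, `@test -n "$(shell cs_get_ca update)" || ptxd_bailout "no CA keyring for role 'update' from the active key provider"`, plus a short comment noting that this file is the bundle verification root, would make the dependency on the active provider explicit.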
>> diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
>> deleted file mode 100755
>> index b4ea6a8cf..000000000
>> --- a/scripts/rauc-gen-test-certs.sh
>> +++ /dev/null
>> @@ -1,126 +0,0 @@
>> -#!/bin/bash
>> -#
>> -# Copyright (C) 2017 by Enrico Joerns
>> -# Copyright (C) 2016 by Jan Luebbe
>> -#
>> -# For further information about the PTXdist project and license conditions
>> -# see the README file.
>> -#
>> -# ---
>> -#
>> -# Demo script that generates certificate files required to sign and verify
>> -# RAUC update tool bundles.
>> -#
>> -
>> -set -xe
>> -
>> -ORG="Test Org"
>> -CA="rauc CA"
>> -
>> -# After the CRL expires, signatures cannot be verified anymore
>> -CRL="-crldays 5000"
>> -
>> -BASE="$(pwd)/rauc-openssl-ca"
>> -
>> -if [ -e $BASE ]; then
>> - echo "$BASE already exists"
>> - exit 1
>> -fi
>> -
>> -mkdir -p $BASE/dev/{private,certs}
>> -touch $BASE/dev/index.txt
>> -echo 01 > $BASE/dev/serial
>> -
>> -cat > $BASE/openssl.cnf <> -[ ca ]
>> -default_ca = CA_default # The default ca section
>> -
>> -[ CA_default ]
>> -
>> -dir = . # top dir
>> -database = \$dir/index.txt # index file.
>> -new_certs_dir = \$dir/certs # new certs dir
>> -
>> -certificate = \$dir/ca.cert.pem # The CA cert
>> -serial = \$dir/serial # serial no file
>> -private_key = \$dir/private/ca.key.pem# CA private key
>> -RANDFILE = \$dir/private/.rand # random number file
>> -
>> -default_startdate = 19700101000000Z
>> -default_enddate = 99991231235959Z
>> -default_crl_days= 30 # how long before next CRL
>> -default_md = sha256 # md to use
>> -
>> -policy = policy_any # default policy
>> -email_in_dn = no # Don't add the email into cert DN
>> -
>> -name_opt = ca_default # Subject name display option
>> -cert_opt = ca_default # Certificate display option
>> -copy_extensions = none # Don't copy extensions from request
>> -
>> -[ policy_any ]
>> -organizationName = match
>> -commonName = supplied
>> -
>> -[ req ]
>> -default_bits = 2048
>> -distinguished_name = req_distinguished_name
>> -x509_extensions = v3_leaf
>> -encrypt_key = no
>> -default_md = sha256
>> -
>> -[ req_distinguished_name ]
>> -commonName = Common Name (eg, YOUR name)
>>
-commonName_max = 64
>> -
>> -[ v3_ca ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:TRUE
>> -
>> -[ v3_inter ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:TRUE,pathlen:0
>> -
>> -[ v3_leaf ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:FALSE
>> -EOF
>> -
>> -export OPENSSL_CONF=$BASE/openssl.cnf
>> -
>> -echo "Development CA"
>> -cd $BASE/dev
>> -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
>> -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
>> -
>> -echo "Development Signing Keys 1"
>> -cd $BASE/dev
>> -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
>> -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
>> -
>> -cat << EOF
>> -===============================================================================
>> -
>> -Note that the default application should be to set up a public key
>> -infrastructure at your site and use keys and certificates genereated by these.
>> -
>> -In oder to use the just generated files in your BSP for testing purpose or if
>> -you do not intend to use real authentification, follow the instructions below.
>> -
>> -Place the key and certificate file in your platform-dir's config/ folder:
>> -
>> - cp rauc-openssl-ca/private/rauc.key.pem /config/rauc/rauc.key.pem
>> - cp rauc-openssl-ca/rauc.cert.pem /config/rauc/rauc.cert.pem
>> -
>> -Place the keyring file in your platform-dir's projectroot/ folder:
>> -
>> - cp rauc-openssl-ca/ca.cert.pem /projectroot/etc/rauc/ca.cert.pem
>> -
>> -===============================================================================
>> -EOF
>> --
>> 2.26.2
>>
>>
>> _______________________________________________
>> ptxdist mailing list
>> ptxdist@pengutronix.de
>>
> -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de