mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Michael Olbrich <mol@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Bastian Krause <bst@pengutronix.de>
Subject: Re: [ptxdist] [APPLIED] rauc/image-rauc: use code signing infrastructure for key retrieval
Date: Tue, 19 May 2020 14:23:44 +0200	[thread overview]
Message-ID: <E1jb1Hc-0001EO-I4@dude02.lab.pengutronix.de> (raw)
In-Reply-To: <20200515142641.812-14-bst@pengutronix.de>

Thanks, applied as c420c0745b568fbf2ab2d0f7394c27935ed7faf2.

Michael

[sent from post-receive hook]

On Tue, 19 May 2020 14:23:44 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Use the keys provided by the currently active key provider via PKCS#11
> instead of key files placed in the platform config directory. In order
> to make sure the new mechanics are used after a BSP update the rauc.key
> file is no longer allowed to exist in the platformconfig directory.
> 
> Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or
> later
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200515142641.812-14-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
> index 658ddd5cd167..1f9427b40f42 100644
> --- a/platforms/image-rauc.in
> +++ b/platforms/image-rauc.in
> @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
>  	select HOST_GENIMAGE
>  	select HOST_RAUC
>  	select IMAGE_ROOT_TGZ
> +	select CODE_SIGNING
>  	help
>  	  This generates a RAUC update Bundle for the selected platform using
>  	  genimage.
> diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
> deleted file mode 100644
> index be1aa7c30e77..000000000000
> --- a/projectroot/etc/rauc/ca.cert.pem
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -# This is a dummy keyring file. Please overwrite this with one that matches
> -# your X.509 infrastructure if you intend to use RAUC for secure updates!
> -#
> -# If you really do not intend to actively use the security features (or for
> -# testing purpose) you may create a development certificate by executing the
> -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
> -# installation.
> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
> index 839cb400bdbd..d85b88cc2ecd 100644
> --- a/rules/image-rauc.make
> +++ b/rules/image-rauc.make
> @@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG	:= rauc.config
>  
>  ifdef PTXCONF_IMAGE_RAUC
>  
> -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
> -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
> -
> -IMAGE_RAUC_ENV	:= \
> +IMAGE_RAUC_ENV	= \
> +	$(CODE_SIGNING_ENV) \
>  	RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
>  	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
>  	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>  	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
> -	RAUC_KEY=$(IMAGE_RAUC_KEY) \
> -	RAUC_CERT=$(IMAGE_RAUC_CERT)
> +	RAUC_KEY="$(shell cs_get_uri update)" \
> +	RAUC_CERT="$(shell cs_get_uri update)"
>  
> -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
> +$(IMAGE_RAUC_IMAGE):
>  	@$(call targetinfo)
>  	@$(call image/genimage, IMAGE_RAUC)
>  	@$(call finish)
>  
> -$(IMAGE_RAUC_KEY):
> -	@echo
> -	@echo "****************************************************************************"
> -	@echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
> -	@echo "*                                                                          *"
> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
> -	@echo "****************************************************************************"
> -	@echo
> -	@echo
> -	@exit 1
> -
> -$(IMAGE_RAUC_CERT):
> -	@echo
> -	@echo "****************************************************************************"
> -	@echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
> -	@echo "*                                                                          *"
> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
> -	@echo "****************************************************************************"
> -	@echo
> -	@echo
> -	@exit 1
> -
>  endif
>  
>  # vim: syntax=make
> diff --git a/rules/rauc.in b/rules/rauc.in
> index d712bc7b9c36..56fc3ae3be45 100644
> --- a/rules/rauc.in
> +++ b/rules/rauc.in
> @@ -7,6 +7,7 @@ menuconfig RAUC
>  	select GLIB
>  	select GLIB_LIBMOUNT
>  	select HOST_GLIB
> +	select CODE_SIGNING
>  	select BUSYBOX_FEATURE_TAR_LONG_OPTIONS	if BUSYBOX_TAR
>  	select BUSYBOX_FEATURE_TAR_AUTODETECT	if BUSYBOX_TAR
>  	select BUSYBOX_FEATURE_SEAMLESS_XZ	if BUSYBOX_TAR
> diff --git a/rules/rauc.make b/rules/rauc.make
> index ade9bd5dd2c5..f9a10fbbcff6 100644
> --- a/rules/rauc.make
> +++ b/rules/rauc.make
> @@ -46,6 +46,14 @@ RAUC_CONF_OPT	:= \
>  	--with-dbuspolicydir=/usr/share/dbus-1/system.d \
>  	--with-dbussystemservicedir=/usr/share/dbus-1/system-services
>  
> +$(STATEDIR)/rauc.prepare:
> +	@$(call targetinfo)
> +	@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
> +		ptxd_bailout "Please use the key provider infrastructure desribed in:" \
> +			"scripts/lib/ptxd_lib_code_signing.sh"
> +	@$(call world/prepare, RAUC)
> +	@$(call touch)
> +
>  # ----------------------------------------------------------------------------
>  # Target-Install
>  # ----------------------------------------------------------------------------
> @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
>  	@$(call install_replace, rauc, /etc/rauc/system.conf, \
>  		@RAUC_BUNDLE_COMPATIBLE@, \
>  		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
> -	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
> +	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
> +		/etc/rauc/ca.cert.pem)
>  endif
>  
>  ifdef PTXCONF_RAUC_SERVICE
> diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
> deleted file mode 100755
> index b4ea6a8cf2ef..000000000000
> --- a/scripts/rauc-gen-test-certs.sh
> +++ /dev/null
> @@ -1,126 +0,0 @@
> -#!/bin/bash
> -#
> -# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
> -# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
> -#
> -# For further information about the PTXdist project and license conditions
> -# see the README file.
> -#
> -# ---
> -#
> -# Demo script that generates certificate files required to sign and verify
> -# RAUC update tool bundles.
> -#
> -
> -set -xe
> -
> -ORG="Test Org"
> -CA="rauc CA"
> -
> -# After the CRL expires, signatures cannot be verified anymore
> -CRL="-crldays 5000"
> -
> -BASE="$(pwd)/rauc-openssl-ca"
> -
> -if [ -e $BASE ]; then
> -  echo "$BASE already exists"
> -  exit 1
> -fi
> -
> -mkdir -p $BASE/dev/{private,certs}
> -touch $BASE/dev/index.txt
> -echo 01 > $BASE/dev/serial
> -
> -cat > $BASE/openssl.cnf <<EOF
> -[ ca ]
> -default_ca      = CA_default            # The default ca section
> -
> -[ CA_default ]
> -
> -dir            = .                     # top dir
> -database       = \$dir/index.txt        # index file.
> -new_certs_dir  = \$dir/certs            # new certs dir
> -
> -certificate    = \$dir/ca.cert.pem       # The CA cert
> -serial         = \$dir/serial           # serial no file
> -private_key    = \$dir/private/ca.key.pem# CA private key
> -RANDFILE       = \$dir/private/.rand    # random number file
> -
> -default_startdate = 19700101000000Z
> -default_enddate = 99991231235959Z
> -default_crl_days= 30                   # how long before next CRL
> -default_md     = sha256                # md to use
> -
> -policy         = policy_any            # default policy
> -email_in_dn    = no                    # Don't add the email into cert DN
> -
> -name_opt       = ca_default            # Subject name display option
> -cert_opt       = ca_default            # Certificate display option
> -copy_extensions = none                 # Don't copy extensions from request
> -
> -[ policy_any ]
> -organizationName       = match
> -commonName             = supplied
> -
> -[ req ]
> -default_bits           = 2048
> -distinguished_name     = req_distinguished_name
> -x509_extensions        = v3_leaf
> -encrypt_key = no
> -default_md = sha256
> -
> -[ req_distinguished_name ]
> -commonName                     = Common Name (eg, YOUR name)
> -commonName_max                 = 64
> -
> -[ v3_ca ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:TRUE
> -
> -[ v3_inter ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:TRUE,pathlen:0
> -
> -[ v3_leaf ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:FALSE
> -EOF
> -
> -export OPENSSL_CONF=$BASE/openssl.cnf
> -
> -echo "Development CA"
> -cd $BASE/dev
> -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
> -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
> -
> -echo "Development Signing Keys 1"
> -cd $BASE/dev
> -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
> -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
> -
> -cat << EOF
> -===============================================================================
> -
> -Note that the default application should be to set up a public key
> -infrastructure at your site and use keys and certificates genereated by these.
> -
> -In oder to use the just generated files in your BSP for testing purpose or if
> -you do not intend to use real authentification, follow the instructions below. 
> -
> -Place the key and certificate file in your platform-dir's config/ folder:
> -
> -  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
> -  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
> -
> -Place the keyring file in your platform-dir's projectroot/ folder:
> -
> -  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
> -
> -===============================================================================
> -EOF

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

  reply	other threads:[~2020-05-19 12:23 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-15 14:26 [ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers Bastian Krause
2020-05-15 14:26 ` [ptxdist] [PATCH v2 01/15] host-genimage: version bump 11 -> 13 Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 02/15] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 03/15] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 04/15] ptxd_lib_code_signing: introduce CA helper Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 05/15] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 06/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 07/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 08/15] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 09/15] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 10/15] ptxd_make_fit_image: sign ramdisk if enabled Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 11/15] code-signing: move code-signing.in to platforms/ Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 12/15] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 13/15] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
2020-05-19 12:23   ` Michael Olbrich [this message]
2020-05-15 14:26 ` [ptxdist] [PATCH v2 14/15] image-rauc: enable keyring verification Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich
2020-05-15 14:26 ` [ptxdist] [PATCH v2 15/15] rauc: version bump 1.2 -> 1.3 Bastian Krause
2020-05-19 12:23   ` [ptxdist] [APPLIED] " Michael Olbrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=E1jb1Hc-0001EO-I4@dude02.lab.pengutronix.de \
    --to=mol@pengutronix.de \
    --cc=bst@pengutronix.de \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox