From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: In-Reply-To: <20200515142641.812-14-bst@pengutronix.de> MIME-Version: 1.0 Message-Id: From: Michael Olbrich Date: Tue, 19 May 2020 14:23:44 +0200 Subject: Re: [ptxdist] [APPLIED] rauc/image-rauc: use code signing infrastructure for key retrieval List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Bastian Krause Thanks, applied as c420c0745b568fbf2ab2d0f7394c27935ed7faf2. Michael [sent from post-receive hook] On Tue, 19 May 2020 14:23:44 +0200, Bastian Krause wrote: > Use the keys provided by the currently active key provider via PKCS#11 > instead of key files placed in the platform config directory. In order > to make sure the new mechanics are used after a BSP update the rauc.key > file is no longer allowed to exist in the platformconfig directory. > > Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or > later > > Signed-off-by: Bastian Krause > Message-Id: <20200515142641.812-14-bst@pengutronix.de> > Signed-off-by: Michael Olbrich > > diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in > index 658ddd5cd167..1f9427b40f42 100644 > --- a/platforms/image-rauc.in > +++ b/platforms/image-rauc.in > @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC > select HOST_GENIMAGE > select HOST_RAUC > select IMAGE_ROOT_TGZ > + select CODE_SIGNING > help > This generates a RAUC update Bundle for the selected platform using > genimage. > diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem > deleted file mode 100644 > index be1aa7c30e77..000000000000 > --- a/projectroot/etc/rauc/ca.cert.pem > +++ /dev/null > @@ -1,7 +0,0 @@ > -# This is a dummy keyring file. Please overwrite this with one that matches > -# your X.509 infrastructure if you intend to use RAUC for secure updates! > -# > -# If you really do not intend to actively use the security features (or for > -# testing purpose) you may create a development certificate by executing the > -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist > -# installation. > diff --git a/rules/image-rauc.make b/rules/image-rauc.make > index 839cb400bdbd..d85b88cc2ecd 100644 > --- a/rules/image-rauc.make > +++ b/rules/image-rauc.make > @@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG := rauc.config > > ifdef PTXCONF_IMAGE_RAUC > > -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem) > -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem) > - > -IMAGE_RAUC_ENV := \ > +IMAGE_RAUC_ENV = \ > + $(CODE_SIGNING_ENV) \ > RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \ > RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \ > RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \ > RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \ > - RAUC_KEY=$(IMAGE_RAUC_KEY) \ > - RAUC_CERT=$(IMAGE_RAUC_CERT) > + RAUC_KEY="$(shell cs_get_uri update)" \ > + RAUC_CERT="$(shell cs_get_uri update)" > > -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT) > +$(IMAGE_RAUC_IMAGE): > @$(call targetinfo) > @$(call image/genimage, IMAGE_RAUC) > @$(call finish) > > -$(IMAGE_RAUC_KEY): > - @echo > - @echo "****************************************************************************" > - @echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********" > - @echo "* *" > - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *" > - @echo "* from the scripts/ folder of your PTXdist installation *" > - @echo "****************************************************************************" > - @echo > - @echo > - @exit 1 > - > -$(IMAGE_RAUC_CERT): > - @echo > - @echo "****************************************************************************" > - @echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***" > - @echo "* *" > - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *" > - @echo "* from the scripts/ folder of your PTXdist installation *" > - @echo "****************************************************************************" > - @echo > - @echo > - @exit 1 > - > endif > > # vim: syntax=make > diff --git a/rules/rauc.in b/rules/rauc.in > index d712bc7b9c36..56fc3ae3be45 100644 > --- a/rules/rauc.in > +++ b/rules/rauc.in > @@ -7,6 +7,7 @@ menuconfig RAUC > select GLIB > select GLIB_LIBMOUNT > select HOST_GLIB > + select CODE_SIGNING > select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR > select BUSYBOX_FEATURE_TAR_AUTODETECT if BUSYBOX_TAR > select BUSYBOX_FEATURE_SEAMLESS_XZ if BUSYBOX_TAR > diff --git a/rules/rauc.make b/rules/rauc.make > index ade9bd5dd2c5..f9a10fbbcff6 100644 > --- a/rules/rauc.make > +++ b/rules/rauc.make > @@ -46,6 +46,14 @@ RAUC_CONF_OPT := \ > --with-dbuspolicydir=/usr/share/dbus-1/system.d \ > --with-dbussystemservicedir=/usr/share/dbus-1/system-services > > +$(STATEDIR)/rauc.prepare: > + @$(call targetinfo) > + @test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \ > + ptxd_bailout "Please use the key provider infrastructure desribed in:" \ > + "scripts/lib/ptxd_lib_code_signing.sh" > + @$(call world/prepare, RAUC) > + @$(call touch) > + > # ---------------------------------------------------------------------------- > # Target-Install > # ---------------------------------------------------------------------------- > @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION > @$(call install_replace, rauc, /etc/rauc/system.conf, \ > @RAUC_BUNDLE_COMPATIBLE@, \ > "$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))") > - @$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem) > + @$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \ > + /etc/rauc/ca.cert.pem) > endif > > ifdef PTXCONF_RAUC_SERVICE > diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh > deleted file mode 100755 > index b4ea6a8cf2ef..000000000000 > --- a/scripts/rauc-gen-test-certs.sh > +++ /dev/null > @@ -1,126 +0,0 @@ > -#!/bin/bash > -# > -# Copyright (C) 2017 by Enrico Joerns > -# Copyright (C) 2016 by Jan Luebbe > -# > -# For further information about the PTXdist project and license conditions > -# see the README file. > -# > -# --- > -# > -# Demo script that generates certificate files required to sign and verify > -# RAUC update tool bundles. > -# > - > -set -xe > - > -ORG="Test Org" > -CA="rauc CA" > - > -# After the CRL expires, signatures cannot be verified anymore > -CRL="-crldays 5000" > - > -BASE="$(pwd)/rauc-openssl-ca" > - > -if [ -e $BASE ]; then > - echo "$BASE already exists" > - exit 1 > -fi > - > -mkdir -p $BASE/dev/{private,certs} > -touch $BASE/dev/index.txt > -echo 01 > $BASE/dev/serial > - > -cat > $BASE/openssl.cnf < -[ ca ] > -default_ca = CA_default # The default ca section > - > -[ CA_default ] > - > -dir = . # top dir > -database = \$dir/index.txt # index file. > -new_certs_dir = \$dir/certs # new certs dir > - > -certificate = \$dir/ca.cert.pem # The CA cert > -serial = \$dir/serial # serial no file > -private_key = \$dir/private/ca.key.pem# CA private key > -RANDFILE = \$dir/private/.rand # random number file > - > -default_startdate = 19700101000000Z > -default_enddate = 99991231235959Z > -default_crl_days= 30 # how long before next CRL > -default_md = sha256 # md to use > - > -policy = policy_any # default policy > -email_in_dn = no # Don't add the email into cert DN > - > -name_opt = ca_default # Subject name display option > -cert_opt = ca_default # Certificate display option > -copy_extensions = none # Don't copy extensions from request > - > -[ policy_any ] > -organizationName = match > -commonName = supplied > - > -[ req ] > -default_bits = 2048 > -distinguished_name = req_distinguished_name > -x509_extensions = v3_leaf > -encrypt_key = no > -default_md = sha256 > - > -[ req_distinguished_name ] > -commonName = Common Name (eg, YOUR name) > -commonName_max = 64 > - > -[ v3_ca ] > - > -subjectKeyIdentifier=hash > -authorityKeyIdentifier=keyid:always,issuer:always > -basicConstraints = CA:TRUE > - > -[ v3_inter ] > - > -subjectKeyIdentifier=hash > -authorityKeyIdentifier=keyid:always,issuer:always > -basicConstraints = CA:TRUE,pathlen:0 > - > -[ v3_leaf ] > - > -subjectKeyIdentifier=hash > -authorityKeyIdentifier=keyid:always,issuer:always > -basicConstraints = CA:FALSE > -EOF > - > -export OPENSSL_CONF=$BASE/openssl.cnf > - > -echo "Development CA" > -cd $BASE/dev > -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development" > -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem > - > -echo "Development Signing Keys 1" > -cd $BASE/dev > -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1" > -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem > - > -cat << EOF > -=============================================================================== > - > -Note that the default application should be to set up a public key > -infrastructure at your site and use keys and certificates genereated by these. > - > -In oder to use the just generated files in your BSP for testing purpose or if > -you do not intend to use real authentification, follow the instructions below. > - > -Place the key and certificate file in your platform-dir's config/ folder: > - > - cp rauc-openssl-ca/private/rauc.key.pem /config/rauc/rauc.key.pem > - cp rauc-openssl-ca/rauc.cert.pem /config/rauc/rauc.cert.pem > - > -Place the keyring file in your platform-dir's projectroot/ folder: > - > - cp rauc-openssl-ca/ca.cert.pem /projectroot/etc/rauc/ca.cert.pem > - > -=============================================================================== > -EOF _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de