mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13
@ 2020-05-14 13:42 Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 02/13] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
                   ` (11 more replies)
  0 siblings, 12 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 rules/host-genimage.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-genimage.make b/rules/host-genimage.make
index 28d0d613a..baa69e3fb 100644
--- a/rules/host-genimage.make
+++ b/rules/host-genimage.make
@@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_GENIMAGE) += host-genimage
 #
 # Paths and names
 #
-HOST_GENIMAGE_VERSION	:= 11
-HOST_GENIMAGE_MD5	:= 5db95026ff8aedcbcf7804098f685c7b
+HOST_GENIMAGE_VERSION	:= 13
+HOST_GENIMAGE_MD5	:= 84ec07d684f27a425b3789f87c35ffa3
 HOST_GENIMAGE		:= genimage-$(HOST_GENIMAGE_VERSION)
 HOST_GENIMAGE_SUFFIX	:= tar.xz
 HOST_GENIMAGE_URL	:= http://www.pengutronix.de/software/genimage/download/$(HOST_GENIMAGE).$(HOST_GENIMAGE_SUFFIX)
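
Review bot: HOST_GENIMAGE_URL in the trailing context still fetches the tarball over plain http://, and HOST_GENIMAGE_MD5 is the only thing tying the build to a specific tarball. Switching the URL to https:// as part of this bump would be a cheap improvement. The commit message is also empty; a line on why 13 is needed would help anyone bisecting later.
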
-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de


* [ptxdist] [PATCH 02/13] ptxd_lib_code_signing: return error string in cs_get_uri for make error case
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 03/13] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 scripts/lib/ptxd_lib_code_signing.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 588a4b1b4..f93f183df 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -154,7 +154,11 @@ cs_get_uri() {
 	if [ ${#FUNCNAME[*]} -gt 1 ]; then
 	    ptxd_bailout "No PKCS#11 URI for role ${role}"
 	else
-	    # ignore the error if cs_get_uri is called directly from make
+	    # cs_get_uri was called directly from make prior to cs_set_uri,
+	    # which may not be an error if it is evaluated early *and* later
+	    # again - return a unique error string in case it is not expected
+	    # and a user stumbles upon this
+	    echo "ERROR_URI_NOT_YET_SET"
 	    return
 	fi
     fi
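
Review bot: the bare "return" after the new echo now returns echo's exit status (0), and the sentinel is written to stdout, so a caller that captures the output receives ERROR_URI_NOT_YET_SET in the place of a URI with nothing to signal failure. If the early-evaluation case must not fail, document the sentinel string in the function's header comment so callers can test for it; otherwise make the status explicit with "return 1".
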
-- 
2.26.2



* [ptxdist] [PATCH 03/13] ptxd_lib_imx_hab: fix srk fuse file and table generation
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 02/13] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper Bastian Krause
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

srktool's help text states "certificate filenames must be separated by
a ',' with no spaces". Line continuation using "\" with the next line
being indented leads to a space being inserted between the SRK2
certificate and the SRK3 certificate.
srktool does not fail, but ignores everything after the space silently.
Thus only the first two certificates end up in the fuse file and table.

Fix this by specifying all certs on a single line.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 scripts/lib/ptxd_lib_imx_hab.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index 8be376ff1..034bf82b2 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -43,8 +43,7 @@ ptxd_make_imx_habv4_gen_table_impl() {
 	--table "${table_bin}" \
 	--efuses "${srk_fuse_bin}" \
 	--digest sha256 \
-	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,\
-	    ${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
+	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
 }
 export -f ptxd_make_imx_habv4_gen_table_impl
 
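
Review bot: the joined --certs value is still unquoted, so if ${tmpdir} ever contains whitespace the argument is split again and srktool silently drops the remainder, which is the same failure this patch fixes. Quote the whole value: --certs "${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem".
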
-- 
2.26.2



* [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 02/13] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 03/13] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-15 10:36   ` Michael Olbrich
  2020-05-14 13:42 ` [ptxdist] [PATCH 05/13] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
                   ` (8 subsequent siblings)
  11 siblings, 1 reply; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

These helpers allow key providers to append certificates to their CA.
'cs_get_ca <role>' then returns the path to the keyring allowing rules
and other helpers to retrieve it easily.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 scripts/lib/ptxd_lib_code_signing.sh | 63 ++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index f93f183df..571fe6806 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -261,3 +261,66 @@ cs_import_key_from_pem() {
     cs_import_privkey_from_pem "${role}" "${pem}"
 }
 export -f cs_import_key_from_pem
+
+#
+# cs_get_ca <role>
+#
+# Get the path to the CA in pem format from a role
+#
+cs_get_ca() {
+    local role="${1}"
+    cs_init_variables
+
+    echo "${keydir}/${role}/ca.pem"
+}
+export -f cs_get_ca
+
+#
+# cs_append_ca_from_pem <role> <pem>
+#
+# Append PEM to CA for a role
+#
+cs_append_ca_from_pem() {
+    local role="${1}"
+    local pem="${2}"
+    cs_init_variables
+
+    cat "${pem}" >> "${keydir}/${role}/ca.pem"
+}
+export -f cs_append_ca_from_pem
+
+#
+# cs_append_ca_from_der <role> <der>
+#
+# Append DER to CA for a role
+#
+cs_append_ca_from_der() {
+    local role="${1}"
+    local der="${2}"
+    cs_init_variables
+
+    ptxd_exec openssl x509 -inform der -in "${der}" \
+	-out "${tmpdir}/ca.pem" &&
+    cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
+}
+export -f cs_append_ca_from_der
+
+#
+# cs_append_ca_from_uri <role> [<uri>]
+#
+# Append certificate specified by URI or by already set URI to CA for a role
+#
+cs_append_ca_from_uri() {
+    local role="${1}"
+    local uri="${2}"
+    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")"
+    cs_init_variables
+
+    if [ -z "${uri}" ]; then
+	uri=$(cs_get_uri "${role}")
+    fi
+
+    ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
+    cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
+}
+export -f cs_append_ca_from_uri
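
Review bot: cs_append_ca_from_der writes to "${tmpdir}/ca.pem" but never declares or creates tmpdir itself; it only works when reached through cs_append_ca_from_uri, whose "local tmpdir" is visible to it through bash's dynamic scoping (unless cs_init_variables happens to set one). A key provider calling cs_append_ca_from_der directly would write to /ca.pem or to whatever tmpdir is inherited, so give the function its own mktemp -d. Separately, cs_append_ca_from_pem appends with ">>" unconditionally, so running a provider twice duplicates every certificate in ca.pem; the header comment should say whether callers are expected to start from an empty keydir.
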
-- 
2.26.2



* [ptxdist] [PATCH 05/13] host-ptx-code-signing-dev: version bump 0.2 -> 0.4
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (2 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-14 16:00   ` Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
                   ` (7 subsequent siblings)
  11 siblings, 1 reply; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

This includes a fix of a copy/paste error in import_rauc_keys's role.
Additionally the new helper cs_append_ca_from_uri is now used for RAUC
and HAB SRK roles. The helper function requires HOST_EXTRACT_CERT and
HOST_OPENSSL.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 rules/host-ptx-code-signing-dev.in   | 2 ++
 rules/host-ptx-code-signing-dev.make | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/host-ptx-code-signing-dev.in b/rules/host-ptx-code-signing-dev.in
index 19ea46c40..544932b80 100644
--- a/rules/host-ptx-code-signing-dev.in
+++ b/rules/host-ptx-code-signing-dev.in
@@ -2,6 +2,8 @@
 
 config CODE_SIGNING
 	select HOST_PTX_CODE_SIGNING_DEV if CODE_SIGNING_PROVIDER_DEVEL
+	select HOST_EXTRACT_CERT
+	select HOST_OPENSSL
 
 config CODE_SIGNING_PROVIDER
 	default "devel" if CODE_SIGNING_PROVIDER_DEVEL
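
Review bot: the two new selects under CODE_SIGNING are unconditional, unlike the HOST_PTX_CODE_SIGNING_DEV line above them, so every key provider now pulls in HOST_EXTRACT_CERT and HOST_OPENSSL. That fits cs_append_ca_from_uri living in the shared helper library, but the commit message presents it as part of the version bump. Consider moving these two lines into the patch that introduces the helper, so the dependency arrives together with the code that needs it.
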
diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
index ea40ac646..d97ae60ef 100644
--- a/rules/host-ptx-code-signing-dev.make
+++ b/rules/host-ptx-code-signing-dev.make
@@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
 #
 # Paths and names
 #
-HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.2
-HOST_PTX_CODE_SIGNING_DEV_MD5		:= 1d8f695cde55ea9bbfac9804ce439c9a
+HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.4
+HOST_PTX_CODE_SIGNING_DEV_MD5		:= 853ac0147adc0b46dc695e16a7101aaa
 HOST_PTX_CODE_SIGNING_DEV		:= ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
 HOST_PTX_CODE_SIGNING_DEV_SUFFIX	:= tar.gz
 HOST_PTX_CODE_SIGNING_DEV_URL		:= https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)
-- 
2.26.2



* [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (3 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 05/13] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-15 10:37   ` Michael Olbrich
  2020-05-14 13:42 ` [ptxdist] [PATCH 07/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
                   ` (6 subsequent siblings)
  11 siblings, 1 reply; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Key providers now take care of calling the CA helpers. This makes sure
the CA is already present in pem format. Use that instead of extracting
and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer
a dependency of template-barebox-imx-habv4.

Note: requires ptx-code-signing-dev > 0.3

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 rules/templates/template-barebox-imx-habv4-in |  1 -
 scripts/lib/ptxd_lib_imx_hab.sh               | 16 ++++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/rules/templates/template-barebox-imx-habv4-in b/rules/templates/template-barebox-imx-habv4-in
index af3e59986..16258cbee 100644
--- a/rules/templates/template-barebox-imx-habv4-in
+++ b/rules/templates/template-barebox-imx-habv4-in
@@ -3,7 +3,6 @@
 config BAREBOX_@PACKAGE@
 	tristate
 	select CODE_SIGNING
-	select HOST_EXTRACT_CERT
 	select HOST_IMX_CST
 	prompt "Barebox (@package@)"
 	help
diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index 034bf82b2..781c1b3f6 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -26,24 +26,24 @@ ptxd_make_imx_habv4_gen_table_impl() {
     local template="${1}"
     local table_bin="${pkg_build_dir}/imx-srk-table.bin"
     local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
-    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/imx-habv4.XXXXXX")"
+    local -a certs
 
     echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
 
     for i in 1 2 3 4; do
-	local t=$(printf "${template}" "${i}")
-	local uri=$(cs_get_uri "$t")
+	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
+    done
 
-	ptxd_exec extract-cert "${uri}" ${tmpdir}/srk${i}.der &&
-	ptxd_exec openssl x509 -inform der -in ${tmpdir}/srk${i}.der \
-	    -out ${tmpdir}/srk${i}.pem || break
-    done &&
+    local orig_IFS="${IFS}"
+    IFS=","
+    certs="${certs[*]}"
+    IFS="${orig_IFS}"
 
     ptxd_exec srktool --hab_ver 4 \
 	--table "${table_bin}" \
 	--efuses "${srk_fuse_bin}" \
 	--digest sha256 \
-	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
+	--certs "${certs}"
 }
 export -f ptxd_make_imx_habv4_gen_table_impl
 
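
Review bot: certs="${certs[*]}" assigns to a variable declared with "local -a", so the joined string lands in element 0 and "${certs}" only works because a bare array name expands to that element. Use a separate scalar for the comma-joined value so the later --certs argument does not depend on that quirk. The loop also lost its only failure path: cs_get_ca just prints a path, so a missing ca.pem is first noticed inside srktool; a test -f per entry with ptxd_bailout would give a clearer error. The loop variable i should be declared local as well.
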
-- 
2.26.2



* [ptxdist] [PATCH 07/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (4 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 08/13] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 rules/templates/template-barebox-imx-habv4-make |  2 +-
 scripts/lib/ptxd_lib_imx_hab.sh                 | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make
index d8086f0cf..ec402afa1 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile:
 	@$(call targetinfo)
 
 	@$(call world/env, BAREBOX_@PACKAGE@) \
-		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d"
+		ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4
 
 	@$(call world/compile, BAREBOX_@PACKAGE@)
 
diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
index 781c1b3f6..d1e2aba99 100644
--- a/scripts/lib/ptxd_lib_imx_hab.sh
+++ b/scripts/lib/ptxd_lib_imx_hab.sh
@@ -9,10 +9,12 @@
 #
 # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4
 #
-# usage: ptxd_make_imx_habv4_gen_table <template>
+# usage: ptxd_make_imx_habv4_gen_table <template> [<srk_count>]
 #
 # template: the role template to access the keys. Must contain a "%d" which is
 #           used as index
+# srk_count: the number of keys (keys with index 1..srk_count will be used),
+#            defaults to 4
 #
 # The output files are generated in the package build dir:
 #
@@ -24,13 +26,22 @@
 #
 ptxd_make_imx_habv4_gen_table_impl() {
     local template="${1}"
+    local srk_count="${2}"
     local table_bin="${pkg_build_dir}/imx-srk-table.bin"
     local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
     local -a certs
 
+    if [ -z "${srk_count}" ]; then
+	srk_count=4
+    fi
+
+    if [ "${srk_count}" -gt 4 ]; then
+	ptxd_bailout "HABv4 allows only 4 certificates"
+    fi
+
     echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
 
-    for i in 1 2 3 4; do
+    for i in $(seq ${srk_count}); do
 	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
     done
 
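
Review bot: srk_count is only checked against the upper bound, so 0, a negative number or a non-numeric string passes the "-gt 4" test; seq then produces nothing or fails, and the cert list stays empty without any error from this function. Validate that the value is an integer in the range 1..4 before the loop and bail out otherwise.
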
-- 
2.26.2



* [ptxdist] [PATCH 08/13] ptxd_make_fit_image: call mkimage with ptxd_exec
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (5 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 07/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 09/13] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

It helps debugging failing mkimage calls.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 scripts/lib/ptxd_make_fit_image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
index 761d6bf1e..041c5b803 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -127,6 +127,6 @@ ptxd_make_image_fit() {
 	echo "Generated device-tree for the fit image:"
 	cat "${its}"
     fi &&
-    mkimage -N pkcs11 -f "${its}" "${image_image}" -r "${sign_args[@]}"
+    ptxd_exec mkimage -N pkcs11 -f "${its}" "${image_image}" -r "${sign_args[@]}"
 }
 export -f ptxd_make_image_fit
-- 
2.26.2



* [ptxdist] [PATCH 09/13] u-boot/ptxd_make_fit_image: avoid overriding object name
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (6 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 08/13] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-14 13:42 ` [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Having multiple "object=" occurrences in a single PKCS#11 URI does not
work for all cases, at least not for opensc-pkcs11. Thus u-boot's
PKCS#11 handling was patched to avoid overriding the object name when
it is already specified. The patch was sent upstream.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 ...erriding-the-object-name-when-alread.patch | 81 +++++++++++++++++++
 patches/u-boot-2020.04/series                 |  4 +
 scripts/lib/ptxd_make_fit_image.sh            |  4 +-
 3 files changed, 86 insertions(+), 3 deletions(-)
 create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
 create mode 100644 patches/u-boot-2020.04/series

diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
new file mode 100644
index 000000000..5ba930fb5
--- /dev/null
+++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
@@ -0,0 +1,81 @@
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Mon, 16 Mar 2020 11:45:22 +0100
+Subject: [PATCH] lib: rsa: avoid overriding the object name when already
+ specified
+
+If "object=" is specified in "keydir" when using the pkcs11 engine do
+not append another "object=<key-name-hint>". This makes it possible to
+use object names other than the key name hint. These two string
+identifiers are not necessarily equal.
+
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Signed-off-by: Bastian Krause <bst@pengutronix.de>
+Reviewed-by: George McCollister <george.mccollister@gmail.com>
+Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html
+---
+ doc/uImage.FIT/signature.txt |  8 +++++---
+ lib/rsa/rsa-sign.c           | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
+index 3591225a6edd..d4afd755e9fc 100644
+--- a/doc/uImage.FIT/signature.txt
++++ b/doc/uImage.FIT/signature.txt
+@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
+ to openssl's default search paths.
+ 
+ PKCS11 engine support forms "key id" based on "keydir" and with
+-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
+-defined is used to define (prefix for) which PKCS11 source is being used for
+-lookup up for the key.
++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
++is being used for lookup up for the key.
+ 
+ PKCS11 engine key ids:
+    "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
++or, if keydir contains "object="
++   "pkcs11:<keydir>;type=<public|private>"
+ or
+    "pkcs11:object=<key-name-hint>;type=<public|private>",
+ 
+diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
+index 580c74470939..1914b9641312 100644
+--- a/lib/rsa/rsa-sign.c
++++ b/lib/rsa/rsa-sign.c
+@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+ 
+ 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ 		if (keydir)
+-			snprintf(key_id, sizeof(key_id),
+-				 "pkcs11:%s;object=%s;type=public",
+-				 keydir, name);
++			if (strstr(keydir, "object="))
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;type=public",
++					 keydir);
++			else
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;object=%s;type=public",
++					 keydir, name);
+ 		else
+ 			snprintf(key_id, sizeof(key_id),
+ 				 "pkcs11:object=%s;type=public",
+@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+ 
+ 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ 		if (keydir)
+-			snprintf(key_id, sizeof(key_id),
+-				 "pkcs11:%s;object=%s;type=private",
+-				 keydir, name);
++			if (strstr(keydir, "object="))
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;type=private",
++					 keydir);
++			else
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;object=%s;type=private",
++					 keydir, name);
+ 		else
+ 			snprintf(key_id, sizeof(key_id),
+ 				 "pkcs11:object=%s;type=private",
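
Review bot: strstr(keydir, "object=") in both rsa_engine_get_pub_key and rsa_engine_get_priv_key matches the substring anywhere in keydir, so a value that merely contains it (inside a token label, or as the tail of another attribute name) suppresses the key-name-hint even though no object attribute is set. Match only at the start of keydir or directly after a ';'. The new inner if/else also sits unbraced under "if (keydir)"; it parses as intended, but it is an ambiguous-else pattern and braces around the outer branch would make the pairing explicit.
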
diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series
new file mode 100644
index 000000000..02db98548
--- /dev/null
+++ b/patches/u-boot-2020.04/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
+# d5b0f03c362d4c4e9d26f37173d666d6  - git-ptx-patches magic
diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
index 041c5b803..c2725ab3d 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -106,9 +106,7 @@ ptxd_make_image_fit() {
 	#
 	# It would have been too simple for mkimage to just take a
 	# PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot
-	# then adds again. Also mkimage adds "object=<key_name_hint>"
-	# to the URI which our URI already has. Well having it twice
-	# doesn't seem to hurt at least SoftHSM.
+	# then adds again.
 	#
 	pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://")
 	sign_args=( -k "${pkcs11_uri}" )
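
Review bot: the removed sentences were the only place explaining that mkimage appends object=<key_name_hint> on its own, and after this change the script depends on mkimage carrying the patch added under patches/u-boot-2020.04/. Keep one line in this comment stating that the URI's own object= is only honoured by a patched mkimage, so a build against another U-Boot version is easy to diagnose.
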
-- 
2.26.2



* [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (7 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 09/13] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-15 10:40   ` Michael Olbrich
  2020-05-14 13:42 ` [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification Bastian Krause
                   ` (2 subsequent siblings)
  11 siblings, 1 reply; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Use the keys provided by the currently active key provider via PKCS#11
instead of key files placed in the platform config directory. In order
to make sure the new mechanics are used after a BSP update the rauc.key
file is no longer allowed to exist in the platformconfig directory.

Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 platforms/image-rauc.in          |   1 +
 projectroot/etc/rauc/ca.cert.pem |   7 --
 rules/image-rauc.make            |  37 ++-------
 rules/rauc.in                    |   1 +
 rules/rauc.make                  |  11 ++-
 scripts/rauc-gen-test-certs.sh   | 126 -------------------------------
 6 files changed, 17 insertions(+), 166 deletions(-)
 delete mode 100644 projectroot/etc/rauc/ca.cert.pem
 delete mode 100755 scripts/rauc-gen-test-certs.sh

diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
index 658ddd5cd..1f9427b40 100644
--- a/platforms/image-rauc.in
+++ b/platforms/image-rauc.in
@@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
 	select HOST_GENIMAGE
 	select HOST_RAUC
 	select IMAGE_ROOT_TGZ
+	select CODE_SIGNING
 	help
 	  This generates a RAUC update Bundle for the selected platform using
 	  genimage.
diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
deleted file mode 100644
index be1aa7c30..000000000
--- a/projectroot/etc/rauc/ca.cert.pem
+++ /dev/null
@@ -1,7 +0,0 @@
-# This is a dummy keyring file. Please overwrite this with one that matches
-# your X.509 infrastructure if you intend to use RAUC for secure updates!
-#
-# If you really do not intend to actively use the security features (or for
-# testing purpose) you may create a development certificate by executing the
-# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
-# installation.
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index 839cb400b..a031edfae 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG	:= rauc.config
 
 ifdef PTXCONF_IMAGE_RAUC
 
-IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
-IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
-
-IMAGE_RAUC_ENV	:= \
+IMAGE_RAUC_ENV	= \
 	RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
 	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
 	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
 	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
-	RAUC_KEY=$(IMAGE_RAUC_KEY) \
-	RAUC_CERT=$(IMAGE_RAUC_CERT)
+	RAUC_KEY="$(shell cs_get_uri update)" \
+	RAUC_CERT="$(shell cs_get_uri update)"
 
-$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
+$(IMAGE_RAUC_IMAGE):
 	@$(call targetinfo)
-	@$(call image/genimage, IMAGE_RAUC)
+	@$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC)
 	@$(call finish)
 
-$(IMAGE_RAUC_KEY):
-	@echo
-	@echo "****************************************************************************"
-	@echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
-	@echo "*                                                                          *"
-	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
-	@echo "*       from the scripts/ folder of your PTXdist installation              *"
-	@echo "****************************************************************************"
-	@echo
-	@echo
-	@exit 1
-
-$(IMAGE_RAUC_CERT):
-	@echo
-	@echo "****************************************************************************"
-	@echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
-	@echo "*                                                                          *"
-	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
-	@echo "*       from the scripts/ folder of your PTXdist installation              *"
-	@echo "****************************************************************************"
-	@echo
-	@echo
-	@exit 1
-
 endif
 
 # vim: syntax=make
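
Review bot: RAUC_KEY and RAUC_CERT now take whatever "$(shell cs_get_uri update)" prints, and the rule lost the prerequisites that used to stop the build when no key was present. Since cs_get_uri echoes ERROR_URI_NOT_YET_SET when it is called from make before the URI is set, that string would be handed to genimage as key and certificate. Add a check in the recipe that bails out when the URI is empty or equals the sentinel. The switch of IMAGE_RAUC_ENV from ":=" to "=" is what defers the $(shell ...) calls and deserves a short comment.
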
diff --git a/rules/rauc.in b/rules/rauc.in
index d712bc7b9..56fc3ae3b 100644
--- a/rules/rauc.in
+++ b/rules/rauc.in
@@ -7,6 +7,7 @@ menuconfig RAUC
 	select GLIB
 	select GLIB_LIBMOUNT
 	select HOST_GLIB
+	select CODE_SIGNING
 	select BUSYBOX_FEATURE_TAR_LONG_OPTIONS	if BUSYBOX_TAR
 	select BUSYBOX_FEATURE_TAR_AUTODETECT	if BUSYBOX_TAR
 	select BUSYBOX_FEATURE_SEAMLESS_XZ	if BUSYBOX_TAR
diff --git a/rules/rauc.make b/rules/rauc.make
index ade9bd5dd..f9a10fbbc 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -46,6 +46,14 @@ RAUC_CONF_OPT	:= \
 	--with-dbuspolicydir=/usr/share/dbus-1/system.d \
 	--with-dbussystemservicedir=/usr/share/dbus-1/system-services
 
+$(STATEDIR)/rauc.prepare:
+	@$(call targetinfo)
+	@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
+		ptxd_bailout "Please use the key provider infrastructure desribed in:" \
+			"scripts/lib/ptxd_lib_code_signing.sh"
+	@$(call world/prepare, RAUC)
+	@$(call touch)
+
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
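
Review bot: the guard tests for config/rauc/rauc.key, but the files the old image-rauc.make rule asked users to create were config/rauc/rauc.key.pem and config/rauc/rauc.cert.pem, so on an existing BSP this check never fires and the stale key material goes unnoticed. Test for rauc.key.pem (and ideally rauc.cert.pem) instead. The bailout message also has a typo: "desribed" should be "described".
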
@@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
 	@$(call install_replace, rauc, /etc/rauc/system.conf, \
 		@RAUC_BUNDLE_COMPATIBLE@, \
 		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
-	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
+	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
+		/etc/rauc/ca.cert.pem)
 endif
 
 ifdef PTXCONF_RAUC_SERVICE
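
Review bot: replacing install_alternative with install_copy of "$(shell cs_get_ca update)" means a BSP that followed the old dummy file's advice and ships its own projectroot/etc/rauc/ca.cert.pem now has that keyring ignored without any message, which changes the trust anchor installed on the target. Either bail out when such a file exists or describe the migration in the commit message. cs_get_ca also only returns a path, so a check that the file exists and is non-empty before installing it would catch a provider that never appended a certificate.
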
diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
deleted file mode 100755
index b4ea6a8cf..000000000
--- a/scripts/rauc-gen-test-certs.sh
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
-# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
-#
-# For further information about the PTXdist project and license conditions
-# see the README file.
-#
-# ---
-#
-# Demo script that generates certificate files required to sign and verify
-# RAUC update tool bundles.
-#
-
-set -xe
-
-ORG="Test Org"
-CA="rauc CA"
-
-# After the CRL expires, signatures cannot be verified anymore
-CRL="-crldays 5000"
-
-BASE="$(pwd)/rauc-openssl-ca"
-
-if [ -e $BASE ]; then
-  echo "$BASE already exists"
-  exit 1
-fi
-
-mkdir -p $BASE/dev/{private,certs}
-touch $BASE/dev/index.txt
-echo 01 > $BASE/dev/serial
-
-cat > $BASE/openssl.cnf <<EOF
-[ ca ]
-default_ca      = CA_default            # The default ca section
-
-[ CA_default ]
-
-dir            = .                     # top dir
-database       = \$dir/index.txt        # index file.
-new_certs_dir  = \$dir/certs            # new certs dir
-
-certificate    = \$dir/ca.cert.pem       # The CA cert
-serial         = \$dir/serial           # serial no file
-private_key    = \$dir/private/ca.key.pem# CA private key
-RANDFILE       = \$dir/private/.rand    # random number file
-
-default_startdate = 19700101000000Z
-default_enddate = 99991231235959Z
-default_crl_days= 30                   # how long before next CRL
-default_md     = sha256                # md to use
-
-policy         = policy_any            # default policy
-email_in_dn    = no                    # Don't add the email into cert DN
-
-name_opt       = ca_default            # Subject name display option
-cert_opt       = ca_default            # Certificate display option
-copy_extensions = none                 # Don't copy extensions from request
-
-[ policy_any ]
-organizationName       = match
-commonName             = supplied
-
-[ req ]
-default_bits           = 2048
-distinguished_name     = req_distinguished_name
-x509_extensions        = v3_leaf
-encrypt_key = no
-default_md = sha256
-
-[ req_distinguished_name ]
-commonName                     = Common Name (eg, YOUR name)
-commonName_max                 = 64
-
-[ v3_ca ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE
-
-[ v3_inter ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE,pathlen:0
-
-[ v3_leaf ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:FALSE
-EOF
-
-export OPENSSL_CONF=$BASE/openssl.cnf
-
-echo "Development CA"
-cd $BASE/dev
-openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
-openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
-
-echo "Development Signing Keys 1"
-cd $BASE/dev
-openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
-openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
-
-cat << EOF
-===============================================================================
-
-Note that the default application should be to set up a public key
-infrastructure at your site and use keys and certificates genereated by these.
-
-In oder to use the just generated files in your BSP for testing purpose or if
-you do not intend to use real authentification, follow the instructions below. 
-
-Place the key and certificate file in your platform-dir's config/ folder:
-
-  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
-  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
-
-Place the keyring file in your platform-dir's projectroot/ folder:
-
-  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
-
-===============================================================================
-EOF
-- 
2.26.2



* [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (8 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-15  7:58   ` Michael Olbrich
  2020-05-14 13:42 ` [ptxdist] [PATCH 12/13] code-signing: move code-signing.in to platforms/ Bastian Krause
  2020-05-14 13:43 ` [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
  11 siblings, 1 reply; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Note: requires genimage > 12

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 config/images/rauc.config | 1 +
 rules/image-rauc.make     | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/images/rauc.config b/config/images/rauc.config
index 8396bd4be..0c824f00e 100644
--- a/config/images/rauc.config
+++ b/config/images/rauc.config
@@ -13,5 +13,6 @@ image @IMAGE@ {
 			"
 		cert = "@RAUC_CERT@"
 		key = "@RAUC_KEY@"
+		keyring = "@RAUC_KEYRING@"
 	}
 }
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index a031edfae..c0c9d4978 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -32,7 +32,8 @@ IMAGE_RAUC_ENV	= \
 	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
 	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
 	RAUC_KEY="$(shell cs_get_uri update)" \
-	RAUC_CERT="$(shell cs_get_uri update)"
+	RAUC_CERT="$(shell cs_get_uri update)" \
+	RAUC_KEYRING="$(shell cs_get_ca update)"
 
 $(IMAGE_RAUC_IMAGE):
 	@$(call targetinfo)
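Review bot: `RAUC_KEYRING="$(shell cs_get_ca update)"` hands genimage a path that nothing here verifies; cs_get_ca in patch 04 just prints `${keydir}/${role}/ca.pem` whether or not the provider created that file. Consider checking in the `$(IMAGE_RAUC_IMAGE)` recipe that the keyring exists before genimage is called, so a missing keyring is reported as a code-signing setup error.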
-- 
2.26.2



* [ptxdist] [PATCH 12/13] code-signing: move code-signing.in to platforms/
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (9 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification Bastian Krause
@ 2020-05-14 13:42 ` Bastian Krause
  2020-05-14 13:43 ` [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
  11 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:42 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

rules/code-signing.in belongs in platforms/, so move it there.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 {rules => platforms}/code-signing.in | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {rules => platforms}/code-signing.in (100%)

diff --git a/rules/code-signing.in b/platforms/code-signing.in
similarity index 100%
rename from rules/code-signing.in
rename to platforms/code-signing.in
-- 
2.26.2



* [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check
  2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
                   ` (10 preceding siblings ...)
  2020-05-14 13:42 ` [ptxdist] [PATCH 12/13] code-signing: move code-signing.in to platforms/ Bastian Krause
@ 2020-05-14 13:43 ` Bastian Krause
  2020-05-14 15:36   ` Bastian Krause
  11 siblings, 1 reply; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 13:43 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

Create a new rules/code-signing.in to be able to select CODE_SIGNING
not only in platformconfig but also in ptxconfig.

Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if
PTXCONF_CODE_SIGNING is set.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 rules/code-signing.make | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 rules/code-signing.make

diff --git a/rules/code-signing.make b/rules/code-signing.make
new file mode 100644
index 000000000..db1c5ab88
--- /dev/null
+++ b/rules/code-signing.make
@@ -0,0 +1,13 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2020 by Bastian Krause <bst@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+ifdef PTXCONF_CODE_SIGNING
+ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),)
+$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly)
+endif
+endif
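Review bot: The `ifeq` on `$(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER))` only catches an empty value, while the `$(error ...)` text says the provider "must be set correctly". Either word the message as "must not be empty" and say where the option is set, or also check that the named provider actually exists, so a mistyped provider name is caught here and not later during signing.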
-- 
2.26.2



* Re: [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check
  2020-05-14 13:43 ` [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
@ 2020-05-14 15:36   ` Bastian Krause
  2020-05-15  7:55     ` Michael Olbrich
  0 siblings, 1 reply; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 15:36 UTC (permalink / raw)
  To: ptxdist

On 5/14/20 3:43 PM, Bastian Krause wrote:
> Create a new rules/code-signing.in to be able to select CODE_SIGNING
> not only in platformconfig but also in ptxconfig.
> 
> Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if
> PTXCONF_CODE_SIGNING is set.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
>  rules/code-signing.make | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>  create mode 100644 rules/code-signing.make
> 
> diff --git a/rules/code-signing.make b/rules/code-signing.make
> new file mode 100644
> index 000000000..db1c5ab88
> --- /dev/null
> +++ b/rules/code-signing.make
> @@ -0,0 +1,13 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2020 by Bastian Krause <bst@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +ifdef PTXCONF_CODE_SIGNING
> +ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),)
> +$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly)
> +endif
> +endif
> 

I accidentally dropped:

diff --git a/rules/code-signing.in b/rules/code-signing.in
new file mode 100644
--- /dev/null
+++ b/rules/code-signing.in
@@ -0,0 +1,4 @@
+## SECTION=hosttools_noprompt_ptx
+
+config CODE_SIGNING
+       bool
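Review bot: `bool` under `config CODE_SIGNING` is indented with spaces in this fragment, while the other .in hunks quoted in this thread indent with a tab; use a tab in v2. A short comment saying that this promptless symbol exists so that packages configured in ptxconfig can select CODE_SIGNING would also help, since the commit message is the only place that explains it.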

Will add it again in v2.

Regards,
Bastian

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH 05/13] host-ptx-code-signing-dev: version bump 0.2 -> 0.4
  2020-05-14 13:42 ` [ptxdist] [PATCH 05/13] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
@ 2020-05-14 16:00   ` Bastian Krause
  0 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-14 16:00 UTC (permalink / raw)
  To: ptxdist


On 5/14/20 3:42 PM, Bastian Krause wrote:
> This includes a fix of a copy/paste error in import_rauc_keys's role.
> Additionally the new helper cs_append_ca_from_uri is now used for RAUC
> and HAB SRK roles. The helper function requires HOST_EXTRACT_CERT and
> HOST_OPENSSL.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
>  rules/host-ptx-code-signing-dev.in   | 2 ++
>  rules/host-ptx-code-signing-dev.make | 4 ++--
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/rules/host-ptx-code-signing-dev.in b/rules/host-ptx-code-signing-dev.in
> index 19ea46c40..544932b80 100644
> --- a/rules/host-ptx-code-signing-dev.in
> +++ b/rules/host-ptx-code-signing-dev.in
> @@ -2,6 +2,8 @@
>  
>  config CODE_SIGNING
>  	select HOST_PTX_CODE_SIGNING_DEV if CODE_SIGNING_PROVIDER_DEVEL
> +	select HOST_EXTRACT_CERT
> +	select HOST_OPENSSL

The selects of HOST_EXTRACT_CERT/HOST_OPENSSL as well as HOST_LIBP11
must be moved down to HOST_PTX_CODE_SIGNING_DEV. These host tools might
not yet be available in host-ptx-code-signing-dev.compile otherwise.

Will fix this in v2.

Regards,
Bastian

>  
>  config CODE_SIGNING_PROVIDER
>  	default "devel" if CODE_SIGNING_PROVIDER_DEVEL
> diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
> index ea40ac646..d97ae60ef 100644
> --- a/rules/host-ptx-code-signing-dev.make
> +++ b/rules/host-ptx-code-signing-dev.make
> @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
>  #
>  # Paths and names
>  #
> -HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.2
> -HOST_PTX_CODE_SIGNING_DEV_MD5		:= 1d8f695cde55ea9bbfac9804ce439c9a
> +HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.4
> +HOST_PTX_CODE_SIGNING_DEV_MD5		:= 853ac0147adc0b46dc695e16a7101aaa
>  HOST_PTX_CODE_SIGNING_DEV		:= ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
>  HOST_PTX_CODE_SIGNING_DEV_SUFFIX	:= tar.gz
>  HOST_PTX_CODE_SIGNING_DEV_URL		:= https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)
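Review bot: The new `HOST_PTX_CODE_SIGNING_DEV_MD5` value is the only integrity check on a tarball that `HOST_PTX_CODE_SIGNING_DEV_URL` fetches as a cgit snapshot, which the server generates on request. For the package that provisions the signing keys, confirm that the digest was computed from a tarball compared against the tagged source, and say in the commit message how it was obtained, since a regenerated snapshot that differs byte for byte will fail the check.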
> 



* Re: [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check
  2020-05-14 15:36   ` Bastian Krause
@ 2020-05-15  7:55     ` Michael Olbrich
  2020-05-15 11:24       ` Bastian Krause
  0 siblings, 1 reply; 26+ messages in thread
From: Michael Olbrich @ 2020-05-15  7:55 UTC (permalink / raw)
  To: ptxdist

On Thu, May 14, 2020 at 05:36:54PM +0200, Bastian Krause wrote:
> On 5/14/20 3:43 PM, Bastian Krause wrote:
> > Create a new rules/code-signing.in to be able to select CODE_SIGNING
> > not only in platformconfig but also in ptxconfig.
> > 
> > Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if
> > PTXCONF_CODE_SIGNING is set.
> > 
> > Signed-off-by: Bastian Krause <bst@pengutronix.de>
> > ---
> >  rules/code-signing.make | 13 +++++++++++++
> >  1 file changed, 13 insertions(+)
> >  create mode 100644 rules/code-signing.make
> > 
> > diff --git a/rules/code-signing.make b/rules/code-signing.make
> > new file mode 100644
> > index 000000000..db1c5ab88
> > --- /dev/null
> > +++ b/rules/code-signing.make
> > @@ -0,0 +1,13 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2020 by Bastian Krause <bst@pengutronix.de>
> > +#
> > +# For further information about the PTXdist project and license conditions
> > +# see the README file.
> > +#
> > +
> > +ifdef PTXCONF_CODE_SIGNING
> > +ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),)
> > +$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly)
> > +endif
> > +endif
> > 
> 
> I accidentally dropped:
> 
> diff --git a/rules/code-signing.in b/rules/code-signing.in
> new file mode 100644
> --- /dev/null
> +++ b/rules/code-signing.in
> @@ -0,0 +1,4 @@
> +## SECTION=hosttools_noprompt_ptx
> +
> +config CODE_SIGNING
> +       bool
> 
> Will add it again in v2.

And sort the patch before the rauc changes. It's needed there.

Michael


* Re: [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification
  2020-05-14 13:42 ` [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification Bastian Krause
@ 2020-05-15  7:58   ` Michael Olbrich
  2020-05-15 11:23     ` Bastian Krause
  0 siblings, 1 reply; 26+ messages in thread
From: Michael Olbrich @ 2020-05-15  7:58 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

On Thu, May 14, 2020 at 03:42:58PM +0200, Bastian Krause wrote:
> Note: requires genimage > 12

I think "genimage 13 or later" would be clearer here. On first glance I
thought that 12 is ok too and that's not correct.

Michael

> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
>  config/images/rauc.config | 1 +
>  rules/image-rauc.make     | 3 ++-
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/config/images/rauc.config b/config/images/rauc.config
> index 8396bd4be..0c824f00e 100644
> --- a/config/images/rauc.config
> +++ b/config/images/rauc.config
> @@ -13,5 +13,6 @@ image @IMAGE@ {
>  			"
>  		cert = "@RAUC_CERT@"
>  		key = "@RAUC_KEY@"
> +		keyring = "@RAUC_KEYRING@"
>  	}
>  }
> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
> index a031edfae..c0c9d4978 100644
> --- a/rules/image-rauc.make
> +++ b/rules/image-rauc.make
> @@ -32,7 +32,8 @@ IMAGE_RAUC_ENV	= \
>  	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>  	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
>  	RAUC_KEY="$(shell cs_get_uri update)" \
> -	RAUC_CERT="$(shell cs_get_uri update)"
> +	RAUC_CERT="$(shell cs_get_uri update)" \
> +	RAUC_KEYRING="$(shell cs_get_ca update)"
>  
>  $(IMAGE_RAUC_IMAGE):
>  	@$(call targetinfo)
> -- 
> 2.26.2
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> 


* Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
  2020-05-14 13:42 ` [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper Bastian Krause
@ 2020-05-15 10:36   ` Michael Olbrich
  2020-05-15 11:21     ` Bastian Krause
  0 siblings, 1 reply; 26+ messages in thread
From: Michael Olbrich @ 2020-05-15 10:36 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause, Jan Luebbe

On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
> These helpers allow key providers to append certificates to their CA.
> 'cs_get_ca <role>' then returns the path to the keyring allowing rules
> and other helpers to retrieve it easily.
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
>  scripts/lib/ptxd_lib_code_signing.sh | 63 ++++++++++++++++++++++++++++
>  1 file changed, 63 insertions(+)
> 
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index f93f183df..571fe6806 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -261,3 +261,66 @@ cs_import_key_from_pem() {
>      cs_import_privkey_from_pem "${role}" "${pem}"
>  }
>  export -f cs_import_key_from_pem
> +
> +#
> +# cs_get_ca <role>
> +#
> +# Get the path to the CA in pem format from a role
> +#
> +cs_get_ca() {
> +    local role="${1}"
> +    cs_init_variables
> +
> +    echo "${keydir}/${role}/ca.pem"
> +}
> +export -f cs_get_ca
> +
> +#
> +# cs_append_ca_from_pem <role> <pem>
> +#
> +# Append PEM to CA for a role
> +#
> +cs_append_ca_from_pem() {
> +    local role="${1}"
> +    local pem="${2}"
> +    cs_init_variables
> +
> +    cat "${pem}" >> "${keydir}/${role}/ca.pem"

Jan, is this correct? I think you said something about extra newlines that
may be needed?

Michael

> +}
> +export -f cs_append_ca_from_pem
> +
> +#
> +# cs_append_ca_from_der <role> <der>
> +#
> +# Append DER to CA for a role
> +#
> +cs_append_ca_from_der() {
> +    local role="${1}"
> +    local der="${2}"
> +    cs_init_variables
> +
> +    ptxd_exec openssl x509 -inform der -in "${der}" \
> +	-out "${tmpdir}/ca.pem" &&
> +    cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
> +}
> +export -f cs_append_ca_from_der
> +
> +#
> +# cs_append_ca_from_uri <role> [<uri>]
> +#
> +# Append certificate specified by URI or by already set URI to CA for a role
> +#
> +cs_append_ca_from_uri() {
> +    local role="${1}"
> +    local uri="${2}"
> +    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")"
> +    cs_init_variables
> +
> +    if [ -z "${uri}" ]; then
> +	uri=$(cs_get_uri "${role}")
> +    fi
> +
> +    ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
> +    cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
> +}
> +export -f cs_append_ca_from_uri
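Review bot: `cs_append_ca_from_der` writes to `${tmpdir}/ca.pem` but never sets `tmpdir` in the lines shown; only `cs_append_ca_from_uri` creates one with mktemp, so a provider calling the DER helper directly depends on whatever `tmpdir` happens to hold. Give `cs_append_ca_from_der` its own temporary directory. In `cs_append_ca_from_pem`, the bare `cat "${pem}" >> "${keydir}/${role}/ca.pem"` joins the END and BEGIN marker lines when an input lacks a trailing newline and adds the same certificate again on every call, so write a newline after each certificate and decide whether existing content is reset or deduplicated. Declaring `local tmpdir` and assigning the mktemp result in one statement also hides a mktemp failure.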
> -- 
> 2.26.2
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> 


* Re: [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
  2020-05-14 13:42 ` [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
@ 2020-05-15 10:37   ` Michael Olbrich
  2020-05-15 11:22     ` Bastian Krause
  0 siblings, 1 reply; 26+ messages in thread
From: Michael Olbrich @ 2020-05-15 10:37 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

On Thu, May 14, 2020 at 03:42:53PM +0200, Bastian Krause wrote:
> Key providers now take care of calling the CA helpers. This makes sure
> the CA is already present in pem format. Use that instead of extracting
> and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer
> a dependency of template-barebox-imx-habv4.
> 
> Note: requires ptx-code-signing-dev > 0.3

"0.4 or later"

Michael

> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
>  rules/templates/template-barebox-imx-habv4-in |  1 -
>  scripts/lib/ptxd_lib_imx_hab.sh               | 16 ++++++++--------
>  2 files changed, 8 insertions(+), 9 deletions(-)
> 
> diff --git a/rules/templates/template-barebox-imx-habv4-in b/rules/templates/template-barebox-imx-habv4-in
> index af3e59986..16258cbee 100644
> --- a/rules/templates/template-barebox-imx-habv4-in
> +++ b/rules/templates/template-barebox-imx-habv4-in
> @@ -3,7 +3,6 @@
>  config BAREBOX_@PACKAGE@
>  	tristate
>  	select CODE_SIGNING
> -	select HOST_EXTRACT_CERT
>  	select HOST_IMX_CST
>  	prompt "Barebox (@package@)"
>  	help
> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
> index 034bf82b2..781c1b3f6 100644
> --- a/scripts/lib/ptxd_lib_imx_hab.sh
> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
> @@ -26,24 +26,24 @@ ptxd_make_imx_habv4_gen_table_impl() {
>      local template="${1}"
>      local table_bin="${pkg_build_dir}/imx-srk-table.bin"
>      local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
> -    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/imx-habv4.XXXXXX")"
> +    local -a certs
>  
>      echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
>  
>      for i in 1 2 3 4; do
> -	local t=$(printf "${template}" "${i}")
> -	local uri=$(cs_get_uri "$t")
> +	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
> +    done
>  
> -	ptxd_exec extract-cert "${uri}" ${tmpdir}/srk${i}.der &&
> -	ptxd_exec openssl x509 -inform der -in ${tmpdir}/srk${i}.der \
> -	    -out ${tmpdir}/srk${i}.pem || break
> -    done &&
> +    local orig_IFS="${IFS}"
> +    IFS=","
> +    certs="${certs[*]}"
> +    IFS="${orig_IFS}"
>  
>      ptxd_exec srktool --hab_ver 4 \
>  	--table "${table_bin}" \
>  	--efuses "${srk_fuse_bin}" \
>  	--digest sha256 \
> -	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
> +	--certs "${certs}"
>  }
>  export -f ptxd_make_imx_habv4_gen_table_impl
>  
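Review bot: In `ptxd_make_imx_habv4_gen_table_impl` the old loop stopped with `|| break` when a certificate could not be extracted, but the new loop only collects the paths printed by `cs_get_ca` and passes them to `srktool --certs` without checking that the four files exist. Add an existence check per role before srktool is called, so a provider that did not populate a CA is reported here. `certs="${certs[*]}"` also assigns the joined string to element 0 of the array declared with `local -a certs`; a separate scalar for the comma-separated list would make that explicit.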
> -- 
> 2.26.2
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> 


* Re: [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval
  2020-05-14 13:42 ` [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
@ 2020-05-15 10:40   ` Michael Olbrich
  2020-05-15 11:23     ` Bastian Krause
  0 siblings, 1 reply; 26+ messages in thread
From: Michael Olbrich @ 2020-05-15 10:40 UTC (permalink / raw)
  To: ptxdist; +Cc: Bastian Krause

On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote:
> Use the keys provided by the currently active key provider via PKCS#11
> instead of key files placed in the platform config directory. In order
> to make sure the new mechanics are used after a BSP update the rauc.key
> file is no longer allowed to exist in the platformconfig directory.
> 
> Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3
> 
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
>  platforms/image-rauc.in          |   1 +
>  projectroot/etc/rauc/ca.cert.pem |   7 --
>  rules/image-rauc.make            |  37 ++-------
>  rules/rauc.in                    |   1 +
>  rules/rauc.make                  |  11 ++-
>  scripts/rauc-gen-test-certs.sh   | 126 -------------------------------
>  6 files changed, 17 insertions(+), 166 deletions(-)
>  delete mode 100644 projectroot/etc/rauc/ca.cert.pem
>  delete mode 100755 scripts/rauc-gen-test-certs.sh
> 
> diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
> index 658ddd5cd..1f9427b40 100644
> --- a/platforms/image-rauc.in
> +++ b/platforms/image-rauc.in
> @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
>  	select HOST_GENIMAGE
>  	select HOST_RAUC
>  	select IMAGE_ROOT_TGZ
> +	select CODE_SIGNING
>  	help
>  	  This generates a RAUC update Bundle for the selected platform using
>  	  genimage.
> diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
> deleted file mode 100644
> index be1aa7c30..000000000
> --- a/projectroot/etc/rauc/ca.cert.pem
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -# This is a dummy keyring file. Please overwrite this with one that matches
> -# your X.509 infrastructure if you intend to use RAUC for secure updates!
> -#
> -# If you really do not intend to actively use the security features (or for
> -# testing purpose) you may create a development certificate by executing the
> -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
> -# installation.
> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
> index 839cb400b..a031edfae 100644
> --- a/rules/image-rauc.make
> +++ b/rules/image-rauc.make
> @@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG	:= rauc.config
>  
>  ifdef PTXCONF_IMAGE_RAUC
>  
> -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
> -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
> -
> -IMAGE_RAUC_ENV	:= \
> +IMAGE_RAUC_ENV	= \
>  	RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
>  	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
>  	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>  	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
> -	RAUC_KEY=$(IMAGE_RAUC_KEY) \
> -	RAUC_CERT=$(IMAGE_RAUC_CERT)
> +	RAUC_KEY="$(shell cs_get_uri update)" \
> +	RAUC_CERT="$(shell cs_get_uri update)"
>  
> -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
> +$(IMAGE_RAUC_IMAGE):
>  	@$(call targetinfo)
> -	@$(call image/genimage, IMAGE_RAUC)
> +	@$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC)

Why don't you add $(CODE_SIGNING_ENV) to IMAGE_RAUC_ENV instead?

Michael

>  	@$(call finish)
>  
> -$(IMAGE_RAUC_KEY):
> -	@echo
> -	@echo "****************************************************************************"
> -	@echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
> -	@echo "*                                                                          *"
> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
> -	@echo "****************************************************************************"
> -	@echo
> -	@echo
> -	@exit 1
> -
> -$(IMAGE_RAUC_CERT):
> -	@echo
> -	@echo "****************************************************************************"
> -	@echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
> -	@echo "*                                                                          *"
> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
> -	@echo "****************************************************************************"
> -	@echo
> -	@echo
> -	@exit 1
> -
>  endif
>  
>  # vim: syntax=make
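Review bot: With the `$(IMAGE_RAUC_KEY)` and `$(IMAGE_RAUC_CERT)` prerequisites and their error rules removed, nothing in the `$(IMAGE_RAUC_IMAGE)` rule checks that `$(shell cs_get_uri update)` returned a usable URI before genimage runs. Add a check in the recipe that bails out when the `update` role has no key, so the developer gets a code-signing message in place of a genimage or rauc failure. The switch of `IMAGE_RAUC_ENV` from `:=` to `=` also means both `$(shell ...)` calls run on every expansion of the variable; a comment giving the reason for the deferred expansion would help.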
> diff --git a/rules/rauc.in b/rules/rauc.in
> index d712bc7b9..56fc3ae3b 100644
> --- a/rules/rauc.in
> +++ b/rules/rauc.in
> @@ -7,6 +7,7 @@ menuconfig RAUC
>  	select GLIB
>  	select GLIB_LIBMOUNT
>  	select HOST_GLIB
> +	select CODE_SIGNING
>  	select BUSYBOX_FEATURE_TAR_LONG_OPTIONS	if BUSYBOX_TAR
>  	select BUSYBOX_FEATURE_TAR_AUTODETECT	if BUSYBOX_TAR
>  	select BUSYBOX_FEATURE_SEAMLESS_XZ	if BUSYBOX_TAR
> diff --git a/rules/rauc.make b/rules/rauc.make
> index ade9bd5dd..f9a10fbbc 100644
> --- a/rules/rauc.make
> +++ b/rules/rauc.make
> @@ -46,6 +46,14 @@ RAUC_CONF_OPT	:= \
>  	--with-dbuspolicydir=/usr/share/dbus-1/system.d \
>  	--with-dbussystemservicedir=/usr/share/dbus-1/system-services
>  
> +$(STATEDIR)/rauc.prepare:
> +	@$(call targetinfo)
> +	@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
> +		ptxd_bailout "Please use the key provider infrastructure desribed in:" \
> +			"scripts/lib/ptxd_lib_code_signing.sh"
> +	@$(call world/prepare, RAUC)
> +	@$(call touch)
> +
>  # ----------------------------------------------------------------------------
>  # Target-Install
>  # ----------------------------------------------------------------------------
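Review bot: The new `rauc.prepare` check tests for `config/rauc/rauc.key`, but the file this patch stops using is `config/rauc/rauc.key.pem` (the removed `IMAGE_RAUC_KEY` in rules/image-rauc.make, and the path the deleted rauc-gen-test-certs.sh told developers to copy to). As written, a BSP that still carries the old key file passes the check, so test for `rauc.key.pem`, and consider `rauc.cert.pem` as well.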
> @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
>  	@$(call install_replace, rauc, /etc/rauc/system.conf, \
>  		@RAUC_BUNDLE_COMPATIBLE@, \
>  		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
> -	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
> +	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
> +		/etc/rauc/ca.cert.pem)
>  endif
>  
>  ifdef PTXCONF_RAUC_SERVICE
> diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
> deleted file mode 100755
> index b4ea6a8cf..000000000
> --- a/scripts/rauc-gen-test-certs.sh
> +++ /dev/null
> @@ -1,126 +0,0 @@
> -#!/bin/bash
> -#
> -# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
> -# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
> -#
> -# For further information about the PTXdist project and license conditions
> -# see the README file.
> -#
> -# ---
> -#
> -# Demo script that generates certificate files required to sign and verify
> -# RAUC update tool bundles.
> -#
> -
> -set -xe
> -
> -ORG="Test Org"
> -CA="rauc CA"
> -
> -# After the CRL expires, signatures cannot be verified anymore
> -CRL="-crldays 5000"
> -
> -BASE="$(pwd)/rauc-openssl-ca"
> -
> -if [ -e $BASE ]; then
> -  echo "$BASE already exists"
> -  exit 1
> -fi
> -
> -mkdir -p $BASE/dev/{private,certs}
> -touch $BASE/dev/index.txt
> -echo 01 > $BASE/dev/serial
> -
> -cat > $BASE/openssl.cnf <<EOF
> -[ ca ]
> -default_ca      = CA_default            # The default ca section
> -
> -[ CA_default ]
> -
> -dir            = .                     # top dir
> -database       = \$dir/index.txt        # index file.
> -new_certs_dir  = \$dir/certs            # new certs dir
> -
> -certificate    = \$dir/ca.cert.pem       # The CA cert
> -serial         = \$dir/serial           # serial no file
> -private_key    = \$dir/private/ca.key.pem# CA private key
> -RANDFILE       = \$dir/private/.rand    # random number file
> -
> -default_startdate = 19700101000000Z
> -default_enddate = 99991231235959Z
> -default_crl_days= 30                   # how long before next CRL
> -default_md     = sha256                # md to use
> -
> -policy         = policy_any            # default policy
> -email_in_dn    = no                    # Don't add the email into cert DN
> -
> -name_opt       = ca_default            # Subject name display option
> -cert_opt       = ca_default            # Certificate display option
> -copy_extensions = none                 # Don't copy extensions from request
> -
> -[ policy_any ]
> -organizationName       = match
> -commonName             = supplied
> -
> -[ req ]
> -default_bits           = 2048
> -distinguished_name     = req_distinguished_name
> -x509_extensions        = v3_leaf
> -encrypt_key = no
> -default_md = sha256
> -
> -[ req_distinguished_name ]
> -commonName                     = Common Name (eg, YOUR name)
> -commonName_max                 = 64
> -
> -[ v3_ca ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:TRUE
> -
> -[ v3_inter ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:TRUE,pathlen:0
> -
> -[ v3_leaf ]
> -
> -subjectKeyIdentifier=hash
> -authorityKeyIdentifier=keyid:always,issuer:always
> -basicConstraints = CA:FALSE
> -EOF
> -
> -export OPENSSL_CONF=$BASE/openssl.cnf
> -
> -echo "Development CA"
> -cd $BASE/dev
> -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
> -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
> -
> -echo "Development Signing Keys 1"
> -cd $BASE/dev
> -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
> -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
> -
> -cat << EOF
> -===============================================================================
> -
> -Note that the default application should be to set up a public key
> -infrastructure at your site and use keys and certificates genereated by these.
> -
> -In oder to use the just generated files in your BSP for testing purpose or if
> -you do not intend to use real authentification, follow the instructions below. 
> -
> -Place the key and certificate file in your platform-dir's config/ folder:
> -
> -  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
> -  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
> -
> -Place the keyring file in your platform-dir's projectroot/ folder:
> -
> -  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
> -
> -===============================================================================
> -EOF
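Review bot: Removing this script also removes what the deleted projectroot/etc/rauc/ca.cert.pem placeholder pointed users to for creating development certificates, and the commit message does not say what replaces it. Add a sentence to the commit message, or to the new bailout text, on how a BSP obtains a development keyring through the key provider infrastructure.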
> -- 
> 2.26.2
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
  2020-05-15 10:36   ` Michael Olbrich
@ 2020-05-15 11:21     ` Bastian Krause
  2020-05-15 11:41       ` Jan Lübbe
  0 siblings, 1 reply; 26+ messages in thread
From: Bastian Krause @ 2020-05-15 11:21 UTC (permalink / raw)
  To: ptxdist, Jan Luebbe


On 5/15/20 12:36 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
>> These helpers allow key providers to append certificates to their CA.
>> 'cs_get_ca <role>' then returns the path to the keyring allowing rules
>> and other helpers to retrieve it easily.
>>
>> Signed-off-by: Bastian Krause <bst@pengutronix.de>
>> ---
>>  scripts/lib/ptxd_lib_code_signing.sh | 63 ++++++++++++++++++++++++++++
>>  1 file changed, 63 insertions(+)
>>
>> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
>> index f93f183df..571fe6806 100644
>> --- a/scripts/lib/ptxd_lib_code_signing.sh
>> +++ b/scripts/lib/ptxd_lib_code_signing.sh
>> @@ -261,3 +261,66 @@ cs_import_key_from_pem() {
>>      cs_import_privkey_from_pem "${role}" "${pem}"
>>  }
>>  export -f cs_import_key_from_pem
>> +
>> +#
>> +# cs_get_ca <role>
>> +#
>> +# Get the path to the CA in pem format from a role
>> +#
>> +cs_get_ca() {
>> +    local role="${1}"
>> +    cs_init_variables
>> +
>> +    echo "${keydir}/${role}/ca.pem"
>> +}
>> +export -f cs_get_ca
>> +
>> +#
>> +# cs_append_ca_from_pem <role> <pem>
>> +#
>> +# Append PEM to CA for a role
>> +#
>> +cs_append_ca_from_pem() {
>> +    local role="${1}"
>> +    local pem="${2}"
>> +    cs_init_variables
>> +
>> +    cat "${pem}" >> "${keydir}/${role}/ca.pem"
> 
> Jan, is this correct? I think you said something about extra newlines that
> may be needed?

I guess if we first append a file with no EOL at the end and then append
something else this can lead to..
"-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
.. on a single line. Is there a smart way of adding an EOL? Or should we
always append a final new line? Does this break any known use cases?

Regards,
Bastian

> 
>> +}
>> +export -f cs_append_ca_from_pem
>> +
>> +#
>> +# cs_append_ca_from_der <role> <der>
>> +#
>> +# Append DER to CA for a role
>> +#
>> +cs_append_ca_from_der() {
>> +    local role="${1}"
>> +    local der="${2}"
>> +    cs_init_variables
>> +
>> +    ptxd_exec openssl x509 -inform der -in "${der}" \
>> +	-out "${tmpdir}/ca.pem" &&
>> +    cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
>> +}
>> +export -f cs_append_ca_from_der
>> +
>> +#
>> +# cs_append_ca_from_uri <role> [<uri>]
>> +#
>> +# Append certificate specified by URI or by already set URI to CA for a role
>> +#
>> +cs_append_ca_from_uri() {
>> +    local role="${1}"
>> +    local uri="${2}"
>> +    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")"
>> +    cs_init_variables
>> +
>> +    if [ -z "${uri}" ]; then
>> +	uri=$(cs_get_uri "${role}")
>> +    fi
>> +
>> +    ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
>> +    cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
>> +}
>> +export -f cs_append_ca_from_uri
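Review bot: cs_append_ca_from_der writes to "${tmpdir}/ca.pem", but in the lines shown tmpdir is only declared in cs_append_ca_from_uri (local tmpdir="$(mktemp -d ...)"), so the function works only through bash's dynamic scoping when called from there. Unless cs_init_variables sets tmpdir, a key provider calling cs_append_ca_from_der directly would have the path expand to /ca.pem; create the temporary directory in cs_append_ca_from_der itself or pass the output path in. Separately, cs_append_ca_from_pem appends unconditionally, so running a provider twice duplicates entries in ca.pem; the function comment should say whether callers are expected to start from a fresh keydir.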
>> -- 
>> 2.26.2
>>
>>

* Re: [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
  2020-05-15 10:37   ` Michael Olbrich
@ 2020-05-15 11:22     ` Bastian Krause
  0 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-15 11:22 UTC (permalink / raw)
  To: ptxdist

On 5/15/20 12:37 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:53PM +0200, Bastian Krause wrote:
>> Key providers now take care of calling the CA helpers. This makes sure
>> the CA is already present in pem format. Use that instead of extracting
>> and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer
>> a dependency of template-barebox-imx-habv4.
>>
>> Note: requires ptx-code-signing-dev > 0.3
> 
> "0.4 or later"

Okay.

Regards,
Bastian

> 
>> Signed-off-by: Bastian Krause <bst@pengutronix.de>
>> ---
>>  rules/templates/template-barebox-imx-habv4-in |  1 -
>>  scripts/lib/ptxd_lib_imx_hab.sh               | 16 ++++++++--------
>>  2 files changed, 8 insertions(+), 9 deletions(-)
>>
>> diff --git a/rules/templates/template-barebox-imx-habv4-in b/rules/templates/template-barebox-imx-habv4-in
>> index af3e59986..16258cbee 100644
>> --- a/rules/templates/template-barebox-imx-habv4-in
>> +++ b/rules/templates/template-barebox-imx-habv4-in
>> @@ -3,7 +3,6 @@
>>  config BAREBOX_@PACKAGE@
>>  	tristate
>>  	select CODE_SIGNING
>> -	select HOST_EXTRACT_CERT
>>  	select HOST_IMX_CST
>>  	prompt "Barebox (@package@)"
>>  	help
>> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh
>> index 034bf82b2..781c1b3f6 100644
>> --- a/scripts/lib/ptxd_lib_imx_hab.sh
>> +++ b/scripts/lib/ptxd_lib_imx_hab.sh
>> @@ -26,24 +26,24 @@ ptxd_make_imx_habv4_gen_table_impl() {
>>      local template="${1}"
>>      local table_bin="${pkg_build_dir}/imx-srk-table.bin"
>>      local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin"
>> -    local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/imx-habv4.XXXXXX")"
>> +    local -a certs
>>  
>>      echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n"
>>  
>>      for i in 1 2 3 4; do
>> -	local t=$(printf "${template}" "${i}")
>> -	local uri=$(cs_get_uri "$t")
>> +	certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")"
>> +    done
>>  
>> -	ptxd_exec extract-cert "${uri}" ${tmpdir}/srk${i}.der &&
>> -	ptxd_exec openssl x509 -inform der -in ${tmpdir}/srk${i}.der \
>> -	    -out ${tmpdir}/srk${i}.pem || break
>> -    done &&
>> +    local orig_IFS="${IFS}"
>> +    IFS=","
>> +    certs="${certs[*]}"
>> +    IFS="${orig_IFS}"
>>  
>>      ptxd_exec srktool --hab_ver 4 \
>>  	--table "${table_bin}" \
>>  	--efuses "${srk_fuse_bin}" \
>>  	--digest sha256 \
>> -	--certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem
>> +	--certs "${certs}"
>>  }
>>  export -f ptxd_make_imx_habv4_gen_table_impl
>>  
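Review bot: certs is declared with local -a and then assigned as a scalar (certs="${certs[*]}"), which only works because bash stores the joined string in element 0 and "${certs}" reads element 0 back. Use a separate variable for the comma-joined list so the --certs argument is obvious to the next reader. Also, the removed loop stopped at the first failing extract-cert or openssl call (|| break, done &&), while cs_get_ca only echoes a path, so a missing SRK certificate is now caught by srktool at the earliest; an existence check per path would keep the error close to its cause.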
>> -- 
>> 2.26.2
>>
>>

* Re: [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval
  2020-05-15 10:40   ` Michael Olbrich
@ 2020-05-15 11:23     ` Bastian Krause
  0 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-15 11:23 UTC (permalink / raw)
  To: ptxdist

On 5/15/20 12:40 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote:
>> Use the keys provided by the currently active key provider via PKCS#11
>> instead of key files placed in the platform config directory. In order
>> to make sure the new mechanics are used after a BSP update the rauc.key
>> file is no longer allowed to exist in the platformconfig directory.
>>
>> Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3
>>
>> Signed-off-by: Bastian Krause <bst@pengutronix.de>
>> ---
>>  platforms/image-rauc.in          |   1 +
>>  projectroot/etc/rauc/ca.cert.pem |   7 --
>>  rules/image-rauc.make            |  37 ++-------
>>  rules/rauc.in                    |   1 +
>>  rules/rauc.make                  |  11 ++-
>>  scripts/rauc-gen-test-certs.sh   | 126 -------------------------------
>>  6 files changed, 17 insertions(+), 166 deletions(-)
>>  delete mode 100644 projectroot/etc/rauc/ca.cert.pem
>>  delete mode 100755 scripts/rauc-gen-test-certs.sh
>>
>> diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
>> index 658ddd5cd..1f9427b40 100644
>> --- a/platforms/image-rauc.in
>> +++ b/platforms/image-rauc.in
>> @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
>>  	select HOST_GENIMAGE
>>  	select HOST_RAUC
>>  	select IMAGE_ROOT_TGZ
>> +	select CODE_SIGNING
>>  	help
>>  	  This generates a RAUC update Bundle for the selected platform using
>>  	  genimage.
>> diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
>> deleted file mode 100644
>> index be1aa7c30..000000000
>> --- a/projectroot/etc/rauc/ca.cert.pem
>> +++ /dev/null
>> @@ -1,7 +0,0 @@
>> -# This is a dummy keyring file. Please overwrite this with one that matches
>> -# your X.509 infrastructure if you intend to use RAUC for secure updates!
>> -#
>> -# If you really do not intend to actively use the security features (or for
>> -# testing purpose) you may create a development certificate by executing the
>> -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
>> -# installation.
>> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
>> index 839cb400b..a031edfae 100644
>> --- a/rules/image-rauc.make
>> +++ b/rules/image-rauc.make
>> @@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG	:= rauc.config
>>  
>>  ifdef PTXCONF_IMAGE_RAUC
>>  
>> -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
>> -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
>> -
>> -IMAGE_RAUC_ENV	:= \
>> +IMAGE_RAUC_ENV	= \
>>  	RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
>>  	RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
>>  	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>>  	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
>> -	RAUC_KEY=$(IMAGE_RAUC_KEY) \
>> -	RAUC_CERT=$(IMAGE_RAUC_CERT)
>> +	RAUC_KEY="$(shell cs_get_uri update)" \
>> +	RAUC_CERT="$(shell cs_get_uri update)"
>>  
>> -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
>> +$(IMAGE_RAUC_IMAGE):
>>  	@$(call targetinfo)
>> -	@$(call image/genimage, IMAGE_RAUC)
>> +	@$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC)
> 
> Why don't you add $(CODE_SIGNING_ENV) to IMAGE_RAUC_ENV instead?

You're right, that's better.

Regards,
Bastian

> 
>>  	@$(call finish)
>>  
>> -$(IMAGE_RAUC_KEY):
>> -	@echo
>> -	@echo "****************************************************************************"
>> -	@echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
>> -	@echo "*                                                                          *"
>> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
>> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
>> -	@echo "****************************************************************************"
>> -	@echo
>> -	@echo
>> -	@exit 1
>> -
>> -$(IMAGE_RAUC_CERT):
>> -	@echo
>> -	@echo "****************************************************************************"
>> -	@echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
>> -	@echo "*                                                                          *"
>> -	@echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh   *"
>> -	@echo "*       from the scripts/ folder of your PTXdist installation              *"
>> -	@echo "****************************************************************************"
>> -	@echo
>> -	@echo
>> -	@exit 1
>> -
>>  endif
>>  
>>  # vim: syntax=make
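Review bot: IMAGE_RAUC_ENV changes from := to = without a word in the commit message. With = the two $(shell cs_get_uri update) calls, and the date call for RAUC_BUNDLE_BUILD, run each time the variable is expanded rather than once when the makefile is parsed. If deferred expansion is required so that the key provider is set up first, add a comment above the assignment saying so, otherwise someone will turn it back into := later.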
>> diff --git a/rules/rauc.in b/rules/rauc.in
>> index d712bc7b9..56fc3ae3b 100644
>> --- a/rules/rauc.in
>> +++ b/rules/rauc.in
>> @@ -7,6 +7,7 @@ menuconfig RAUC
>>  	select GLIB
>>  	select GLIB_LIBMOUNT
>>  	select HOST_GLIB
>> +	select CODE_SIGNING
>>  	select BUSYBOX_FEATURE_TAR_LONG_OPTIONS	if BUSYBOX_TAR
>>  	select BUSYBOX_FEATURE_TAR_AUTODETECT	if BUSYBOX_TAR
>>  	select BUSYBOX_FEATURE_SEAMLESS_XZ	if BUSYBOX_TAR
>> diff --git a/rules/rauc.make b/rules/rauc.make
>> index ade9bd5dd..f9a10fbbc 100644
>> --- a/rules/rauc.make
>> +++ b/rules/rauc.make
>> @@ -46,6 +46,14 @@ RAUC_CONF_OPT	:= \
>>  	--with-dbuspolicydir=/usr/share/dbus-1/system.d \
>>  	--with-dbussystemservicedir=/usr/share/dbus-1/system-services
>>  
>> +$(STATEDIR)/rauc.prepare:
>> +	@$(call targetinfo)
>> +	@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
>> +		ptxd_bailout "Please use the key provider infrastructure desribed in:" \
>> +			"scripts/lib/ptxd_lib_code_signing.sh"
>> +	@$(call world/prepare, RAUC)
>> +	@$(call touch)
>> +
>>  # ----------------------------------------------------------------------------
>>  # Target-Install
>>  # ----------------------------------------------------------------------------
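Review bot: The new guard tests for config/rauc/rauc.key, but the key path this same patch removes from rules/image-rauc.make is config/rauc/rauc.key.pem, which is also the name the deleted rauc-gen-test-certs.sh told users to copy the key to. As written, a BSP that still carries the old rauc.key.pem passes the check and the private key stays in the platform config directory unnoticed; test for rauc.key.pem (and perhaps rauc.cert.pem) instead, or adjust the commit message if rauc.key is really meant.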
>> @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
>>  	@$(call install_replace, rauc, /etc/rauc/system.conf, \
>>  		@RAUC_BUNDLE_COMPATIBLE@, \
>>  		"$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
>> -	@$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
>> +	@$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
>> +		/etc/rauc/ca.cert.pem)
>>  endif
>>  
>>  ifdef PTXCONF_RAUC_SERVICE
>> diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
>> deleted file mode 100755
>> index b4ea6a8cf..000000000
>> --- a/scripts/rauc-gen-test-certs.sh
>> +++ /dev/null
>> @@ -1,126 +0,0 @@
>> -#!/bin/bash
>> -#
>> -# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de>
>> -# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de>
>> -#
>> -# For further information about the PTXdist project and license conditions
>> -# see the README file.
>> -#
>> -# ---
>> -#
>> -# Demo script that generates certificate files required to sign and verify
>> -# RAUC update tool bundles.
>> -#
>> -
>> -set -xe
>> -
>> -ORG="Test Org"
>> -CA="rauc CA"
>> -
>> -# After the CRL expires, signatures cannot be verified anymore
>> -CRL="-crldays 5000"
>> -
>> -BASE="$(pwd)/rauc-openssl-ca"
>> -
>> -if [ -e $BASE ]; then
>> -  echo "$BASE already exists"
>> -  exit 1
>> -fi
>> -
>> -mkdir -p $BASE/dev/{private,certs}
>> -touch $BASE/dev/index.txt
>> -echo 01 > $BASE/dev/serial
>> -
>> -cat > $BASE/openssl.cnf <<EOF
>> -[ ca ]
>> -default_ca      = CA_default            # The default ca section
>> -
>> -[ CA_default ]
>> -
>> -dir            = .                     # top dir
>> -database       = \$dir/index.txt        # index file.
>> -new_certs_dir  = \$dir/certs            # new certs dir
>> -
>> -certificate    = \$dir/ca.cert.pem       # The CA cert
>> -serial         = \$dir/serial           # serial no file
>> -private_key    = \$dir/private/ca.key.pem# CA private key
>> -RANDFILE       = \$dir/private/.rand    # random number file
>> -
>> -default_startdate = 19700101000000Z
>> -default_enddate = 99991231235959Z
>> -default_crl_days= 30                   # how long before next CRL
>> -default_md     = sha256                # md to use
>> -
>> -policy         = policy_any            # default policy
>> -email_in_dn    = no                    # Don't add the email into cert DN
>> -
>> -name_opt       = ca_default            # Subject name display option
>> -cert_opt       = ca_default            # Certificate display option
>> -copy_extensions = none                 # Don't copy extensions from request
>> -
>> -[ policy_any ]
>> -organizationName       = match
>> -commonName             = supplied
>> -
>> -[ req ]
>> -default_bits           = 2048
>> -distinguished_name     = req_distinguished_name
>> -x509_extensions        = v3_leaf
>> -encrypt_key = no
>> -default_md = sha256
>> -
>> -[ req_distinguished_name ]
>> -commonName                     = Common Name (eg, YOUR name)
>> -commonName_max                 = 64
>> -
>> -[ v3_ca ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:TRUE
>> -
>> -[ v3_inter ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:TRUE,pathlen:0
>> -
>> -[ v3_leaf ]
>> -
>> -subjectKeyIdentifier=hash
>> -authorityKeyIdentifier=keyid:always,issuer:always
>> -basicConstraints = CA:FALSE
>> -EOF
>> -
>> -export OPENSSL_CONF=$BASE/openssl.cnf
>> -
>> -echo "Development CA"
>> -cd $BASE/dev
>> -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
>> -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
>> -
>> -echo "Development Signing Keys 1"
>> -cd $BASE/dev
>> -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
>> -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
>> -
>> -cat << EOF
>> -===============================================================================
>> -
>> -Note that the default application should be to set up a public key
>> -infrastructure at your site and use keys and certificates genereated by these.
>> -
>> -In oder to use the just generated files in your BSP for testing purpose or if
>> -you do not intend to use real authentification, follow the instructions below. 
>> -
>> -Place the key and certificate file in your platform-dir's config/ folder:
>> -
>> -  cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem
>> -  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
>> -
>> -Place the keyring file in your platform-dir's projectroot/ folder:
>> -
>> -  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
>> -
>> -===============================================================================
>> -EOF
>> -- 
>> 2.26.2
>>
>>

* Re: [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification
  2020-05-15  7:58   ` Michael Olbrich
@ 2020-05-15 11:23     ` Bastian Krause
  0 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-15 11:23 UTC (permalink / raw)
  To: ptxdist

On 5/15/20 9:58 AM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:58PM +0200, Bastian Krause wrote:
>> Note: requires genimage > 12
> 
> I think "genimage 13 or later" would be clearer here. On first glance I
> thought that 12 is ok too and that's not correct.

Right, will do.

Regards,
Bastian

> 
> Michael
> 
>> Signed-off-by: Bastian Krause <bst@pengutronix.de>
>> ---
>>  config/images/rauc.config | 1 +
>>  rules/image-rauc.make     | 3 ++-
>>  2 files changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/config/images/rauc.config b/config/images/rauc.config
>> index 8396bd4be..0c824f00e 100644
>> --- a/config/images/rauc.config
>> +++ b/config/images/rauc.config
>> @@ -13,5 +13,6 @@ image @IMAGE@ {
>>  			"
>>  		cert = "@RAUC_CERT@"
>>  		key = "@RAUC_KEY@"
>> +		keyring = "@RAUC_KEYRING@"
>>  	}
>>  }
>> diff --git a/rules/image-rauc.make b/rules/image-rauc.make
>> index a031edfae..c0c9d4978 100644
>> --- a/rules/image-rauc.make
>> +++ b/rules/image-rauc.make
>> @@ -32,7 +32,8 @@ IMAGE_RAUC_ENV	= \
>>  	RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
>>  	RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
>>  	RAUC_KEY="$(shell cs_get_uri update)" \
>> -	RAUC_CERT="$(shell cs_get_uri update)"
>> +	RAUC_CERT="$(shell cs_get_uri update)" \
>> +	RAUC_KEYRING="$(shell cs_get_ca update)"
>>  
>>  $(IMAGE_RAUC_IMAGE):
>>  	@$(call targetinfo)
>> -- 
>> 2.26.2
>>
>>

* Re: [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check
  2020-05-15  7:55     ` Michael Olbrich
@ 2020-05-15 11:24       ` Bastian Krause
  0 siblings, 0 replies; 26+ messages in thread
From: Bastian Krause @ 2020-05-15 11:24 UTC (permalink / raw)
  To: ptxdist

On 5/15/20 9:55 AM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 05:36:54PM +0200, Bastian Krause wrote:
>> On 5/14/20 3:43 PM, Bastian Krause wrote:
>>> Create a new rules/code-signing.in to be able to select CODE_SIGNING
>>> not only in platformconfig but also in ptxconfig.
>>>
>>> Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if
>>> PTXCONF_CODE_SIGNING is set.
>>>
>>> Signed-off-by: Bastian Krause <bst@pengutronix.de>
>>> ---
>>>  rules/code-signing.make | 13 +++++++++++++
>>>  1 file changed, 13 insertions(+)
>>>  create mode 100644 rules/code-signing.make
>>>
>>> diff --git a/rules/code-signing.make b/rules/code-signing.make
>>> new file mode 100644
>>> index 000000000..db1c5ab88
>>> --- /dev/null
>>> +++ b/rules/code-signing.make
>>> @@ -0,0 +1,13 @@
>>> +# -*-makefile-*-
>>> +#
>>> +# Copyright (C) 2020 by Bastian Krause <bst@pengutronix.de>
>>> +#
>>> +# For further information about the PTXdist project and license conditions
>>> +# see the README file.
>>> +#
>>> +
>>> +ifdef PTXCONF_CODE_SIGNING
>>> +ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),)
>>> +$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly)
>>> +endif
>>> +endif
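Review bot: The ifeq only checks that PTXCONF_CODE_SIGNING_PROVIDER is non-empty after remove_quotes, yet the $(error) text says it "must be set correctly", which tells the user neither what is wrong nor what to change. Word the message after what is actually tested, for example "PTXCONF_CODE_SIGNING is enabled but PTXCONF_CODE_SIGNING_PROVIDER is empty".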
>>>
>>
>> I accidentally dropped:
>>
>> diff --git a/rules/code-signing.in b/rules/code-signing.in
>> new file mode 100644
>> --- /dev/null
>> +++ b/rules/code-signing.in
>> @@ -0,0 +1,4 @@
>> +## SECTION=hosttools_noprompt_ptx
>> +
>> +config CODE_SIGNING
>> +       bool
>>
>> Will add it again in v2.
> 
> And sort the patch before the rauc changes. It's needed there.

True.

Regards,
Bastian



* Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
  2020-05-15 11:21     ` Bastian Krause
@ 2020-05-15 11:41       ` Jan Lübbe
  0 siblings, 0 replies; 26+ messages in thread
From: Jan Lübbe @ 2020-05-15 11:41 UTC (permalink / raw)
  To: Bastian Krause, ptxdist

On Fri, 2020-05-15 at 13:21 +0200, Bastian Krause wrote:
> I guess if we first append a file with no EOL at the end and then
> append something else this can lead to..
> 
> "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
> 
> .. on a single line.

Yes, this is the case I was thinking of.

> Is there a smart way of adding an EOL? Or should we always append a
> final new line? Does this break any known use cases?

Empty lines don't hurt here, so always adding one seems the safe and
simple solution.

Regards,
Jan
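
The failure mode discussed in this sub-thread and the "always add a newline" fix, as an added example that is not ptxdist code: two constructed PEM blocks without a final newline are appended to a keyring, once with plain `cat >>` and once with a newline added after each file. All function names and the sample payloads are made up for the illustration.

```shell
#!/bin/sh
# Added illustration, not part of ptxdist. The PEM payloads are constructed
# placeholders, not real certificates.

BEGIN_MARK='-----BEGIN CERTIFICATE-----'
END_MARK='-----END CERTIFICATE-----'

# make_pem_no_eol <file> <payload>
# Write a PEM-shaped block whose last line has NO trailing newline.
make_pem_no_eol() {
    printf '%s\n%s\n%s' "$BEGIN_MARK" "$2" "$END_MARK" > "$1"
}

# append_plain <bundle> <pem>
# Plain concatenation, as in the patch under review.
append_plain() {
    cat "$2" >> "$1"
}

# append_with_eol <bundle> <pem>
# Always add a newline after each appended file. A file that already ends
# with a newline just produces an empty line between blocks.
append_with_eol() {
    cat "$2" >> "$1" && echo >> "$1"
}

# fused_markers <bundle>
# Number of lines where an END marker runs straight into a BEGIN marker.
fused_markers() {
    grep -c -F -e "${END_MARK}${BEGIN_MARK}" "$1" || true
}

# begin_lines <bundle>
# Number of lines that consist of exactly the BEGIN marker, i.e. the
# certificates a line-based PEM reader can still find.
begin_lines() {
    grep -c -x -F -e "$BEGIN_MARK" "$1" || true
}

# bundle_report <append-function>
# Append the same two inputs with the given strategy and print
# "<fused marker lines> <intact BEGIN lines>".
bundle_report() {
    dir=$(mktemp -d) || return 1
    make_pem_no_eol "$dir/a.pem" 'Q09OU1RSVUNURUQtQQ=='
    make_pem_no_eol "$dir/b.pem" 'Q09OU1RSVUNURUQtQg=='
    : > "$dir/ca.pem"
    "$1" "$dir/ca.pem" "$dir/a.pem"
    "$1" "$dir/ca.pem" "$dir/b.pem"
    echo "$(fused_markers "$dir/ca.pem") $(begin_lines "$dir/ca.pem")"
    rm -rf "$dir"
}

echo "plain cat:    $(bundle_report append_plain)"
echo "with newline: $(bundle_report append_with_eol)"
```

A check like `fused_markers` can also be run over an existing keyring to see whether it was built from inputs without a final newline.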


Thread overview: 26+ messages
2020-05-14 13:42 [ptxdist] [PATCH 01/13] host-genimage: version bump 11 -> 13 Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 02/13] ptxd_lib_code_signing: return error string in cs_get_uri for make error case Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 03/13] ptxd_lib_imx_hab: fix srk fuse file and table generation Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper Bastian Krause
2020-05-15 10:36   ` Michael Olbrich
2020-05-15 11:21     ` Bastian Krause
2020-05-15 11:41       ` Jan Lübbe
2020-05-14 13:42 ` [ptxdist] [PATCH 05/13] host-ptx-code-signing-dev: version bump 0.2 -> 0.4 Bastian Krause
2020-05-14 16:00   ` Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper Bastian Krause
2020-05-15 10:37   ` Michael Olbrich
2020-05-15 11:22     ` Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 07/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 08/13] ptxd_make_fit_image: call mkimage with ptxd_exec Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 09/13] u-boot/ptxd_make_fit_image: avoid overriding object name Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval Bastian Krause
2020-05-15 10:40   ` Michael Olbrich
2020-05-15 11:23     ` Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification Bastian Krause
2020-05-15  7:58   ` Michael Olbrich
2020-05-15 11:23     ` Bastian Krause
2020-05-14 13:42 ` [ptxdist] [PATCH 12/13] code-signing: move code-signing.in to platforms/ Bastian Krause
2020-05-14 13:43 ` [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check Bastian Krause
2020-05-14 15:36   ` Bastian Krause
2020-05-15  7:55     ` Michael Olbrich
2020-05-15 11:24       ` Bastian Krause
