From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: References: <20200608085305.30964-1-bst@pengutronix.de> <20200608085305.30964-2-bst@pengutronix.de> <20200612091825.GA27654@pengutronix.de> <20200612095439.GD27654@pengutronix.de> <20200612100538.GF27654@pengutronix.de> From: Bastian Krause Message-ID: Date: Fri, 12 Jun 2020 13:05:14 +0200 MIME-Version: 1.0 In-Reply-To: <20200612100538.GF27654@pengutronix.de> Content-Language: en-US Subject: Re: [ptxdist] [PATCH 1/5] package templates: add code-signing-provider template List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Marc Kleine-Budde , Roland Hieber On 6/12/20 12:05 PM, Michael Olbrich wrote: > On Fri, Jun 12, 2020 at 11:54:39AM +0200, Michael Olbrich wrote: >> On Fri, Jun 12, 2020 at 11:18:25AM +0200, Michael Olbrich wrote: >>> On Mon, Jun 08, 2020 at 10:53:01AM +0200, Bastian Krause wrote: >>>> A ptxdist code signing provider is a package which selects the required >>>> host tools needed for the code signing helpers to work. A shell script >>>> is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM >>>> is used. In order to simplify its creation provide a template along with >>>> an example script. >>> >>> I think we should query whether a HSM or SoftHSM will be used and install >>> an appropriate script and set the correct dependencies. 
>>>
>>>> Signed-off-by: Bastian Krause
>>>> ---
>>>> .../code-signing-provider/ptxdist-set-keys.sh | 96 +++++++++++++++++++
>>>> .../template-code-signing-provider-choice-in | 5 +
>>>> .../template-code-signing-provider-in | 16 ++++
>>>> .../template-code-signing-provider-make | 41 ++++++++
>>>> scripts/lib/ptxd_lib_template.sh | 16 ++++
>>>> 5 files changed, 174 insertions(+)
>>>> create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>> create mode 100644 rules/templates/template-code-signing-provider-choice-in
>>>> create mode 100644 rules/templates/template-code-signing-provider-in
>>>> create mode 100644 rules/templates/template-code-signing-provider-make
>>>>
>>>> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys.sh b/rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>> new file mode 100755
>>>> index 000000000..040a61534
>>>> --- /dev/null
>>>> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys.sh
>>>> @@ -0,0 +1,96 @@
>>>> +#!/bin/bash
>>>> +
>>>> +set -e
>>>> +
>>>> +set_fit_keys() {
>>>> + local r="image-kernel-fit"
>>>> + cs_define_role "${r}"
>>>> +
>>>> + # HSM use case
>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit"
>>>> +}
>>>> +
>>>> +import_fit_keys() {
>>>> + local fit_cert_dir=fit
>>>> + local r="image-kernel-fit"
>>>> + cs_define_role "${r}"
>>>> +
>>>> + cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt"
>>>> + cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
>>>> + cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
>>>> +}
>>>> +
>>>> +set_rauc_keys() {
>>>> + local r="update"
>>>> + cs_define_role "${r}"
>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=rauc"
>>>> + cs_append_ca_from_uri "${r}"
>>>> +}
>>>> +
>>>> +import_rauc_keys() {
>>>> + local rauc_cert_dir=rauc
>>>> + local r="update"
>>>> + cs_define_role "${r}"
>>>> +
>>>> + # SoftHSM use case
>>>> + cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
>>>> + cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
>>>> + cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
>>>> +
>>>> + cs_append_ca_from_uri "${r}"
>>>> +}
>>>> +
>>>> +set_imx_habv4_keys() {
>>>> + # HSM use case, assuming it contains only 1st CSF/IMG key
>>>> + for i in 1 2 3 4; do
>>>> + r="imx-habv4-srk${i}"
>>>> + cs_define_role "${r}"
>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=srk-release${i}"
>>>> + cs_append_ca_from_uri "${r}"
>>>> + done
>>>> +
>>>> + r="imx-habv4-csf1"
>>>> + cs_define_role ${r}
>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
>>>> +
>>>> + r="imx-habv4-img1"
>>>> + cs_define_role ${r}
>>>> + cs_set_uri "${r}" "pkcs11:token=foo;object=img1"
>>>> +}
>>>> +
>>>> +import_imx_habv4_keys() {
>>>> + local imx_habv4_key_dir="habv4"
>>>> + local crts="${imx_habv4_key_dir}/crts"
>>>> + local keys="${imx_habv4_key_dir}/keys"
>>>> + local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"
>>>> +
>>>> + for i in 1 2 3 4; do
>>>> + r="imx-habv4-srk${i}"
>>>> + cs_define_role "${r}"
>>>> + cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der"
>>>> + cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem"
>>>> + cs_append_ca_from_uri "${r}"
>>>> +
>>>> + r="imx-habv4-csf${i}"
>>>> + cs_define_role "${r}"
>>>> + cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der"
>>>> + cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem"
>>>> +
>>>> + r="imx-habv4-img${i}"
>>>> + cs_define_role "${r}"
>>>> + cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der"
>>>> + cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem"
>>>> + done
>>>> +}
>>>> +
>>>> +
>>>> +# HSM use case
>>>> +#set_fit_keys
>>>> +#set_rauc_keys
>>>> +#set_imx_habv4_keys
>>>> +
>>>> +# or: SoftHSM use case
>>>> +#cs_init_softhsm
>>>> +#import_fit_keys
>>>> +#import_rauc_keys
>>>> +#import_imx_habv4_keys
>>>
>>> Split this into two scripts that work for the correct use-case.
>>> And use the wizard.sh to delete one and rename the other.
>>>
>>>> diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in
>>>> new file mode 100644
>>>> index 000000000..e2108f870
>>>> --- /dev/null
>>>> +++ b/rules/templates/template-code-signing-provider-choice-in
>>>> @@ -0,0 +1,5 @@
>>>> +## SECTION=code_signing_provider
>>>> +
>>>> +config CODE_SIGNING_PROVIDER_@PACKAGE@
>>>> + bool
>>>> + prompt "@package@"
>>>> diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in
>>>> new file mode 100644
>>>> index 000000000..a0c61e6ef
>>>> --- /dev/null
>>>> +++ b/rules/templates/template-code-signing-provider-in
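Review bot: `set_imx_habv4_keys` and `import_imx_habv4_keys` assign `r` and `i` without `local`, unlike the fit and rauc helpers, so both names leak into the script's global scope, and `cs_define_role ${r}` is unquoted twice in `set_imx_habv4_keys`. Add `local r i` at the top of both functions and write `cs_define_role "${r}"` in the csf1 and img1 blocks. The import_* functions read private keys and, for HABv4, `key_pass.txt` from directories inside the package source; a comment above the SoftHSM block such as `# SoftHSM import is meant for development keys only; keep release keys in an HSM and out of the source tree` would tell template users what must not be committed there.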
>>>> @@ -0,0 +1,16 @@
>>>> +## SECTION=code_signing
>>>> +
>>>> +config CODE_SIGNING
>>>> + select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@
>>>> +
>>>> +config CODE_SIGNING_PROVIDER
>>>> + default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@
>>>> +
>>>> +config HOST_@PACKAGE@_CODE_SIGNING
>>>> + bool
>>>> + select HOST_OPENSC
>>>> + select HOST_LIBP11
>>>> + select HOST_OPENSSL
>>>> + #select HOST_SOFTHSM
>>>> + #select HOST_OPENSC_PCSC
>>>> + #select HOST_EXTRACT_CERT
>>>
>>> We can substitute multi-line values here. So just
>>>
>>> @DEPENDENCIES@
>>>
>>> and set that to the correct full list of dependencies in the script.
>>>
>>>
>>>> diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
>>>> new file mode 100644
>>>> index 000000000..94830d92e
>>>> --- /dev/null
>>>> +++ b/rules/templates/template-code-signing-provider-make
>>>> @@ -0,0 +1,41 @@
>>>> +# -*-makefile-*-
>>>> +#
>>>> +# Copyright (C) @YEAR@ by @AUTHOR@
>>>> +#
>>>> +# For further information about the PTXdist project and license conditions
>>>> +# see the README file.
>>>> +#
>>>> +
>>>> +#
>>>> +# We provide this package
>>>> +#
>>>> +HOST_PACKAGES-$(PTXCONF_HOST_@PACKAGE@_CODE_SIGNING) += host-@package@-code-signing
>>>> +
>>>> +#
>>>> +# Paths and names
>>>> +#
>>>> +HOST_@PACKAGE@_CODE_SIGNING_VERSION := @VERSION@
>>>> +HOST_@PACKAGE@_CODE_SIGNING := @package@-code-signing-$(HOST_@PACKAGE@_CODE_SIGNING_VERSION)
>>>> +HOST_@PACKAGE@_CODE_SIGNING_URL := file://local_src/@package@-code-signing
>>>> +HOST_@PACKAGE@_CODE_SIGNING_DIR := $(HOST_BUILDDIR)/$(HOST_@PACKAGE@_CODE_SIGNING)
>>>> +
>>>> +HOST_@PACKAGE@_CODE_SIGNING_CONF_TOOL := NO
>>>> +
>>>> +# ----------------------------------------------------------------------------
>>>> +# Compile
>>>> +# ----------------------------------------------------------------------------
>>>> +
>>>> +HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV := \
>>>> + $(CODE_SIGNING_ENV)
>>>> +
>>>> +$(STATEDIR)/host-@package@-code-signing.compile:
>>>> + @$(call targetinfo)
>>>> + @$(call world/execute, HOST_@PACKAGE@_CODE_SIGNING, \
>>>> + ./ptxdist-set-keys.sh)
>>>> + @$(call touch)
>>>> +
>>>> +$(STATEDIR)/host-@package@-code-signing.install:
>>>> + @$(call targetinfo)
>>>> + @$(call touch)
>>>> +
>>>> +# vim: syntax=make
>>>> diff --git a/scripts/lib/ptxd_lib_template.sh b/scripts/lib/ptxd_lib_template.sh
>>>> index f39e6e033..b89981f45 100644
>>>> --- a/scripts/lib/ptxd_lib_template.sh
>>>> +++ b/scripts/lib/ptxd_lib_template.sh
>>>> @@ -460,3 +460,19 @@ ptxd_template_new_blspec_entry() {
>>>> export -f ptxd_template_new_blspec_entry
>>>> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="blspec-entry"
>>>> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a bootloader spec entry"
>>>> +
>>>> +ptxd_template_new_code_signing_provider() {
>>>> + export class="host-"
>>>> + ptxd_template_read_basic &&
>>>> + ptxd_template_read_author &&
>>>
>>> The question for the type should be here. Maybe provide an list and the
>>> user must input the index number or something like that.
>>
>> So, after reading the docs, I think there should be 3 options here:
>>
>> 1) SoftHSM
>> 2) HSM (with OpenSC)
>> 3) HSM (custom)
>>
>> And for the HSM cases, the template should also provide the rules/pre/...
>> file for CODE_SIGNING_ENV. Maybe with the module name as a variable?
>> Substitute 'opensc-pkcs11' for OpenSC and 'fixme' otherwise.
>
> Or ask for the module name? I don't have a good understanding what is
> usually necessary for other HSMs beyond the PKCS11_MODULE_PATH, so I don't
> know if that makes sense.
I've disucssed this with Marc some time ago. We came up with the idea of setting the HSM specifics in CODE_SIGNING_ENV via another code signing provider helper, e.g. "cs_append_env". In our opinion the code signing provider should know (and set) such extra environment variables. Regards, Bastian
>
>> The documentation should still contain the same information but add a note
>> what the template generates.
>>
>> Michael
>>
>>> Michael
>>>
>>>> + package_filename="${package_filename}-code-signing"
>>>> + ptxd_template_write_platform_rules
>>>> + local template_file="$(ptxd_template_file "${template}-choice-in")"
>>>> + local filename="${PTXDIST_PLATFORMCONFIGDIR}/platforms/${class}${package_filename}-choice.in"
>>>> + ptxd_template_filter "${template_file}" "${filename}"
>>>> + package="${package}-code-signing"
>>>> + ptxd_template_write_src
>>>> +}
>>>> +export -f ptxd_template_new_code_signing_provider
>>>> +ptxd_template_help_list[${#ptxd_template_help_list[@]}]="code-signing-provider"
>>>> +ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a code signing provider"
>>>> --
>>>> 2.27.0
>>>>
>>>>
>>>> _______________________________________________
>>>> ptxdist mailing list
>>>> ptxdist@pengutronix.de
>>>> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>>>>
>>>
>>> --
>>> Pengutronix e.K. | |
>>> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
>>> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
>>> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>>>
>>> _______________________________________________
>>> ptxdist mailing list
>>> ptxdist@pengutronix.de
>>> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>>>
>>
>> --
>> Pengutronix e.K. | |
>> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
>> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
>> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>>
>> _______________________________________________
>> ptxdist mailing list
>> ptxdist@pengutronix.de
>> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>>
>
-- Pengutronix e.K. | | Steuerwalder Str.
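Review bot: The `&&` chain in `ptxd_template_new_code_signing_provider` ends at the `package_filename=` assignment, so `ptxd_template_write_platform_rules`, `ptxd_template_filter` and `ptxd_template_write_src` still run when `ptxd_template_read_basic` or `ptxd_template_read_author` fails, and the function returns only the status of its last command. `local template_file="$(…)"` additionally hides a failing `ptxd_template_file`, because `local` itself returns 0. Declaring the locals first and chaining every step, as sketched below, keeps a failed or aborted prompt from writing a half-filled code signing provider package.

```shell
ptxd_template_new_code_signing_provider() {
    local template_file filename
    # … unchanged: export class, ptxd_template_read_basic && ptxd_template_read_author && …
    package_filename="${package_filename}-code-signing" &&
    ptxd_template_write_platform_rules &&
    template_file="$(ptxd_template_file "${template}-choice-in")" &&
    filename="${PTXDIST_PLATFORMCONFIGDIR}/platforms/${class}${package_filename}-choice.in" &&
    ptxd_template_filter "${template_file}" "${filename}" &&
    package="${package}-code-signing" &&
    ptxd_template_write_src
```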
21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de