From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from gallifrey.ext.pengutronix.de ([2001:67c:670:201:5054:ff:fe8d:eefb] helo=[IPv6:::1]) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1jmBpC-0006g1-Pp for ptxdist@pengutronix.de; Fri, 19 Jun 2020 09:52:34 +0200 References: <20200617143125.23999-1-bst@pengutronix.de> <20200617143125.23999-3-bst@pengutronix.de> <20200619062834.GK9312@pengutronix.de> From: Bastian Krause Message-ID: Date: Fri, 19 Jun 2020 09:52:34 +0200 MIME-Version: 1.0 In-Reply-To: <20200619062834.GK9312@pengutronix.de> Content-Language: en-US Subject: Re: [ptxdist] [PATCH v3 2/6] package templates: add code-signing-provider template List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de On 6/19/20 8:28 AM, Michael Olbrich wrote: > On Wed, Jun 17, 2020 at 04:31:21PM +0200, Bastian Krause wrote: >> A ptxdist code signing provider is a package which selects the required >> host tools needed for the code signing helpers to work. A shell script >> is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM >> is used. In order to simplify its creation provide a template along with >> an example script. 
>> >> Signed-off-by: Bastian Krause >> --- >> Changes since v2: >> - rename srk object name for consistency reasons >> - ask user about HSM type >> - split HSM/SoftHSM ptxdist-set-keys.sh cases into separate files >> - introduce wizard.sh to generate ptxdist-set-keys.sh HSM case specific >> - set dependencies HSM case specific >> - introduce pre rule template to extend CODE_SIGNING_ENV HSM case >> specific >> --- >> .../ptxdist-set-keys-hsm.sh | 42 ++++++++++++++ >> .../ptxdist-set-keys-softhsm.sh | 58 +++++++++++++++++++ >> .../templates/code-signing-provider/wizard.sh | 10 ++++ >> .../template-code-signing-provider-choice-in | 5 ++ >> .../template-code-signing-provider-in | 14 +++++ >> .../template-code-signing-provider-make | 41 +++++++++++++ >> .../template-code-signing-provider-pre-make | 15 +++++ >> scripts/lib/ptxd_lib_template.sh | 31 ++++++++++ >> 8 files changed, 216 insertions(+) >> create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh >> create mode 100755 rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh >> create mode 100644 rules/templates/code-signing-provider/wizard.sh >> create mode 100644 rules/templates/template-code-signing-provider-choice-in >> create mode 100644 rules/templates/template-code-signing-provider-in >> create mode 100644 rules/templates/template-code-signing-provider-make >> create mode 100644 rules/templates/template-code-signing-provider-pre-make >> >> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh >> new file mode 100755 >> index 000000000..6bbe830f2 >> --- /dev/null >> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh 
>> @@ -0,0 +1,42 @@
>> +#!/bin/bash
>> +
>> +set -e
>> +
>> +set_fit_keys() {
>> + local r="image-kernel-fit"
>> + cs_define_role "${r}"
>> +
>> + # HSM use case
>> + cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit"
>> +}
>> +
>> +set_rauc_keys() {
>> + local r="update"
>> + cs_define_role "${r}"
>> + cs_set_uri "${r}" "pkcs11:token=foo;object=rauc"
>> + cs_append_ca_from_uri "${r}"
>> +}
>> +
>> +set_imx_habv4_keys() {
>> + # HSM use case, assuming it contains only 1st CSF/IMG key
>> + for i in 1 2 3 4; do
>> + r="imx-habv4-srk${i}"
>> + cs_define_role "${r}"
>> + cs_set_uri "${r}" "pkcs11:token=foo;object=srk${i}"
>> + cs_append_ca_from_uri "${r}"
>> + done
>> +
>> + r="imx-habv4-csf1"
>> + cs_define_role ${r}
>> + cs_set_uri "${r}" "pkcs11:token=foo;object=csf1"
>> +
>> + r="imx-habv4-img1"
>> + cs_define_role ${r}
>> + cs_set_uri "${r}" "pkcs11:token=foo;object=img1"
>> +}
>> +
>> +
>> +# HSM use case
>> +set_fit_keys
>> +set_rauc_keys
>> +set_imx_habv4_keys
>> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh b/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
>> new file mode 100755
>> index 000000000..0836d61d1
>> --- /dev/null
>> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-softhsm.sh
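Review bot: In set_imx_habv4_keys the role variable `r` and the loop index `i` are assigned without `local`, so unlike set_fit_keys and set_rauc_keys they leak out of the function, and the two `cs_define_role ${r}` calls after the loop leave the expansion unquoted while every other call in the file quotes it. A `local r i` as the function's first line plus `cs_define_role "${r}"` on both of those lines would make the three functions consistent; import_imx_habv4_keys in ptxdist-set-keys-softhsm.sh has the same missing `local r`. The `pkcs11:token=foo;object=…` URIs are placeholders the user has to replace, and since this script is copied verbatim into the new package a comment such as `# replace token=foo with the label of your HSM token` at the first cs_set_uri would make that explicit.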
>> @@ -0,0 +1,58 @@
>> +#!/bin/bash
>> +
>> +set -e
>> +
>> +import_fit_keys() {
>> + local fit_cert_dir=fit
>> + local r="image-kernel-fit"
>> + cs_define_role "${r}"
>> +
>> + cs_import_cert_from_der "${r}" "${fit_cert_dir}/fit-4096-development.crt"
>> + cs_import_pubkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
>> + cs_import_privkey_from_pem "${r}" "${fit_cert_dir}/fit-4096-development.key"
>> +}
>> +
>> +import_rauc_keys() {
>> + local rauc_cert_dir=rauc
>> + local r="update"
>> + cs_define_role "${r}"
>> +
>> + # SoftHSM use case
>> + cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem"
>> + cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
>> + cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem"
>> +
>> + cs_append_ca_from_uri "${r}"
>> +}
>> +
>> +import_imx_habv4_keys() {
>> + local imx_habv4_key_dir="habv4"
>> + local crts="${imx_habv4_key_dir}/crts"
>> + local keys="${imx_habv4_key_dir}/keys"
>> + local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"
>> +
>> + for i in 1 2 3 4; do
>> + r="imx-habv4-srk${i}"
>> + cs_define_role "${r}"
>> + cs_import_cert_from_der "${r}" "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der"
>> + cs_import_key_from_pem "${r}" "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem"
>> + cs_append_ca_from_uri "${r}"
>> +
>> + r="imx-habv4-csf${i}"
>> + cs_define_role "${r}"
>> + cs_import_cert_from_der "${r}" "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der"
>> + cs_import_key_from_pem "${r}" "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem"
>> +
>> + r="imx-habv4-img${i}"
>> + cs_define_role "${r}"
>> + cs_import_cert_from_der "${r}" "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der"
>> + cs_import_key_from_pem "${r}" "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem"
>> + done
>> +}
>> +
>> +
>> +# SoftHSM use case
>> +cs_init_softhsm
>> +import_fit_keys
>> +import_rauc_keys
>> +import_imx_habv4_keys
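Review bot: In import_imx_habv4_keys, `local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt"` is assigned but nothing in the hunk reads it; if the cs_import_key_from_pem helpers are meant to pick it up, a plain `local` is visible to them only when they are shell functions running in this process, not to any external tool they spawn, so either `local -x OPENSSL_KEYPASS=…` (or `export`) is needed or the line should go if the helpers take the passphrase another way. A one-line comment naming the consumer, e.g. `# passphrase file read by cs_import_key_from_pem`, would keep the next reader from guessing. Since the template also points at a plaintext passphrase file under habv4/keys, a comment stating that the habv4/, fit/ and rauc/ material in this example is development-only would be worth adding at the top of the script.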
>> diff --git a/rules/templates/code-signing-provider/wizard.sh b/rules/templates/code-signing-provider/wizard.sh
>> new file mode 100644
>> index 000000000..83d6d54e3
>> --- /dev/null
>> +++ b/rules/templates/code-signing-provider/wizard.sh
>> @@ -0,0 +1,10 @@
>> +#!/bin/bash
>> +
>> +if [ "$TYPE" = "SoftHSM" ]; then
>> + mv ptxdist-set-keys-softhsm.sh ptxdist-set-keys.sh
>> + rm ptxdist-set-keys-hsm.sh
>> +
>> +elif [ "$TYPE" = "HSM with OpenSC support" ] || [ "$TYPE" = "other HSM" ]; then
>> + mv ptxdist-set-keys-hsm.sh ptxdist-set-keys.sh
>> + rm ptxdist-set-keys-softhsm.sh
>> +fi
>> diff --git a/rules/templates/template-code-signing-provider-choice-in b/rules/templates/template-code-signing-provider-choice-in
>> new file mode 100644
>> index 000000000..e2108f870
>> --- /dev/null
>> +++ b/rules/templates/template-code-signing-provider-choice-in
>> @@ -0,0 +1,5 @@
>> +## SECTION=code_signing_provider
>> +
>> +config CODE_SIGNING_PROVIDER_@PACKAGE@
>> + bool
>> + prompt "@package@"
>> diff --git a/rules/templates/template-code-signing-provider-in b/rules/templates/template-code-signing-provider-in
>> new file mode 100644
>> index 000000000..b84ba839c
>> --- /dev/null
>> +++ b/rules/templates/template-code-signing-provider-in
>> @@ -0,0 +1,14 @@
>> +## SECTION=code_signing
>> +
>> +config CODE_SIGNING
>> + select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@
>> +
>> +config CODE_SIGNING_PROVIDER
>> + default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@
>> +
>> +config HOST_@PACKAGE@_CODE_SIGNING
>> + bool
>> + select HOST_LIBP11
>> + select HOST_OPENSSL
>> + select HOST_EXTRACT_CERT
>> + @EXTRA_DEPENDENCIES@
>> diff --git a/rules/templates/template-code-signing-provider-make b/rules/templates/template-code-signing-provider-make
>> new file mode 100644
>> index 000000000..94830d92e
>> --- /dev/null
>> +++ b/rules/templates/template-code-signing-provider-make
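Review bot: wizard.sh has no branch for a TYPE outside the three expected strings, so an unexpected value silently leaves both ptxdist-set-keys-*.sh files in place and produces no ptxdist-set-keys.sh, which only surfaces later when the generated rule's compile stage runs `./ptxdist-set-keys.sh`. Closing the chain with `else` / `printf 'wizard.sh: unknown provider type %s\n' "$TYPE" >&2` / `exit 1` reports the problem at template time instead. The type strings are also duplicated verbatim between this file and ptxd_template_new_code_signing_provider in scripts/lib/ptxd_lib_template.sh, so a comment at the top, `# TYPE values must match the ptxd_template_read_options call in ptxd_lib_template.sh`, would keep the two in step.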
>> @@ -0,0 +1,41 @@
>> +# -*-makefile-*-
>> +#
>> +# Copyright (C) @YEAR@ by @AUTHOR@
>> +#
>> +# For further information about the PTXdist project and license conditions
>> +# see the README file.
>> +#
>> +
>> +#
>> +# We provide this package
>> +#
>> +HOST_PACKAGES-$(PTXCONF_HOST_@PACKAGE@_CODE_SIGNING) += host-@package@-code-signing
>> +
>> +#
>> +# Paths and names
>> +#
>> +HOST_@PACKAGE@_CODE_SIGNING_VERSION := @VERSION@
>> +HOST_@PACKAGE@_CODE_SIGNING := @package@-code-signing-$(HOST_@PACKAGE@_CODE_SIGNING_VERSION)
>> +HOST_@PACKAGE@_CODE_SIGNING_URL := file://local_src/@package@-code-signing
>> +HOST_@PACKAGE@_CODE_SIGNING_DIR := $(HOST_BUILDDIR)/$(HOST_@PACKAGE@_CODE_SIGNING)
>> +
>> +HOST_@PACKAGE@_CODE_SIGNING_CONF_TOOL := NO
>> +
>> +# ----------------------------------------------------------------------------
>> +# Compile
>> +# ----------------------------------------------------------------------------
>> +
>> +HOST_@PACKAGE@_CODE_SIGNING_MAKE_ENV := \
>> + $(CODE_SIGNING_ENV)
>> +
>> +$(STATEDIR)/host-@package@-code-signing.compile:
>> + @$(call targetinfo)
>> + @$(call world/execute, HOST_@PACKAGE@_CODE_SIGNING, \
>> + ./ptxdist-set-keys.sh)
>> + @$(call touch)
>> +
>> +$(STATEDIR)/host-@package@-code-signing.install:
>> + @$(call targetinfo)
>> + @$(call touch)
>> +
>> +# vim: syntax=make
>> diff --git a/rules/templates/template-code-signing-provider-pre-make b/rules/templates/template-code-signing-provider-pre-make
>> new file mode 100644
>> index 000000000..28cac750c
>> --- /dev/null
>> +++ b/rules/templates/template-code-signing-provider-pre-make
>> @@ -0,0 +1,15 @@ >> +# -*-makefile-*- >> +# >> +# Copyright (C) @YEAR@ by @AUTHOR@ >> +# >> +# For further information about the PTXdist project and license conditions >> +# see the README file. >> +# >> + >> +ifndef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@ >> +CODE_SIGNING_ENV += \ >> + PKCS11_MODULE_PATH=@MODULE_PATH@ >> + $(HSM_CODE_SIGNING_ENV) > > This line has no effect. I removed it. In the OpenSC case, no extra env is > needed and for other HSMs the file must be edited anyways and all needed > extra environment can be added. You are right, this is a leftover from a previous construct where PKCS11_MODULE_PATH was added to HSM_CODE_SIGNING_ENV. HSM_CODE_SIGNING_ENV was then added to CODE_SIGNING_ENV. I decided to remove that extra variable but forgot to remove HSM_CODE_SIGNING_ENV here. Thanks, Bastian >> +endif >> + >> +# vim: syntax=make >> diff --git a/scripts/lib/ptxd_lib_template.sh b/scripts/lib/ptxd_lib_template.sh >> index 6b405763b..805d8d9d3 100644 >> --- a/scripts/lib/ptxd_lib_template.sh >> +++ b/scripts/lib/ptxd_lib_template.sh 
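Review bot: The guard `ifndef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@` reads as inverted: it appends PKCS11_MODULE_PATH to CODE_SIGNING_ENV only when this provider is not the selected one, whereas the -in template selects HOST_@PACKAGE@_CODE_SIGNING exactly when CODE_SIGNING_PROVIDER_@PACKAGE@ is set. Unless something else is intended, `ifdef PTXCONF_CODE_SIGNING_PROVIDER_@PACKAGE@` is presumably what was meant. A short comment above the block, `# point the PKCS#11 tooling at this provider's module`, would also tell the user editing the generated file what the extra environment is for.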
>> @@ -486,3 +486,34 @@ ptxd_template_new_blspec_entry() {
>> export -f ptxd_template_new_blspec_entry
>> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="blspec-entry"
>> ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a bootloader spec entry"
>> +
>> +ptxd_template_new_code_signing_provider() {
>> + export class="host-"
>> + ptxd_template_read_basic &&
>> + ptxd_template_read_author &&
>> + ptxd_template_read_options "provider type" TYPE "SoftHSM" "HSM with OpenSC support" "other HSM"
>> + package_filename="${package_filename}-code-signing"
>> + local template_file="$(ptxd_template_file "${template}-choice-in")"
>> + local filename="${PTXDIST_PLATFORMCONFIGDIR}/platforms/${class}${package_filename}-choice.in"
>> + ptxd_template_filter "${template_file}" "$(unknown)"
>> + template_file="$(ptxd_template_file "${template}-pre-make")"
>> + filename="${PTXDIST_PLATFORMCONFIGDIR}/rules/pre/020-${package_filename}-hsm.make"
>> + if [ "$TYPE" = "SoftHSM" ]; then
>> + export EXTRA_DEPENDENCIES="select HOST_SOFTHSM"
>> + elif [ "$TYPE" = "HSM with OpenSC support" ]; then
>> + export EXTRA_DEPENDENCIES="select HOST_OPENSC
>> + select HOST_OPENSC_PCSC"
>> + export MODULE_PATH="\${PTXDIST_SYSROOT_HOST}/lib/pkcs11/opensc-pkcs11.so"
>> + ptxd_template_filter "${template_file}" "$(unknown)"
>> + elif [ "$TYPE" = "other HSM" ]; then
>> + export EXTRA_DEPENDENCIES="select FIXME"
>> + export MODULE_PATH="\${PTXDIST_SYSROOT_HOST}/fix/me"
>> + ptxd_template_filter "${template_file}" "$(unknown)"
>> + fi
>> + ptxd_template_write_platform_rules
>> + package="${package}-code-signing"
>> + ptxd_template_write_src
>> +}
>> +export -f ptxd_template_new_code_signing_provider
>> +ptxd_template_help_list[${#ptxd_template_help_list[@]}]="code-signing-provider"
>> +ptxd_template_help_list[${#ptxd_template_help_list[@]}]="create package for a code signing provider"
>> --
>> 2.27.0
>>
>>
>> _______________________________________________
>> ptxdist mailing
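Review bot: The `&&` chain in ptxd_template_new_code_signing_provider ends after ptxd_template_read_options, so if any of the three prompts fails or is aborted the function still goes on to filter the templates and write the package files; ending that line with `|| return` would stop it there. `local template_file="$(ptxd_template_file "${template}-choice-in")"` also masks the exit status of ptxd_template_file (ShellCheck SC2155); split it into `local template_file` and `template_file="$(ptxd_template_file "${template}-choice-in")" || return`. The three `ptxd_template_filter "${template_file}" "$(unknown)"` calls look like a rendering artefact for `"${filename}"`, since `filename` is assigned right before each call and is otherwise unused, but if `$(unknown)` is what was actually applied the output path would be the empty result of a non-existent command. The OpenSC value of EXTRA_DEPENDENCIES contains an embedded newline; whether ptxd_template_filter substitutes that correctly into the -in template depends on its implementation, which is outside this hunk, so a one-line comment at that assignment stating that the filter accepts multi-line values would be reassuring.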