Use the keys provided by the currently active key provider via PKCS#11
instead of key files placed in the platform config directory. To make
sure the new mechanism is used after a BSP update, the rauc.key file is
no longer allowed to exist in the platformconfig directory.

Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3

Signed-off-by: Bastian Krause <b...@pengutronix.de>
---
 platforms/image-rauc.in          |   1 +
 projectroot/etc/rauc/ca.cert.pem |   7 --
 rules/image-rauc.make            |  37 ++-------
 rules/rauc.in                    |   1 +
 rules/rauc.make                  |  11 ++-
 scripts/rauc-gen-test-certs.sh   | 126 -------------------------------
 6 files changed, 17 insertions(+), 166 deletions(-)
 delete mode 100644 projectroot/etc/rauc/ca.cert.pem
 delete mode 100755 scripts/rauc-gen-test-certs.sh

diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in
index 658ddd5cd..1f9427b40 100644
--- a/platforms/image-rauc.in
+++ b/platforms/image-rauc.in
@@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC
        select HOST_GENIMAGE
        select HOST_RAUC
        select IMAGE_ROOT_TGZ
+       select CODE_SIGNING
        help
          This generates a RAUC update Bundle for the selected platform using
          genimage.
diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem
deleted file mode 100644
index be1aa7c30..000000000
--- a/projectroot/etc/rauc/ca.cert.pem
+++ /dev/null
@@ -1,7 +0,0 @@
-# This is a dummy keyring file. Please overwrite this with one that matches
-# your X.509 infrastructure if you intend to use RAUC for secure updates!
-#
-# If you really do not intend to actively use the security features (or for
-# testing purpose) you may create a development certificate by executing the
-# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist
-# installation.
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index 839cb400b..a031edfae 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG   := rauc.config
 
 ifdef PTXCONF_IMAGE_RAUC
 
-IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
-IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
-
-IMAGE_RAUC_ENV := \
+IMAGE_RAUC_ENV = \
        RAUC_BUNDLE_COMPATIBLE="$(call 
remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
        RAUC_BUNDLE_VERSION="$(call remove_quotes, 
$(PTXCONF_RAUC_BUNDLE_VERSION))" \
        RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
        RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
-       RAUC_KEY=$(IMAGE_RAUC_KEY) \
-       RAUC_CERT=$(IMAGE_RAUC_CERT)
+       RAUC_KEY="$(shell cs_get_uri update)" \
+       RAUC_CERT="$(shell cs_get_uri update)"
 
-$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
+$(IMAGE_RAUC_IMAGE):
        @$(call targetinfo)
-       @$(call image/genimage, IMAGE_RAUC)
+       @$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC)
        @$(call finish)
 
-$(IMAGE_RAUC_KEY):
-       @echo
-       @echo 
"****************************************************************************"
-       @echo "******** Please place your signing key in 
config/rauc/rauc.key.pem. ********"
-       @echo "*                                                                
          *"
-       @echo "* Note: For test-purpose you can create one by running 
rauc-gen-certs.sh   *"
-       @echo "*       from the scripts/ folder of your PTXdist installation    
          *"
-       @echo 
"****************************************************************************"
-       @echo
-       @echo
-       @exit 1
-
-$(IMAGE_RAUC_CERT):
-       @echo
-       @echo 
"****************************************************************************"
-       @echo "**** Please place your signing certificate in 
config/rauc/rauc.cert.pem. ***"
-       @echo "*                                                                
          *"
-       @echo "* Note: For test-purpose you can create one by running 
rauc-gen-certs.sh   *"
-       @echo "*       from the scripts/ folder of your PTXdist installation    
          *"
-       @echo 
"****************************************************************************"
-       @echo
-       @echo
-       @exit 1
-
 endif
 
 # vim: syntax=make
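Review bot: Nothing in the new `$(IMAGE_RAUC_IMAGE)` rule fails when the key provider yields no URI. `$(shell cs_get_uri update)` discards the command's exit status, so an unset or broken provider would expand to `RAUC_KEY=""` and `RAUC_CERT=""`, whereas the removed key and cert prerequisite rules stopped the build with an explicit message. I would add a guard right after `targetinfo`, for example `@test -n "$(shell cs_get_uri update)" || ptxd_bailout "cs_get_uri update returned no PKCS#11 URI"`, instead of relying on genimage or rauc to reject an empty key; how they react is not visible here. The same unchecked pattern is in the second rules/rauc.make hunk, where `$(shell cs_get_ca update)` feeds `install_copy` for /etc/rauc/ca.cert.pem.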
diff --git a/rules/rauc.in b/rules/rauc.in
index d712bc7b9..56fc3ae3b 100644
--- a/rules/rauc.in
+++ b/rules/rauc.in
@@ -7,6 +7,7 @@ menuconfig RAUC
        select GLIB
        select GLIB_LIBMOUNT
        select HOST_GLIB
+       select CODE_SIGNING
        select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR
        select BUSYBOX_FEATURE_TAR_AUTODETECT   if BUSYBOX_TAR
        select BUSYBOX_FEATURE_SEAMLESS_XZ      if BUSYBOX_TAR
diff --git a/rules/rauc.make b/rules/rauc.make
index ade9bd5dd..f9a10fbbc 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -46,6 +46,14 @@ RAUC_CONF_OPT        := \
        --with-dbuspolicydir=/usr/share/dbus-1/system.d \
        --with-dbussystemservicedir=/usr/share/dbus-1/system-services
 
+$(STATEDIR)/rauc.prepare:
+       @$(call targetinfo)
+       @test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \
+               ptxd_bailout "Please use the key provider infrastructure 
desribed in:" \
+                       "scripts/lib/ptxd_lib_code_signing.sh"
+       @$(call world/prepare, RAUC)
+       @$(call touch)
+
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
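Review bot: The guard in `$(STATEDIR)/rauc.prepare` tests for `config/rauc/rauc.key`, but the key file being retired was `config/rauc/rauc.key.pem` (the removed `IMAGE_RAUC_KEY` in rules/image-rauc.make). A private key left over from the old layout would therefore not trip the check, and the build would continue with the key still in the BSP tree. The test path should probably be `config/rauc/rauc.key.pem`, i.e. `@test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)" || \`. The bailout text also spells `described` as `desribed`.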
@@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION
        @$(call install_replace, rauc, /etc/rauc/system.conf, \
                @RAUC_BUNDLE_COMPATIBLE@, \
                "$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
-       @$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem)
+       @$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
+               /etc/rauc/ca.cert.pem)
 endif
 
 ifdef PTXCONF_RAUC_SERVICE
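Review bot: A comment is missing on the `install_copy` line to say that /etc/rauc/ca.cert.pem, the keyring the target uses to verify bundles, is now whatever CA the active key provider returns from `cs_get_ca update`. Replacing `install_alternative` with `install_copy` also appears to drop the projectroot override a BSP could use before, so the provider selected at build time alone decides what the device trusts. I would add above the call: `# keyring comes from the active code signing provider; a development provider puts its development CA on the target`. The enclosing targetinstall rule starts and ends outside this hunk.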
diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh
deleted file mode 100755
index b4ea6a8cf..000000000
--- a/scripts/rauc-gen-test-certs.sh
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2017 by Enrico Joerns <e.joe...@pengutronix.de>
-# Copyright (C) 2016 by Jan Luebbe <j.lue...@pengutronix.de>
-#
-# For further information about the PTXdist project and license conditions
-# see the README file.
-#
-# ---
-#
-# Demo script that generates certificate files required to sign and verify
-# RAUC update tool bundles.
-#
-
-set -xe
-
-ORG="Test Org"
-CA="rauc CA"
-
-# After the CRL expires, signatures cannot be verified anymore
-CRL="-crldays 5000"
-
-BASE="$(pwd)/rauc-openssl-ca"
-
-if [ -e $BASE ]; then
-  echo "$BASE already exists"
-  exit 1
-fi
-
-mkdir -p $BASE/dev/{private,certs}
-touch $BASE/dev/index.txt
-echo 01 > $BASE/dev/serial
-
-cat > $BASE/openssl.cnf <<EOF
-[ ca ]
-default_ca      = CA_default            # The default ca section
-
-[ CA_default ]
-
-dir            = .                     # top dir
-database       = \$dir/index.txt        # index file.
-new_certs_dir  = \$dir/certs            # new certs dir
-
-certificate    = \$dir/ca.cert.pem       # The CA cert
-serial         = \$dir/serial           # serial no file
-private_key    = \$dir/private/ca.key.pem# CA private key
-RANDFILE       = \$dir/private/.rand    # random number file
-
-default_startdate = 19700101000000Z
-default_enddate = 99991231235959Z
-default_crl_days= 30                   # how long before next CRL
-default_md     = sha256                # md to use
-
-policy         = policy_any            # default policy
-email_in_dn    = no                    # Don't add the email into cert DN
-
-name_opt       = ca_default            # Subject name display option
-cert_opt       = ca_default            # Certificate display option
-copy_extensions = none                 # Don't copy extensions from request
-
-[ policy_any ]
-organizationName       = match
-commonName             = supplied
-
-[ req ]
-default_bits           = 2048
-distinguished_name     = req_distinguished_name
-x509_extensions        = v3_leaf
-encrypt_key = no
-default_md = sha256
-
-[ req_distinguished_name ]
-commonName                     = Common Name (eg, YOUR name)
-commonName_max                 = 64
-
-[ v3_ca ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE
-
-[ v3_inter ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE,pathlen:0
-
-[ v3_leaf ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:FALSE
-EOF
-
-export OPENSSL_CONF=$BASE/openssl.cnf
-
-echo "Development CA"
-cd $BASE/dev
-openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj 
"/O=$ORG/CN=$ORG $CA Development"
-openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem 
-keyfile private/ca.key.pem
-
-echo "Development Signing Keys 1"
-cd $BASE/dev
-openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj 
"/O=$ORG/CN=$ORG Development-1"
-openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem
-
-cat << EOF
-===============================================================================
-
-Note that the default application should be to set up a public key
-infrastructure at your site and use keys and certificates genereated by these.
-
-In oder to use the just generated files in your BSP for testing purpose or if
-you do not intend to use real authentification, follow the instructions below. 
-
-Place the key and certificate file in your platform-dir's config/ folder:
-
-  cp rauc-openssl-ca/private/rauc.key.pem 
<platform-dir>/config/rauc/rauc.key.pem
-  cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem
-
-Place the keyring file in your platform-dir's projectroot/ folder:
-
-  cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
-
-===============================================================================
-EOF
-- 
2.26.2

