Thanks, applied as d6a751d6155dca50b17150fffb731530c3ab8e6c. Michael
[sent from post-receive hook] On Tue, 19 May 2020 14:23:42 +0200, Bastian Krause <[email protected]> wrote: > Having multiple "object=" occurrences in a single PKCS#11 URI does not > work for all cases, at least not for opensc-pkcs11. Thus u-boot's > PKCS#11 handling was patched to avoid overriding the object name when > it is already specified. The patch was sent upstream. > > Signed-off-by: Bastian Krause <[email protected]> > Message-Id: <[email protected]> > Signed-off-by: Michael Olbrich <[email protected]> > > diff --git > a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch > > b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch > new file mode 100644 > index 000000000000..5ba930fb5ba1 > --- /dev/null > +++ > b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch > @@ -0,0 +1,81 @@ > +From: Jan Luebbe <[email protected]> > +Date: Mon, 16 Mar 2020 11:45:22 +0100 > +Subject: [PATCH] lib: rsa: avoid overriding the object name when already > + specified > + > +If "object=" is specified in "keydir" when using the pkcs11 engine do > +not append another "object=<key-name-hint>". This makes it possible to > +use object names other than the key name hint. These two string > +identifiers are not necessarily equal. > + > +Signed-off-by: Jan Luebbe <[email protected]> > +Signed-off-by: Bastian Krause <[email protected]> > +Reviewed-by: George McCollister <[email protected]> > +Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html > +--- > + doc/uImage.FIT/signature.txt | 8 +++++--- > + lib/rsa/rsa-sign.c | 22 ++++++++++++++++------ > + 2 files changed, 21 insertions(+), 9 deletions(-) > + > +diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt > +index 3591225a6edd..d4afd755e9fc 100644 > +--- a/doc/uImage.FIT/signature.txt > ++++ b/doc/uImage.FIT/signature.txt > +@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH > if engine is not installed > + to openssl's default search paths. > + > + PKCS11 engine support forms "key id" based on "keydir" and with > +-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if > +-defined is used to define (prefix for) which PKCS11 source is being used for > +-lookup up for the key. > ++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in > ++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 > source > ++is being used for lookup up for the key. > + > + PKCS11 engine key ids: > + "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>" > ++or, if keydir contains "object=" > ++ "pkcs11:<keydir>;type=<public|private>" > + or > + "pkcs11:object=<key-name-hint>;type=<public|private>", > + > +diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c > +index 580c74470939..1914b9641312 100644 > +--- a/lib/rsa/rsa-sign.c > ++++ b/lib/rsa/rsa-sign.c > +@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, > const char *name, > + > + if (engine_id && !strcmp(engine_id, "pkcs11")) { > + if (keydir) > +- snprintf(key_id, sizeof(key_id), > +- "pkcs11:%s;object=%s;type=public", > +- keydir, name); > ++ if (strstr(keydir, "object=")) > ++ snprintf(key_id, sizeof(key_id), > ++ "pkcs11:%s;type=public", > ++ keydir); > ++ else > ++ snprintf(key_id, sizeof(key_id), > ++ "pkcs11:%s;object=%s;type=public", > ++ keydir, name); > + else > + snprintf(key_id, sizeof(key_id), > + "pkcs11:object=%s;type=public", > +@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, > const char *name, > + > + if (engine_id && !strcmp(engine_id, "pkcs11")) { > + if (keydir) > +- snprintf(key_id, sizeof(key_id), > +- "pkcs11:%s;object=%s;type=private", > +- keydir, name); > ++ if (strstr(keydir, "object=")) > ++ snprintf(key_id, sizeof(key_id), > ++ "pkcs11:%s;type=private", > ++ keydir); > ++ else > ++ snprintf(key_id, sizeof(key_id), > ++ "pkcs11:%s;object=%s;type=private", > ++ keydir, name); > + else > + snprintf(key_id, sizeof(key_id), > + "pkcs11:object=%s;type=private", > diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series > new file mode 100644 > index 000000000000..02db98548f59 > --- /dev/null > +++ b/patches/u-boot-2020.04/series > @@ -0,0 +1,4 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch > +# d5b0f03c362d4c4e9d26f37173d666d6 - git-ptx-patches magic > diff --git a/scripts/lib/ptxd_make_fit_image.sh > b/scripts/lib/ptxd_make_fit_image.sh > index 041c5b80341d..c2725ab3ddde 100644 > --- a/scripts/lib/ptxd_make_fit_image.sh > +++ b/scripts/lib/ptxd_make_fit_image.sh > @@ -106,9 +106,7 @@ ptxd_make_image_fit() { > # > # It would have been too simple for mkimage to just take a > # PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot > - # then adds again. Also mkimage adds "object=<key_name_hint>" > - # to the URI which our URI already has. Well having it twice > - # doesn't seem to hurt at least SoftHSM. > + # then adds again. > # > pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://") > sign_args=( -k "${pkcs11_uri}" ) _______________________________________________ ptxdist mailing list [email protected]
