On Tue, Jun 16, 2020 at 03:56:48PM +0200, Bastian Krause wrote: > > On 6/12/20 11:18 AM, Michael Olbrich wrote: > > On Mon, Jun 08, 2020 at 10:53:01AM +0200, Bastian Krause wrote: > >> A ptxdist code signing provider is a package which selects the required > >> host tools needed for the code signing helpers to work. A shell script > >> is needed to define roles, set PKCS#11 URIs and import keys if SoftHSM > >> is used. In order to simplify its creation provide a template along with > >> an example script. > > > > I think we should query whether a HSM or SoftHSM will be used and install > > an appropriate script and set the correct dependencies. > > > >> Signed-off-by: Bastian Krause <[email protected]> > >> --- > >> .../code-signing-provider/ptxdist-set-keys.sh | 96 +++++++++++++++++++ > >> .../template-code-signing-provider-choice-in | 5 + > >> .../template-code-signing-provider-in | 16 ++++ > >> .../template-code-signing-provider-make | 41 ++++++++ > >> scripts/lib/ptxd_lib_template.sh | 16 ++++ > >> 5 files changed, 174 insertions(+) > >> create mode 100755 > >> rules/templates/code-signing-provider/ptxdist-set-keys.sh > >> create mode 100644 > >> rules/templates/template-code-signing-provider-choice-in > >> create mode 100644 rules/templates/template-code-signing-provider-in > >> create mode 100644 rules/templates/template-code-signing-provider-make > >> > >> diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys.sh > >> b/rules/templates/code-signing-provider/ptxdist-set-keys.sh > >> new file mode 100755 > >> index 000000000..040a61534 > >> --- /dev/null > >> +++ b/rules/templates/code-signing-provider/ptxdist-set-keys.sh > >> @@ -0,0 +1,96 @@ > >> +#!/bin/bash > >> + > >> +set -e > >> + > >> +set_fit_keys() { > >> + local r="image-kernel-fit" > >> + cs_define_role "${r}" > >> + > >> + # HSM use case > >> + cs_set_uri "${r}" "pkcs11:token=foo;object=kernel-fit" > >> +} > >> + > >> +import_fit_keys() { > >> + local fit_cert_dir=fit > >> + local r="image-kernel-fit" > >> + cs_define_role "${r}" > >> + > >> + cs_import_cert_from_der "${r}" > >> "${fit_cert_dir}/fit-4096-development.crt" > >> + cs_import_pubkey_from_pem "${r}" > >> "${fit_cert_dir}/fit-4096-development.key" > >> + cs_import_privkey_from_pem "${r}" > >> "${fit_cert_dir}/fit-4096-development.key" > >> +} > >> + > >> +set_rauc_keys() { > >> + local r="update" > >> + cs_define_role "${r}" > >> + cs_set_uri "${r}" "pkcs11:token=foo;object=rauc" > >> + cs_append_ca_from_uri "${r}" > >> +} > >> + > >> +import_rauc_keys() { > >> + local rauc_cert_dir=rauc > >> + local r="update" > >> + cs_define_role "${r}" > >> + > >> + # SoftHSM use case > >> + cs_import_cert_from_pem "${r}" "${rauc_cert_dir}/rauc.cert.pem" > >> + cs_import_pubkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem" > >> + cs_import_privkey_from_pem "${r}" "${rauc_cert_dir}/rauc.key.pem" > >> + > >> + cs_append_ca_from_uri "${r}" > >> +} > >> + > >> +set_imx_habv4_keys() { > >> + # HSM use case, assuming it contains only 1st CSF/IMG key > >> + for i in 1 2 3 4; do > >> + r="imx-habv4-srk${i}" > >> + cs_define_role "${r}" > >> + cs_set_uri "${r}" "pkcs11:token=foo;object=srk-release${i}" > >> + cs_append_ca_from_uri "${r}" > >> + done > >> + > >> + r="imx-habv4-csf1" > >> + cs_define_role ${r} > >> + cs_set_uri "${r}" "pkcs11:token=foo;object=csf1" > >> + > >> + r="imx-habv4-img1" > >> + cs_define_role ${r} > >> + cs_set_uri "${r}" "pkcs11:token=foo;object=img1" > >> +} > >> + > >> +import_imx_habv4_keys() { > >> + local imx_habv4_key_dir="habv4" > >> + local crts="${imx_habv4_key_dir}/crts" > >> + local keys="${imx_habv4_key_dir}/keys" > >> + local OPENSSL_KEYPASS="${imx_habv4_key_dir}/keys/key_pass.txt" > >> + > >> + for i in 1 2 3 4; do > >> + r="imx-habv4-srk${i}" > >> + cs_define_role "${r}" > >> + cs_import_cert_from_der "${r}" > >> "${crts}/SRK${i}_sha256_4096_65537_v3_ca_crt.der" > >> + cs_import_key_from_pem "${r}" > >> "${keys}/SRK${i}_sha256_4096_65537_v3_ca_key.pem" > >> + cs_append_ca_from_uri "${r}" > >> + > >> + r="imx-habv4-csf${i}" > >> + cs_define_role "${r}" > >> + cs_import_cert_from_der "${r}" > >> "${crts}/CSF${i}_1_sha256_4096_65537_v3_usr_crt.der" > >> + cs_import_key_from_pem "${r}" > >> "${keys}/CSF${i}_1_sha256_4096_65537_v3_usr_key.pem" > >> + > >> + r="imx-habv4-img${i}" > >> + cs_define_role "${r}" > >> + cs_import_cert_from_der "${r}" > >> "${crts}/IMG${i}_1_sha256_4096_65537_v3_usr_crt.der" > >> + cs_import_key_from_pem "${r}" > >> "${keys}/IMG${i}_1_sha256_4096_65537_v3_usr_key.pem" > >> + done > >> +} > >> + > >> + > >> +# HSM use case > >> +#set_fit_keys > >> +#set_rauc_keys > >> +#set_imx_habv4_keys > >> + > >> +# or: SoftHSM use case > >> +#cs_init_softhsm > >> +#import_fit_keys > >> +#import_rauc_keys > >> +#import_imx_habv4_keys > > > > Split this into two scripts that work for the correct use-case. > > And use the wizard.sh to delete one and rename the other. > > > >> diff --git a/rules/templates/template-code-signing-provider-choice-in > >> b/rules/templates/template-code-signing-provider-choice-in > >> new file mode 100644 > >> index 000000000..e2108f870 > >> --- /dev/null > >> +++ b/rules/templates/template-code-signing-provider-choice-in > >> @@ -0,0 +1,5 @@ > >> +## SECTION=code_signing_provider > >> + > >> +config CODE_SIGNING_PROVIDER_@PACKAGE@ > >> + bool > >> + prompt "@package@" > >> diff --git a/rules/templates/template-code-signing-provider-in > >> b/rules/templates/template-code-signing-provider-in > >> new file mode 100644 > >> index 000000000..a0c61e6ef > >> --- /dev/null > >> +++ b/rules/templates/template-code-signing-provider-in > >> @@ -0,0 +1,16 @@ > >> +## SECTION=code_signing > >> + > >> +config CODE_SIGNING > >> + select HOST_@PACKAGE@_CODE_SIGNING if CODE_SIGNING_PROVIDER_@PACKAGE@ > >> + > >> +config CODE_SIGNING_PROVIDER > >> + default "@package@" if CODE_SIGNING_PROVIDER_@PACKAGE@ > >> + > >> +config HOST_@PACKAGE@_CODE_SIGNING > >> + bool > >> + select HOST_OPENSC > >> + select HOST_LIBP11 > >> + select HOST_OPENSSL > >> + #select HOST_SOFTHSM > >> + #select HOST_OPENSC_PCSC > >> + #select HOST_EXTRACT_CERT > > > > We can substitute multi-line values here. So just > > > > @DEPENDENCIES@ > > > > and set that to the correct full list of dependencies in the script. > > With "the script" you mean wizard.sh, right? > > Note that wizard.sh is not called if local_src/<name> already exist and > the user answers "y" when asked if the files should be overwritten [1]. > The .in file will contain @PLACEHHOLDER@s in that case.
Not the wizard.sh. Any variable that you export in ptxd_template_new_code_signing_provider() will be substituted when ptxd_template_write_platform_rules() creates the .in file. Michael > (How) should we handle that? > > Regards, > Bastian > > [1] > https://git.pengutronix.de/cgit/ptxdist/tree/scripts/lib/ptxd_lib_template.sh?id=560f69b173794383a9dbfb6bc5be38a81c3e3b05#n191 > > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | http://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list [email protected] To unsubscribe, send a mail with subject "unsubscribe" to [email protected]
