[ptxdist] [PATCH v2 06/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
Key providers now take care of calling the CA helpers. This makes sure the CA is already present in pem format. Use that instead of extracting and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer a dependency of template-barebox-imx-habv4. Note: requires ptx-code-signing-dev 0.4 or later Signed-off-by: Bastian Krause --- Changes since (implicit) v1: - clarify required version of ptx-code-signing-dev in commit message --- rules/templates/template-barebox-imx-habv4-in | 1 - scripts/lib/ptxd_lib_imx_hab.sh | 16 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/rules/templates/template-barebox-imx-habv4-in b/rules/templates/template-barebox-imx-habv4-in index af3e59986..16258cbee 100644 --- a/rules/templates/template-barebox-imx-habv4-in +++ b/rules/templates/template-barebox-imx-habv4-in @@ -3,7 +3,6 @@ config BAREBOX_@PACKAGE@ tristate select CODE_SIGNING - select HOST_EXTRACT_CERT select HOST_IMX_CST prompt "Barebox (@package@)" help diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh index 034bf82b2..781c1b3f6 100644 --- a/scripts/lib/ptxd_lib_imx_hab.sh +++ b/scripts/lib/ptxd_lib_imx_hab.sh 
@@ -26,24 +26,24 @@ ptxd_make_imx_habv4_gen_table_impl() { local template="${1}" local table_bin="${pkg_build_dir}/imx-srk-table.bin" local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin" -local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/imx-habv4.XX")" +local -a certs echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n" for i in 1 2 3 4; do - local t=$(printf "${template}" "${i}") - local uri=$(cs_get_uri "$t") + certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")" +done - ptxd_exec extract-cert "${uri}" ${tmpdir}/srk${i}.der && - ptxd_exec openssl x509 -inform der -in ${tmpdir}/srk${i}.der \ - -out ${tmpdir}/srk${i}.pem || break -done && +local orig_IFS="${IFS}" +IFS="," +certs="${certs[*]}" +IFS="${orig_IFS}" ptxd_exec srktool --hab_ver 4 \ --table "${table_bin}" \ --efuses "${srk_fuse_bin}" \ --digest sha256 \ - --certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem + --certs "${certs}" } export -f ptxd_make_imx_habv4_gen_table_impl -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
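Review bot: In ptxd_make_imx_habv4_gen_table_impl the old loop chained extract-cert and openssl with `|| break` and `done &&`, so srktool only ran once every certificate had been produced; the new loop collects whatever cs_get_ca prints and srktool runs unconditionally. cs_get_ca (patch 04 of this series) only echoes "${keydir}/${role}/ca.pem" without testing it, so a role the key provider never populated is noticed only if srktool rejects the path. Suggest testing each path (for example with `[ -s ... ]`) inside the loop and calling ptxd_bailout with the role name. Separately, `certs="${certs[*]}"` stores the joined string in element 0 of the array that was just filled; a separate scalar for the joined value would be easier to follow than reusing the array name and saving/restoring IFS around it.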
[ptxdist] [PATCH v2 05/15] host-ptx-code-signing-dev: version bump 0.2 -> 0.4
This includes a fix of a copy/paste error in import_rauc_keys's role. Additionally the new helper cs_append_ca_from_uri is now used for RAUC and HAB SRK roles. The helper function requires HOST_EXTRACT_CERT, HOST_OPENSSL and HOST_LIBP11. Signed-off-by: Bastian Krause --- Changes since (implicit) v1: - select necessary host tools directly in code signing provider, not in CODE_SIGNING - select required HOST_LIBP11 --- rules/host-ptx-code-signing-dev.in | 3 +++ rules/host-ptx-code-signing-dev.make | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/host-ptx-code-signing-dev.in b/rules/host-ptx-code-signing-dev.in index 19ea46c40..7cad9f54d 100644 --- a/rules/host-ptx-code-signing-dev.in +++ b/rules/host-ptx-code-signing-dev.in @@ -10,3 +10,6 @@ config HOST_PTX_CODE_SIGNING_DEV bool select HOST_SOFTHSM select HOST_OPENSC + select HOST_EXTRACT_CERT + select HOST_OPENSSL + select HOST_LIBP11 diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make index ea40ac646..d97ae60ef 100644 --- a/rules/host-ptx-code-signing-dev.make +++ b/rules/host-ptx-code-signing-dev.make @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev # # Paths and names # -HOST_PTX_CODE_SIGNING_DEV_VERSION := 0.2 -HOST_PTX_CODE_SIGNING_DEV_MD5 := 1d8f695cde55ea9bbfac9804ce439c9a +HOST_PTX_CODE_SIGNING_DEV_VERSION := 0.4 +HOST_PTX_CODE_SIGNING_DEV_MD5 := 853ac0147adc0b46dc695e16a7101aaa HOST_PTX_CODE_SIGNING_DEV := ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION) HOST_PTX_CODE_SIGNING_DEV_SUFFIX := tar.gz HOST_PTX_CODE_SIGNING_DEV_URL := https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX) -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
[ptxdist] [PATCH v2 13/15] rauc/image-rauc: use code signing infrastructure for key retrieval
Use the keys provided by the currently active key provider via PKCS#11 instead of key files placed in the platform config directory. In order to make sure the new mechanics are used after a BSP update the rauc.key file is no longer allowed to exist in the platformconfig directory. Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or later Signed-off-by: Bastian Krause --- Changes since (implicit) v1: - add code signing env to image rauc env - clarify required versions of genimage/ptx-code-signing-dev in commit message --- platforms/image-rauc.in | 1 + projectroot/etc/rauc/ca.cert.pem | 7 -- rules/image-rauc.make| 36 ++--- rules/rauc.in| 1 + rules/rauc.make | 11 ++- scripts/rauc-gen-test-certs.sh | 126 --- 6 files changed, 17 insertions(+), 165 deletions(-) delete mode 100644 projectroot/etc/rauc/ca.cert.pem delete mode 100755 scripts/rauc-gen-test-certs.sh diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in index 658ddd5cd..1f9427b40 100644 --- a/platforms/image-rauc.in +++ b/platforms/image-rauc.in @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC select HOST_GENIMAGE select HOST_RAUC select IMAGE_ROOT_TGZ + select CODE_SIGNING help This generates a RAUC update Bundle for the selected platform using genimage. diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem deleted file mode 100644 index be1aa7c30..0 --- a/projectroot/etc/rauc/ca.cert.pem +++ /dev/null @@ -1,7 +0,0 @@ -# This is a dummy keyring file. Please overwrite this with one that matches -# your X.509 infrastructure if you intend to use RAUC for secure updates! -# -# If you really do not intend to actively use the security features (or for -# testing purpose) you may create a development certificate by executing the -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist -# installation. diff --git a/rules/image-rauc.make b/rules/image-rauc.make index 839cb400b..d85b88cc2 100644 --- a/rules/image-rauc.make +++ b/rules/image-rauc.make 
@@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG := rauc.config ifdef PTXCONF_IMAGE_RAUC -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem) -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem) - -IMAGE_RAUC_ENV := \ +IMAGE_RAUC_ENV = \ + $(CODE_SIGNING_ENV) \ RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \ RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \ RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \ RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \ - RAUC_KEY=$(IMAGE_RAUC_KEY) \ - RAUC_CERT=$(IMAGE_RAUC_CERT) + RAUC_KEY="$(shell cs_get_uri update)" \ + RAUC_CERT="$(shell cs_get_uri update)" -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT) +$(IMAGE_RAUC_IMAGE): @$(call targetinfo) @$(call image/genimage, IMAGE_RAUC) @$(call finish) -$(IMAGE_RAUC_KEY): - @echo - @echo "" - @echo " Please place your signing key in config/rauc/rauc.key.pem. " - @echo "* *" - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *" - @echo "* from the scripts/ folder of your PTXdist installation *" - @echo "" - @echo - @echo - @exit 1 - -$(IMAGE_RAUC_CERT): - @echo - @echo "" - @echo " Please place your signing certificate in config/rauc/rauc.cert.pem. ***" - @echo "* *" - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *" - @echo "* from the scripts/ folder of your PTXdist installation *" - @echo "" - @echo - @echo - @exit 1 - endif # vim: syntax=make diff --git a/rules/rauc.in b/rules/rauc.in index d712bc7b9..56fc3ae3b 100644 --- a/rules/rauc.in +++ b/rules/rauc.in @@ -7,6 +7,7 @@ menuconfig RAUC select GLIB select GLIB_LIBMOUNT select HOST_GLIB + select CODE_SIGNING select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR select BUSYBOX_FEATURE_TAR_AUTODETECT if BUSYBOX_TAR select BUSYBOX_FEATURE_SEAMLESS_XZ if BUSYBOX_TAR diff --git a/rules/rauc.make b/rules/rauc.make index ade9bd5dd..f9a10fbbc 100644 ---
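Review bot: In rules/image-rauc.make, RAUC_KEY and RAUC_CERT now come from `$(shell cs_get_uri update)` while the $(IMAGE_RAUC_KEY) and $(IMAGE_RAUC_CERT) prerequisites, together with their `exit 1` rules, are removed, so nothing in the $(IMAGE_RAUC_IMAGE) rule stops the build when no URI is available. With patch 02 of this series, cs_get_uri called directly from make prints ERROR_URI_NOT_YET_SET and returns, so that string would be handed to genimage as both key and certificate. Suggest a check at the top of the recipe that fails with a clear message when the value is empty or equals the sentinel. The same `$(shell ...)` call is also written twice; evaluating it into one variable that feeds both RAUC_KEY and RAUC_CERT would keep the two from diverging.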
[ptxdist] [PATCH v2 15/15] rauc: version bump 1.2 -> 1.3
Signed-off-by: Bastian Krause --- Note: newly added in v2. --- rules/rauc.make | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/rauc.make b/rules/rauc.make index f9a10fbbc..075a7d649 100644 --- a/rules/rauc.make +++ b/rules/rauc.make @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_RAUC) += rauc # # Paths and names # -RAUC_VERSION := 1.2 -RAUC_MD5 := e2a1772825c6ea900e4824b670846a00 +RAUC_VERSION := 1.3 +RAUC_MD5 := 04ba029daa51e1f70fe53d62f2c5ebc3 RAUC := rauc-$(RAUC_VERSION) RAUC_SUFFIX:= tar.xz RAUC_URL := https://github.com/rauc/rauc/releases/download/v$(RAUC_VERSION)/$(RAUC).$(RAUC_SUFFIX) -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
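Review bot: The commit message has no body, and the v2 note only says the patch is new. Other patches in this series state the minimum genimage and ptx-code-signing-dev versions they need; please say here whether RAUC 1.3 is required by the PKCS#11 changes or is an independent update, so the patch can be picked or dropped on its own.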
[ptxdist] [PATCH v2 02/15] ptxd_lib_code_signing: return error string in cs_get_uri for make error case
Signed-off-by: Bastian Krause --- scripts/lib/ptxd_lib_code_signing.sh | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index 588a4b1b4..f93f183df 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -154,7 +154,11 @@ cs_get_uri() { if [ ${#FUNCNAME[*]} -gt 1 ]; then ptxd_bailout "No PKCS#11 URI for role ${role}" else - # ignore the error if cs_get_uri is called directly from make + # cs_get_uri was called directly from make prior to cs_set_uri, + # which may not be an error if it is evaluated early *and* later + # again - return a unique error string in case it is not expected + # and a user stumbles upon this + echo "ERROR_URI_NOT_YET_SET" return fi fi -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
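Review bot: In the else branch of cs_get_uri the sentinel ERROR_URI_NOT_YET_SET is written to stdout and the bare `return` that follows passes on echo's exit status, which is 0. A caller using command substitution therefore cannot tell the sentinel from a real PKCS#11 URI except by comparing strings, and the value can travel on into a signing command. Suggest also printing a message to stderr and documenting the sentinel in the function's header comment, so consumers know to test for it before use.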
[ptxdist] [PATCH v2 09/15] u-boot/ptxd_make_fit_image: avoid overriding object name
Having multiple "object=" occurrences in a single PKCS#11 URI does not work for all cases, at least not for opensc-pkcs11. Thus u-boot's PKCS#11 handling was patched to avoid overriding the object name when it is already specified. The patch was sent upstream. Signed-off-by: Bastian Krause --- ...erriding-the-object-name-when-alread.patch | 81 +++ patches/u-boot-2020.04/series | 4 + scripts/lib/ptxd_make_fit_image.sh| 4 +- 3 files changed, 86 insertions(+), 3 deletions(-) create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch create mode 100644 patches/u-boot-2020.04/series diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch new file mode 100644 index 0..5ba930fb5 --- /dev/null +++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch 
@@ -0,0 +1,81 @@ +From: Jan Luebbe +Date: Mon, 16 Mar 2020 11:45:22 +0100 +Subject: [PATCH] lib: rsa: avoid overriding the object name when already + specified + +If "object=" is specified in "keydir" when using the pkcs11 engine do +not append another "object=". This makes it possible to +use object names other than the key name hint. These two string +identifiers are not necessarily equal. + +Signed-off-by: Jan Luebbe +Signed-off-by: Bastian Krause +Reviewed-by: George McCollister +Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html +--- + doc/uImage.FIT/signature.txt | 8 +--- + lib/rsa/rsa-sign.c | 22 -- + 2 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt +index 3591225a6edd..d4afd755e9fc 100644 +--- a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt +@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed + to openssl's default search paths. + + PKCS11 engine support forms "key id" based on "keydir" and with +-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if +-defined is used to define (prefix for) which PKCS11 source is being used for +-lookup up for the key. ++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in ++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source ++is being used for lookup up for the key. 
+ + PKCS11 engine key ids: +"pkcs11:;object=;type=" ++or, if keydir contains "object=" ++ "pkcs11:;type=" + or +"pkcs11:object=;type=", + +diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c +index 580c74470939..1914b9641312 100644 +--- a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c +@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name, + + if (engine_id && !strcmp(engine_id, "pkcs11")) { + if (keydir) +- snprintf(key_id, sizeof(key_id), +- "pkcs11:%s;object=%s;type=public", +- keydir, name); ++ if (strstr(keydir, "object=")) ++ snprintf(key_id, sizeof(key_id), ++ "pkcs11:%s;type=public", ++ keydir); ++ else ++ snprintf(key_id, sizeof(key_id), ++ "pkcs11:%s;object=%s;type=public", ++ keydir, name); + else + snprintf(key_id, sizeof(key_id), +"pkcs11:object=%s;type=public", +@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name, + + if (engine_id && !strcmp(engine_id, "pkcs11")) { + if (keydir) +- snprintf(key_id, sizeof(key_id), +- "pkcs11:%s;object=%s;type=private", +- keydir, name); ++ if (strstr(keydir, "object=")) ++ snprintf(key_id, sizeof(key_id), ++ "pkcs11:%s;type=private", ++ keydir); ++ else ++ snprintf(key_id, sizeof(key_id), ++ "pkcs11:%s;object=%s;type=private", ++ keydir, name); + else + snprintf(key_id, sizeof(key_id), +"pkcs11:object=%s;type=private", diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series new file mode 100644 index 0..02db98548 --- /dev/null +++ b/patches/u-boot-2020.04/series @@ -0,0 +1,4 @@ +# generated by git-ptx-patches
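Review bot: In both rsa_engine_get_pub_key and rsa_engine_get_priv_key the new if/else is nested directly under `if (keydir)` without braces, so the last `else` pairs with the outer `if` only because the inner one already has its own else. Please brace the outer branches; that avoids a dangling-else warning and keeps a later edit from silently rebinding the else. The `strstr(keydir, "object=")` test is also a plain substring match, so it fires when that text appears inside another attribute's value; matching it only at the start of keydir or directly after a ';' would be more precise, and the signature.txt hunk could state which of the two is intended.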
[ptxdist] [PATCH v2 10/15] ptxd_make_fit_image: sign ramdisk if enabled
Until now only kernel and fdt are signed by mkimage. If a ramdisk is used sign it also. Unfortunately quotes are not usable in the alternative value of variable parameter substitution ${parameter:+alt_value}: https://stackoverflow.com/questions/40995523/bash-variable-expansion-var-in-here-document-removing-double-quotes Thus use printf as a workaround. Signed-off-by: Bastian Krause --- Note: newly added in v2. --- scripts/lib/ptxd_make_fit_image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh index c2725ab3d..56f273686 100644 --- a/scripts/lib/ptxd_make_fit_image.sh +++ b/scripts/lib/ptxd_make_fit_image.sh @@ -78,7 +78,7 @@ EOF signature-1 { algo = "sha256,rsa4096"; key-name-hint = "${image_key_name_hint}"; - sign-images = "fdt", "kernel"; + sign-images = "fdt", "kernel"${image_initramfs:+$(printf %s ', "ramdisk"')}; }; EOF fi -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
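Review bot: On the sign-images line, the reason for wrapping the alternative value in `$(printf %s ', "ramdisk"')` is given only in the commit message. A short comment above the here-document saying that quotes inside `${image_initramfs:+...}` do not survive there, hence the printf, would keep a later cleanup from simplifying the expression back and dropping the ramdisk from the signed images.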
[ptxdist] [PATCH v2 04/15] ptxd_lib_code_signing: introduce CA helper
These helpers allow key providers to append certificates to their CA. 'cs_get_ca ' then returns the path to the keyring allowing rules and other helpers to retrieve it easily. Signed-off-by: Bastian Krause --- Changes since (implicit) v1: - add new line when appending to a CA --- scripts/lib/ptxd_lib_code_signing.sh | 65 1 file changed, 65 insertions(+) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index f93f183df..a7779f821 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh 
@@ -261,3 +261,68 @@ cs_import_key_from_pem() { cs_import_privkey_from_pem "${role}" "${pem}" } export -f cs_import_key_from_pem + +# +# cs_get_ca +# +# Get the path to the CA in pem format from a role +# +cs_get_ca() { +local role="${1}" +cs_init_variables + +echo "${keydir}/${role}/ca.pem" +} +export -f cs_get_ca + +# +# cs_append_ca_from_pem +# +# Append PEM to CA for a role +# +cs_append_ca_from_pem() { +local role="${1}" +local pem="${2}" +cs_init_variables + +cat "${pem}" >> "${keydir}/${role}/ca.pem" +# add new line in case ${pem} does not end with an EOL +echo >> "${keydir}/${role}/ca.pem" +} +export -f cs_append_ca_from_pem + +# +# cs_append_ca_from_der +# +# Append DER to CA for a role +# +cs_append_ca_from_der() { +local role="${1}" +local der="${2}" +cs_init_variables + +ptxd_exec openssl x509 -inform der -in "${der}" \ + -out "${tmpdir}/ca.pem" && +cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" +} +export -f cs_append_ca_from_der + +# +# cs_append_ca_from_uri [] +# +# Append certificate specified by URI or by already set URI to CA for a role +# +cs_append_ca_from_uri() { +local role="${1}" +local uri="${2}" +local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")" +cs_init_variables + +if [ -z "${uri}" ]; then + uri=$(cs_get_uri "${role}") +fi + +ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && +cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" +} +export -f cs_append_ca_from_uri -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
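Review bot: cs_append_ca_from_der writes to "${tmpdir}/ca.pem" but never sets tmpdir itself; in the lines shown it only has a value when the function is reached through cs_append_ca_from_uri, whose `local tmpdir` is inherited by the callee. Called directly by a key provider it would write to /ca.pem, unless cs_init_variables (not shown in this hunk) happens to define tmpdir. Please create the temporary directory inside cs_append_ca_from_der or pass the output path as an argument. In cs_append_ca_from_pem the `cat "${pem}" >>` and the following `echo >>` are not chained, so a failed cat is masked by echo's success and callers that rely on `&&` never see the error; joining the two with `&&` fixes that.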
[ptxdist] [PATCH v2 03/15] ptxd_lib_imx_hab: fix srk fuse file and table generation
srktool's help text states "certificate filenames must be separated by a ',' with no spaces". Line continuation using "\" with the next line being indented leads to a space being inserted between the SRK2 certificate and the SRK3 certificate. srktool does not fail, but ignores everything after the space silently. Thus only the first two certificates end up in the fuse file and table. Fix this by specifying all certs on a single line. Signed-off-by: Bastian Krause --- scripts/lib/ptxd_lib_imx_hab.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh index 8be376ff1..034bf82b2 100644 --- a/scripts/lib/ptxd_lib_imx_hab.sh +++ b/scripts/lib/ptxd_lib_imx_hab.sh @@ -43,8 +43,7 @@ ptxd_make_imx_habv4_gen_table_impl() { --table "${table_bin}" \ --efuses "${srk_fuse_bin}" \ --digest sha256 \ - --certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,\ - ${tmpdir}/srk3.pem,${tmpdir}/srk4.pem + --certs ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem } export -f ptxd_make_imx_habv4_gen_table_impl -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
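Review bot: The joined `--certs` value on the added line is still unquoted, so a ${tmpdir} that contains whitespace would split the list into several words again, and per the commit message srktool would silently ignore the tail. Suggest passing it as one quoted word, `--certs "${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem"`, so the fix does not depend on what PTXDIST_TEMPDIR looks like.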
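The word splitting described in this commit message, and a guard against it, as an added shell example that is not part of the patch or of PTXdist. The function names (count_args, continuation_arg_count, single_line_arg_count, join_srk_certs) are hypothetical and the srk*.pem names are constructed placeholders.

```shell
#!/bin/sh
# Added illustration; not code from PTXdist. All names are hypothetical.

# Report how many arguments a command receives.
count_args() { echo "$#"; }

# Pre-fix layout: the shell removes backslash-newline, but the indentation
# of the following line remains and splits the list into two words.
continuation_arg_count() {
    count_args --certs srk1.pem,srk2.pem,\
        srk3.pem,srk4.pem
}

# Post-fix layout: the whole certificate list is a single word.
single_line_arg_count() {
    count_args --certs srk1.pem,srk2.pem,srk3.pem,srk4.pem
}

# join_srk_certs CERT...
# Print the given certificate paths as one comma-separated word, suitable
# for a quoted --certs argument. Fails instead of producing a list that a
# consumer could silently truncate:
#   - fewer than 1 or more than 4 certificates
#   - a path containing a space, tab or comma
#   - a path that is missing or empty
join_srk_certs() {
    if [ "$#" -lt 1 ] || [ "$#" -gt 4 ]; then
        echo "join_srk_certs: expected 1 to 4 certificates, got $#" >&2
        return 1
    fi
    _tab=$(printf '\t')
    _joined=""
    for _cert in "$@"; do
        case "${_cert}" in
            *" "*|*"${_tab}"*|*,*)
                echo "join_srk_certs: whitespace or comma in path: ${_cert}" >&2
                return 1
                ;;
        esac
        if [ ! -s "${_cert}" ]; then
            echo "join_srk_certs: missing or empty certificate: ${_cert}" >&2
            return 1
        fi
        _joined="${_joined:+${_joined},}${_cert}"
    done
    printf '%s\n' "${_joined}"
}

# Show the difference between the two layouts.
echo "continued line: $(continuation_arg_count) arguments"
echo "single line:    $(single_line_arg_count) arguments"
```

A caller would use the result as one word, for example `certs="$(join_srk_certs "$@")" || exit 1` followed by `--certs "${certs}"`.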
[ptxdist] [PATCH v2 07/15] ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable
Signed-off-by: Bastian Krause --- rules/templates/template-barebox-imx-habv4-make | 2 +- scripts/lib/ptxd_lib_imx_hab.sh | 15 +-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/rules/templates/template-barebox-imx-habv4-make b/rules/templates/template-barebox-imx-habv4-make index d8086f0cf..ec402afa1 100644 --- a/rules/templates/template-barebox-imx-habv4-make +++ b/rules/templates/template-barebox-imx-habv4-make @@ -74,7 +74,7 @@ $(STATEDIR)/barebox-@package@.compile: @$(call targetinfo) @$(call world/env, BAREBOX_@PACKAGE@) \ - ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" + ptxd_make_imx_habv4_gen_table "imx-habv4-srk%d" 4 @$(call world/compile, BAREBOX_@PACKAGE@) diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh index 781c1b3f6..d1e2aba99 100644 --- a/scripts/lib/ptxd_lib_imx_hab.sh +++ b/scripts/lib/ptxd_lib_imx_hab.sh @@ -9,10 +9,12 @@ # # ptxd_make_imx_habv4_gen_table - generate the srk fuse file and srk table for i.MX HABv4 # -# usage: ptxd_make_imx_habv4_gen_table +# usage: ptxd_make_imx_habv4_gen_table [] # # template: the role template to access the keys. Must contain a "%d" which is # used as index +# srk_count: the number of keys (keys with index 1..srk_count will be used), +#defaults to 4 # # The output files are generated in the package build dir: # @@ -24,13 +26,22 @@ # ptxd_make_imx_habv4_gen_table_impl() { local template="${1}" +local srk_count="${2}" local table_bin="${pkg_build_dir}/imx-srk-table.bin" local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin" local -a certs +if [ -z "${srk_count}" ]; then + srk_count=4 +fi + +if [ "${srk_count}" -gt 4 ]; then + ptxd_bailout "HABv4 allows only 4 certificates" +fi + echo -e "generating $(basename ${table_bin}) and $(basename ${srk_fuse_bin})\n" -for i in 1 2 3 4; do +for i in $(seq ${srk_count}); do certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")" done -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
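Review bot: srk_count is only checked against the upper bound. `[ "${srk_count}" -gt 4 ]` lets 0 and negative values through, which leaves certs empty and hands srktool an empty `--certs` list, and a non-numeric value makes the test itself fail with an error while the function carries on into `seq`. Suggest validating that the value is one of 1 to 4 before the loop (a `case` on `1|2|3|4` is enough) and bailing out otherwise; `local srk_count="${2:-4}"` would also replace the separate `-z` block for the default.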
[ptxdist] [PATCH v2 12/15] code-signing: introduce for ptxconfig, add sanity check
Create a new rules/code-signing.in to be able to select CODE_SIGNING not only in platformconfig but also in ptxconfig. Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if PTXCONF_CODE_SIGNING is set. Signed-off-by: Bastian Krause --- Changes since (implicit) v1: - re-add accidentally dropped rules/code-signing.in introducing CODE_SIGNING for ptxconfig - move before "rauc/image-rauc: use code signing infrastructure for key retrieval" --- rules/code-signing.in | 4 rules/code-signing.make | 13 + 2 files changed, 17 insertions(+) create mode 100644 rules/code-signing.in create mode 100644 rules/code-signing.make diff --git a/rules/code-signing.in b/rules/code-signing.in new file mode 100644 index 0..ae2ba726d --- /dev/null +++ b/rules/code-signing.in @@ -0,0 +1,4 @@ +## SECTION=hosttools_noprompt_ptx + +config CODE_SIGNING + bool diff --git a/rules/code-signing.make b/rules/code-signing.make new file mode 100644 index 0..db1c5ab88 --- /dev/null +++ b/rules/code-signing.make @@ -0,0 +1,13 @@ +# -*-makefile-*- +# +# Copyright (C) 2020 by Bastian Krause +# +# For further information about the PTXdist project and license conditions +# see the README file. +# + +ifdef PTXCONF_CODE_SIGNING +ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),) +$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly) +endif +endif -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
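Review bot: In rules/code-signing.make the check only tests whether PTXCONF_CODE_SIGNING_PROVIDER is empty after remove_quotes, while the `$(error ...)` text says it "must be set correctly". Please word the message to match what is tested, for example that no code signing provider is selected although PTXCONF_CODE_SIGNING is enabled, so a user hitting it knows which option to change. The new file header could also carry a one-line comment saying why the check exists.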
[ptxdist] [PATCH v2 14/15] image-rauc: enable keyring verification
Note: requires genimage v13 or later Signed-off-by: Bastian Krause --- Changes since (implicit) v1: - clarify required version of genimage in commit message --- config/images/rauc.config | 1 + rules/image-rauc.make | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/config/images/rauc.config b/config/images/rauc.config index 8396bd4be..0c824f00e 100644 --- a/config/images/rauc.config +++ b/config/images/rauc.config @@ -13,5 +13,6 @@ image @IMAGE@ { " cert = "@RAUC_CERT@" key = "@RAUC_KEY@" + keyring = "@RAUC_KEYRING@" } } diff --git a/rules/image-rauc.make b/rules/image-rauc.make index d85b88cc2..fe1b0e89b 100644 --- a/rules/image-rauc.make +++ b/rules/image-rauc.make @@ -33,7 +33,8 @@ IMAGE_RAUC_ENV= \ RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \ RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \ RAUC_KEY="$(shell cs_get_uri update)" \ - RAUC_CERT="$(shell cs_get_uri update)" + RAUC_CERT="$(shell cs_get_uri update)" \ + RAUC_KEYRING="$(shell cs_get_ca update)" $(IMAGE_RAUC_IMAGE): @$(call targetinfo) -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
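Review bot: RAUC_KEYRING is filled from cs_get_ca, which (patch 04 of this series) only prints "${keydir}/${role}/ca.pem" and does not test that the file exists. If the active key provider never appended a certificate for the update role, the bundle step receives a path to a missing file. A check in the $(IMAGE_RAUC_IMAGE) recipe that the keyring is a non-empty file, with a message naming the role, would make that failure obvious. The commit message body holds only the version note; one sentence on what the added keyring entry makes genimage and rauc verify would help reviewers.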
[ptxdist] [PATCH v2 08/15] ptxd_make_fit_image: call mkimage with ptxd_exec
It helps debugging failing mkimage calls. Signed-off-by: Bastian Krause --- scripts/lib/ptxd_make_fit_image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh index 761d6bf1e..041c5b803 100644 --- a/scripts/lib/ptxd_make_fit_image.sh +++ b/scripts/lib/ptxd_make_fit_image.sh @@ -127,6 +127,6 @@ ptxd_make_image_fit() { echo "Generated device-tree for the fit image:" cat "${its}" fi && -mkimage -N pkcs11 -f "${its}" "${image_image}" -r "${sign_args[@]}" +ptxd_exec mkimage -N pkcs11 -f "${its}" "${image_image}" -r "${sign_args[@]}" } export -f ptxd_make_image_fit -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
[ptxdist] [PATCH v2 00/15] Fix/extend code signing infrastructure/consumers
This series includes various bug fixes and extensions of ptxdist's code signing infrastructure and its consumers. This includes HAB barebox images, signed FIT images and RAUC bundles. Real HSMs can now be used for signing. Newly introduced helpers simplify CA handling. Changes since implicit v1 (20200514134300.16105-1-...@pengutronix.de and following, without cover letter): - add new line when appending to a CA - select necessary host tools directly in code signing provider, not in CODE_SIGNING - add code signing env to image rauc env - re-add accidentally dropped rules/code-signing.in introducing CODE_SIGNING for ptxconfig - move "code-signing: introduce for ptxconfig, add sanity check" before "rauc/image-rauc: use code signing infrastructure for key retrieval" - clarify required versions of genimage/ptx-code-signing-dev in commit messages - add rauc version bump - sign ramdisk in FIT images (if enabled) Regards, Bastian Bastian Krause (15): host-genimage: version bump 11 -> 13 ptxd_lib_code_signing: return error string in cs_get_uri for make error case ptxd_lib_imx_hab: fix srk fuse file and table generation ptxd_lib_code_signing: introduce CA helper host-ptx-code-signing-dev: version bump 0.2 -> 0.4 ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper ptxd_lib_imx_hab/template-barebox-imx-habv4: make number of SRKs configurable ptxd_make_fit_image: call mkimage with ptxd_exec u-boot/ptxd_make_fit_image: avoid overriding object name ptxd_make_fit_image: sign ramdisk if enabled code-signing: move code-signing.in to platforms/ code-signing: introduce for ptxconfig, add sanity check rauc/image-rauc: use code signing infrastructure for key retrieval image-rauc: enable keyring verification rauc: version bump 1.2 -> 1.3 config/images/rauc.config | 1 + ...erriding-the-object-name-when-alread.patch | 81 +++ patches/u-boot-2020.04/series | 4 + platforms/code-signing.in | 23 platforms/image-rauc.in | 1 + projectroot/etc/rauc/ca.cert.pem | 7 - 
rules/code-signing.in | 23 +--- rules/code-signing.make | 13 ++ rules/host-genimage.make | 4 +- rules/host-ptx-code-signing-dev.in| 3 + rules/host-ptx-code-signing-dev.make | 4 +- rules/image-rauc.make | 37 + rules/rauc.in | 1 + rules/rauc.make | 15 ++- rules/templates/template-barebox-imx-habv4-in | 1 - .../templates/template-barebox-imx-habv4-make | 2 +- scripts/lib/ptxd_lib_code_signing.sh | 71 +- scripts/lib/ptxd_lib_imx_hab.sh | 32 +++-- scripts/lib/ptxd_make_fit_image.sh| 8 +- scripts/rauc-gen-test-certs.sh| 126 -- 20 files changed, 246 insertions(+), 211 deletions(-) create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch create mode 100644 patches/u-boot-2020.04/series create mode 100644 platforms/code-signing.in delete mode 100644 projectroot/etc/rauc/ca.cert.pem create mode 100644 rules/code-signing.make delete mode 100755 scripts/rauc-gen-test-certs.sh -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
[ptxdist] [PATCH v2 11/15] code-signing: move code-signing.in to platforms/
rules/code-signing.in belongs in platforms/, so move it there. Signed-off-by: Bastian Krause --- {rules => platforms}/code-signing.in | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules => platforms}/code-signing.in (100%) diff --git a/rules/code-signing.in b/platforms/code-signing.in similarity index 100% rename from rules/code-signing.in rename to platforms/code-signing.in -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
[ptxdist] [PATCH v2 01/15] host-genimage: version bump 11 -> 13
Signed-off-by: Bastian Krause --- rules/host-genimage.make | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/host-genimage.make b/rules/host-genimage.make index 28d0d613a..baa69e3fb 100644 --- a/rules/host-genimage.make +++ b/rules/host-genimage.make @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_GENIMAGE) += host-genimage # # Paths and names # -HOST_GENIMAGE_VERSION := 11 -HOST_GENIMAGE_MD5 := 5db95026ff8aedcbcf7804098f685c7b +HOST_GENIMAGE_VERSION := 13 +HOST_GENIMAGE_MD5 := 84ec07d684f27a425b3789f87c35ffa3 HOST_GENIMAGE := genimage-$(HOST_GENIMAGE_VERSION) HOST_GENIMAGE_SUFFIX := tar.xz HOST_GENIMAGE_URL := http://www.pengutronix.de/software/genimage/download/$(HOST_GENIMAGE).$(HOST_GENIMAGE_SUFFIX) -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
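Review bot: HOST_GENIMAGE_URL in the context lines still uses http://, and the only integrity check visible in this hunk is the MD5 value being updated. For a tool that produces the signed RAUC bundles later in this series, consider switching the URL to https:// while the version is being touched. The commit message is empty as well; since patches 13 and 14 state that genimage v13 or later is required, a sentence here naming what v13 provides would tie the bump to the series.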
Re: [ptxdist] Segmentation fault with ptxdist-2020.05.0
On 15.05.20 15:02, Mircea Ciocan wrote:

On 15.05.20 09:46, Michael Olbrich wrote:

On Thu, May 14, 2020 at 03:36:44PM +0200, Mircea Ciocan wrote:

Hello list,

I have the most strange error with the ptxdist-2020.05.0 while trying to compile a simple image for the iMX6ULL EVK, the shell segfaults !!!

Here is some information that you could find useful:

Distribution: Ubuntu 18.04 LTS, 8GB RAM, current updates. System shell set to bash.

The compilation of everything goes perfectly OK, but while building the root filesystem image it crashes, always in the same place (100% reproducible), when adding the net-dns-perl package, with the following message;

info: selected ptxconfig: 'configs/platform-mcimx6ull-evk/ptxconfig.tiny'
ptxdist: warning: No dev packages found in 'Firmware/packages-MCIMX6ULL-EVK'
...[snip]... [compilation goes OK]
target: root.tgz
...[snip]...
Configuring readline.
Configuring net-dns-perl.
environment: line 1: 31523 Done { echo "cd '${work_dir}' || exit"; ptxd_dopermissions "${ptxd_reply_perm_files[@]}"; echo ":"; }
31524 Segmentation fault (core dumped) | sh
./Software/ptxdist-2020.05.0/rules/image-root-tgz.make:29: recipe for target './Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz' failed
make: *** [./Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz] Error 139

In the system log I get something like:

"vmunix: [132753.581596] sh[10747]: segfault at 7ffe5bdf1fe8 ip 7fdb0b04930e sp 7ffe5bdf1fe0 error 6 in libc-2.27.so[7fdb0afb5000+1e7000]"

I have to say that I rarely, if ever, see this type of crash, and the build finishes OK with ptxdist-2020.02.0. Any pointers on how I can fix or debug this are greatly appreciated.

Huh, I've never seen anything like this. Some things to test. Take a look at scripts/lib/ptxd_make_image_prepare_work_dir.sh in PTXdist. The relevant code is there. Line 50ff.
If you change line 56 to something like this:

} | tee /tmp/ptxdist-sh-test.txt | sh &&

Then this will save the exact code that the shell executes when it crashed. Maybe we can find some clues there. But it's probably a bug in 'sh'. What's your /bin/sh anyways? For me it's a link to 'dash' but sometimes it's a bash. You could explicitly try the other here instead of 'sh' to see if that crashes as well.

Michael

Hello Michael and thanks for the hint,

first things first, the shell is the GNU bash, I've changed it via the update-alternatives, because more than one time I've had issues with scripts that call /bin/sh, but assume that is bash.

The logging tap collected the following file:

"cd './Software/Firmware/platform-MCIMX6ULL-EVK/build-target/image-root-tgz' || exit
chmod 0755 './' &&
chown 0.0 './' &&
chmod 0755 './usr' &&
chown 0.0 './usr' &&
chmod 0755 './usr/sbin' &&
chown 0.0 './usr/sbin' &&
... !!! Another >>>71940<<< similar lines !!! ...
chmod 0755 './usr/bin/cpuburn-a9' &&
chown 0.0 './usr/bin/cpuburn-a9' &&
:"

Is this just a "cool way" to execute a quadrillion of commands, by exploiting to the limit the AND_IF (&&) construct to exit on error, or there is a deeper purpose ? I could see that some other cool programmer tried some optimization somewhere in bash and these two worlds collided hard, now that full Perl and Python packages adds a few tens of thousands of files to the image that need their permissions fixed.

I'll have a look if there was another way to do it (how was it done in 2020.03.0 and lower, could it be that only two lines have been used like: chmod -R * && chown -R 0.0 * und fertig ;) ?!?) and see if I could reproduce it, to make an Ubuntu bug report. Other ideas and solutions are most welcome.
Thanks for your help,

Mircea

OK, latest update, is definitely a (Ubuntu) bash bug, I've run the mega-list of commands with bash and dash, bash crashes immediately, dash takes a monstrously large amount of time (almost 5min on a beefy machine with fast SSD), so it is clear why Michael didn't see the bug. A bit of stracing shows something like a lot of threads dying, so probably bash tries to execute this in parallel and hits something, just FYI here the last words of bash run strace:

read(255, "mod 0755\t'./usr' &&\nchown 0.0\t'."..., 8192) = 8192
brk(0x56519329b000) = 0x56519329b000
read(255, "tch_map' &&\nchmod 0755\t'./' &&\nc"..., 8192) = 2374
brk(0x5651932bc000) = 0x5651932bc000
brk(0x5651932dd000) = 0x5651932dd000
many more similar lines, with different addresses
brk(0x565193805000) = 0x565193805000
brk(0x565193826000) = 0x565193826000
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7ffef981df98} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

So because switching back to dash here it's a bit difficult, is there any way that
Re: [ptxdist] Segmentation fault with ptxdist-2020.05.0
On 15.05.20 09:46, Michael Olbrich wrote:

On Thu, May 14, 2020 at 03:36:44PM +0200, Mircea Ciocan wrote:

Hello list,

I have the most strange error with the ptxdist-2020.05.0 while trying to compile a simple image for the iMX6ULL EVK, the shell segfaults !!!

Here is some information that you could find useful:

Distribution: Ubuntu 18.04 LTS, 8GB RAM, current updates.

System shell set to bash.

The compilation of everything goes perfectly OK, but while building the root filesystem image it crashes, always in the same place (100% reproducible), when adding the net-dns-perl package, with the following message;

info: selected ptxconfig: 'configs/platform-mcimx6ull-evk/ptxconfig.tiny'
ptxdist: warning: No dev packages found in 'Firmware/packages-MCIMX6ULL-EVK'
...[snip]...
[compilation goes OK]
target: root.tgz
...[snip]...
Configuring readline.
Configuring net-dns-perl.
environment: line 1: 31523 Done { echo "cd '${work_dir}' || exit"; ptxd_dopermissions "${ptxd_reply_perm_files[@]}"; echo ":"; }
31524 Segmentation fault (core dumped) | sh
./Software/ptxdist-2020.05.0/rules/image-root-tgz.make:29: recipe for target './Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz' failed
make: *** [./Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz] Error 139

In the system log I get something like:

"vmunix: [132753.581596] sh[10747]: segfault at 7ffe5bdf1fe8 ip 7fdb0b04930e sp 7ffe5bdf1fe0 error 6 in libc-2.27.so[7fdb0afb5000+1e7000]"

I have to say that I rarely, if ever, see this type of crash, and the build finishes OK with ptxdist-2020.02.0.

Any pointers on how I can fix or debug this are greatly appreciated.

Huh, I've never seen anything like this. Some things to test. Take a look at scripts/lib/ptxd_make_image_prepare_work_dir.sh in PTXdist. The relevant code is there. Line 50ff. If you change line 56 to something like this:

} | tee /tmp/ptxdist-sh-test.txt | sh &&

Then this will save the exact code that the shell executes when it crashed. Maybe we can find some clues there.

But it's probably a bug in 'sh'. What's your /bin/sh anyways? For me it's a link to 'dash' but sometimes it's a bash. You could explicitly try the other here instead of 'sh' to see if that crashes as well.

Michael

Hello Michael and thanks for the hint,

first things first, the shell is the GNU bash, I've changed it via the update-alternatives, because more than one time I've had issues with scripts that call /bin/sh, but assume that is bash.

The logging tap collected the following file:

"cd './Software/Firmware/platform-MCIMX6ULL-EVK/build-target/image-root-tgz' || exit
chmod 0755 './' &&
chown 0.0 './' &&
chmod 0755 './usr' &&
chown 0.0 './usr' &&
chmod 0755 './usr/sbin' &&
chown 0.0 './usr/sbin' &&
...
!!! Another >>>71940<<< similar lines !!!
...
chmod 0755 './usr/bin/cpuburn-a9' &&
chown 0.0 './usr/bin/cpuburn-a9' &&
:"

Is this just a "cool way" to execute a quadrillion of commands, by exploiting to the limit the AND_IF (&&) construct to exit on error, or is there a deeper purpose?

I could see that some other cool programmer tried some optimization somewhere in bash and these two worlds collided hard, now that full Perl and Python packages add a few tens of thousands of files to the image that need their permissions fixed.

I'll have a look if there was another way to do it (how was it done in 2020.03.0 and lower, could it be that only two lines have been used like: chmod -R * && chown -R 0.0 * und fertig ;) ?!?) and see if I could reproduce it, to make an Ubuntu bug report.

Other ideas and solutions are most welcome.

Thanks for your help,

Mircea
Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On Fri, 2020-05-15 at 13:21 +0200, Bastian Krause wrote:
> I guess if we first append a file with no EOL at the end and then
> append something else this can lead to..
>
> "-END CERTIFICATE--BEGIN CERTIFICATE-"
>
> .. on a single line.

Yes, this is the case I was thinking of.

> Is there a smart way of adding an EOL? Or should we always append a
> final new line? Does this break any known usecases?

Empty lines don't hurt here, so always adding one seems the safe and simple solution.

Regards,
Jan
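The fix agreed on above (always append a newline), set beside the plain `cat` append, as an added example that is not part of the thread or of PTXdist's code. The function names and the constructed PEM-shaped sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not PTXdist code): appending PEM certificates to a keyring
# file so that END and BEGIN markers never end up on one line.
# All function names below are hypothetical.

BEGIN_MARK='-----BEGIN CERTIFICATE-----'
END_MARK='-----END CERTIFICATE-----'

# Write a constructed PEM-shaped block WITHOUT a trailing newline, which is
# the input that triggers the problem. The body is dummy text, not a real
# certificate.
make_pem_without_eol() {
	printf '%s\n%s\n%s' "${BEGIN_MARK}" "Q09OU1RSVUNURUQ=" "${END_MARK}" > "$1"
}

# Plain concatenation: the next appended file starts on the last line of
# the previous one if that one had no EOL.
append_naive() {
	cat "$2" >> "$1"
}

# Always add a newline after the appended file. An empty line between two
# certificates is harmless, a missing line break is not.
append_with_newline() {
	cat "$2" >> "$1" && printf '\n' >> "$1"
}

# Number of certificates whose BEGIN marker sits alone on its line.
count_certs() {
	grep -c -x -F -e "${BEGIN_MARK}" "$1" || true
}

# Succeeds if an END marker is directly followed by a BEGIN marker on the
# same line, i.e. the keyring was damaged by an append without EOL.
has_fused_boundary() {
	grep -q -F -e "${END_MARK}${BEGIN_MARK}" "$1"
}

# Build a keyring from two EOL-less files with the given append function
# and print "<usable certs> <fused|clean>".
build_and_check() {
	append_fn="$1"
	dir="$(mktemp -d)" || return 1
	make_pem_without_eol "${dir}/a.pem"
	make_pem_without_eol "${dir}/b.pem"
	: > "${dir}/ca.pem"
	"${append_fn}" "${dir}/ca.pem" "${dir}/a.pem" &&
	"${append_fn}" "${dir}/ca.pem" "${dir}/b.pem" || { rm -rf "${dir}"; return 1; }
	if has_fused_boundary "${dir}/ca.pem"; then state=fused; else state=clean; fi
	echo "$(count_certs "${dir}/ca.pem") ${state}"
	rm -rf "${dir}"
}

build_and_check append_naive
build_and_check append_with_newline
```

`has_fused_boundary` can also be run against an existing keyring to find out whether an earlier append without EOL already damaged it.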
Re: [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check
On 5/15/20 9:55 AM, Michael Olbrich wrote: > On Thu, May 14, 2020 at 05:36:54PM +0200, Bastian Krause wrote: >> On 5/14/20 3:43 PM, Bastian Krause wrote: >>> Create a new rules/code-signing.in to be able to select CODE_SIGNING >>> not only in platformconfig but also in ptxconfig. >>> >>> Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if >>> PTXCONF_CODE_SIGNING is set. >>> >>> Signed-off-by: Bastian Krause >>> --- >>> rules/code-signing.make | 13 + >>> 1 file changed, 13 insertions(+) >>> create mode 100644 rules/code-signing.make >>> >>> diff --git a/rules/code-signing.make b/rules/code-signing.make >>> new file mode 100644 >>> index 0..db1c5ab88 >>> --- /dev/null >>> +++ b/rules/code-signing.make >>> @@ -0,0 +1,13 @@ >>> +# -*-makefile-*- >>> +# >>> +# Copyright (C) 2020 by Bastian Krause >>> +# >>> +# For further information about the PTXdist project and license conditions >>> +# see the README file. >>> +# >>> + >>> +ifdef PTXCONF_CODE_SIGNING >>> +ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),) >>> +$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly) >>> +endif >>> +endif >>> >> >> I accidentally dropped: >> >> diff --git a/rules/code-signing.in b/rules/code-signing.in >> new file mode 100644 >> --- /dev/null >> +++ b/rules/code-signing.in >> @@ -0,0 +1,4 @@ >> +## SECTION=hosttools_noprompt_ptx >> + >> +config CODE_SIGNING >> + bool >> >> Will add it again in v2. > > And sort the patch before the rauc changes. It's needed there. True. Regards, Bastian -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
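Review bot: In rules/code-signing.make the `ifeq` only catches an empty PTXCONF_CODE_SIGNING_PROVIDER, while the `$(error ...)` text says it "must be set correctly"; a non-empty value that names no existing provider passes this check. Either word the message to match what is tested (for example "PTXCONF_CODE_SIGNING_PROVIDER must not be empty when PTXCONF_CODE_SIGNING is set") or extend the check to confirm that the named provider exists. Since the commit message says CODE_SIGNING can now be selected from ptxconfig as well as platformconfig, the message should also say where the provider option is expected to be set.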
Re: [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification
On 5/15/20 9:58 AM, Michael Olbrich wrote: > On Thu, May 14, 2020 at 03:42:58PM +0200, Bastian Krause wrote: >> Note: requires genimage > 12 > > I think "genimage 13 or later" would be clearer here. On first glance I > thought that 12 is ok too and that's not correct. Right, will do. Regards, Bastian > > Michael > >> Signed-off-by: Bastian Krause >> --- >> config/images/rauc.config | 1 + >> rules/image-rauc.make | 3 ++- >> 2 files changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/config/images/rauc.config b/config/images/rauc.config >> index 8396bd4be..0c824f00e 100644 >> --- a/config/images/rauc.config >> +++ b/config/images/rauc.config >> @@ -13,5 +13,6 @@ image @IMAGE@ { >> " >> cert = "@RAUC_CERT@" >> key = "@RAUC_KEY@" >> +keyring = "@RAUC_KEYRING@" >> } >> } >> diff --git a/rules/image-rauc.make b/rules/image-rauc.make >> index a031edfae..c0c9d4978 100644 >> --- a/rules/image-rauc.make >> +++ b/rules/image-rauc.make >> @@ -32,7 +32,8 @@ IMAGE_RAUC_ENV = \ >> RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \ >> RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \ >> RAUC_KEY="$(shell cs_get_uri update)" \ >> -RAUC_CERT="$(shell cs_get_uri update)" >> +RAUC_CERT="$(shell cs_get_uri update)" \ >> +RAUC_KEYRING="$(shell cs_get_ca update)" >> >> $(IMAGE_RAUC_IMAGE): >> @$(call targetinfo) >> -- >> 2.26.2 >> >> >> ___ >> ptxdist mailing list >> ptxdist@pengutronix.de >> > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
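Review bot: In the rules/image-rauc.make hunk, `RAUC_KEYRING="$(shell cs_get_ca update)"` is always non-empty, because cs_get_ca (patch 04/13) only prints `${keydir}/${role}/ca.pem` and does not test that the file exists. If the active provider never appended a CA for the `update` role, the problem shows up only when genimage reads the `keyring` entry added to rauc.config. Consider failing early with a message that names the role and the missing file, and state in the commit message that providers must populate the CA for `update`; at the moment the message body carries only the genimage version note.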
Re: [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval
On 5/15/20 12:40 PM, Michael Olbrich wrote: > On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote: >> Use the keys provided by the currently active key provider via PKCS#11 >> instead of key files placed in the platform config directory. In order >> to make sure the new mechanics are used after a BSP update the rauc.key >> file is no longer allowed to exist in the platformconfig directory. >> >> Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3 >> >> Signed-off-by: Bastian Krause >> --- >> platforms/image-rauc.in | 1 + >> projectroot/etc/rauc/ca.cert.pem | 7 -- >> rules/image-rauc.make| 37 ++--- >> rules/rauc.in| 1 + >> rules/rauc.make | 11 ++- >> scripts/rauc-gen-test-certs.sh | 126 --- >> 6 files changed, 17 insertions(+), 166 deletions(-) >> delete mode 100644 projectroot/etc/rauc/ca.cert.pem >> delete mode 100755 scripts/rauc-gen-test-certs.sh >> >> diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in >> index 658ddd5cd..1f9427b40 100644 >> --- a/platforms/image-rauc.in >> +++ b/platforms/image-rauc.in >> @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC >> select HOST_GENIMAGE >> select HOST_RAUC >> select IMAGE_ROOT_TGZ >> +select CODE_SIGNING >> help >>This generates a RAUC update Bundle for the selected platform using >>genimage. >> diff --git a/projectroot/etc/rauc/ca.cert.pem >> b/projectroot/etc/rauc/ca.cert.pem >> deleted file mode 100644 >> index be1aa7c30..0 >> --- a/projectroot/etc/rauc/ca.cert.pem >> +++ /dev/null >> @@ -1,7 +0,0 @@ >> -# This is a dummy keyring file. Please overwrite this with one that matches >> -# your X.509 infrastructure if you intend to use RAUC for secure updates! >> -# >> -# If you really do not intend to actively use the security features (or for >> -# testing purpose) you may create a development certificate by executing the >> -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist >> -# installation. 
>> diff --git a/rules/image-rauc.make b/rules/image-rauc.make >> index 839cb400b..a031edfae 100644 >> --- a/rules/image-rauc.make >> +++ b/rules/image-rauc.make 
>> @@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG:= rauc.config >> >> ifdef PTXCONF_IMAGE_RAUC >> >> -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem) >> -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, >> config/rauc/rauc.cert.pem) >> - >> -IMAGE_RAUC_ENV := \ >> +IMAGE_RAUC_ENV = \ >> RAUC_BUNDLE_COMPATIBLE="$(call >> remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \ >> RAUC_BUNDLE_VERSION="$(call remove_quotes, >> $(PTXCONF_RAUC_BUNDLE_VERSION))" \ >> RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \ >> RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \ >> -RAUC_KEY=$(IMAGE_RAUC_KEY) \ >> -RAUC_CERT=$(IMAGE_RAUC_CERT) >> +RAUC_KEY="$(shell cs_get_uri update)" \ >> +RAUC_CERT="$(shell cs_get_uri update)" >> >> -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT) >> +$(IMAGE_RAUC_IMAGE): >> @$(call targetinfo) >> -@$(call image/genimage, IMAGE_RAUC) >> +@$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC) > > Why don't you add $(CODE_SIGNING_ENV) to IMAGE_RAUC_ENV instead? You're right, that's better. Regards, Bastian > >> @$(call finish) >> >> -$(IMAGE_RAUC_KEY): >> -@echo >> -@echo >> "" >> -@echo " Please place your signing key in >> config/rauc/rauc.key.pem. " >> -@echo "* >> *" >> -@echo "* Note: For test-purpose you can create one by running >> rauc-gen-certs.sh *" >> -@echo "* from the scripts/ folder of your PTXdist installation >> *" >> -@echo >> "" >> -@echo >> -@echo >> -@exit 1 >> - >> -$(IMAGE_RAUC_CERT): >> -@echo >> -@echo >> "" >> -@echo " Please place your signing certificate in >> config/rauc/rauc.cert.pem. ***" >> -@echo "* >> *" >> -@echo "* Note: For test-purpose you can create one by running >> rauc-gen-certs.sh *" >> -@echo "* from the scripts/ folder of your PTXdist installation >> *" >> -@echo >> "" >> -@echo >> -@echo >> -@exit 1 >> - >> endif >> >> # vim: syntax=make >> diff --git a/rules/rauc.in b/rules/rauc.in >> index d712bc7b9..56fc3ae3b 100644 >> --- a/rules/rauc.in >> +++ b/rules/rauc.in 
>> @@ -7,6 +7,7 @@ menuconfig RAUC >> select GLIB >> select
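Review bot: The rules/image-rauc.make hunk drops the `$(IMAGE_RAUC_KEY)` and `$(IMAGE_RAUC_CERT)` prerequisites together with the rules that told the user what to do when they were missing, and nothing replaces them: if `$(shell cs_get_uri update)` prints nothing, RAUC_KEY and RAUC_CERT reach genimage as empty strings. A check before `$(call image/genimage, IMAGE_RAUC)` that stops with a clear message when the URI is empty would keep the old behaviour of failing with guidance. The two assignments also run the same `cs_get_uri update` twice; one variable holding the result could feed both.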
Re: [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
On 5/15/20 12:37 PM, Michael Olbrich wrote: > On Thu, May 14, 2020 at 03:42:53PM +0200, Bastian Krause wrote: >> Key providers now take care of calling the CA helpers. This makes sure >> the CA is already present in pem format. Use that instead of extracting >> and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer >> a dependency of template-barebox-imx-habv4. >> >> Note: requires ptx-code-signing-dev > 0.3 > > "0.4 or later" Okay. Regards, Bastian > >> Signed-off-by: Bastian Krause >> --- >> rules/templates/template-barebox-imx-habv4-in | 1 - >> scripts/lib/ptxd_lib_imx_hab.sh | 16 >> 2 files changed, 8 insertions(+), 9 deletions(-) >> >> diff --git a/rules/templates/template-barebox-imx-habv4-in >> b/rules/templates/template-barebox-imx-habv4-in >> index af3e59986..16258cbee 100644 >> --- a/rules/templates/template-barebox-imx-habv4-in >> +++ b/rules/templates/template-barebox-imx-habv4-in >> @@ -3,7 +3,6 @@ >> config BAREBOX_@PACKAGE@ >> tristate >> select CODE_SIGNING >> -select HOST_EXTRACT_CERT >> select HOST_IMX_CST >> prompt "Barebox (@package@)" >> help >> diff --git a/scripts/lib/ptxd_lib_imx_hab.sh >> b/scripts/lib/ptxd_lib_imx_hab.sh >> index 034bf82b2..781c1b3f6 100644 >> --- a/scripts/lib/ptxd_lib_imx_hab.sh >> +++ b/scripts/lib/ptxd_lib_imx_hab.sh 
>> @@ -26,24 +26,24 @@ ptxd_make_imx_habv4_gen_table_impl() { >> local template="${1}" >> local table_bin="${pkg_build_dir}/imx-srk-table.bin" >> local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin" >> -local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/imx-habv4.XX")" >> +local -a certs >> >> echo -e "generating $(basename ${table_bin}) and $(basename >> ${srk_fuse_bin})\n" >> >> for i in 1 2 3 4; do >> -local t=$(printf "${template}" "${i}") >> -local uri=$(cs_get_uri "$t") >> +certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")" >> +done >> >> -ptxd_exec extract-cert "${uri}" ${tmpdir}/srk${i}.der && >> -ptxd_exec openssl x509 -inform der -in ${tmpdir}/srk${i}.der \ >> --out ${tmpdir}/srk${i}.pem || break >> -done && >> +local orig_IFS="${IFS}" >> +IFS="," >> +certs="${certs[*]}" >> +IFS="${orig_IFS}" >> >> ptxd_exec srktool --hab_ver 4 \ >> --table "${table_bin}" \ >> --efuses "${srk_fuse_bin}" \ >> --digest sha256 \ >> ---certs >> ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem >> +--certs "${certs}" >> } >> export -f ptxd_make_imx_habv4_gen_table_impl >> >> -- >> 2.26.2 >> >> >> ___ >> ptxdist mailing list >> ptxdist@pengutronix.de >> > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
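Review bot: In ptxd_make_imx_habv4_gen_table_impl the old loop stopped on the first failure (`|| break`, then `done &&`) and produced exactly one certificate per SRK, whereas the new loop cannot fail and hands srktool each role's whole `ca.pem`. Since cs_append_ca_from_pem (patch 04/13) appends to that file, a role whose CA was appended to more than once would put several certificates into one SRK slot, and a role that was never populated is noticed only by srktool. A check before the srktool call that each of the four files exists and holds a single certificate would keep the SRK table and fuse file tied to the intended keys. Separately, `certs="${certs[*]}"` overwrites element 0 of the array with the joined list; a second scalar variable would make that step easier to read.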
Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On 5/15/20 12:36 PM, Michael Olbrich wrote: > On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote: >> These helpers allow key providers to append certificates to their CA. >> 'cs_get_ca ' then returns the path to the keyring allowing rules >> and other helpers to retrieve it easily. >> >> Signed-off-by: Bastian Krause >> --- >> scripts/lib/ptxd_lib_code_signing.sh | 63 >> 1 file changed, 63 insertions(+) >> >> diff --git a/scripts/lib/ptxd_lib_code_signing.sh >> b/scripts/lib/ptxd_lib_code_signing.sh >> index f93f183df..571fe6806 100644 >> --- a/scripts/lib/ptxd_lib_code_signing.sh >> +++ b/scripts/lib/ptxd_lib_code_signing.sh 
>> @@ -261,3 +261,66 @@ cs_import_key_from_pem() { >> cs_import_privkey_from_pem "${role}" "${pem}" >> } >> export -f cs_import_key_from_pem >> + >> +# >> +# cs_get_ca >> +# >> +# Get the path to the CA in pem format from a role >> +# >> +cs_get_ca() { >> +local role="${1}" >> +cs_init_variables >> + >> +echo "${keydir}/${role}/ca.pem" >> +} >> +export -f cs_get_ca >> + >> +# >> +# cs_append_ca_from_pem >> +# >> +# Append PEM to CA for a role >> +# >> +cs_append_ca_from_pem() { >> +local role="${1}" >> +local pem="${2}" >> +cs_init_variables >> + >> +cat "${pem}" >> "${keydir}/${role}/ca.pem" > > Jan, is this correct? I think you said something about extra newlines that > may be needed? I guess if we first append a file with no EOL at the end and then append something else this can lead to.. "-END CERTIFICATE--BEGIN CERTIFICATE-" .. on a single line. Is there a smart way of adding an EOL? Or should we always append a final new line? Does this break any known usecases? Regards, Bastian > >> +} >> +export -f cs_append_ca_from_pem >> + >> +# >> +# cs_append_ca_from_der >> +# >> +# Append DER to CA for a role >> +# >> +cs_append_ca_from_der() { >> +local role="${1}" >> +local der="${2}" >> +cs_init_variables >> + >> +ptxd_exec openssl x509 -inform der -in "${der}" \ >> +-out "${tmpdir}/ca.pem" && >> +cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" >> +} >> +export -f cs_append_ca_from_der >> + >> +# >> +# cs_append_ca_from_uri [] >> +# >> +# Append certificate specified by URI or by already set URI to CA for a role >> +# >> +cs_append_ca_from_uri() { >> +local role="${1}" >> +local uri="${2}" >> +local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")" >> +cs_init_variables >> + >> +if [ -z "${uri}" ]; then >> +uri=$(cs_get_uri "${role}") >> +fi >> + >> +ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && >> +cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" >> +} >> +export -f cs_append_ca_from_uri >> -- >> 2.26.2 >> >> >> ___ >> ptxdist mailing list >> 
ptxdist@pengutronix.de >> > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
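Review bot: cs_append_ca_from_der writes to `${tmpdir}/ca.pem`, but `tmpdir` is declared only in cs_append_ca_from_uri (`local tmpdir="$(mktemp -d ...)"`), so the function works only when reached through that caller; a key provider calling cs_append_ca_from_der directly gets an empty `tmpdir` unless cs_init_variables happens to set one. Create the temporary directory in cs_append_ca_from_der itself or pass the output path in as an argument. Also, `cat "${pem}" >> "${keydir}/${role}/ca.pem"` appends unconditionally, so running a provider twice against the same `keydir` duplicates entries; the comment block above cs_append_ca_from_pem should say whether callers are expected to start from an empty file.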
Re: [ptxdist] [PATCH 10/13] rauc/image-rauc: use code signing infrastructure for key retrieval
On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote: > Use the keys provided by the currently active key provider via PKCS#11 > instead of key files placed in the platform config directory. In order > to make sure the new mechanics are used after a BSP update the rauc.key > file is no longer allowed to exist in the platformconfig directory. > > Note: requires genimage >= v12 and ptx-code-signing-dev > 0.3 > > Signed-off-by: Bastian Krause > --- > platforms/image-rauc.in | 1 + > projectroot/etc/rauc/ca.cert.pem | 7 -- > rules/image-rauc.make| 37 ++--- > rules/rauc.in| 1 + > rules/rauc.make | 11 ++- > scripts/rauc-gen-test-certs.sh | 126 --- > 6 files changed, 17 insertions(+), 166 deletions(-) > delete mode 100644 projectroot/etc/rauc/ca.cert.pem > delete mode 100755 scripts/rauc-gen-test-certs.sh > > diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in > index 658ddd5cd..1f9427b40 100644 > --- a/platforms/image-rauc.in > +++ b/platforms/image-rauc.in > @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC > select HOST_GENIMAGE > select HOST_RAUC > select IMAGE_ROOT_TGZ > + select CODE_SIGNING > help > This generates a RAUC update Bundle for the selected platform using > genimage. > diff --git a/projectroot/etc/rauc/ca.cert.pem > b/projectroot/etc/rauc/ca.cert.pem > deleted file mode 100644 > index be1aa7c30..0 > --- a/projectroot/etc/rauc/ca.cert.pem > +++ /dev/null > @@ -1,7 +0,0 @@ > -# This is a dummy keyring file. Please overwrite this with one that matches > -# your X.509 infrastructure if you intend to use RAUC for secure updates! > -# > -# If you really do not intend to actively use the security features (or for > -# testing purpose) you may create a development certificate by executing the > -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist > -# installation. > diff --git a/rules/image-rauc.make b/rules/image-rauc.make > index 839cb400b..a031edfae 100644 > --- a/rules/image-rauc.make > +++ b/rules/image-rauc.make 
> @@ -26,46 +26,19 @@ IMAGE_RAUC_CONFIG := rauc.config > > ifdef PTXCONF_IMAGE_RAUC > > -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem) > -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, > config/rauc/rauc.cert.pem) > - > -IMAGE_RAUC_ENV := \ > +IMAGE_RAUC_ENV = \ > RAUC_BUNDLE_COMPATIBLE="$(call > remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \ > RAUC_BUNDLE_VERSION="$(call remove_quotes, > $(PTXCONF_RAUC_BUNDLE_VERSION))" \ > RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \ > RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \ > - RAUC_KEY=$(IMAGE_RAUC_KEY) \ > - RAUC_CERT=$(IMAGE_RAUC_CERT) > + RAUC_KEY="$(shell cs_get_uri update)" \ > + RAUC_CERT="$(shell cs_get_uri update)" > > -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT) > +$(IMAGE_RAUC_IMAGE): > @$(call targetinfo) > - @$(call image/genimage, IMAGE_RAUC) > + @$(CODE_SIGNING_ENV) $(call image/genimage, IMAGE_RAUC) Why don't you add $(CODE_SIGNING_ENV) to IMAGE_RAUC_ENV instead? Michael > @$(call finish) > > -$(IMAGE_RAUC_KEY): > - @echo > - @echo > "" > - @echo " Please place your signing key in > config/rauc/rauc.key.pem. " > - @echo "* > *" > - @echo "* Note: For test-purpose you can create one by running > rauc-gen-certs.sh *" > - @echo "* from the scripts/ folder of your PTXdist installation > *" > - @echo > "" > - @echo > - @echo > - @exit 1 > - > -$(IMAGE_RAUC_CERT): > - @echo > - @echo > "" > - @echo " Please place your signing certificate in > config/rauc/rauc.cert.pem. ***" > - @echo "* > *" > - @echo "* Note: For test-purpose you can create one by running > rauc-gen-certs.sh *" > - @echo "* from the scripts/ folder of your PTXdist installation > *" > - @echo > "" > - @echo > - @echo > - @exit 1 > - > endif > > # vim: syntax=make > diff --git a/rules/rauc.in b/rules/rauc.in > index d712bc7b9..56fc3ae3b 100644 > --- a/rules/rauc.in > +++ b/rules/rauc.in 
> @@ -7,6 +7,7 @@ menuconfig RAUC > select GLIB > select GLIB_LIBMOUNT > select HOST_GLIB > + select CODE_SIGNING > select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR > select BUSYBOX_FEATURE_TAR_AUTODETECT
Re: [ptxdist] [PATCH 06/13] ptxd_lib_imx_hab/template-barebox-imx-habv4: use cs_get_ca helper
On Thu, May 14, 2020 at 03:42:53PM +0200, Bastian Krause wrote: > Key providers now take care of calling the CA helpers. This makes sure > the CA is already present in pem format. Use that instead of extracting > and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer > a dependency of template-barebox-imx-habv4. > > Note: requires ptx-code-signing-dev > 0.3 "0.4 or later" Michael > Signed-off-by: Bastian Krause > --- > rules/templates/template-barebox-imx-habv4-in | 1 - > scripts/lib/ptxd_lib_imx_hab.sh | 16 > 2 files changed, 8 insertions(+), 9 deletions(-) > > diff --git a/rules/templates/template-barebox-imx-habv4-in > b/rules/templates/template-barebox-imx-habv4-in > index af3e59986..16258cbee 100644 > --- a/rules/templates/template-barebox-imx-habv4-in > +++ b/rules/templates/template-barebox-imx-habv4-in > @@ -3,7 +3,6 @@ > config BAREBOX_@PACKAGE@ > tristate > select CODE_SIGNING > - select HOST_EXTRACT_CERT > select HOST_IMX_CST > prompt "Barebox (@package@)" > help > diff --git a/scripts/lib/ptxd_lib_imx_hab.sh b/scripts/lib/ptxd_lib_imx_hab.sh > index 034bf82b2..781c1b3f6 100644 > --- a/scripts/lib/ptxd_lib_imx_hab.sh > +++ b/scripts/lib/ptxd_lib_imx_hab.sh 
> @@ -26,24 +26,24 @@ ptxd_make_imx_habv4_gen_table_impl() { > local template="${1}" > local table_bin="${pkg_build_dir}/imx-srk-table.bin" > local srk_fuse_bin="${pkg_build_dir}/imx-srk-fuse.bin" > -local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/imx-habv4.XX")" > +local -a certs > > echo -e "generating $(basename ${table_bin}) and $(basename > ${srk_fuse_bin})\n" > > for i in 1 2 3 4; do > - local t=$(printf "${template}" "${i}") > - local uri=$(cs_get_uri "$t") > + certs[${#certs[*]}]="$(cs_get_ca "$(printf "${template}" ${i})")" > +done > > - ptxd_exec extract-cert "${uri}" ${tmpdir}/srk${i}.der && > - ptxd_exec openssl x509 -inform der -in ${tmpdir}/srk${i}.der \ > - -out ${tmpdir}/srk${i}.pem || break > -done && > +local orig_IFS="${IFS}" > +IFS="," > +certs="${certs[*]}" > +IFS="${orig_IFS}" > > ptxd_exec srktool --hab_ver 4 \ > --table "${table_bin}" \ > --efuses "${srk_fuse_bin}" \ > --digest sha256 \ > - --certs > ${tmpdir}/srk1.pem,${tmpdir}/srk2.pem,${tmpdir}/srk3.pem,${tmpdir}/srk4.pem > + --certs "${certs}" > } > export -f ptxd_make_imx_habv4_gen_table_impl > > -- > 2.26.2 > > > ___ > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote: > These helpers allow key providers to append certificates to their CA. > 'cs_get_ca ' then returns the path to the keyring allowing rules > and other helpers to retrieve it easily. > > Signed-off-by: Bastian Krause > --- > scripts/lib/ptxd_lib_code_signing.sh | 63 > 1 file changed, 63 insertions(+) > > diff --git a/scripts/lib/ptxd_lib_code_signing.sh > b/scripts/lib/ptxd_lib_code_signing.sh > index f93f183df..571fe6806 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh 
> @@ -261,3 +261,66 @@ cs_import_key_from_pem() { > cs_import_privkey_from_pem "${role}" "${pem}" > } > export -f cs_import_key_from_pem > + > +# > +# cs_get_ca > +# > +# Get the path to the CA in pem format from a role > +# > +cs_get_ca() { > +local role="${1}" > +cs_init_variables > + > +echo "${keydir}/${role}/ca.pem" > +} > +export -f cs_get_ca > + > +# > +# cs_append_ca_from_pem > +# > +# Append PEM to CA for a role > +# > +cs_append_ca_from_pem() { > +local role="${1}" > +local pem="${2}" > +cs_init_variables > + > +cat "${pem}" >> "${keydir}/${role}/ca.pem" Jan, is this correct? I think you said something about extra newlines that may be needed? Michael > +} > +export -f cs_append_ca_from_pem > + > +# > +# cs_append_ca_from_der > +# > +# Append DER to CA for a role > +# > +cs_append_ca_from_der() { > +local role="${1}" > +local der="${2}" > +cs_init_variables > + > +ptxd_exec openssl x509 -inform der -in "${der}" \ > + -out "${tmpdir}/ca.pem" && > +cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" > +} > +export -f cs_append_ca_from_der > + > +# > +# cs_append_ca_from_uri [] > +# > +# Append certificate specified by URI or by already set URI to CA for a role > +# > +cs_append_ca_from_uri() { > +local role="${1}" > +local uri="${2}" > +local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")" > +cs_init_variables > + > +if [ -z "${uri}" ]; then > + uri=$(cs_get_uri "${role}") > +fi > + > +ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && > +cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" > +} > +export -f cs_append_ca_from_uri > -- > 2.26.2 > > > ___ > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
Re: [ptxdist] Segmentation fault with ptxdist-2020.05.0
On 15.05.20 09:59, Alexander Dahl wrote:

Hello Mircea,

On Fri, May 15, 2020 at 09:40:45AM +0200, Mircea Ciocan wrote:

The main problem is that the older releases as 2020.05.0 doesn't compile the toolchain correctly.

Which toolchain? If you compile the OSELAS Toolchain by yourself (instead of e.g. using the prepackaged binary toolchains from [1]), you should use _exactly_ the ptxdist version the toolchain project is configured for. For example if you want to build OSELAS Toolchain v2019.09.1 you should use exactly ptxdist-2020.02.0 to build that toolchain.

This is exactly what I was doing, I've used 2020.02 because it was around for the toolchain, but wanted the updated stuff in the newer versions.

You can (and probably should) use a newer ptxdist version to build your BSP then.

I've tried that and kind of failed as described :(, now I'll retry with the hint from Michael for data collection and see what's coming of it. It's not every day that one sees this kind of bug in bash.

Greets
Alex

Cheers,
Mircea
Re: [ptxdist] Segmentation fault with ptxdist-2020.05.0
Hello Mircea,

On Fri, May 15, 2020 at 09:40:45AM +0200, Mircea Ciocan wrote:
> The main problem is that the older releases as 2020.05.0 doesn't compile the
> toolchain correctly.

Which toolchain? If you compile the OSELAS Toolchain by yourself (instead of e.g. using the prepackaged binary toolchains from [1]), you should use _exactly_ the ptxdist version the toolchain project is configured for. For example if you want to build OSELAS Toolchain v2019.09.1 you should use exactly ptxdist-2020.02.0 to build that toolchain.

You can (and probably should) use a newer ptxdist version to build your BSP then.

Greets
Alex

[1] http://debian.pengutronix.de/

--
/"\ ASCII RIBBON | »With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably.«
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)
Re: [ptxdist] [PATCH 11/13] image-rauc: enable keyring verification
On Thu, May 14, 2020 at 03:42:58PM +0200, Bastian Krause wrote: > Note: requires genimage > 12 I think "genimage 13 or later" would be clearer here. On first glance I thought that 12 is ok too and that's not correct. Michael > Signed-off-by: Bastian Krause > --- > config/images/rauc.config | 1 + > rules/image-rauc.make | 3 ++- > 2 files changed, 3 insertions(+), 1 deletion(-) > > diff --git a/config/images/rauc.config b/config/images/rauc.config > index 8396bd4be..0c824f00e 100644 > --- a/config/images/rauc.config > +++ b/config/images/rauc.config > @@ -13,5 +13,6 @@ image @IMAGE@ { > " > cert = "@RAUC_CERT@" > key = "@RAUC_KEY@" > + keyring = "@RAUC_KEYRING@" > } > } > diff --git a/rules/image-rauc.make b/rules/image-rauc.make > index a031edfae..c0c9d4978 100644 > --- a/rules/image-rauc.make > +++ b/rules/image-rauc.make > @@ -32,7 +32,8 @@ IMAGE_RAUC_ENV = \ > RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \ > RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \ > RAUC_KEY="$(shell cs_get_uri update)" \ > - RAUC_CERT="$(shell cs_get_uri update)" > + RAUC_CERT="$(shell cs_get_uri update)" \ > + RAUC_KEYRING="$(shell cs_get_ca update)" > > $(IMAGE_RAUC_IMAGE): > @$(call targetinfo) > -- > 2.26.2 > > > ___ > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
Re: [ptxdist] [PATCH 13/13] code-signing: introduce for ptxconfig, add sanity check
On Thu, May 14, 2020 at 05:36:54PM +0200, Bastian Krause wrote: > On 5/14/20 3:43 PM, Bastian Krause wrote: > > Create a new rules/code-signing.in to be able to select CODE_SIGNING > > not only in platformconfig but also in ptxconfig. > > > > Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if > > PTXCONF_CODE_SIGNING is set. > > > > Signed-off-by: Bastian Krause > > --- > > rules/code-signing.make | 13 + > > 1 file changed, 13 insertions(+) > > create mode 100644 rules/code-signing.make > > > > diff --git a/rules/code-signing.make b/rules/code-signing.make > > new file mode 100644 > > index 0..db1c5ab88 > > --- /dev/null > > +++ b/rules/code-signing.make > > @@ -0,0 +1,13 @@ > > +# -*-makefile-*- > > +# > > +# Copyright (C) 2020 by Bastian Krause > > +# > > +# For further information about the PTXdist project and license conditions > > +# see the README file. > > +# > > + > > +ifdef PTXCONF_CODE_SIGNING > > +ifeq ($(call remove_quotes,$(PTXCONF_CODE_SIGNING_PROVIDER)),) > > +$(error PTXCONF_CODE_SIGNING_PROVIDER must be set correctly) > > +endif > > +endif > > > > I accidentally dropped: > > diff --git a/rules/code-signing.in b/rules/code-signing.in > new file mode 100644 > --- /dev/null > +++ b/rules/code-signing.in > @@ -0,0 +1,4 @@ > +## SECTION=hosttools_noprompt_ptx > + > +config CODE_SIGNING > + bool > > Will add it again in v2. And sort the patch before the rauc changes. It's needed there. Michael -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
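Review bot: The `ifeq` in rules/code-signing.make only tests that PTXCONF_CODE_SIGNING_PROVIDER is non-empty after remove_quotes, while both the commit message and the `$(error ...)` text say it must be set "correctly"; a misspelled or nonexistent provider name still passes this check. Either word the error to match what is tested (the provider is empty) or extend the check to confirm that the named provider exists.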
Re: [ptxdist] Segmentation fault with ptxdist-2020.05.0
On Fri, May 15, 2020 at 09:40:45AM +0200, Mircea Ciocan wrote:
> More information about the subject:
>
> I've repeated the compilation with all releases since 2020.02.0, the same
> config and machine as described under (sorry for top posting):
>
> - 2020.02.0 - works OK
>
> - 2020.03.0 - works OK
>
> - 2020.04.0 - crashes, bash segfault.
>
> - 2020.05.0 - crashes, same bash segfault, in the same place.
>
> So the regression is between 2020.03.0 and 2020.04.0, I'll try a diff, maybe
> I can spot what went wrong, but I could use your kind help.

I've mentioned the 'tee' in my other mail. The output there is probably what
you want to diff.

Michael

> The main problem is that the older releases as 2020.05.0 doesn't compile the
> toolchain correctly.
>
> Best regards,
>
> Mircea
>
>
> On 14.05.20 15:36, Mircea Ciocan wrote:
> > Hello list,
> >
> > I have the most strange error with the ptxdist-2020.05.0 while trying to
> > compile a simple image for the iMX6ULL EVK, the shell segfaults !!!
> >
> > Here is some information that you could find useful:
> >
> > Distribution: Ubuntu 18.04 LTS, 8GB RAM, current updates.
> >
> > System shell set to bash.
> >
> > The compilation of everything goes perfectly OK, but while building the
> > root filesystem image it crashes, always in the same place (100%
> > reproducible), when adding the net-dns-perl package, with the following
> > message:
> >
> > info: selected ptxconfig:
> > 'configs/platform-mcimx6ull-evk/ptxconfig.tiny'
> > ptxdist: warning: No dev packages found in
> > 'Firmware/packages-MCIMX6ULL-EVK'
> >
> > ...[snip]...
> >
> > [compilation goes OK]
> >
> >
> > target: root.tgz
> >
> > ...[snip]...
> >
> > Configuring readline.
> > Configuring net-dns-perl.
> > environment: line 1: 31523 Done { echo "cd
> > '${work_dir}' || exit"; ptxd_dopermissions
> > "${ptxd_reply_perm_files[@]}"; echo ":"; }
> > 31524 Segmentation fault (core dumped) | sh
> > ./Software/ptxdist-2020.05.0/rules/image-root-tgz.make:29: recipe for
> > target './Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz'
> > failed
> >
> > make: *** [./Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz]
> > Error 139
> >
> >
> > In the system log I get something like:
> >
> > "vmunix: [132753.581596] sh[10747]: segfault at 7ffe5bdf1fe8 ip
> > 7fdb0b04930e sp 7ffe5bdf1fe0 error 6 in
> > libc-2.27.so[7fdb0afb5000+1e7000]"
> >
> >
> > I have to say that I rarely, if ever, see this type of crash, and the
> > build finishes OK with ptxdist-2020.02.0. Any pointers on how I can fix
> > or debug this are greatly appreciated.
> >
> >
> > Best regards,
> >
> > Mircea
Re: [ptxdist] Segmentation fault with ptxdist-2020.05.0
On Thu, May 14, 2020 at 03:36:44PM +0200, Mircea Ciocan wrote:
> Hello list,
>
> I have the most strange error with the ptxdist-2020.05.0 while trying to
> compile a simple image for the iMX6ULL EVK, the shell segfaults !!!
>
> Here is some information that you could find useful:
>
> Distribution: Ubuntu 18.04 LTS, 8GB RAM, current updates.
>
> System shell set to bash.
>
> The compilation of everything goes perfectly OK, but while building the root
> filesystem image it crashes, always in the same place (100% reproducible),
> when adding the net-dns-perl package, with the following message:
>
> info: selected ptxconfig:
> 'configs/platform-mcimx6ull-evk/ptxconfig.tiny'
> ptxdist: warning: No dev packages found in 'Firmware/packages-MCIMX6ULL-EVK'
>
> ...[snip]...
>
> [compilation goes OK]
>
>
> target: root.tgz
>
> ...[snip]...
>
> Configuring readline.
> Configuring net-dns-perl.
> environment: line 1: 31523 Done { echo "cd '${work_dir}'
> || exit"; ptxd_dopermissions "${ptxd_reply_perm_files[@]}"; echo ":"; }
> 31524 Segmentation fault (core dumped) | sh
> ./Software/ptxdist-2020.05.0/rules/image-root-tgz.make:29: recipe for target
> './Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz' failed
>
> make: *** [./Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz] Error
> 139
>
>
> In the system log I get something like:
>
> "vmunix: [132753.581596] sh[10747]: segfault at 7ffe5bdf1fe8 ip
> 7fdb0b04930e sp 7ffe5bdf1fe0 error 6 in
> libc-2.27.so[7fdb0afb5000+1e7000]"
>
>
> I have to say that I rarely, if ever, see this type of crash, and the build
> finishes OK with ptxdist-2020.02.0. Any pointers on how I can fix or debug
> this are greatly appreciated.

Huh, I've never seen anything like this. Some things to test.

Take a look at scripts/lib/ptxd_make_image_prepare_work_dir.sh in PTXdist. The
relevant code is there. Line 50ff.

If you change line 56 to something like this:

	} | tee /tmp/ptxdist-sh-test.txt | sh &&

Then this will save the exact code that the shell executes when it crashed.
Maybe we can find some clues there.

But it's probably a bug in 'sh'. What's your /bin/sh anyways? For me it's a
link to 'dash' but sometimes it's a bash. You could explicitly try the other
here instead of 'sh' to see if that crashes as well.

Michael
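The two checks suggested in the mail above (what /bin/sh resolves to, and whether the other shell crashes on the same input), as an added example that is not part of the original mail or of PTXdist: it replays the file written by the suggested tee under sh, dash and bash and decodes exit statuses such as the 139 that make reported. The function names and the CAPTURE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: replay a captured script under each candidate shell.
# CAPTURE defaults to the path used in the mail; override it for other files.
CAPTURE="${CAPTURE:-/tmp/ptxdist-sh-test.txt}"

# Turn an exit status into a verdict. A status above 128 means the process
# was killed by signal (status - 128), so 139 is signal 11, SIGSEGV.
describe_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        name=$(kill -l "$sig" 2>/dev/null || echo "?")
        echo "killed by signal $sig ($name)"
    else
        echo "exit $status"
    fi
}

# Run the script with one shell; print "<shell> -> <real binary>: <verdict>".
replay_with() {
    shell_name="$1"; script="$2"
    shell_path=$(command -v "$shell_name") || { echo "$shell_name: not installed"; return 0; }
    # Resolve symlinks so a /bin/sh that is really dash or bash is visible.
    resolved=$(readlink -f "$shell_path" 2>/dev/null || echo "$shell_path")
    status=0
    "$shell_path" "$script" >/dev/null 2>&1 || status=$?
    echo "$shell_name -> $resolved: $(describe_status "$status")"
}

# Replay under sh (whatever it links to), dash and bash.
replay_all() {
    for s in sh dash bash; do
        replay_with "$s" "$1"
    done
}

# Only replay when the capture exists, so sourcing this file has no side effects.
if [ -f "$CAPTURE" ]; then
    replay_all "$CAPTURE"
fi
```

The capture contains the `cd` into the image work directory followed by the permission commands, so replaying it acts on that tree; run it against a build directory you can regenerate.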
Re: [ptxdist] Segmentation fault with ptxdist-2020.05.0
More information about the subject:

I've repeated the compilation with all releases since 2020.02.0, the same
config and machine as described under (sorry for top posting):

- 2020.02.0 - works OK

- 2020.03.0 - works OK

- 2020.04.0 - crashes, bash segfault.

- 2020.05.0 - crashes, same bash segfault, in the same place.

So the regression is between 2020.03.0 and 2020.04.0, I'll try a diff, maybe
I can spot what went wrong, but I could use your kind help.

The main problem is that the older releases as 2020.05.0 doesn't compile the
toolchain correctly.

Best regards,

Mircea


On 14.05.20 15:36, Mircea Ciocan wrote:

Hello list,

I have the most strange error with the ptxdist-2020.05.0 while trying to
compile a simple image for the iMX6ULL EVK, the shell segfaults !!!

Here is some information that you could find useful:

Distribution: Ubuntu 18.04 LTS, 8GB RAM, current updates.

System shell set to bash.

The compilation of everything goes perfectly OK, but while building the root
filesystem image it crashes, always in the same place (100% reproducible),
when adding the net-dns-perl package, with the following message:

info: selected ptxconfig: 'configs/platform-mcimx6ull-evk/ptxconfig.tiny'
ptxdist: warning: No dev packages found in 'Firmware/packages-MCIMX6ULL-EVK'

...[snip]...

[compilation goes OK]

target: root.tgz

...[snip]...

Configuring readline.
Configuring net-dns-perl.
environment: line 1: 31523 Done { echo "cd '${work_dir}' || exit"; ptxd_dopermissions "${ptxd_reply_perm_files[@]}"; echo ":"; }
31524 Segmentation fault (core dumped) | sh
./Software/ptxdist-2020.05.0/rules/image-root-tgz.make:29: recipe for target './Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz' failed

make: *** [./Software/Firmware/platform-MCIMX6ULL-EVK/images/root.tgz] Error 139

In the system log I get something like:

"vmunix: [132753.581596] sh[10747]: segfault at 7ffe5bdf1fe8 ip 7fdb0b04930e sp 7ffe5bdf1fe0 error 6 in libc-2.27.so[7fdb0afb5000+1e7000]"

I have to say that I rarely, if ever, see this type of crash, and the build
finishes OK with ptxdist-2020.02.0. Any pointers on how I can fix or debug
this are greatly appreciated.

Best regards,

Mircea