On 5/15/20 12:36 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
>> These helpers allow key providers to append certificates to their CA.
>> 'cs_get_ca ' then returns the path to the keyring allowing rules
>> and other helpers to retrieve it easily.
Note: requires genimage v13 or later
Signed-off-by: Bastian Krause
---
Changes since (implicit) v1:
- clarify required version of genimage in commit message
---
config/images/rauc.config | 1 +
rules/image-rauc.make | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git
It helps debugging failing mkimage calls.
Signed-off-by: Bastian Krause
---
scripts/lib/ptxd_make_fit_image.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/lib/ptxd_make_fit_image.sh
b/scripts/lib/ptxd_make_fit_image.sh
index 761d6bf1e..041c5b803 100644
---
This series includes various bug fixes and extensions of ptxdist's code
signing infrastructure and its consumers. This includes HAB barebox
images, signed FIT images and RAUC bundles. Real HSMs can now be used
for signing. Newly introduced helpers simplify CA handling.
Changes since implicit v1
These helpers allow key providers to append certificates to their CA.
'cs_get_ca ' then returns the path to the keyring allowing rules
and other helpers to retrieve it easily.
Signed-off-by: Bastian Krause
---
Changes since (implicit) v1:
- add new line when appending to a CA
---
srktool's help text states "certificate filenames must be separated by
a ',' with no spaces". Line continuation using "\" with the next line
being indented leads to a space being inserted between the SRK2
certificate and the SRK3 certificate.
srktool does not fail, but ignores everything after the
Signed-off-by: Bastian Krause
---
rules/templates/template-barebox-imx-habv4-make | 2 +-
scripts/lib/ptxd_lib_imx_hab.sh | 15 +--
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/rules/templates/template-barebox-imx-habv4-make
Create a new rules/code-signing.in to be able to select CODE_SIGNING
not only in platformconfig but also in ptxconfig.
Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is set correctly if
PTXCONF_CODE_SIGNING is set.
Signed-off-by: Bastian Krause
---
Changes since (implicit) v1:
- re-add
Having multiple "object=" occurrences in a single PKCS#11 URI does not
work for all cases, at least not for opensc-pkcs11. Thus u-boot's
PKCS#11 handling was patched to avoid overriding the object name when
it is already specified. The patch was sent upstream.
Signed-off-by: Bastian Krause
---
Signed-off-by: Bastian Krause
---
Note: newly added in v2.
---
rules/rauc.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/rauc.make b/rules/rauc.make
index f9a10fbbc..075a7d649 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -14,8 +14,8 @@
rules/code-signing.in belongs in platforms/, so move it there.
Signed-off-by: Bastian Krause
---
{rules => platforms}/code-signing.in | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename {rules => platforms}/code-signing.in (100%)
diff --git a/rules/code-signing.in
Signed-off-by: Bastian Krause
---
scripts/lib/ptxd_lib_code_signing.sh | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/lib/ptxd_lib_code_signing.sh
b/scripts/lib/ptxd_lib_code_signing.sh
index 588a4b1b4..f93f183df 100644
---
This includes a fix of a copy/paste error in import_rauc_keys's role.
Additionally the new helper cs_append_ca_from_uri is now used for RAUC
and HAB SRK roles. The helper function requires HOST_EXTRACT_CERT,
HOST_OPENSSL and HOST_LIBP11.
Signed-off-by: Bastian Krause
---
Changes since (implicit)
Use the keys provided by the currently active key provider via PKCS#11
instead of key files placed in the platform config directory. In order
to make sure the new mechanics are used after a BSP update the rauc.key
file is no longer allowed to exist in the platformconfig directory.
Note: requires
Until now only kernel and fdt are signed by mkimage. If a ramdisk is
used sign it also.
Unfortunately quotes are not usable in the alternative value of
variable parameter substitution ${parameter:+alt_value}:
Key providers now take care of calling the CA helpers. This makes sure
the CA is already present in pem format. Use that instead of extracting
and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer
a dependency of template-barebox-imx-habv4.
Note: requires ptx-code-signing-dev
On 5/15/20 9:55 AM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 05:36:54PM +0200, Bastian Krause wrote:
>> On 5/14/20 3:43 PM, Bastian Krause wrote:
>>> Create a new rules/code-signing.in to be able to select CODE_SIGNING
>>> not only in platformconfig but also in ptxconfig.
>>>
>>> Also make
On 5/15/20 9:58 AM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:58PM +0200, Bastian Krause wrote:
>> Note: requires genimage > 12
>
> I think "genimage 13 or later" would be clearer here. On first glance I
> thought that 12 is ok too and that's not correct.
Right, will do.
Regards,
On 15.05.20 15:02, Mircea Ciocan wrote:
On 15.05.20 09:46, Michael Olbrich wrote:
On Thu, May 14, 2020 at 03:36:44PM +0200, Mircea Ciocan wrote:
Hello list,
I have the most strange error with the ptxdist-2020.05.0 while
trying to
compile a simple image for the iMX6ULL EVK, the shell
Signed-off-by: Bastian Krause
---
rules/host-genimage.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/host-genimage.make b/rules/host-genimage.make
index 28d0d613a..baa69e3fb 100644
--- a/rules/host-genimage.make
+++ b/rules/host-genimage.make
@@ -14,8 +14,8 @@
On Fri, 2020-05-15 at 13:21 +0200, Bastian Krause wrote:
> I guess if we first append a file with no EOL at the end and then
> append something else this can lead to..
>
> "-END CERTIFICATE--BEGIN CERTIFICATE-"
>
> .. on a single line.
Yes, this is the case I was thinking of.
On 5/15/20 12:40 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote:
>> Use the keys provided by the currently active key provider via PKCS#11
>> instead of key files placed in the platform config directory. In order
>> to make sure the new mechanics are
On 5/15/20 12:37 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:53PM +0200, Bastian Krause wrote:
>> Key providers now take care of calling the CA helpers. This makes sure
>> the CA is already present in pem format. Use that instead of extracting
>> and converting the certs here again.
On 15.05.20 09:46, Michael Olbrich wrote:
On Thu, May 14, 2020 at 03:36:44PM +0200, Mircea Ciocan wrote:
Hello list,
I have the most strange error with the ptxdist-2020.05.0 while trying to
compile a simple image for the iMX6ULL EVK, the shell segfaults !!!
Here are some information, that
On Thu, May 14, 2020 at 05:36:54PM +0200, Bastian Krause wrote:
> On 5/14/20 3:43 PM, Bastian Krause wrote:
> > Create a new rules/code-signing.in to be able to select CODE_SIGNING
> > not only in platformconfig but also in ptxconfig.
> >
> > Also make sure that PTXCONF_CODE_SIGNING_PROVIDER is
On 15.05.20 09:59, Alexander Dahl wrote:
Hello Mircea,
On Fri, May 15, 2020 at 09:40:45AM +0200, Mircea Ciocan wrote:
The main problem is that the older releases as 2020.05.0 doesn't compile the
toolchain correctly.
Which toolchain? If you compile the OSELAS Toolchain by yourself
(instead of
More information about the subject:
I've repeated the compilation with all releases since 2020.02.0, the
same config and machine as described under (sorry for top posting):
- 2020.02.0 - works OK
- 2020.03.0 - works OK
- 2020.04.0 - crashes, bash segfault.
- 2020.05.0 - crashes, same bash
On Thu, May 14, 2020 at 03:36:44PM +0200, Mircea Ciocan wrote:
> Hello list,
>
> I have the most strange error with the ptxdist-2020.05.0 while trying to
> compile a simple image for the iMX6ULL EVK, the shell segfaults !!!
>
> Here are some information, that you could find useful:
>
>
On Fri, May 15, 2020 at 09:40:45AM +0200, Mircea Ciocan wrote:
> More information about the subject:
>
> I've repeated the compilation with all releases since 2020.02.0, the same
> config and machine as described under (sorry for top posting):
>
> - 2020.02.0 - works OK
>
> - 2020.03.0 - works
Hello Mircea,
On Fri, May 15, 2020 at 09:40:45AM +0200, Mircea Ciocan wrote:
> The main problem is that the older releases as 2020.05.0 doesn't compile the
> toolchain correctly.
Which toolchain? If you compile the OSELAS Toolchain by yourself
(instead of e.g. using the prepackaged binary
On Thu, May 14, 2020 at 03:42:58PM +0200, Bastian Krause wrote:
> Note: requires genimage > 12
I think "genimage 13 or later" would be clearer here. On first glance I
thought that 12 is ok too and that's not correct.
Michael
> Signed-off-by: Bastian Krause
> ---
> config/images/rauc.config |
On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
> These helpers allow key providers to append certificates to their CA.
> 'cs_get_ca ' then returns the path to the keyring allowing rules
> and other helpers to retrieve it easily.
>
> Signed-off-by: Bastian Krause
> ---
>
On Thu, May 14, 2020 at 03:42:53PM +0200, Bastian Krause wrote:
> Key providers now take care of calling the CA helpers. This makes sure
> the CA is already present in pem format. Use that instead of extracting
> and converting the certs here again. Thus HOST_EXTRACT_CERT is no longer
> a
On Thu, May 14, 2020 at 03:42:57PM +0200, Bastian Krause wrote:
> Use the keys provided by the currently active key provider via PKCS#11
> instead of key files placed in the platform config directory. In order
> to make sure the new mechanics are used after a BSP update the rauc.key
> file is no