Re: [RAUC] pass PEM passphrase in Yocto build

2022-03-18 Thread Jan Lübbe
Hi Reyhaneh,

On Fri, 2022-03-18 at 11:03 +, Yazdani, Reyhaneh wrote:
> > Yes. So far, nobody has implemented support for passing a private key
> > password to RAUC, as the security benefits are minimal compared to the
> > effort.
> [Reyhaneh] I asked here, since I wanted to be sure nothing has changed
> regarding implementation since six months. That is great you answered me
> quickly.

Besides the normal maintenance, most of the changes Enrico and myself are
contributing are driven by requirements from our customers (see streaming
support, encryption or the upcoming incremental block hash mode).

As we don't see password support as a useful feature (there are better
alternatives available), it's unlikely that Pengutronix will implement this.

Best regards,
Jan
-- 
Pengutronix e.K.   | |
Steuerwalder Str. 21   | http://www.pengutronix.de/  |
31137 Hildesheim, Germany  | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |

___
RAUC mailing list


Re: [RAUC] pass PEM passphrase in Yocto build

2022-03-18 Thread Yazdani, Reyhaneh
Hi Jan,

Thanks for your answer.

> -----Original Message-----
> From: Jan Lübbe
> Sent: Friday, 18 March 2022 11:44
> To: Yazdani, Reyhaneh ; rauc@pengutronix.de
> Subject: Re: [RAUC] pass PEM passphrase in Yocto build
> 
> Hi,
> 
> On Fri, 2022-03-18 at 10:32 +, Yazdani, Reyhaneh wrote:
> > Hi everyone,
> >
> > I am getting the below error when I was building the bundle by Yocto
> > with encrypted Root CA and ICA certificate.
> >
> …
> > | 139843920926528:error:0906406D:PEM routines:PEM_def_callback:problems getting password:../openssl-1.1.1l/crypto/pem/pem_lib.c:59:
> > | 139843920926528:error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad password read:../openssl-1.1.1l/crypto/pem/pem_pkey.c:64:
> …
> >
> > During my investigation, I found the below post from 6 months ago:
> > https://github.com/rauc/meta-rauc/issues/200
> 
> My recommendations in
> https://github.com/rauc/meta-rauc/issues/200#issuecomment-943085728 still stand.
> 
> > Based on this post, I cannot use any encrypted keys and Root-CA in
> > building a bundle in Yocto. Am I right?
> 
> Yes. So far, nobody has implemented support for passing a private key
> password to RAUC, as the security benefits are minimal compared to the
> effort.
[Reyhaneh] I asked here, since I wanted to be sure nothing has changed 
regarding implementation since six months. That is great you answered me 
quickly.

Best regards,
Reyhaneh
> 
> Regards,
> Jan
> --
> Pengutronix e.K.   | |
> Steuerwalder Str. 21   | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany  | Phone: +49-5121-206917-0|
> Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |

Re: [RAUC] pass PEM passphrase in Yocto build

2022-03-18 Thread Jan Lübbe
Hi,

On Fri, 2022-03-18 at 10:32 +, Yazdani, Reyhaneh wrote:
> Hi everyone,
>  
> I am getting the below error when I was building the bundle by Yocto with
> encrypted Root CA and ICA certificate.
> 
…
> | 139843920926528:error:0906406D:PEM routines:PEM_def_callback:problems getting password:../openssl-1.1.1l/crypto/pem/pem_lib.c:59:
> | 139843920926528:error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad password read:../openssl-1.1.1l/crypto/pem/pem_pkey.c:64:
…
>  
> During my investigation, I found the below post from 6 months ago:
> https://github.com/rauc/meta-rauc/issues/200

My recommendations in
https://github.com/rauc/meta-rauc/issues/200#issuecomment-943085728 still stand.

> Based on this post, I cannot use any encrypted keys and Root-CA in building a
> bundle in Yocto. Am I right?

Yes. So far, nobody has implemented support for passing a private key password
to RAUC, as the security benefits are minimal compared to the effort. 

Regards,
Jan
-- 
Pengutronix e.K.   | |
Steuerwalder Str. 21   | http://www.pengutronix.de/  |
31137 Hildesheim, Germany  | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |


Re: [RAUC] pass PEM passphrase in Yocto build

2022-03-18 Thread Enrico Jörns
Hi,

On Friday, 18.03.2022 at 10:32 +, Yazdani, Reyhaneh wrote:
> Hi everyone,
>  

didn't you ask the exact same question on the meta-rauc ML already?
(which also briefly hung in the review queue as you are not registered)
Please be so kind as not to double-post.

If you already found the related issue, is there a specific reason not to pick
this up there but to scatter information across different MLs instead? It would
be easier to handle this in the Issue.

And I fear nothing about this topic has changed since then.

Best regards

Enrico

> I am getting the below error when I was building the bundle by Yocto with
> encrypted Root CA and ICA certificate.
>  
> ERROR: p118-bundle-1.0-r0 do_bundle: Execution of '/build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-r0/temp/run.do_bundle.88428' failed with exit code 1
> ERROR: Logfile of failure stored in: /build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-r0/temp/log.do_bundle.88428
> Log data follows:
> | DEBUG: Executing shell function do_bundle
> | rauc-Message: 10:39:18.125: Debug log domains: 'rauc'
> | (rauc:88441): rauc-DEBUG: 10:39:18.126: bundle start
> | (rauc:88441): rauc-DEBUG: 10:39:18.126: system config not found, using default values
> | rauc-Message: 10:39:18.126: Failed to resolve realpath for '/dev/disk/by-uuid/e9b676c1-a65c-4677-b9df-b4e974452609'
> | (rauc:88441): rauc-DEBUG: 10:39:18.126: input directory: /build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-r0/bundle
> | (rauc:88441): rauc-DEBUG: 10:39:18.126: output bundle: /build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-r0/build/bundle.raucb
> | (rauc:88441): rauc-DEBUG: 10:39:30.140: Payload size: 497258496 bytes.
> | Creating bundle in 'plain' format
> | Enter PEM pass phrase:
> | Failed to create bundle: failed to sign bundle: failed to parse key file '/repo/meta-p118-bsp/conf/keys/ica.key.pem': while reading strings
> | 139843920926528:error:0906406D:PEM routines:PEM_def_callback:problems getting password:../openssl-1.1.1l/crypto/pem/pem_lib.c:59:
> | 139843920926528:error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad password read:../openssl-1.1.1l/crypto/pem/pem_pkey.c:64:
> | WARNING: exit code 1 from a shell command.
> | ERROR: Execution of '/build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-r0/temp/run.do_bundle.88428' failed with exit code 1
>  
> This is my local.conf:
>  
> RAUC_KEY_FILE ?= "${LAYERDIR}/conf/keys/ica.key.pem"
> RAUC_CERT_FILE ?= "${LAYERDIR}/conf/keys/ica.cert.pem"
> RAUC_KEYRING_FILE ?= "${LAYERDIR}/conf/keys/rauc.cert.pem"
> BUNDLE_ARGS += ' --intermediate="${LAYERDIR}/conf/keys/ica-certificate.pem" '
>  
> During my investigation, I found the below post from 6 months ago:
> https://github.com/rauc/meta-rauc/issues/200
>  
> Based on this post, I cannot use any encrypted keys and Root-CA in building a
> bundle in Yocto. Am I right?
>  
> Best regards,
> Reyhaneh 
>  

-- 
Pengutronix e.K.   | Enrico Jörns|
Embedded Linux Consulting & Support| https://www.pengutronix.de/ |
Steuerwalder Str. 21   | Phone: +49-5121-206917-180  |
31137 Hildesheim, Germany  | Fax:   +49-5121-206917-9|
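
As an added illustration (not code from this thread, from RAUC or from meta-rauc), a POSIX shell pre-check for the failure quoted in the log above: a passphrase-protected RAUC_KEY_FILE makes `rauc bundle` prompt for a PEM pass phrase inside the non-interactive do_bundle task and then fail with OpenSSL's "bad password read". The function names and the sample PEM files are assumptions constructed for this example.

```shell
# Added example (not from the thread or meta-rauc): fail early when the
# configured RAUC_KEY_FILE is passphrase-protected, instead of letting
# `rauc bundle` block on "Enter PEM pass phrase:" inside do_bundle.
# Function names and the sample key files below are assumptions.

# Return 0 if the PEM file holds an encrypted private key, 1 otherwise.
# Both the legacy PKCS#1 form ("Proc-Type: 4,ENCRYPTED" header) and the
# PKCS#8 form ("BEGIN ENCRYPTED PRIVATE KEY") are recognised.
rauc_key_is_encrypted() {
    key="$1"
    [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 2; }
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"
}

# Pre-check to run before `rauc bundle`; returns 1 with a clear message
# when the signing key cannot be read without a passphrase.
rauc_check_key_file() {
    if rauc_key_is_encrypted "$1"; then
        echo "RAUC_KEY_FILE '$1' is passphrase-protected; rauc bundle cannot read it non-interactively" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs (dummy PEM bodies, not real keys).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/encrypted-pkcs1.key.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

ZHVtbXk=
-----END RSA PRIVATE KEY-----
EOF
cat > "$tmpdir/encrypted-pkcs8.key.pem" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
ZHVtbXk=
-----END ENCRYPTED PRIVATE KEY-----
EOF
cat > "$tmpdir/plain.key.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
ZHVtbXk=
-----END PRIVATE KEY-----
EOF
```

Calling `rauc_check_key_file "${RAUC_KEY_FILE}"` before the bundle step turns the opaque OpenSSL failure into an explicit build error; how to hook it into the Yocto task depends on the release in use and is not shown here.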
