The code signing consumer functions should be able to retrieve some
information about the recipe in which they were called in order to make
additional checks if needed. Refactor the (shell cs_get_*, …) calls into
macro calls of the form $(call ptx/cs-get-*, <PKG>, …). Let these
macros look up the package name (for now) from PTX_MAP_TO_package_<PKG>
before passing it to the shell functions. Using $(call world/env) here
would be practical, but would also cause make to complain about
recursive variable dependencies. Therefore variables must be added
to ptx/cs-consumer-env manually, but additional information can be added
later if needed.

Refactor the existing consumers in the code base too, and add an error
message in case anyone else still uses the old API.

Signed-off-by: Roland Hieber <r...@pengutronix.de>
---
PATCH v2:
 - define multiline macros using "define"

PATCH v1: 
https://lore.ptxdist.org/ptxdist/20210804142330.32739-4-...@pengutronix.de
---
 doc/dev_code_signing.rst                      |  2 +-
 doc/ref_code_signing_helpers.rst              | 25 ++++++-----
 rules/barebox.make                            |  2 +-
 rules/image-rauc.make                         |  6 +--
 rules/kernel.make                             |  6 +--
 rules/pre/030-code-signing-consumers.make     | 44 +++++++++++++++++++
 rules/rauc.make                               |  2 +-
 .../templates/template-barebox-imx-habv4-make |  6 +--
 scripts/lib/ptxd_lib_code_signing.sh          | 13 ++++++
 9 files changed, 83 insertions(+), 23 deletions(-)
 create mode 100644 rules/pre/030-code-signing-consumers.make

diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index b9a7c42f2a55..413f694980eb 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -164,7 +164,7 @@ also via an environment variable.
 .. code-block:: none
 
     $(call install_copy, rauc, 0, 0, 0644, \
-      $(shell cs_get_ca update), \
+      $(call ptx/cs-get-ca, RAUC, update), \
       /etc/rauc/ca.cert.pem)
 
 .. note:: When code signing helper functions are used in make variables (e.g.
diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index fd16ca763557..d3429778d94d 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -297,19 +297,21 @@ In the example given in :ref:`cs_group_add_roles` above, 
this would print::
 Consumer Functions
 ~~~~~~~~~~~~~~~~~~
 
+The consumer functions are implemented as make macros.
 Packages that want to sign something or need access to keys/CAs can retrieve
 PKCS#11 URIs and CA keyrings with these helpers.
 
+.. _ptx/cs-get-uri:
 .. _cs_get_uri:
 
-cs_get_uri
-^^^^^^^^^^
+ptx/cs-get-uri
+^^^^^^^^^^^^^^
 
 Usage:
 
-.. code-block:: bash
+.. code-block:: make
 
-    cs_get_uri <role>
+    $(call ptx/cs-get-uri, <PKG>, <role>)
 
 Get PKCS#11 URI for role.
 
@@ -317,16 +319,17 @@ Preconditions:
 
 - the URI must have been set (see :ref:`cs_set_uri`)
 
+.. _ptx/cs-get-ca:
 .. _cs_get_ca:
 
-cs_get_ca
-^^^^^^^^^
+ptx/cs-get-ca
+^^^^^^^^^^^^^
 
 Usage:
 
-.. code-block:: bash
+.. code-block:: make
 
-    cs_get_ca <role>
+    $(call ptx/cs-get-ca, <PKG>, <role>)
 
 Get path to the CA keyring in PEM format for role.
 
@@ -347,7 +350,7 @@ Example:
 
    # set up kernel module signing, and add a trusted CA if the provider set one
    KERNEL_SIGN_OPT =
-       CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \
+       CONFIG_MODULE_SIG_KEY='"$(call ptx/cs-get-uri, KERNEL, 
kernel-modules)"' \
        CONFIG_MODULE_SIG_ALL=y \
-       $(if $(shell cs_get_ca kernel-trusted), \
-               CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
+       $(if $(call ptx/cs-get-ca, KERNEL, kernel-trusted), \
+               CONFIG_SYSTEM_TRUSTED_KEYS=$(call ptx/cs-get-ca, KERNEL, 
kernel-trusted))
diff --git a/rules/barebox.make b/rules/barebox.make
index bea9f3adcbf8..983d34032e0d 100644
--- a/rules/barebox.make
+++ b/rules/barebox.make
@@ -103,7 +103,7 @@ endif
 ifdef PTXCONF_CODE_SIGNING
 BAREBOX_MAKE_ENV = \
        $(CODE_SIGNING_ENV) \
-       IMAGE_KERNEL_FIT_KEY="$(shell cs_get_uri image-kernel-fit)"
+       IMAGE_KERNEL_FIT_KEY="$(call ptx/cs-get-uri, BAREBOX, image-kernel-fit)"
 endif
 
 $(STATEDIR)/barebox.compile:
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index fe1b0e89be7c..c8747231f8f1 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -32,9 +32,9 @@ IMAGE_RAUC_ENV        = \
        RAUC_BUNDLE_VERSION="$(call remove_quotes, 
$(PTXCONF_RAUC_BUNDLE_VERSION))" \
        RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
        RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
-       RAUC_KEY="$(shell cs_get_uri update)" \
-       RAUC_CERT="$(shell cs_get_uri update)" \
-       RAUC_KEYRING="$(shell cs_get_ca update)"
+       RAUC_KEY="$(call ptx/cs-get-uri, IMAGE_RAUC, update)" \
+       RAUC_CERT="$(call ptx/cs-get-uri, IMAGE_RAUC, update)" \
+       RAUC_KEYRING="$(call ptx/cs-get-ca, IMAGE_RAUC, update)"
 
 $(IMAGE_RAUC_IMAGE):
        @$(call targetinfo)
diff --git a/rules/kernel.make b/rules/kernel.make
index 9caff677918e..e6faba82df38 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -73,12 +73,12 @@ KERNEL_BASE_OPT             = \
 
 ifdef PTXCONF_KERNEL_CODE_SIGNING
 KERNEL_BASE_OPT                += \
-       $(if $(shell cs_get_ca kernel-trusted), \
-               CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
+       $(if $(call ptx/cs-get-ca, KERNEL, kernel-trusted), \
+               CONFIG_SYSTEM_TRUSTED_KEYS=$(call ptx/cs-get-ca, KERNEL, 
kernel-trusted))
 endif
 ifdef PTXCONF_KERNEL_MODULES_SIGN
 KERNEL_BASE_OPT                += \
-       CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"'
+       CONFIG_MODULE_SIG_KEY='"$(call ptx/cs-get-uri, KERNEL, kernel-modules)"'
 endif
 
 # Intermediate option. This will be used by kernel module packages.
diff --git a/rules/pre/030-code-signing-consumers.make 
b/rules/pre/030-code-signing-consumers.make
new file mode 100644
index 000000000000..909e8ebd6936
--- /dev/null
+++ b/rules/pre/030-code-signing-consumers.make
@@ -0,0 +1,44 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 Roland Hieber, Pengutronix <r...@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+#
+
+#
+# Usage: $(call ptx/cs-consumer-env, <PKG>)
+#
+# We usually want to use cs-get-* macros inside a <PKG>_MAKE_OPT etc., which is
+# referenced in world/env, so we cannot use world/env to set pkg_name without
+# running into circular variable dependencies.
+#
+define ptx/cs-consumer-env
+       pkg_name='$(PTX_MAP_TO_package_$(strip $(1)))' \
+       $(CODE_SIGNING_ENV)
+endef
+
+#
+# Usage: $(call ptx/cs-get-uri, <PKG>, <role>)
+#
+define ptx/cs-get-uri
+$(strip \
+       $(shell \
+               $(call ptx/cs-consumer-env, $(1))\
+                       cs_get_uri '$(strip $(2))'\
+       )\
+)
+endef
+
+#
+# Usage: $(call ptx/cs-get-ca, <PKG>, <role>)
+#
+define ptx/cs-get-ca
+$(strip \
+       $(shell \
+               $(call ptx/cs-consumer-env, $(1))\
+                       cs_get_ca '$(strip $(2))'\
+       )\
+)
+endef
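Review bot: `ptx/cs-consumer-env` passes `pkg_name='$(PTX_MAP_TO_package_$(strip $(1)))'` without checking that the lookup produced a value, so a mistyped or unmapped <PKG> silently yields an empty pkg_name. The shell helpers changed in this same patch treat an empty pkg_name as an old-API call, so the caller would see the "no longer supported" message and get ERROR_UNSUPPORTED_CS_API_CALL as the key URI or CA path, with no hint about the bad package argument. Consider failing at expansion time inside the macro, e.g. `$(if $(PTX_MAP_TO_package_$(strip $(1))),,$(error ptx/cs-consumer-env: no package mapped for '$(strip $(1))'))`, assuming the map is always populated before a consumer variable is expanded. The role is also pasted between single quotes in `cs_get_uri '$(strip $(2))'` and `cs_get_ca '$(strip $(2))'`; a one-line comment stating that roles must not contain quote characters would document that assumption.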
diff --git a/rules/rauc.make b/rules/rauc.make
index 08df6336a7cd..3c28befcd3ff 100644
--- a/rules/rauc.make
+++ b/rules/rauc.make
@@ -78,7 +78,7 @@ ifdef PTXCONF_RAUC_CONFIGURATION
        @$(call install_replace, rauc, /etc/rauc/system.conf, \
                @RAUC_BUNDLE_COMPATIBLE@, \
                "$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))")
-       @$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \
+       @$(call install_copy, rauc, 0, 0, 0644, $(call ptx/cs-get-ca, RAUC, 
update), \
                /etc/rauc/ca.cert.pem)
 endif
 
diff --git a/rules/templates/template-barebox-imx-habv4-make 
b/rules/templates/template-barebox-imx-habv4-make
index cc825dc90292..b2d5d7100fc9 100644
--- a/rules/templates/template-barebox-imx-habv4-make
+++ b/rules/templates/template-barebox-imx-habv4-make
@@ -64,9 +64,9 @@ endif
 
 BAREBOX_@PACKAGE@_MAKE_ENV     = \
        $(CODE_SIGNING_ENV) \
-       CSF="$(shell cs_get_uri imx-habv4-csf1)" \
-       IMG="$(shell cs_get_uri imx-habv4-img1)" \
-       FIT_KEY="$(shell cs_get_uri image-kernel-fit)"
+       CSF="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, imx-habv4-csf1)" \
+       IMG="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, imx-habv4-img1)" \
+       FIT_KEY="$(call ptx/cs-get-uri, BAREBOX_@PACKAGE@, image-kernel-fit)"
 
 BAREBOX_@PACKAGE@_MAKE_OPT     := $(BAREBOX_@PACKAGE@_CONF_OPT)
 
diff --git a/scripts/lib/ptxd_lib_code_signing.sh 
b/scripts/lib/ptxd_lib_code_signing.sh
index 66a2cab81395..24730d3cf742 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 #
 # Copyright (C) 2019 Sascha Hauer <s.ha...@pengutronix.de>
+# Copyright (C) 2021 Roland Hieber, Pengutronix <r...@pengutronix.de>
 #
 # For further information about the PTXdist project and license conditions
 # see the README file.
@@ -176,6 +177,12 @@ export -f cs_set_uri
 # Get the uri from a role
 #
 cs_get_uri() {
+    if [ -z "${pkg_name}" ]; then
+           echo ERROR_UNSUPPORTED_CS_API_CALL
+           ptxd_bailout '$(shell cs_get_uri, <role>) is no longer supported in 
make files.' \
+               'Use $(call ptx/cs-get-uri, <PKG>, <role>) instead.'
+    fi
+
     local role="${1}"
     cs_init_variables
 
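Review bot: The new guard in cs_get_uri, and the identical one in cs_get_ca in the next hunk, signals failure by printing ERROR_UNSUPPORTED_CS_API_CALL on stdout, which inside `$(shell …)` becomes the expanded value. Make does not abort on a non-zero `$(shell)` exit status, so unless ptxd_bailout stops the whole build (not visible here) the marker can end up as a signing key URI or CA path, and being non-empty it also satisfies the `$(if $(call ptx/cs-get-ca, …))` test in kernel.make. A comment above the `echo` saying why the marker is emitted and where it is expected to make the build fail would help the next reader. The two messages are also inconsistent: `$(shell cs_get_uri, <role>)` shows a comma the old call never had, and the cs_get_ca text uses `…` where the other uses `<role>`. Both function bodies continue outside the hunks.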
@@ -297,6 +304,12 @@ export -f cs_import_key_from_pem
 # Get the path to the CA in pem format from a role
 #
 cs_get_ca() {
+    if [ -z "${pkg_name}" ]; then
+           echo ERROR_UNSUPPORTED_CS_API_CALL
+           ptxd_bailout '$(shell cs_get_ca, …) is no longer supported in make 
files.' \
+               'Use $(call ptx/cs-get-ca, <PKG>, …) instead.'
+    fi
+
     local role="${1}"
     cs_init_variables
 
-- 
2.30.2

