Signed-off-by: Roland Hieber <r...@pengutronix.de> --- PATCH v2: no changes
PATCH v1: https://lore.ptxdist.org/ptxdist/20210809144030.22764-1-...@pengutronix.de
---
 bin/ptxdist | 2 +-
 doc/dev_code_signing.rst | 12 ++++++++++++
 scripts/lib/ptxd_lib_code_signing.sh | 21 +++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/bin/ptxdist b/bin/ptxdist
index 2faaf535c1b9..6e843c26c37d 100755
--- a/bin/ptxdist
+++ b/bin/ptxdist
@@ -2163,7 +2163,7 @@ setup_env() {
 unset $({
 export -p | sed -n 's/^declare -x \([^=]*\).*$/\1/p'
 export -fp | sed -n 's/^declare -fx \([^=]*\).*$/\1/p'
- } | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$")
+ } | egrep -v "^(PTXDIST_PTXRC|PTX_AUTOBUILD_DESTDIR|PTXDIST_PKCS11_PIN|CCACHE_.*|PWD|HOME|USER|PATH|TERM|COLUMNS|LINES|DISPLAY|TMPDIR|KCONFIG_ALLCONFIG|KCONFIG_SEED|http_proxy|https_proxy|ftp_proxy|no_proxy${whitelist})$")
 ######## the environment is clean now ########
diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index b9a7c42f2a55..8407b6a3ed3d 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -172,3 +172,15 @@ also via an environment variable.
 (``=``, not ``:=``). Otherwise the variable is expanded before a code signing provider can perform its setup.
+
+PIN Handling
+^^^^^^^^^^^^
+
+You can also supply the PKCS#11 PIN in the environment variable
+``PTXDIST_PKCS11_PIN`` when calling PTXdist instead of including it in the
+URI (using the parameter ``pin-value=<pin>``).
+This has the advantage that the PIN is not printed to the terminal or the
+logfile during the PTXdist run.
+The value of this variable is passed on in the environment to several programs
+that access the PKCS#11 API during the build (e.g. the kernel build system, the
+i.MX code signing tool, evmctl, mkfs, u-Boot's mkimage, rauc).
diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
index 5ba1a4666af4..5579161cd5cf 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 #
 # Copyright (C) 2019 Sascha Hauer <s.ha...@pengutronix.de>
+# Copyright (C) 2021 Marc Kleine-Budde <m...@pengutronix.de>
 #
 # For further information about the PTXdist project and license conditions
 # see the README file.
@@ -11,6 +12,26 @@
 # infrastructure.
 #
+#
+# cs_export_pin
+#
+# Called at startup to export the PKCS#11 PIN to environment variables that are
+# used by the individual signing programs
+#
+cs_export_pin() {
+ if [ -z ${PTXDIST_PKCS11_PIN} ]; then
+ return
+ fi
+
+ export CST_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export EVMCTL_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export KBUILD_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export MKFS_UBIFS_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export MKIMAGE_SIGN_PIN=${PTXDIST_PKCS11_PIN}
+ export RAUC_PKCS11_PIN=${PTXDIST_PKCS11_PIN}
+}
+cs_export_pin
 cs_check_env() {
 if [ -z "${SOFTHSM2_CONF}" ]; then
 ptxd_bailout "SOFTHSM2_CONF is not defined. Maybe \$(CODE_SIGNING_ENV) is not used."
-- 
2.30.2
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-requ...@pengutronix.de
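Review bot: The guard in `cs_export_pin` expands the PIN unquoted, `if [ -z ${PTXDIST_PKCS11_PIN} ]; then`, so a PIN that contains whitespace is word-split into several arguments and `[` aborts with "too many arguments" instead of the value being exported; an empty PIN only passes the test by accident, because `[ -z ]` with a single operand is true. The neighbouring `cs_check_env` already uses the quoted form for `"${SOFTHSM2_CONF}"`, and the same form here, `if [ -z "${PTXDIST_PKCS11_PIN}" ]; then`, closes the gap. Quoting the assignment values as well (`export CST_SIGN_PIN="${PTXDIST_PKCS11_PIN}"`) changes nothing functionally but keeps the style uniform. The header comment could additionally state that, once exported at startup, the six variables are inherited by every process the build spawns rather than only the signing tools, which is what the wording added to doc/dev_code_signing.rst appears to describe.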