On Tue, Aug 10, 2021 at 12:00:00PM +0200, Roland Hieber wrote: > Similarly to cs_init_softhsm, introduce cs_init for non-SoftHSM use > cases. In both cases, clean up any left-over files from previous > installations to ensure a clean state, and enforce their use for > existing providers. > > Reported-by: Bastian Krause <b...@pengutronix.de> > Signed-off-by: Roland Hieber <r...@pengutronix.de> > --- > PATCH v2: new in v2, split off from previous patch > - enforce calling cs_init* at start of the provider (feedback from > Bastian Krause) > - slight fixes to the docs > --- > doc/ref_code_signing_helpers.rst | 31 +++++++++++++++++++ > .../ptxdist-set-keys-hsm.sh | 1 + > scripts/lib/ptxd_lib_code_signing.sh | 28 +++++++++++++++++ > 3 files changed, 60 insertions(+) > > diff --git a/doc/ref_code_signing_helpers.rst > b/doc/ref_code_signing_helpers.rst > index e1ea5d981a89..bb577c496c5b 100644 > --- a/doc/ref_code_signing_helpers.rst > +++ b/doc/ref_code_signing_helpers.rst > @@ -28,6 +28,10 @@ Usage: > cs_init_softhsm > > Initialize SoftHSM, and set the initial pins. > +This function must be called by the provider at the start of the ``compile`` > stage. > +For non-SoftHSM workflows, call :ref:`cs_init` instead. > + > +This function also calls :ref:`cs_clean_softhsm`. > > .. _cs_clean_softhsm: > > @@ -139,6 +143,23 @@ These helpers allow to define roles, set PKCS#11 URIs > and handle certificate > authorities (CAs). > HSM as well as SoftHSM code signing providers should use them. > > +.. _cs_init: > + > +cs_init > +^^^^^^^ > + > +Usage: > + > +.. code-block:: bash > + > + cs_init > + > +Initialize the provider. > +This function must be called by the provider at the start of the ``compile`` > stage. > +For the SoftHSM workflow, call :ref:`cs_init_softhsm` instead. > + > +This function also calls :ref:`cs_clean`. > + > .. _cs_clean: > > cs_clean 
> @@ -169,6 +190,10 @@ Define new key role. > > A default PKCS#11 URI is set implicitly as convenience for SoftHSM use cases. > > +Preconditions: > + > +- the provider must have been initialised (see :ref:`cs_init` or > :ref:`cs_init_softhsm`) > + > .. _cs_set_uri: > > cs_set_uri > @@ -259,6 +284,10 @@ Define a new role group. > > See :ref:`cs_group_add_roles` for an example. > > +Preconditions: > + > +- the provider must have been initialised (see :ref:`cs_init` or > :ref:`cs_init_softhsm`) > + > .. _cs_group_add_roles: > > cs_group_add_roles > @@ -281,6 +310,8 @@ Example: > > .. code-block:: bash > > + cs_init > + > # define two roles named imx-habv4-srk1 and imx-habv4-srk2 > r="imx-habv4-srk1" > cs_define_role "${r}" > diff --git a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > index b94eff049eac..b627541e30c1 100755 > --- a/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > +++ b/rules/templates/code-signing-provider/ptxdist-set-keys-hsm.sh > @@ -43,6 +43,7 @@ set_imx_habv4_keys() { > > > # HSM use case > +cs_init > set_fit_keys > set_rauc_keys > set_imx_habv4_keys > diff --git a/scripts/lib/ptxd_lib_code_signing.sh > b/scripts/lib/ptxd_lib_code_signing.sh > index b0d54f47f832..a0c53f7f05fb 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh > @@ -91,6 +91,26 @@ cs_init_variables() { > } > export -f cs_init_variables > > +# internal check that tells us if cs_init was called > +cs_initialised= > +cs_check_initialised() { > + if [ -z "${cs_initialised}" ]; then
Hmm, this assumes that, during initialisation, all cs_* functions are called within the same shell. Can we really assume this? Maybe put ${PTXDIST_TEMPDIR} or something like that into ${keydir}/.stamp and compare it. This path remains the same during one PTXdist call but will be different between two calls.

Michael

> + echo ERROR_NOT_INITIALISED > + ptxd_bailout "Not initialised – call cs_init or cs_init_softhsm > first." > + fi > +} > + > +# > +# cs_init > +# > +# Initialize the provider > +# > +cs_init() { > + cs_clean > + cs_initialised=1 > +} > +export -f cs_init > + > # > # cs_init_softhsm > # > @@ -108,6 +128,8 @@ cs_init_softhsm() { > > softhsm_pkcs11_tool_init --init-token --label "${keyprovider}" --so-pin > 0000 && > softhsm_pkcs11_tool_init -l --so-pin 0000 --new-pin 1111 --init-pin > + > + cs_initialised=1 > } > export -f cs_init_softhsm > > @@ -145,6 +167,7 @@ export -f cs_clean_softhsm > # > cs_define_role() { > local role="${1}" > + cs_check_initialised > cs_init_variables > > mkdir -p "${keydir}/${role}" && > @@ -160,6 +183,7 @@ export -f cs_define_role > # > cs_define_group() { > local group="${1}" > + cs_check_initialised > cs_init_variables > > mkdir -p "${keydir}/${group}.group" && > @@ -246,6 +270,7 @@ export -f cs_get_uri > cs_import_cert_from_der() { > local role="${1}" > local der="${2}" > + cs_check_initialised > cs_init_variables > > softhsm_pkcs11_tool --type cert --write-object "${der}" --label "${role}" > @@ -261,6 +286,7 @@ export -f cs_import_cert_from_der > cs_import_cert_from_pem() { > local role="${1}" > local pem="${2}" > + cs_check_initialised > cs_init_variables > > openssl x509 \ > @@ -280,6 +306,7 @@ cs_import_pubkey_from_pem() { > local -a openssl_keyopt > local role="${1}" > local pem="${2}" > + cs_check_initialised > cs_init_variables > > if [ -n "${OPENSSL_KEYPASS}" ]; then 
> @@ -304,6 +331,7 @@ cs_import_privkey_from_pem() { > local -a openssl_keyopt > local role="${1}" > local pem="${2}" > + cs_check_initialised > cs_init_variables > > if [ -n "${OPENSSL_KEYPASS}" ]; then > -- > 2.30.2 > > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to > ptxdist-requ...@pengutronix.de -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
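
Review bot: In scripts/lib/ptxd_lib_code_signing.sh, hunk @@ -91,6 +91,26 @@, cs_check_initialised is defined without an "export -f" line, unlike cs_init right below it and the exported cs_* helpers that now call it, and cs_initialised is a plain, unexported variable. If an exported caller such as cs_define_role runs in a child bash, the check function will not exist there and the flag will be empty even though cs_init ran in the parent. Suggest adding "export -f cs_check_initialised" and keeping the state somewhere that survives a new shell. In the same hunk, cs_init sets the flag whether or not cs_clean succeeded; "cs_clean && cs_initialised=1" would avoid marking a half-cleaned key directory as initialised.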
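
Review bot: In the cs_init_softhsm hunk (@@ -108,6 +128,8 @@), cs_initialised=1 is a separate statement after the "softhsm_pkcs11_tool_init --init-token ... && softhsm_pkcs11_tool_init -l ... --init-pin" chain, so it runs even when token or PIN initialisation failed, and as the last command its exit status (0) becomes the function's. Chain it instead, "... --init-pin && cs_initialised=1", so that a failed SoftHSM setup is neither reported as success nor recorded as initialised.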
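
Review bot: The Preconditions paragraphs in doc/ref_code_signing_helpers.rst (hunks @@ -169,6 +190,10 @@ and @@ -259,6 +284,10 @@) are added only to the role and group definition entries, while the code adds cs_check_initialised to cs_import_cert_from_der, cs_import_cert_from_pem, cs_import_pubkey_from_pem and cs_import_privkey_from_pem as well. Those reference entries need the same precondition, otherwise the documentation understates which helpers bail out when cs_init or cs_init_softhsm was not called.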
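
Review bot: In the cs_import_cert_from_der hunk (@@ -246,6 +270,7 @@), the new cs_check_initialised call passes after either cs_init or cs_init_softhsm, but the next command shown is "softhsm_pkcs11_tool --type cert --write-object ...", which depends on the token that only cs_init_softhsm creates. A single cs_initialised=1 flag cannot tell the two apart; consider recording which init ran (for example a distinct value for the SoftHSM case) and checking for it in the SoftHSM-only helpers.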
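
The concern raised in the reply above, as an added example that is not part of the original mail or of PTXdist: a flag held in a shell variable is lost when init and check run in separate shell processes, while a stamp in ${keydir}/.stamp holding ${PTXDIST_TEMPDIR} survives and is rejected on a later invocation. All demo_* names, the stand-in library file and the temp-dir values are hypothetical.

```sh
#!/bin/sh
# Added illustration, not PTXdist code. All demo_* names and the lib file
# are hypothetical; keydir/.stamp and PTXDIST_TEMPDIR follow the reply above.

# Write a tiny stand-in library that every child shell sources.
demo_write_lib() {
	cat > "${1}" <<'EOF'
# Variant "var": flag lives in a shell variable, as in the quoted patch.
demo_var_init()  { demo_initialised=1; }
demo_var_check() { [ -n "${demo_initialised}" ]; }
# Variant "stamp": flag is a per-invocation token stored next to the keys.
demo_stamp_init() {
	mkdir -p "${keydir}" &&
	printf '%s\n' "${PTXDIST_TEMPDIR}" > "${keydir}/.stamp"
}
demo_stamp_check() {
	[ -r "${keydir}/.stamp" ] &&
	[ "$(cat "${keydir}/.stamp")" = "${PTXDIST_TEMPDIR}" ]
}
EOF
}

# Run one library function in a fresh shell process.
demo_child() { sh -c '. "${1}"; "${2}"' demo "${demo_lib}" "${1}"; }

# Print 0 if the command succeeds, 1 otherwise (safe under set -e).
demo_rc() { if "$@"; then echo 0; else echo 1; fi; }

# Init and check in two separate processes.
demo_across_shells() { demo_child "demo_${1}_init" && demo_child "demo_${1}_check"; }

demo_run() {
	work="$(mktemp -d)" || return 1
	demo_lib="${work}/lib.sh"; demo_write_lib "${demo_lib}"
	export keydir="${work}/keys"
	export PTXDIST_TEMPDIR="${work}/run1"   # constructed stand-in value
	var_rc="$(demo_rc demo_across_shells var)"
	stamp_rc="$(demo_rc demo_across_shells stamp)"
	# A later invocation gets a new temp dir: the old stamp must not count.
	export PTXDIST_TEMPDIR="${work}/run2"
	stale_rc="$(demo_rc demo_child demo_stamp_check)"
	rm -rf "${work}"
	echo "${var_rc} ${stamp_rc} ${stale_rc}"
}
```

demo_run prints three exit codes: the variable check across processes, the stamp check across processes, and the stamp check after the temp dir changed.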