author Bastian Krause <bst@pengutronix.de> 2020-06-17 16:31:23 +0200
committer Michael Olbrich <m.olbrich@pengutronix.de> 2020-06-19 10:10:10 +0200
commit 33c4b37cab1ba5ae924e073d65ab0cbfa2b7c922
tree 609f1ca233028294567d4d501f009fab401e6521 /doc
parent 5d42f6f4ef8142b15629064cc826a2b7298b4995
doc: move code signing docs from scripts/ into doc/

Signed-off-by: Bastian Krause <bst@pengutronix.de>
Reviewed-by: Roland Hieber <rhi@pengutronix.de>
Tested-by: Ladislav Michl <ladis@linux-mips.org>
Message-Id: <20200617143125.23999-5-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'doc')
-rw-r--r-- doc/dev_code_signing.rst 36
-rw-r--r-- doc/dev_manual.rst 1
2 files changed, 37 insertions, 0 deletions
diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
new file mode 100644
index 000000000..de0087f8b
--- /dev/null
+++ b/doc/dev_code_signing.rst
@@ -0,0 +1,36 @@
+.. _code_signing:
+
+Code Signing
+------------
+
+This is an overview over the ptxdist signing infrastructure.
+ptxdist uses PKCS#11 internally for providing access to keys and certificates.
+Packages that wish to sign something should implement a PKCS#11 interface.
+
+As PKCS#11 URIs usually differ between different usecases (release vs.
+development) the URIs normally are not hardcoded in the package configuration.
+Instead, ptxdist has the idea of "roles" which are string identifiers used to
+access a single private/public key pair and a certificate.
+
+ptxdist supports Hardware Security Modules (HSM).
+In case a HSM is not present or shall not be used SoftHSM is used internally to
+transparently provide the same API internally.
+
+For each role a PKCS#11 URI must be known by ptxdist.
+In case of a HSM the keys and certificates are stored in the HSM, but ptxdist
+needs to know the PKCS#11 URI to access the keys.
+This is done in ptxdist rule files calling cs_set_uri <role> <uri>.
+For SoftHSM the URI is generated internally by ptxdist, but instead the
+keys/certificates for each role have have to be imported.
+This is done with the cs_import_* functions below.
+
+During each invocation of ptxdist exactly one key provider is active.
+The code signing provider can be chosen with the PTXCONF_CODE_SIGNING_PROVIDER
+variable.
+A code signing provider is a package resposible for providing the role <->
+PKCS#11 URI relationships in case a HSM is used or for providing the key
+material in case SoftHSM is used.
+
+A package which wants to sign something or which needs access to keys has to
+select CODE_SIGNING.
+This makes sure the keys are ready when the package is being built.
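Review bot: The sentence "This is done with the cs_import_* functions below." at the end of the SoftHSM paragraph points at a function list that is not in this 36-line file, which ends at "This makes sure the keys are ready when the package is being built."; either carry the function reference over along with the text or reword the sentence to link to where those functions are documented. In the same paragraph "have have to be imported" repeats a word, "resposible" in the key provider paragraph should be "responsible", and "overview over" in the first sentence reads better as "overview of". cs_set_uri <role> <uri>, PTXCONF_CODE_SIGNING_PROVIDER and CODE_SIGNING are identifiers a reader will copy, so marking them as reST literals (double backticks) would keep the angle-bracket placeholders and underscores from rendering as plain prose.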
diff --git a/doc/dev_manual.rst b/doc/dev_manual.rst
index 47a77a9be..03a05a661 100644
--- a/doc/dev_manual.rst
+++ b/doc/dev_manual.rst
@@ -14,3 +14,4 @@ This chapter shows all (or most) of the details of how PTXdist works.
dev_add_bin_only_files
dev_create_new_pkg_templates
dev_layers_in_ptxdist
+ dev_code_signing