diff options
| author | Bastian Krause <bst@pengutronix.de> | 2020-05-15 16:26:39 +0200 |
|---|---|---|
| committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2020-05-15 17:22:07 +0200 |
| commit | c420c0745b568fbf2ab2d0f7394c27935ed7faf2 (patch) | |
| tree | 3bbddb3be682c7171f3a3d2346bdd69b538d11c8 | |
| parent | c691a61e4b244d30b046289655228981d27adc2c (diff) | |
| download | ptxdist-c420c0745b568fbf2ab2d0f7394c27935ed7faf2.tar.gz ptxdist-c420c0745b568fbf2ab2d0f7394c27935ed7faf2.tar.xz | |
rauc/image-rauc: use code signing infrastructure for key retrieval
Use the keys provided by the currently active key provider via PKCS#11
instead of key files placed in the platform config directory. In order
to make sure the new mechanics are used after a BSP update the rauc.key
file is no longer allowed to exist in the platformconfig directory.
Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or
later
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20200515142641.812-14-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| -rw-r--r-- | platforms/image-rauc.in | 1 | ||||
| -rw-r--r-- | projectroot/etc/rauc/ca.cert.pem | 7 | ||||
| -rw-r--r-- | rules/image-rauc.make | 36 | ||||
| -rw-r--r-- | rules/rauc.in | 1 | ||||
| -rw-r--r-- | rules/rauc.make | 11 | ||||
| -rwxr-xr-x | scripts/rauc-gen-test-certs.sh | 126 |
6 files changed, 17 insertions, 165 deletions
diff --git a/platforms/image-rauc.in b/platforms/image-rauc.in index 658ddd5cd..1f9427b40 100644 --- a/platforms/image-rauc.in +++ b/platforms/image-rauc.in @@ -6,6 +6,7 @@ menuconfig IMAGE_RAUC select HOST_GENIMAGE select HOST_RAUC select IMAGE_ROOT_TGZ + select CODE_SIGNING help This generates a RAUC update Bundle for the selected platform using genimage. diff --git a/projectroot/etc/rauc/ca.cert.pem b/projectroot/etc/rauc/ca.cert.pem deleted file mode 100644 index be1aa7c30..000000000 --- a/projectroot/etc/rauc/ca.cert.pem +++ /dev/null @@ -1,7 +0,0 @@ -# This is a dummy keyring file. Please overwrite this with one that matches -# your X.509 infrastructure if you intend to use RAUC for secure updates! -# -# If you really do not intend to actively use the security features (or for -# testing purpose) you may create a development certificate by executing the -# script `rauc-gen-test-certs.sh` from the `scripts` folder in your PTXdist -# installation. diff --git a/rules/image-rauc.make b/rules/image-rauc.make index 839cb400b..d85b88cc2 100644 --- a/rules/image-rauc.make +++ b/rules/image-rauc.make @@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG := rauc.config ifdef PTXCONF_IMAGE_RAUC -IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem) -IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem) - -IMAGE_RAUC_ENV := \ +IMAGE_RAUC_ENV = \ + $(CODE_SIGNING_ENV) \ RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \ RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \ RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \ RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \ - RAUC_KEY=$(IMAGE_RAUC_KEY) \ - RAUC_CERT=$(IMAGE_RAUC_CERT) + RAUC_KEY="$(shell cs_get_uri update)" \ + RAUC_CERT="$(shell cs_get_uri update)" -$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT) +$(IMAGE_RAUC_IMAGE): @$(call targetinfo) @$(call image/genimage, IMAGE_RAUC) @$(call finish) -$(IMAGE_RAUC_KEY): - @echo - @echo "****************************************************************************" - @echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********" - @echo "* *" - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *" - @echo "* from the scripts/ folder of your PTXdist installation *" - @echo "****************************************************************************" - @echo - @echo - @exit 1 - -$(IMAGE_RAUC_CERT): - @echo - @echo "****************************************************************************" - @echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***" - @echo "* *" - @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *" - @echo "* from the scripts/ folder of your PTXdist installation *" - @echo "****************************************************************************" - @echo - @echo - @exit 1 - endif # vim: syntax=make diff --git a/rules/rauc.in b/rules/rauc.in index d712bc7b9..56fc3ae3b 100644 --- a/rules/rauc.in +++ b/rules/rauc.in @@ -7,6 +7,7 @@ menuconfig RAUC select GLIB select GLIB_LIBMOUNT select HOST_GLIB + select CODE_SIGNING select BUSYBOX_FEATURE_TAR_LONG_OPTIONS if BUSYBOX_TAR select BUSYBOX_FEATURE_TAR_AUTODETECT if BUSYBOX_TAR select BUSYBOX_FEATURE_SEAMLESS_XZ if BUSYBOX_TAR diff --git a/rules/rauc.make b/rules/rauc.make index ade9bd5dd..f9a10fbbc 100644 --- a/rules/rauc.make +++ b/rules/rauc.make @@ -46,6 +46,14 @@ RAUC_CONF_OPT := \ --with-dbuspolicydir=/usr/share/dbus-1/system.d \ --with-dbussystemservicedir=/usr/share/dbus-1/system-services +$(STATEDIR)/rauc.prepare: + @$(call targetinfo) + @test ! -e "$(call ptx/in-platformconfigdir, config/rauc/rauc.key)" || \ + ptxd_bailout "Please use the key provider infrastructure desribed in:" \ + "scripts/lib/ptxd_lib_code_signing.sh" + @$(call world/prepare, RAUC) + @$(call touch) + # ---------------------------------------------------------------------------- # Target-Install # ---------------------------------------------------------------------------- @@ -66,7 +74,8 @@ ifdef PTXCONF_RAUC_CONFIGURATION @$(call install_replace, rauc, /etc/rauc/system.conf, \ @RAUC_BUNDLE_COMPATIBLE@, \ "$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))") - @$(call install_alternative, rauc, 0, 0, 0644, /etc/rauc/ca.cert.pem) + @$(call install_copy, rauc, 0, 0, 0644, $(shell cs_get_ca update), \ + /etc/rauc/ca.cert.pem) endif ifdef PTXCONF_RAUC_SERVICE diff --git a/scripts/rauc-gen-test-certs.sh b/scripts/rauc-gen-test-certs.sh deleted file mode 100755 index b4ea6a8cf..000000000 --- a/scripts/rauc-gen-test-certs.sh +++ /dev/null @@ -1,126 +0,0 @@ -#!/bin/bash -# -# Copyright (C) 2017 by Enrico Joerns <e.joerns@pengutronix.de> -# Copyright (C) 2016 by Jan Luebbe <j.luebbe@pengutronix.de> -# -# For further information about the PTXdist project and license conditions -# see the README file. -# -# --- -# -# Demo script that generates certificate files required to sign and verify -# RAUC update tool bundles. -# - -set -xe - -ORG="Test Org" -CA="rauc CA" - -# After the CRL expires, signatures cannot be verified anymore -CRL="-crldays 5000" - -BASE="$(pwd)/rauc-openssl-ca" - -if [ -e $BASE ]; then - echo "$BASE already exists" - exit 1 -fi - -mkdir -p $BASE/dev/{private,certs} -touch $BASE/dev/index.txt -echo 01 > $BASE/dev/serial - -cat > $BASE/openssl.cnf <<EOF -[ ca ] -default_ca = CA_default # The default ca section - -[ CA_default ] - -dir = . # top dir -database = \$dir/index.txt # index file. -new_certs_dir = \$dir/certs # new certs dir - -certificate = \$dir/ca.cert.pem # The CA cert -serial = \$dir/serial # serial no file -private_key = \$dir/private/ca.key.pem# CA private key -RANDFILE = \$dir/private/.rand # random number file - -default_startdate = 19700101000000Z -default_enddate = 99991231235959Z -default_crl_days= 30 # how long before next CRL -default_md = sha256 # md to use - -policy = policy_any # default policy -email_in_dn = no # Don't add the email into cert DN - -name_opt = ca_default # Subject name display option -cert_opt = ca_default # Certificate display option -copy_extensions = none # Don't copy extensions from request - -[ policy_any ] -organizationName = match -commonName = supplied - -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name -x509_extensions = v3_leaf -encrypt_key = no -default_md = sha256 - -[ req_distinguished_name ] -commonName = Common Name (eg, YOUR name) -commonName_max = 64 - -[ v3_ca ] - -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:TRUE - -[ v3_inter ] - -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:TRUE,pathlen:0 - -[ v3_leaf ] - -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:FALSE -EOF - -export OPENSSL_CONF=$BASE/openssl.cnf - -echo "Development CA" -cd $BASE/dev -openssl req -newkey rsa -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development" -openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem - -echo "Development Signing Keys 1" -cd $BASE/dev -openssl req -newkey rsa -keyout private/rauc.key.pem -out rauc.csr.pem -subj "/O=$ORG/CN=$ORG Development-1" -openssl ca -batch -extensions v3_leaf -in rauc.csr.pem -out rauc.cert.pem - -cat << EOF -=============================================================================== - -Note that the default application should be to set up a public key -infrastructure at your site and use keys and certificates genereated by these. - -In oder to use the just generated files in your BSP for testing purpose or if -you do not intend to use real authentification, follow the instructions below. - -Place the key and certificate file in your platform-dir's config/ folder: - - cp rauc-openssl-ca/private/rauc.key.pem <platform-dir>/config/rauc/rauc.key.pem - cp rauc-openssl-ca/rauc.cert.pem <platform-dir>/config/rauc/rauc.cert.pem - -Place the keyring file in your platform-dir's projectroot/ folder: - - cp rauc-openssl-ca/ca.cert.pem <plaform-dir>/projectroot/etc/rauc/ca.cert.pem - -=============================================================================== -EOF |