summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBastian Krause <bst@pengutronix.de>2020-05-15 16:26:35 +0200
committerMichael Olbrich <m.olbrich@pengutronix.de>2020-05-15 17:22:07 +0200
commitd6a751d6155dca50b17150fffb731530c3ab8e6c (patch)
tree4b0b18132ead52fa0e36aaff52868fb5dcd50e55
parent339831586a10bc28de9a0cd41f4f658995ff9704 (diff)
downloadptxdist-d6a751d6155dca50b17150fffb731530c3ab8e6c.tar.gz
ptxdist-d6a751d6155dca50b17150fffb731530c3ab8e6c.tar.xz
u-boot/ptxd_make_fit_image: avoid overriding object name
Having multiple "object=" occurrences in a single PKCS#11 URI does not work for all cases, at least not for opensc-pkcs11. Thus u-boot's PKCS#11 handling was patched to avoid overriding the object name when it is already specified. The patch was sent upstream. Signed-off-by: Bastian Krause <bst@pengutronix.de> Message-Id: <20200515142641.812-10-bst@pengutronix.de> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
-rw-r--r--patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch81
-rw-r--r--patches/u-boot-2020.04/series4
-rw-r--r--scripts/lib/ptxd_make_fit_image.sh4
3 files changed, 86 insertions, 3 deletions
diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
new file mode 100644
index 000000000..5ba930fb5
--- /dev/null
+++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
@@ -0,0 +1,81 @@
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Mon, 16 Mar 2020 11:45:22 +0100
+Subject: [PATCH] lib: rsa: avoid overriding the object name when already
+ specified
+
+If "object=" is specified in "keydir" when using the pkcs11 engine do
+not append another "object=<key-name-hint>". This makes it possible to
+use object names other than the key name hint. These two string
+identifiers are not necessarily equal.
+
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Signed-off-by: Bastian Krause <bst@pengutronix.de>
+Reviewed-by: George McCollister <george.mccollister@gmail.com>
+Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html
+---
+ doc/uImage.FIT/signature.txt | 8 +++++---
+ lib/rsa/rsa-sign.c | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
+index 3591225a6edd..d4afd755e9fc 100644
+--- a/doc/uImage.FIT/signature.txt
++++ b/doc/uImage.FIT/signature.txt
+@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
+ to openssl's default search paths.
+
+ PKCS11 engine support forms "key id" based on "keydir" and with
+-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
+-defined is used to define (prefix for) which PKCS11 source is being used for
+-lookup up for the key.
++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
++is being used for lookup up for the key.
+
+ PKCS11 engine key ids:
+ "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
++or, if keydir contains "object="
++ "pkcs11:<keydir>;type=<public|private>"
+ or
+ "pkcs11:object=<key-name-hint>;type=<public|private>",
+
+diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
+index 580c74470939..1914b9641312 100644
+--- a/lib/rsa/rsa-sign.c
++++ b/lib/rsa/rsa-sign.c
+@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+
+ if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ if (keydir)
+- snprintf(key_id, sizeof(key_id),
+- "pkcs11:%s;object=%s;type=public",
+- keydir, name);
++ if (strstr(keydir, "object="))
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;type=public",
++ keydir);
++ else
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;object=%s;type=public",
++ keydir, name);
+ else
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:object=%s;type=public",
+@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+
+ if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ if (keydir)
+- snprintf(key_id, sizeof(key_id),
+- "pkcs11:%s;object=%s;type=private",
+- keydir, name);
++ if (strstr(keydir, "object="))
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;type=private",
++ keydir);
++ else
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;object=%s;type=private",
++ keydir, name);
+ else
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:object=%s;type=private",
diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series
new file mode 100644
index 000000000..02db98548
--- /dev/null
+++ b/patches/u-boot-2020.04/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
+# d5b0f03c362d4c4e9d26f37173d666d6 - git-ptx-patches magic
diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
index 041c5b803..c2725ab3d 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -106,9 +106,7 @@ ptxd_make_image_fit() {
#
# It would have been too simple for mkimage to just take a
# PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot
- # then adds again. Also mkimage adds "object=<key_name_hint>"
- # to the URI which our URI already has. Well having it twice
- # doesn't seem to hurt at least SoftHSM.
+ # then adds again.
#
pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://")
sign_args=( -k "${pkcs11_uri}" )