From 998598415aaa4fcc9d14a558a72592d0496c6bf5 Mon Sep 17 00:00:00 2001
From: Hector Palacios
Date: Mon, 7 Aug 2023 11:54:58 +0200
Subject: [PATCH] dey-image: generate public key after rootfs install

When TrustFence is enabled, a PKI tree is generated. In the case of NXP platforms, the PKI contains public certificates from which the public key needs to be extracted using an openssl command. In the case of STM platforms, the PKI contains directly the public key. In all cases, we need the public key to be installed in the rootfs /etc/ssl/certs/ folder, so that it can be used by swupdate to authenticate signed SWU packages. Up to now, this was being done on the dualboot recipe, but the installation of the public key should really be only dependant on the fact of TF being enabled. This commit: - Removes the generation of the public key from dualboot.bb. - Generates a patch to extract the public key from the certificate as part of the PKI tree generation (on NXP platforms). - Installs the public key during a post install function after the final rootfs has been created. - For NXP platforms, extracts the public key using openssl if it does not exist (for backwards compatibility).

Signed-off-by: Hector Palacios
---
 .../trustfence-cst/trustfence-cst-3.3.1.inc | 1 +
 ...xtract-public-keys-from-certificates.patch | 42 +++++++++++++++++++
 meta-digi-dey/classes/trustfence.bbclass | 33 +++++++++++++++
 .../recipes-digi/dualboot/dualboot.bb | 38 -----------------
 4 files changed, 76 insertions(+), 38 deletions(-)
 create mode 100644 meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch

diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
index a9319dfc0..cf5dda093 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
@@ -21,6 +21,7 @@ SRC_URI = " \
 file://0005-ahab_pki_tree.sh-automate-script.patch \
 file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
 file://0007-rules.mk-weaken-specific-function-err_msg.patch \
+ file://0008-pki_tree.sh-extract-public-keys-from-certificates.patch \
 "
 
 SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
new file mode 100644
index 000000000..dcaa24120
--- /dev/null
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
@@ -0,0 +1,42 @@
+From: Hector Palacios
+Date: Thu, 3 Aug 2023 16:25:36 +0200
+Subject: [PATCH] pki_tree.sh: extract public keys from certificates
+
+The public key needs to be available on the rootfs so that signed SWU
+packages can be authenticated.
+Do this on the PKI generation script so that recipes don't need to do it.
+
+Signed-off-by: Hector Palacios
+---
+ keys/ahab_pki_tree.sh | 3 +++
+ keys/hab4_pki_tree.sh | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
+index 7f10c5388146..63b5ce58ade7 100755
+--- a/keys/ahab_pki_tree.sh
++++ b/keys/ahab_pki_tree.sh
+@@ -632,6 +632,9 @@ do
+ -in temp_sgk.pem \
+ -out ${sgk_key}.pem
+
++ # Extract public key from the certificate
++ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
++
+ # Cleanup
+ rm ./temp_sgk.pem ./temp_sgk_req.pem
+
+diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
+index ac6fb29b7f91..e76f22f40643 100755
+--- a/keys/hab4_pki_tree.sh
++++ b/keys/hab4_pki_tree.sh
+@@ -682,6 +682,9 @@ do
+ -in temp_img.pem \
+ -out ${img_key}.pem
+
++ # Extract public key from the certificate
++ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
++
+ # Cleanup
+ rm ./temp_img.pem ./temp_img_req.pem
+
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6ea35e306..885fad932 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
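Review bot: In the embedded 0008 patch, both added `openssl x509 -pubkey ... > ../crts/key${i}.pub` lines create the output file through the shell redirect before openssl runs, so a failed extraction leaves an empty `key${i}.pub` behind. The fallback that this commit adds to trustfence.bbclass only tests `[ ! -f "${PUBLIC_KEY}" ]`, so it would accept that empty file and install it as the key swupdate uses to authenticate SWU packages. Writing to a temporary name and renaming on success avoids this, e.g. `openssl x509 -pubkey -noout -in "${img_crt}.pem" > "../crts/key${i}.pub.tmp" && mv "../crts/key${i}.pub.tmp" "../crts/key${i}.pub"`, which also quotes the target path. The surrounding loops start and end outside these hunks, so whether the scripts already abort on a failed command is not visible here.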
@@ -69,6 +69,39 @@ check_gen_pki_tree() {
 fi
 }
 
+copy_public_key() {
+ if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+ KEY_INDEX="$(expr $TRUSTFENCE_KEY_INDEX + 1)"
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
+ # The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
+ # generation and leaves them in the crts/ folder. However, the PKI tree may
+ # already exist, the PKI generation script not called, and then the public
+ # keys may not be available. This is a fall-back to generate at least the
+ # selected public key.
+ if [ ! -f "${PUBLIC_KEY}" ]; then
+ if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
+ elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*_ca_crt.pem)"
+ else
+ bberror "Unknown TRUSTFENCE_SIGN_MODE value"
+ exit 1
+ fi
+ # Extract the public key from the certificate.
+ openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"
+ fi
+ elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
+ else
+ echo "ERROR: Cannot determine the public key"
+ exit 1
+ fi
+ # Copy the public key to the rootfs
+ install -d ${D}${sysconfdir}/ssl/certs
+ cp -f "${PUBLIC_KEY}" "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs/key.pub"
+}
+ROOTFS_POSTINSTALL_COMMAND:append = " copy_public_key;"
+
 python () {
 import binascii
 import hashlib
diff --git a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
index 188ef3839..f4f8f3127 100644
--- a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
+++ b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
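Review bot: In `copy_public_key` (trustfence.bbclass) the directory is created with `install -d ${D}${sysconfdir}/ssl/certs` but the key is copied into `${IMAGE_ROOTFS}`, so the `cp` only works if the certs directory already exists in the image rootfs; `install -d "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs"` would match the destination. `$TRUSTFENCE_KEY_INDEX` in the `expr` line is the only reference written without braces, so it is presumably left to the shell rather than expanded by BitBake, and the default of 0 that the removed dualboot code applied to an empty index is gone; `KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"` plus a default set in the class would keep the selected key predictable. The fallback test `[ ! -f "${PUBLIC_KEY}" ]` should be `[ ! -s "${PUBLIC_KEY}" ]`, because a failed `openssl ... > "${PUBLIC_KEY}"` still leaves an empty file that later builds would install as the swupdate verification key. The unknown-vendor branch uses `echo "ERROR: ..."` where the rest of the function uses `bberror`.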
@@ -36,44 +36,6 @@ do_install() {
 
 install -d ${D}${systemd_unitdir}/system/
 install -m 0644 ${WORKDIR}/firmware-update-check.service ${D}${systemd_unitdir}/system/
-
- # If Trustfence is enabled, copy the public key that is going to be used into the
- # initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
- if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
- # Retrieve the key index to use.
- KEY_INDEX="0"
- if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then
- KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
- fi
- KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
-
- # Find the certificate to use.
- if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
- if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
- elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
- else
- bberror "Unknown TRUSTFENCE_SIGN_MODE value"
- exit 1
- fi
- # Extract the public key from the certificate.
- install -d ${D}${sysconfdir}/ssl/certs
- openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
- elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
- # Copy the public key to the rootfs
- if [ "${DIGI_SOM}" = "ccmp15" ]; then
- PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey00.pem"
- elif [ "${DIGI_SOM}" = "ccmp13" ]; then
- PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${KEY_INDEX}.pem"
- else
- bberror "Unknown DIGI_SOM"
- exit 1
- fi
- install -d ${D}${sysconfdir}/ssl/certs
- cp ${PUBLIC_KEY} ${D}${sysconfdir}/ssl/certs/key.pub
- fi
- fi
 }
 
 FILES:${PN} += " \