diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0002-hab4_pki_tree.sh-automate-script.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0002-hab4_pki_tree.sh-automate-script.patch new file mode 100644 index 000000000..a6686f9ee --- /dev/null +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0002-hab4_pki_tree.sh-automate-script.patch @@ -0,0 +1,521 @@ +From: "Diaz de Grenu, Jose" +Date: Mon, 18 Jul 2016 13:21:11 +0200 +Subject: [PATCH] hab4_pki_tree.sh: automate script + +Signed-off-by: Diaz de Grenu, Jose +--- + keys/hab4_pki_tree.sh | 347 ++++++++++++++++---------------------------------- + 1 file changed, 107 insertions(+), 240 deletions(-) + +diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh +index 7dd67f68c8df..b2c6b71b604e 100755 +--- a/keys/hab4_pki_tree.sh ++++ b/keys/hab4_pki_tree.sh +@@ -42,84 +42,40 @@ + # + #----------------------------------------------------------------------------- + +-printf "\n" +-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" +-printf " This script is a part of the Code signing tools for Freescale's\n" +-printf " High Assurance Boot. It generates a basic PKI tree. The PKI\n" +-printf " tree consists of one or more Super Root Keys (SRK), with each\n" +-printf " SRK having two subordinate keys: \n" +-printf " + a Command Sequence File (CSF) key \n" +-printf " + Image key. \n" +-printf " Additional keys can be added to the PKI tree but a separate \n" +-printf " script is available for this. This this script assumes openssl\n" +-printf " is installed on your system and is included in your search \n" +-printf " path. Finally, the private keys generated are password \n" +-printf " protectedwith the password provided by the file key_pass.txt.\n" +-printf " The format of the file is the password repeated twice:\n" +-printf " my_password\n" +-printf " my_password\n" +-printf " All private keys in the PKI tree are in PKCS #8 format will be\n" +-printf " protected by the same password.\n\n" +-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" +- +-stty erase  +- +-printf "Do you want to use an existing CA key (y/n)?: \b" +-read existing_ca +-if [ $existing_ca = "y" ] +-then +- printf "Enter CA key name: \b" +- read ca_key +- printf "Enter CA certificate name: \b" +- read ca_cert ++SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)" ++CSF_PATH="${1}" ++if [ ! -d "${CSF_PATH}" ]; then ++ echo "Invalid CSF_PATH: ${CSF_PATH}" ++ exit 1 + fi + +-printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b" +-read use_ecc +-if [ $use_ecc = "y" ] +-then +- printf "Enter length for elliptic curve to be used for PKI tree:\n" +- printf "Possible values p192, p256, p521: \b" +- read kl +- +- # Confirm that a valid key length has been entered +- case $kl in +- p192) +- cn="secp112r1" ;; +- p256) +- cn="prime256v1" ;; +- p521) +- cn="secp521r1" ;; +- *) +- echo Invalid key length. Supported key lengths: 192, 256, 521 +- exit 1 ;; +- esac +-else +- printf "Enter key length in bits for PKI tree: \b" +- read kl +- +- # Confirm that a valid key length has been entered +- case $kl in +- 1024) ;; +- 2048) ;; +- 3072) ;; +- 4096) ;; +- *) +- echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096 +- exit 1 ;; +- esac +-fi ++cd "${CSF_PATH}" ++ ++[ -d crts ] || mkdir crts ++[ -d keys ] || mkdir keys + ++cd keys + ++existing_ca="n" ++kl="4096" + +-printf "Enter PKI tree duration (years): \b" +-read duration ++# Confirm that a valid key length has been entered ++case $kl in ++ 1024) ;; ++ 2048) ;; ++ 3072) ;; ++ 4096) ;; ++ *) ++ echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096 ++ exit 1 ;; ++esac ++ ++duration="10" + + # Compute validity period + val_period=$((duration*365)) + +-printf "How many Super Root Keys should be generated? \b" +-read num_srk ++num_srk="4" + + # Check that 0 < num_srk <= 4 (Max. number of SRKs) + if [ $num_srk -lt 1 ] || [ $num_srk -gt 4 ] +@@ -128,10 +84,7 @@ then + exit 1 + fi + +-# Check if SRKs should be generated as CA certs or user certs +-printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b" +-read srk_ca +- ++srk_ca="y" + # Check that the file "serial" is present, if not create it: + if [ ! -f serial ] + then +@@ -154,6 +107,9 @@ echo "unique_subject = no" > index.txt.attr + + if [ $existing_ca = "n" ] + then ++ ca_key=./CA1_sha256_${kl}_65537_v3_ca_key ++ ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt ++ + # Generate CA key and certificate + # ------------------------------- + echo +@@ -161,31 +117,12 @@ then + echo + Generating CA key and certificate + + echo +++++++++++++++++++++++++++++++++++++ + echo +- +- if [ $use_ecc = 'n' ] +- then +- ca_key=./CA1_sha256_${kl}_65537_v3_ca_key +- ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt +- ca_subj_req=/CN=CA1_sha256_${kl}_65537_v3_ca/ +- ca_key_type=rsa:${kl} +- else +- +- # Generate Elliptic Curve parameters: +- eck='ec-'$cn'.pem' +- openssl ecparam -out $eck -name $cn +- +- ca_key=./CA1_sha256_${cn}_v3_ca_key +- ca_cert=../crts/CA1_sha256_${cn}_v3_ca_crt +- ca_subj_req=/CN=CA1_sha256_${cn}_v3_ca/ +- ca_key_type=ec:${eck} +- fi +- +- openssl req -newkey ${ca_key_type} -passout file:./key_pass.txt \ +- -subj ${ca_subj_req} \ +- -x509 -extensions v3_ca \ +- -keyout temp_ca.pem \ +- -out ${ca_cert}.pem \ +- -days ${val_period} -config ../ca/openssl.cnf ++ openssl req -newkey rsa:${kl} -passout file:./key_pass.txt \ ++ -subj /CN=CA1_sha256_${kl}_65537_v3_ca/ \ ++ -x509 -extensions v3_ca \ ++ -keyout temp_ca.pem \ ++ -out ${ca_cert}.pem \ ++ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf" + + # Generate CA key in PKCS #8 format - both PEM and DER + openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ +@@ -202,7 +139,7 @@ then + openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der + + # Cleanup +- \rm temp_ca.pem ++ rm temp_ca.pem + fi + + +@@ -219,64 +156,48 @@ then + echo + Generating SRK key and certificate $i + + echo ++++++++++++++++++++++++++++++++++++++++ + echo +- if [ $use_ecc = 'n' ] +- then +- # Generate SRK key +- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ +- -out ./temp_srk.pem ${kl} +- +- srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_usr/ +- srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt +- srk_key=./SRK${i}_sha256_${kl}_65537_v3_usr_key +- else +- # Generate Elliptic Curve parameters: +- openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey +- # Generate SRK key +- openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \ +- -out ./temp_srk.pem +- +- srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_usr/ +- srk_crt=../crts/SRK${i}_sha256_${cn}_v3_usr_crt +- srk_key=./SRK${i}_sha256_${cn}_v3_usr_key +- fi ++ ++ # Generate SRK key ++ openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ ++ -out ./temp_srk.pem ${kl} + + # Generate SRK certificate signing request + openssl req -new -batch -passin file:./key_pass.txt \ +- -subj ${srk_subj_req} \ ++ -subj /CN=SRK${i}_sha256_${kl}_65537_v3_usr/ \ + -key ./temp_srk.pem \ + -out ./temp_srk_req.pem + + # Generate SRK certificate (this is a CA cert) +- openssl ca -batch -passin file:./key_pass.txt \ +- -md sha256 -outdir ./ \ +- -in ./temp_srk_req.pem \ +- -cert ${ca_cert}.pem \ ++ openssl ca -batch -passin file:./key_pass.txt \ ++ -md sha256 -outdir ./ \ ++ -in ./temp_srk_req.pem \ ++ -cert ${ca_cert}.pem \ + -keyfile ${ca_key}.pem \ +- -extfile ../ca/v3_usr.cnf \ +- -out ${srk_crt}.pem \ +- -days ${val_period} \ +- -config ../ca/openssl.cnf ++ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ ++ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \ ++ -days ${val_period} \ ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" + + # Convert SRK Certificate to DER format + openssl x509 -inform PEM -outform DER \ +- -in ${srk_crt}.pem \ +- -out ${srk_crt}.der ++ -in ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \ ++ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.der + + # Generate SRK key in PKCS #8 format - both PEM and DER + openssl pkcs8 -passin file:./key_pass.txt \ + -passout file:./key_pass.txt \ + -topk8 -inform PEM -outform DER -v2 des3 \ + -in temp_srk.pem \ +- -out ${srk_key}.der ++ -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.der + + openssl pkcs8 -passin file:./key_pass.txt \ + -passout file:./key_pass.txt \ + -topk8 -inform PEM -outform PEM -v2 des3 \ + -in temp_srk.pem \ +- -out ${srk_key}.pem ++ -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.pem + + # Cleanup +- \rm ./temp_srk.pem ./temp_srk_req.pem ++ rm ./temp_srk.pem ./temp_srk_req.pem + i=$((i+1)) + done + else +@@ -293,98 +214,60 @@ do + echo ++++++++++++++++++++++++++++++++++++++++ + echo + +- if [ $use_ecc = 'n' ] +- then +- # Generate SRK key +- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ +- -out ./temp_srk.pem ${kl} +- +- srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_ca/ +- srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt +- srk_key=./SRK${i}_sha256_${kl}_65537_v3_ca_key +- else +- # Generate Elliptic Curve parameters: +- openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey +- # Generate SRK key +- openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \ +- -out ./temp_srk.pem +- +- srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_ca/ +- srk_crt=../crts/SRK${i}_sha256_${cn}_v3_ca_crt +- srk_key=./SRK${i}_sha256_${cn}_v3_ca_key +- fi ++ # Generate SRK key ++ openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ ++ -out ./temp_srk.pem ${kl} ++ + # Generate SRK certificate signing request +- openssl req -new -batch -passin file:./key_pass.txt \ +- -subj ${srk_subj_req} \ +- -key ./temp_srk.pem \ +- -out ./temp_srk_req.pem ++ openssl req -new -batch -passin file:./key_pass.txt \ ++ -subj /CN=SRK${i}_sha256_${kl}_65537_v3_ca/ \ ++ -key ./temp_srk.pem \ ++ -out ./temp_srk_req.pem + + # Generate SRK certificate (this is a CA cert) +- openssl ca -batch -passin file:./key_pass.txt \ +- -md sha256 -outdir ./ \ +- -in ./temp_srk_req.pem \ +- -cert ${ca_cert}.pem \ +- -keyfile ${ca_key}.pem \ +- -extfile ../ca/v3_ca.cnf \ +- -out ${srk_crt}.pem \ +- -days ${val_period} \ +- -config ../ca/openssl.cnf ++ openssl ca -batch -passin file:./key_pass.txt \ ++ -md sha256 -outdir ./ \ ++ -in ./temp_srk_req.pem \ ++ -cert ${ca_cert}.pem \ ++ -keyfile ${ca_key}.pem \ ++ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \ ++ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ ++ -days ${val_period} \ ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" + + # Convert SRK Certificate to DER format + openssl x509 -inform PEM -outform DER \ +- -in ${srk_crt}.pem \ +- -out ${srk_crt}.der ++ -in ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ ++ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.der + + # Generate SRK key in PKCS #8 format - both PEM and DER +- openssl pkcs8 -passin file:./key_pass.txt \ +- -passout file:./key_pass.txt \ ++ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ + -topk8 -inform PEM -outform DER -v2 des3 \ + -in temp_srk.pem \ +- -out ${srk_key}.der ++ -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.der + +- openssl pkcs8 -passin file:./key_pass.txt \ +- -passout file:./key_pass.txt \ ++ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ + -topk8 -inform PEM -outform PEM -v2 des3 \ + -in temp_srk.pem \ +- -out ${srk_key}.pem ++ -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem + + # Cleanup + \rm ./temp_srk.pem ./temp_srk_req.pem + ++ + echo + echo ++++++++++++++++++++++++++++++++++++++++ + echo + Generating CSF key and certificate $i + + echo ++++++++++++++++++++++++++++++++++++++++ + echo + +- if [ $use_ecc = 'n' ] +- then +- srk_crt_i=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem +- srk_key_i=./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem +- # Generate key +- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ +- -out ./temp_csf.pem ${kl} +- +- csf_subj_req=/CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/ +- csf_crt=../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt +- csf_key=./CSF${i}_1_sha256_${kl}_65537_v3_usr_key +- else +- srk_crt_i=../crts/SRK${i}_sha256_${cn}_v3_ca_crt.pem +- srk_key_i=./SRK${i}_sha256_${cn}_v3_ca_key.pem +- # Generate Elliptic Curve parameters: +- openssl ecparam -out ./temp_csf.pem -name ${cn} -genkey +- # Generate key +- openssl ec -in ./temp_csf.pem -des3 -passout file:./key_pass.txt \ +- -out ./temp_csf.pem +- +- csf_subj_req=/CN=CSF${i}_1_sha256_${cn}_v3_usr/ +- csf_crt=../crts/CSF${i}_1_sha256_${cn}_v3_usr_crt +- csf_key=./CSF${i}_1_sha256_${cn}_v3_usr_key +- fi ++ # Generate key ++ openssl genrsa -des3 -passout file:./key_pass.txt \ ++ -f4 -out ./temp_csf.pem ${kl} + + # Generate CSF certificate signing request + openssl req -new -batch -passin file:./key_pass.txt \ +- -subj ${csf_subj_req} \ ++ -subj /CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/ \ + -key ./temp_csf.pem \ + -out ./temp_csf_req.pem + +@@ -392,31 +275,31 @@ do + openssl ca -batch -md sha256 -outdir ./ \ + -passin file:./key_pass.txt \ + -in ./temp_csf_req.pem \ +- -cert ${srk_crt_i} \ +- -keyfile ${srk_key_i} \ +- -extfile ../ca/v3_usr.cnf \ +- -out ${csf_crt}.pem \ ++ -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ ++ -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \ ++ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ ++ -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ + -days ${val_period} \ +- -config ../ca/openssl.cnf ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" + + # Convert CSF Certificate to DER format + openssl x509 -inform PEM -outform DER \ +- -in ${csf_crt}.pem \ +- -out ${csf_crt}.der ++ -in ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ ++ -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.der + + # Generate CSF key in PKCS #8 format - both PEM and DER + openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ + -topk8 -inform PEM -outform DER -v2 des3 \ + -in temp_csf.pem \ +- -out ${csf_key}.der ++ -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.der + + openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ + -topk8 -inform PEM -outform PEM -v2 des3 \ + -in temp_csf.pem \ +- -out ${csf_key}.pem ++ -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.pem + + # Cleanup +- \rm ./temp_csf.pem ./temp_csf_req.pem ++ rm ./temp_csf.pem ./temp_csf_req.pem + + echo + echo ++++++++++++++++++++++++++++++++++++++++ +@@ -424,61 +307,45 @@ do + echo ++++++++++++++++++++++++++++++++++++++++ + echo + +- if [ $use_ecc = 'n' ] +- then +- # Generate key +- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ +- -out ./temp_img.pem ${kl} +- +- img_subj_req=/CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/ +- img_crt=../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt +- img_key=./IMG${i}_1_sha256_${kl}_65537_v3_usr_key +- else +- # Generate Elliptic Curve parameters: +- openssl ecparam -out ./temp_img.pem -name ${cn} -genkey +- # Generate key +- openssl ec -in ./temp_img.pem -des3 -passout file:./key_pass.txt \ +- -out ./temp_img.pem +- +- img_subj_req=/CN=IMG${i}_1_sha256_${cn}_v3_usr/ +- img_crt=../crts/IMG${i}_1_sha256_${cn}_v3_usr_crt +- img_key=./IMG${i}_1_sha256_${cn}_v3_usr_key +- fi ++ # Generate key ++ openssl genrsa -des3 -passout file:./key_pass.txt \ ++ -f4 -out ./temp_img.pem ${kl} + + # Generate IMG certificate signing request + openssl req -new -batch -passin file:./key_pass.txt \ +- -subj ${img_subj_req} \ ++ -subj /CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/ \ + -key ./temp_img.pem \ + -out ./temp_img_req.pem + + openssl ca -batch -md sha256 -outdir ./ \ + -passin file:./key_pass.txt \ + -in ./temp_img_req.pem \ +- -cert ${srk_crt_i} \ +- -keyfile ${srk_key_i} \ +- -extfile ../ca/v3_usr.cnf \ +- -out ${img_crt}.pem \ ++ -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ ++ -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \ ++ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ ++ -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ + -days ${val_period} \ +- -config ../ca/openssl.cnf ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" + + # Convert IMG Certificate to DER format + openssl x509 -inform PEM -outform DER \ +- -in ${img_crt}.pem \ +- -out ${img_crt}.der ++ -in ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ ++ -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.der + + # Generate IMG key in PKCS #8 format - both PEM and DER + openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ + -topk8 -inform PEM -outform DER -v2 des3 \ + -in temp_img.pem \ +- -out ${img_key}.der ++ -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.der + + openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ + -topk8 -inform PEM -outform PEM -v2 des3 \ + -in temp_img.pem \ +- -out ${img_key}.pem ++ -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.pem + + # Cleanup +- \rm ./temp_img.pem ./temp_img_req.pem ++ rm ./temp_img.pem ./temp_img_req.pem ++ + + i=$((i+1)) + done diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_2.3.2.bb b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_2.3.2.bb index f1fd9ab58..0fc73c323 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_2.3.2.bb +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_2.3.2.bb @@ -10,6 +10,7 @@ S= "${WORKDIR}/cst-${PV}" SRC_URI = " \ ${@base_conditional('TRUSTFENCE_SIGN', '1', 'file://cst-${PV}.tar.gz', '', d)} \ file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \ + file://0002-hab4_pki_tree.sh-automate-script.patch \ file://Makefile \ " @@ -25,6 +26,7 @@ do_install () { install -d ${D}${bindir} install -m 0755 linux64/cst ${D}${bindir}/cst install -m 0755 linux64/srktool ${D}${bindir}/srktool + install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf install -m 0755 ca/v3_ca.cnf ${D}${bindir}/v3_ca.cnf install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf