5.5. Code Signing Helper Functions

PTXdist provides various bash helper functions to be used in code signing providers and code signing consumers.

PTXdist stores URIs and CA keyrings using these helpers in $(PTXDIST_SYSROOT_HOST)/var/lib/keys/<signing-provider>/<role>/{uri,ca.pem}.

SoftHSM Provider Functions

These helpers initialize and import public/private keys and certificates into the SoftHSM.

cs_init_softhsm

Usage:

cs_init_softhsm

Initialize SoftHSM, and set the initial pins.

cs_import_cert_from_der

Usage:

cs_import_cert_from_der <role> <DER>

Import certificate from a given DER file for role. To be used with SoftHSM only.

Preconditions:

cs_import_cert_from_pem

Usage:

cs_import_cert_from_pem <role> <PEM>

Import certificate from a given PEM file for role. To be used with SoftHSM only.

Preconditions:

cs_import_pubkey_from_pem

Usage:

cs_import_pubkey_from_pem <role> <PEM>

Import public key from a given PEM file for role. To be used with SoftHSM only.

Preconditions:

cs_import_privkey_from_pem

Usage:

cs_import_privkey_from_pem <role> <PEM>

Import private key from a given PEM file for role. To be used with SoftHSM only.

Preconditions:

cs_import_key_from_pem

Usage:

cs_import_key_from_pem <role> <PEM>

Import private/public key pair from a given PEM file for role. To be used with SoftHSM only.

Preconditions:

Generic Provider Functions

These helpers allow to define roles, set PKCS#11 URIs and handle certificate authorities (CAs). HSM as well as SoftHSM code signing providers should use them.

cs_define_role

Usage:

cs_define_role <role>

Define new key role.

A default PKCS#11 URI is set implicitly as convenience for SoftHSM use cases.

cs_set_uri

Usage:

cs_set_uri <role> <URI>

Set given PKCS#11 URI for role.

Preconditions:

cs_append_ca_from_pem

Usage:

cs_append_ca_from_pem <role> <PEM>

Append certificate from a given PEM file to the role’s CA keyring. If no CA keyring exists yet it is created as an empty file before.

Preconditions:

cs_append_ca_from_der

Usage:

cs_append_ca_from_der <role> <DER>

Append certificate from a given DER file to the role’s CA keyring. If no CA keyring exists yet it is created as an empty file before.

Preconditions:

cs_append_ca_from_uri

Usage:

cs_append_ca_from_uri <role> [<URI>]

Append certificate from a given PKCS#11 URI to the role’s CA keyring. If URI is omitted the already set URI for role is used. If no CA keyring exists yet it is created as an empty file before.

Preconditions:

cs_define_group

Usage:

cs_define_group <group>

Define a new role group.

See cs_group_add_roles for an example.

cs_group_add_roles

Usage:

cs_group_add_roles <group> <roles...>

Add all given roles to a role group.

Preconditions:

Example:

# define two roles named imx-habv4-srk1 and imx-habv4-srk2
r="imx-habv4-srk1"
cs_define_role "${r}"
cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
cs_append_ca_from_uri "${r}"
r="imx-habv4-srk2"
cs_define_role "${r}"
cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
cs_append_ca_from_uri "${r}"

# define a group and add the roles
g="imx-habv4-srk"
cs_define_group "${g}"
cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"

cs_group_get_roles

Usage:

cs_group_get_roles <group>

Get a list of all roles that have been added to the role group.

Example:

# iterate over role names in a role group, and print their name and URI
for role in $(cs_group_get_roles "imx-habv4-srk"); do
     echo "role '${role}' has URI '$(cs_get_uri "${role}")'"
done

In the example given in cs_group_add_roles above, this would print:

role 'imx-habv4-srk1' has URI 'pkcs11:object=SRK CA 0'
role 'imx-habv4-srk2' has URI 'pkcs11:object=SRK CA 1'

Consumer Functions

Packages that want to sign something or need access to keys/CAs can retrieve PKCS#11 URIs and CA keyrings with these helpers.

cs_get_uri

Usage:

cs_get_uri <role>

Get PKCS#11 URI for role.

Preconditions:

cs_get_ca

Usage:

cs_get_ca <role>

Get path to the CA keyring in PEM format for role.

If the provider does not set a CA for this role (see cs_append_ca_from_pem, cs_append_ca_from_der, cs_append_ca_from_uri), this function will print an empty string.

Preconditions:

  • The role must have been defined by the provider (see cs_define_role). Otherwise, this function will print ERROR_CA_NOT_YET_SET and return 1. This can happen if the function is evaluated by a variable expansion in make with := instead of = before the code signing provider is set up.

Example:

# set up kernel module signing, and add a trusted CA if the provider set one
KERNEL_SIGN_OPT =
     CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \
     CONFIG_MODULE_SIG_ALL=y \
     $(if $(shell cs_get_ca kernel-trusted), \
             CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))