ajout de recettes pour signature via HSM distant et PKCS#11

2024-02-06 19:06:09 +00:00
parent fd18eadb3f
commit 11486c1fee
5 changed files with 69 additions and 5 deletions
--- a/conf/distro/cyber-SB-crypt.conf
+++ b/conf/distro/cyber-SB-crypt.conf
@@ -134,6 +134,17 @@ VIRTUAL-RUNTIME_syslog = "rsyslog"
 VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
 DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"

+PREFERRED_VERSION_cargo = "1.64.0"
+PREFERRED_VERSION_cargo-native = "1.64.0"
+PREFERRED_VERSION_libstd-rs = "1.64.0"
+PREFERRED_VERSION_rust = "1.64.0"
+PREFERRED_VERSION_rust-cross = "1.64.0"
+PREFERRED_VERSION_rust-llvm = "1.64.0"
+PREFERRED_VERSION_rust-llvm-native = "1.64.0"
+PREFERRED_VERSION_rust-native = "1.64.0"
+PREFERRED_VERSION_rust-source = "1.64.0"
+PREFERRED_VERSION_rust-snapshot = "1.64.0"
+
 #IMAGE_FEATURES += " package-management ssh-server-openssh read-only-rootfs"
 IMAGE_FEATURES += " package-management ssh-server-openssh"

@@ -145,4 +156,14 @@ INHERIT += "extrausers"
 # mkpasswd -m sha-512 root -s sclecyber
 EXTRA_USERS_PARAMS += "usermod -p '\$6\$sclecyber\$n9LKVtEnhPIDEbFdRFVPWbuRoYabzprcF0W2XuR4Tg/au6xrII8/4qBDc8vPn0z7qthIL.UMp4TlZWi9uOsFQ.' root;"

-RM_WORK_EXCLUDE += "core-image-minimal-initramfs cyber-secureboot-image clevis systemd libpwquality"
+RM_WORK_EXCLUDE += " \
+                     core-image-minimal-initramfs \
+                     cyber-secureboot-image \
+                     clevis \
+                     systemd \
+                     libpwquality \
+                     openssl \
+                     u-boot-tools-native \
+                     p11-kit-native \
+                     libp11-native \
+                   "
--- a/recipes-core/initrdscripts/files/ecryptfs
+++ b/recipes-core/initrdscripts/files/ecryptfs
@@ -26,7 +26,7 @@ create_tpm_prim_key() {
 	check_tpm2

 	local contextfile=${dirpath}/key.ctxt
-	local ret=`/usr/bin/tpm2_createprimary --key-algorithm=rsa2048 --key-context=${contextfile}`
+	local ret=`/usr/bin/tpm2_createprimary --key-algorithm=rsa2048 --key-context=${contextfile} 2>/dev/null`
 	if [ $? -ne 0 ]; then
 		echo "err: create primary failed"
 		exit 1
@@ -47,6 +47,21 @@ persistent_handle() {
 	fi
 }

+load_trusted_blob() {
+	local keypath=$1
+	local handle=$2
+	local blob=`cat ${keypath}`
+	echo "add trusted blob to linux key"
+	/bin/keyctl add trusted kmk-trusted "load ${blob} keyhandle=${handle}" @u
+}
+
+load_encrypted_blob() {
+	local keypath=$1
+	local blob=`cat ${keypath}`
+	echo "add encrypted blob to linux key"
+	/bin/keyctl add encrypted 1001100110011001 "load ${blob}" @u
+}
+
 create_key_master_key() {
 	local handle=$1
 	local keypath=$2
@@ -66,14 +81,16 @@ create_key_master_key() {
 		local res=`/bin/keyctl pipe ${kmk} > ${keypath}`
 		if [ $? -eq 0 ]; then
 			echo "revoke kmk-trusted"
-			/bin/keyctl revoke ${kmk}
+			/bin/keyctl revoke "${kmk}"
+			if [ $? -eq 0 ]; then
+				load_trusted_blob "${keypath}" "${handle}"
+			fi
 		fi
 	fi
 }

 create_encrypted_key() {
 	local keypath=$1
-	local filename="ecryptfs-encrypted.blob"

 	echo "add ecryptfs key from trusted kmk ..."
 	local encrypted=`/bin/keyctl add encrypted 1001100110011001 "new ecryptfs trusted:kmk-trusted 64" @u`
@@ -85,7 +102,10 @@ create_encrypted_key() {
 		local res=`/bin/keyctl pipe ${encrypted} > ${keypath}`
 		if [ $? -eq 0 ]; then
 			echo "revoke ecryptfs-encrypted key"
-			/bin/keyctl revoke ${encrypted}
+			/bin/keyctl revoke "${encrypted}"
+			if [ $? -eq 0 ]; then
+				load_encrypted_blob "${keypath}"
+			fi
 		fi
 	fi
 }
@@ -100,12 +120,16 @@ ecryptfs_run() {
 		echo "*-* persistent handle *-*"
 		persistent_handle /tmp/key.ctxt
 		echo "*-* storage primary key: ${storage_prim_key} *-*"
+		echo "${storage_prim_key}" > "$ROOTFS_DIR/etc/keys/tpm_key_handle"
 		/bin/keyctl clear @u
 		/bin/keyctl link @u @s
 		echo "*-* create_key_master_key *-*"
 		create_key_master_key ${storage_prim_key} "$ROOTFS_DIR/etc/keys/${kmk_filename}"
 		echo "*-* create_encrypted_key *-*"
 		create_encrypted_key "$ROOTFS_DIR/etc/keys/${encrypted_filename}"
+	elif [ -f "$ROOTFS_DIR/etc/keys/${kmk_filename}" ] && [ -f "$ROOTFS_DIR/etc/keys/${kmk_filename}" ]; then
+		load_trusted_blob "$ROOTFS_DIR/etc/keys/${kmk_filename}" `cat "$ROOTFS_DIR/etc/keys/tpm_key_handle"`
+		load_encrypted_blob "$ROOTFS_DIR/etc/keys/${encrypted_filename}"
 	fi
 	echo "*-* END *-*"
 }
--- a/recipes-support/libp11/files/0001-debug.patch
+++ b/recipes-support/libp11/files/0001-debug.patch
@@ -0,0 +1,10 @@
+--- a/src/p11_slot.c
+++ b/src/p11_slot.c
+@@ -238,6 +238,7 @@ int pkcs11_login(PKCS11_SLOT *slot, int so, const char *pin, int relogin)
+ 			return -1;
+ 	}
+ 
+	printf("[SCLE] PIN: %s\n", pin);
+ 	rv = CRYPTOKI_call(ctx,
+ 		C_Login(spriv->session, so ? CKU_SO : CKU_USER,
+ 			(CK_UTF8CHAR *) pin, pin ? (unsigned long) strlen(pin) : 0));
--- a/recipes-support/libp11/libp11_%.bbappend
+++ b/recipes-support/libp11/libp11_%.bbappend
@@ -0,0 +1,8 @@
+# Copyright (C) 2024 Vincent BENOIT <vincent.benoit@scle.fr>
+# Release under the MIT license (see COPYING.MIT for the terms)
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI += " \
+             file://0001-debug.patch \
+           "
--- a/recipes-support/p11-kit/p11-kit_%.bbappend
+++ b/recipes-support/p11-kit/p11-kit_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"