From 11486c1fee657bb50d0721765663a2b9e6f15cb3 Mon Sep 17 00:00:00 2001
From: Vincent BENOIT
Date: Tue, 6 Feb 2024 19:06:09 +0000
Subject: [PATCH] ajout de recettes pour signature via HSM distant et PKCS#11
---
 conf/distro/cyber-SB-crypt.conf | 23 ++++++++++++-
 recipes-core/initrdscripts/files/ecryptfs | 32 ++++++++++++++++---
 recipes-support/libp11/files/0001-debug.patch | 10 ++++++
 recipes-support/libp11/libp11_%.bbappend | 8 +++++
 recipes-support/p11-kit/p11-kit_%.bbappend | 1 +
 5 files changed, 69 insertions(+), 5 deletions(-)
 create mode 100644 recipes-support/libp11/files/0001-debug.patch
 create mode 100644 recipes-support/libp11/libp11_%.bbappend
 create mode 100644 recipes-support/p11-kit/p11-kit_%.bbappend
diff --git a/conf/distro/cyber-SB-crypt.conf b/conf/distro/cyber-SB-crypt.conf
index b12d3ac..6af452c 100644
--- a/conf/distro/cyber-SB-crypt.conf
+++ b/conf/distro/cyber-SB-crypt.conf
@@ -134,6 +134,17 @@ VIRTUAL-RUNTIME_syslog = "rsyslog"
 VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
 DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"
+PREFERRED_VERSION_cargo = "1.64.0"
+PREFERRED_VERSION_cargo-native = "1.64.0"
+PREFERRED_VERSION_libstd-rs = "1.64.0"
+PREFERRED_VERSION_rust = "1.64.0"
+PREFERRED_VERSION_rust-cross = "1.64.0"
+PREFERRED_VERSION_rust-llvm = "1.64.0"
+PREFERRED_VERSION_rust-llvm-native = "1.64.0"
+PREFERRED_VERSION_rust-native = "1.64.0"
+PREFERRED_VERSION_rust-source = "1.64.0"
+PREFERRED_VERSION_rust-snapshot = "1.64.0"
+
 #IMAGE_FEATURES += " package-management ssh-server-openssh read-only-rootfs"
 IMAGE_FEATURES += " package-management ssh-server-openssh"
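Review bot: The ten PREFERRED_VERSION pins to 1.64.0 carry no comment saying why the Rust toolchain is held back or which recipe needs it, and the commit title (HSM / PKCS#11 signing recipes) does not explain it either, so the next maintainer cannot tell whether the pin is still required or safe to lift. Pinning every rust/cargo/llvm recipe also holds the toolchain back from the layer's normal version updates, which is worth an explicit decision on a distro that builds signing tooling. Add a one-line comment above the block, e.g. `# Rust held at 1.64.0 because <recipe/reason — fill in>; revisit when <condition>`, so the pin has a documented owner and exit condition.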
@@ -145,4 +156,14 @@ INHERIT += "extrausers"
 # mkpasswd -m sha-512 root -s sclecyber
 EXTRA_USERS_PARAMS += "usermod -p '\$6\$sclecyber\$n9LKVtEnhPIDEbFdRFVPWbuRoYabzprcF0W2XuR4Tg/au6xrII8/4qBDc8vPn0z7qthIL.UMp4TlZWi9uOsFQ.' root;"
-RM_WORK_EXCLUDE += "core-image-minimal-initramfs cyber-secureboot-image clevis systemd libpwquality"
+RM_WORK_EXCLUDE += " \
+ core-image-minimal-initramfs \
+ cyber-secureboot-image \
+ clevis \
+ systemd \
+ libpwquality \
+ openssl \
+ u-boot-tools-native \
+ p11-kit-native \
+ libp11-native \
+ "
diff --git a/recipes-core/initrdscripts/files/ecryptfs b/recipes-core/initrdscripts/files/ecryptfs
index cb523b0..b93040c 100644
--- a/recipes-core/initrdscripts/files/ecryptfs
+++ b/recipes-core/initrdscripts/files/ecryptfs
@@ -26,7 +26,7 @@ create_tpm_prim_key() {
 check_tpm2
 local contextfile=${dirpath}/key.ctxt
- local ret=`/usr/bin/tpm2_createprimary --key-algorithm=rsa2048 --key-context=${contextfile}`
+ local ret=`/usr/bin/tpm2_createprimary --key-algorithm=rsa2048 --key-context=${contextfile} 2>/dev/null`
 if [ $? -ne 0 ]; then
 echo "err: create primary failed"
 exit 1
@@ -47,6 +47,21 @@ persistent_handle() {
 fi
 }
+load_trusted_blob() {
+ local keypath=$1
+ local handle=$2
+ local blob=`cat ${keypath}`
+ echo "add trusted blob to linux key"
+ /bin/keyctl add trusted kmk-trusted "load ${blob} keyhandle=${handle}" @u
+}
+
+load_encrypted_blob() {
+ local keypath=$1
+ local blob=`cat ${keypath}`
+ echo "add encrypted blob to linux key"
+ /bin/keyctl add encrypted 1001100110011001 "load ${blob}" @u
+}
+
 create_key_master_key() {
 local handle=$1
 local keypath=$2
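Review bot: On the changed `local ret=` line the `$?` tested by the next line is the exit status of the `local` builtin, not of tpm2_createprimary (ShellCheck SC2155), so the `err: create primary failed` branch cannot fire, and the added `2>/dev/null` now also discards the tool's own diagnostic, leaving a failed primary-key creation completely silent. Declare and assign separately so the status survives: `local ret` then `ret=$(/usr/bin/tpm2_createprimary --key-algorithm=rsa2048 --key-context=${contextfile} 2>/dev/null)` (backticks as the file uses them work the same way). If the stderr noise is the motivation, redirecting it to a log file rather than /dev/null keeps the failure reason available. create_tpm_prim_key starts before this hunk and its body continues after it.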
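Review bot: Both new helpers hand whatever `cat ${keypath}` returns straight to keyctl without checking it, so a missing or unreadable blob file produces a payload of `load  keyhandle=...` or `load ` and a keyctl error that none of the callers added in this commit examine; keypath is also unquoted there. Suggest `local blob` followed by `blob=$(cat "${keypath}") || return 1` in both helpers so an empty blob never reaches keyctl, keeping the keyctl call last so its exit status remains the function's return value as it is now. In load_trusted_blob an empty `$2` yields `keyhandle=` with a less obvious kernel error, so a `[ -n "${handle}" ] || return 1` guard after the assignment is worth adding.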
@@ -66,14 +81,16 @@ create_key_master_key() {
 local res=`/bin/keyctl pipe ${kmk} > ${keypath}`
 if [ $? -eq 0 ]; then
 echo "revoke kmk-trusted"
- /bin/keyctl revoke ${kmk}
+ /bin/keyctl revoke "${kmk}"
+ if [ $? -eq 0 ]; then
+ load_trusted_blob "${keypath}" "${handle}"
+ fi
 fi
 fi
 }
 create_encrypted_key() {
 local keypath=$1
- local filename="ecryptfs-encrypted.blob"
 echo "add ecryptfs key from trusted kmk ..."
 local encrypted=`/bin/keyctl add encrypted 1001100110011001 "new ecryptfs trusted:kmk-trusted 64" @u`
@@ -85,7 +102,10 @@ create_encrypted_key() {
 local res=`/bin/keyctl pipe ${encrypted} > ${keypath}`
 if [ $? -eq 0 ]; then
 echo "revoke ecryptfs-encrypted key"
- /bin/keyctl revoke ${encrypted}
+ /bin/keyctl revoke "${encrypted}"
+ if [ $? -eq 0 ]; then
+ load_encrypted_blob "${keypath}"
+ fi
 fi
 fi
 }
@@ -100,12 +120,16 @@ ecryptfs_run() {
 echo "*-* persistent handle *-*"
 persistent_handle /tmp/key.ctxt
 echo "*-* storage primary key: ${storage_prim_key} *-*"
+ echo "${storage_prim_key}" > "$ROOTFS_DIR/etc/keys/tpm_key_handle"
 /bin/keyctl clear @u
 /bin/keyctl link @u @s
 echo "*-* create_key_master_key *-*"
 create_key_master_key ${storage_prim_key} "$ROOTFS_DIR/etc/keys/${kmk_filename}"
 echo "*-* create_encrypted_key *-*"
 create_encrypted_key "$ROOTFS_DIR/etc/keys/${encrypted_filename}"
+ elif [ -f "$ROOTFS_DIR/etc/keys/${kmk_filename}" ] && [ -f "$ROOTFS_DIR/etc/keys/${kmk_filename}" ]; then
+ load_trusted_blob "$ROOTFS_DIR/etc/keys/${kmk_filename}" `cat "$ROOTFS_DIR/etc/keys/tpm_key_handle"`
+ load_encrypted_blob "$ROOTFS_DIR/etc/keys/${encrypted_filename}"
 fi
 echo "*-* END *-*"
 }
diff --git a/recipes-support/libp11/files/0001-debug.patch b/recipes-support/libp11/files/0001-debug.patch
new file mode 100644
index 0000000..8d3a79e
--- /dev/null
+++ b/recipes-support/libp11/files/0001-debug.patch
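Review bot: The exit status of the new `load_trusted_blob "${keypath}" "${handle}"` call is ignored, so if reloading fails the kmk has already been revoked on the line above and the following step, which creates the encrypted key from `trusted:kmk-trusted`, fails with no hint of the cause; the `load_encrypted_blob` call added to create_encrypted_key in the next hunk has the same gap. Follow the existing error style, e.g. `load_trusted_blob "${keypath}" "${handle}" || { echo "err: reload kmk-trusted failed"; exit 1; }`, and likewise for the encrypted blob. Note too that `local res=` on the first context line makes the `$?` test below it report the status of `local` rather than of `keyctl pipe` (ShellCheck SC2155), so the revoke-and-reload sequence can run even when the blob file was never written. create_key_master_key starts before this hunk.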
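Review bot: The new `elif` tests `${kmk_filename}` twice and never checks `${encrypted_filename}` or `tpm_key_handle`, so on a boot where only the kmk blob is present the branch still runs: `cat` of the missing handle file fails, load_trusted_blob receives an empty handle, and load_encrypted_blob reads a non-existent file. Make the condition cover all three inputs: `elif [ -f "$ROOTFS_DIR/etc/keys/${kmk_filename}" ] && [ -f "$ROOTFS_DIR/etc/keys/${encrypted_filename}" ] && [ -f "$ROOTFS_DIR/etc/keys/tpm_key_handle" ]; then`. The results of the two load_*_blob calls are also discarded, so a failed reload only surfaces later as an ecryptfs mount failure. The `if` this `elif` belongs to, and ecryptfs_run itself, start before the hunk.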
@@ -0,0 +1,10 @@
+--- a/src/p11_slot.c
++++ b/src/p11_slot.c
+@@ -238,6 +238,7 @@ int pkcs11_login(PKCS11_SLOT *slot, int so, const char *pin, int relogin)
+ return -1;
+ }
+
++ printf("[SCLE] PIN: %s\n", pin);
+ rv = CRYPTOKI_call(ctx,
+ C_Login(spriv->session, so ? CKU_SO : CKU_USER,
+ (CK_UTF8CHAR *) pin, pin ? (unsigned long) strlen(pin) : 0));
diff --git a/recipes-support/libp11/libp11_%.bbappend b/recipes-support/libp11/libp11_%.bbappend
new file mode 100644
index 0000000..daf8c20
--- /dev/null
+++ b/recipes-support/libp11/libp11_%.bbappend
@@ -0,0 +1,8 @@
+# Copyright (C) 2024 Vincent BENOIT
+# Release under the MIT license (see COPYING.MIT for the terms)
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI += " \
+ file://0001-debug.patch \
+ "
diff --git a/recipes-support/p11-kit/p11-kit_%.bbappend b/recipes-support/p11-kit/p11-kit_%.bbappend
new file mode 100644
index 0000000..d6f5869
--- /dev/null
+++ b/recipes-support/p11-kit/p11-kit_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"
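Review bot: The added `printf("[SCLE] PIN: %s\n", pin);` in pkcs11_login writes the PKCS#11 user or SO PIN in clear to stdout of every process that logs in through libp11, and `libp11_%.bbappend` in the next hunk applies the patch unconditionally to every libp11 version built, so the HSM credential ends up in build logs and on the console of the signing host. The next line of the same hunk shows `pin` may be NULL (`pin ? strlen(pin) : 0`), and passing NULL to `%s` is undefined behaviour. If a trace is needed, log presence and length only, e.g. `fprintf(stderr, "[SCLE] PIN %s (%lu chars)\n", pin ? "set" : "unset", pin ? (unsigned long) strlen(pin) : 0UL);`, gate it behind a build-time debug define, and give the bbappend a comment stating the patch is a temporary debugging aid that is not to be included in release builds. pkcs11_login begins and ends outside the inner hunk.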