ajout de recettes pour signature via HSM distant et PKCS#11
@@ -134,6 +134,17 @@ VIRTUAL-RUNTIME_syslog = "rsyslog"
|
|||||||
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
|
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
|
||||||
DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"
|
DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"
|
||||||
|
|
||||||
|
PREFERRED_VERSION_cargo = "1.64.0"
|
||||||
|
PREFERRED_VERSION_cargo-native = "1.64.0"
|
||||||
|
PREFERRED_VERSION_libstd-rs = "1.64.0"
|
||||||
|
PREFERRED_VERSION_rust = "1.64.0"
|
||||||
|
PREFERRED_VERSION_rust-cross = "1.64.0"
|
||||||
|
PREFERRED_VERSION_rust-llvm = "1.64.0"
|
||||||
|
PREFERRED_VERSION_rust-llvm-native = "1.64.0"
|
||||||
|
PREFERRED_VERSION_rust-native = "1.64.0"
|
||||||
|
PREFERRED_VERSION_rust-source = "1.64.0"
|
||||||
|
PREFERRED_VERSION_rust-snapshot = "1.64.0"
|
||||||
|
|
||||||
#IMAGE_FEATURES += " package-management ssh-server-openssh read-only-rootfs"
|
#IMAGE_FEATURES += " package-management ssh-server-openssh read-only-rootfs"
|
||||||
IMAGE_FEATURES += " package-management ssh-server-openssh"
|
IMAGE_FEATURES += " package-management ssh-server-openssh"
|
||||||
|
|
||||||
@@ -145,4 +156,14 @@ INHERIT += "extrausers"
|
|||||||
# mkpasswd -m sha-512 root -s sclecyber
|
# mkpasswd -m sha-512 root -s sclecyber
|
||||||
EXTRA_USERS_PARAMS += "usermod -p '\$6\$sclecyber\$n9LKVtEnhPIDEbFdRFVPWbuRoYabzprcF0W2XuR4Tg/au6xrII8/4qBDc8vPn0z7qthIL.UMp4TlZWi9uOsFQ.' root;"
|
EXTRA_USERS_PARAMS += "usermod -p '\$6\$sclecyber\$n9LKVtEnhPIDEbFdRFVPWbuRoYabzprcF0W2XuR4Tg/au6xrII8/4qBDc8vPn0z7qthIL.UMp4TlZWi9uOsFQ.' root;"
|
||||||
|
|
||||||
RM_WORK_EXCLUDE += "core-image-minimal-initramfs cyber-secureboot-image clevis systemd libpwquality"
|
RM_WORK_EXCLUDE += " \
|
||||||
|
core-image-minimal-initramfs \
|
||||||
|
cyber-secureboot-image \
|
||||||
|
clevis \
|
||||||
|
systemd \
|
||||||
|
libpwquality \
|
||||||
|
openssl \
|
||||||
|
u-boot-tools-native \
|
||||||
|
p11-kit-native \
|
||||||
|
libp11-native \
|
||||||
|
"
|
||||||
|
|||||||
@@ -26,7 +26,7 @@ create_tpm_prim_key() {
|
|||||||
check_tpm2
|
check_tpm2
|
||||||
|
|
||||||
local contextfile=${dirpath}/key.ctxt
|
local contextfile=${dirpath}/key.ctxt
|
||||||
local ret=`/usr/bin/tpm2_createprimary --key-algorithm=rsa2048 --key-context=${contextfile}`
|
local ret=`/usr/bin/tpm2_createprimary --key-algorithm=rsa2048 --key-context=${contextfile} 2>/dev/null`
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
echo "err: create primary failed"
|
echo "err: create primary failed"
|
||||||
exit 1
|
exit 1
|
||||||
@@ -47,6 +47,21 @@ persistent_handle() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
load_trusted_blob() {
|
||||||
|
local keypath=$1
|
||||||
|
local handle=$2
|
||||||
|
local blob=`cat ${keypath}`
|
||||||
|
echo "add trusted blob to linux key"
|
||||||
|
/bin/keyctl add trusted kmk-trusted "load ${blob} keyhandle=${handle}" @u
|
||||||
|
}
|
||||||
|
|
||||||
|
load_encrypted_blob() {
|
||||||
|
local keypath=$1
|
||||||
|
local blob=`cat ${keypath}`
|
||||||
|
echo "add encrypted blob to linux key"
|
||||||
|
/bin/keyctl add encrypted 1001100110011001 "load ${blob}" @u
|
||||||
|
}
|
||||||
|
|
||||||
create_key_master_key() {
|
create_key_master_key() {
|
||||||
local handle=$1
|
local handle=$1
|
||||||
local keypath=$2
|
local keypath=$2
|
||||||
@@ -66,14 +81,16 @@ create_key_master_key() {
|
|||||||
local res=`/bin/keyctl pipe ${kmk} > ${keypath}`
|
local res=`/bin/keyctl pipe ${kmk} > ${keypath}`
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
echo "revoke kmk-trusted"
|
echo "revoke kmk-trusted"
|
||||||
/bin/keyctl revoke ${kmk}
|
/bin/keyctl revoke "${kmk}"
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
load_trusted_blob "${keypath}" "${handle}"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
create_encrypted_key() {
|
create_encrypted_key() {
|
||||||
local keypath=$1
|
local keypath=$1
|
||||||
local filename="ecryptfs-encrypted.blob"
|
|
||||||
|
|
||||||
echo "add ecryptfs key from trusted kmk ..."
|
echo "add ecryptfs key from trusted kmk ..."
|
||||||
local encrypted=`/bin/keyctl add encrypted 1001100110011001 "new ecryptfs trusted:kmk-trusted 64" @u`
|
local encrypted=`/bin/keyctl add encrypted 1001100110011001 "new ecryptfs trusted:kmk-trusted 64" @u`
|
||||||
@@ -85,7 +102,10 @@ create_encrypted_key() {
|
|||||||
local res=`/bin/keyctl pipe ${encrypted} > ${keypath}`
|
local res=`/bin/keyctl pipe ${encrypted} > ${keypath}`
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
echo "revoke ecryptfs-encrypted key"
|
echo "revoke ecryptfs-encrypted key"
|
||||||
/bin/keyctl revoke ${encrypted}
|
/bin/keyctl revoke "${encrypted}"
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
load_encrypted_blob "${keypath}"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@@ -100,12 +120,16 @@ ecryptfs_run() {
|
|||||||
echo "*-* persistent handle *-*"
|
echo "*-* persistent handle *-*"
|
||||||
persistent_handle /tmp/key.ctxt
|
persistent_handle /tmp/key.ctxt
|
||||||
echo "*-* storage primary key: ${storage_prim_key} *-*"
|
echo "*-* storage primary key: ${storage_prim_key} *-*"
|
||||||
|
echo "${storage_prim_key}" > "$ROOTFS_DIR/etc/keys/tpm_key_handle"
|
||||||
/bin/keyctl clear @u
|
/bin/keyctl clear @u
|
||||||
/bin/keyctl link @u @s
|
/bin/keyctl link @u @s
|
||||||
echo "*-* create_key_master_key *-*"
|
echo "*-* create_key_master_key *-*"
|
||||||
create_key_master_key ${storage_prim_key} "$ROOTFS_DIR/etc/keys/${kmk_filename}"
|
create_key_master_key ${storage_prim_key} "$ROOTFS_DIR/etc/keys/${kmk_filename}"
|
||||||
echo "*-* create_encrypted_key *-*"
|
echo "*-* create_encrypted_key *-*"
|
||||||
create_encrypted_key "$ROOTFS_DIR/etc/keys/${encrypted_filename}"
|
create_encrypted_key "$ROOTFS_DIR/etc/keys/${encrypted_filename}"
|
||||||
|
elif [ -f "$ROOTFS_DIR/etc/keys/${kmk_filename}" ] && [ -f "$ROOTFS_DIR/etc/keys/${kmk_filename}" ]; then
|
||||||
|
load_trusted_blob "$ROOTFS_DIR/etc/keys/${kmk_filename}" `cat "$ROOTFS_DIR/etc/keys/tpm_key_handle"`
|
||||||
|
load_encrypted_blob "$ROOTFS_DIR/etc/keys/${encrypted_filename}"
|
||||||
fi
|
fi
|
||||||
echo "*-* END *-*"
|
echo "*-* END *-*"
|
||||||
}
|
}
|
||||||
|
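Review bot: The new `elif` near the end of ecryptfs_run tests `-f "$ROOTFS_DIR/etc/keys/${kmk_filename}"` twice, so the `load_encrypted_blob` fallback also runs when the encrypted blob file is absent and `cat` then hands keyctl an empty blob; the second test was presumably meant to name `${encrypted_filename}`. The same branch obtains the handle with a `cat` of `$ROOTFS_DIR/etc/keys/tpm_key_handle` without checking that the file exists, so an empty `keyhandle=` would reach the trusted-key load in `load_trusted_blob`. I would write the condition as `elif [ -f "$ROOTFS_DIR/etc/keys/${kmk_filename}" ] && [ -f "$ROOTFS_DIR/etc/keys/${encrypted_filename}" ] && [ -f "$ROOTFS_DIR/etc/keys/tpm_key_handle" ]; then`. The opening of ecryptfs_run and the `if` this `elif` belongs to lie outside the hunk.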
|||||||
10
recipes-support/libp11/files/0001-debug.patch
Normal file
10
recipes-support/libp11/files/0001-debug.patch
Normal file
@@ -0,0 +1,10 @@
|
|||||||
|
--- a/src/p11_slot.c
|
||||||
|
+++ b/src/p11_slot.c
|
||||||
|
@@ -238,6 +238,7 @@ int pkcs11_login(PKCS11_SLOT *slot, int so, const char *pin, int relogin)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ printf("[SCLE] PIN: %s\n", pin);
|
||||||
|
rv = CRYPTOKI_call(ctx,
|
||||||
|
C_Login(spriv->session, so ? CKU_SO : CKU_USER,
|
||||||
|
(CK_UTF8CHAR *) pin, pin ? (unsigned long) strlen(pin) : 0));
|
||||||
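Review bot: The added `printf("[SCLE] PIN: %s\n", pin);` in pkcs11_login writes the PKCS#11 user or SO PIN in clear text to stdout on every login, so the token credential lands in any console capture, journal or build log of a process that loads libp11, and libp11_%.bbappend applies this patch unconditionally through SRC_URI, so it is not confined to a debug build. The very next statement treats `pin` as possibly NULL (`pin ? (unsigned long) strlen(pin) : 0`), and passing NULL to `%s` is undefined behaviour, so the line is also a crash risk on NULL-PIN logins. Drop the line, or at minimum wrap it in a compile-time guard that no shipped recipe defines and log only whether a PIN was supplied rather than its value, e.g. `if (pin) fprintf(stderr, "[SCLE] PIN supplied (%lu chars)\n", (unsigned long) strlen(pin));` under `#ifdef SCLE_DEBUG_PIN`.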
8
recipes-support/libp11/libp11_%.bbappend
Normal file
8
recipes-support/libp11/libp11_%.bbappend
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
# Copyright (C) 2024 Vincent BENOIT <vincent.benoit@scle.fr>
|
||||||
|
# Release under the MIT license (see COPYING.MIT for the terms)
|
||||||
|
|
||||||
|
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
|
||||||
|
|
||||||
|
SRC_URI += " \
|
||||||
|
file://0001-debug.patch \
|
||||||
|
"
|
||||||
1
recipes-support/p11-kit/p11-kit_%.bbappend
Normal file
1
recipes-support/p11-kit/p11-kit_%.bbappend
Normal file
@@ -0,0 +1 @@
|
|||||||
|
BBCLASSEXTEND += "native"
|
||||||