Merge pull request #1149 from flatcar/tormath1/sign

core_sign_update: use pkcs11 openssl engine
flatcar · Jan 23, 2024 · 0987e80 · 0987e80
2 parents 018778e + 05d4afb
commit 0987e80
Show file tree

Hide file tree

Showing 42 changed files with 1,665 additions and 3 deletions.
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
@@ -17,7 +17,9 @@ acct-group/messagebus
 acct-group/netperf
 acct-group/nobody
 acct-group/ntp
+acct-group/openct
 acct-group/pcap
+acct-group/pcscd
 acct-group/polkitd
 acct-group/portage
 acct-group/render
@@ -34,6 +36,7 @@ acct-group/systemd-timesync
 acct-group/tape
 acct-group/tss
 acct-group/tty
+acct-group/usb
 acct-group/users
 acct-group/utmp
 acct-group/uucp
@@ -47,6 +50,7 @@ acct-user/netperf
 acct-user/nobody
 acct-user/ntp
 acct-user/pcap
+acct-user/pcscd
 acct-user/polkitd
 acct-user/portage
 acct-user/root
@@ -102,6 +106,7 @@ app-containers/runc
 app-crypt/adcli
 app-crypt/argon2
 app-crypt/efitools
+app-crypt/ccid
 app-crypt/libb2
 app-crypt/libmd
 app-crypt/mhash
@@ -197,6 +202,7 @@ dev-libs/libnl
 dev-libs/libpcre
 dev-libs/libpcre2
 dev-libs/libpipeline
+dev-libs/libp11
 dev-libs/libsodium
 dev-libs/libtasn1
 dev-libs/libunistring
@@ -213,6 +219,7 @@ dev-libs/nettle
 dev-libs/npth
 dev-libs/nspr
 dev-libs/oniguruma
+dev-libs/opensc
 dev-libs/popt
 dev-libs/protobuf
 dev-libs/userspace-rcu
@@ -468,6 +475,7 @@ sys-apps/miscfiles
 sys-apps/net-tools
 sys-apps/nvme-cli
 sys-apps/pciutils
+sys-apps/pcsc-lite
 sys-apps/portage
 sys-apps/pv
 sys-apps/sandbox

diff --git a/core_sign_update b/core_sign_update
@@ -136,7 +136,7 @@ i=1
 signature_sizes=""
 for key in "${private_keys[@]}"; do
 	if [[ "${key}" == pkcs11* ]]; then
-		openssl rsautl -engine pkcs11 -pkcs -sign -inkey ${key} -keyform engine -in update.pkcs11-padhash -out update.sig.${i}
+		OPENSSL_CONF=/etc/ssl/pkcs11.cnf openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "${key}" -in update.pkcs11-padhash -out "update.sig.${i}"
 	elif [[ "${key}" == fero* ]]; then
 		fero-client \
 			--address $FLAGS_signing_server_address \
@@ -163,8 +163,13 @@ delta_generator --signature_file ${files} --in_file update --out_file update.sig
 
 i=1
 for key in "${public_keys[@]}"; do
+	version="${i}"
+	if [ ${#public_keys[@]} == 1 ]; then
+		version=2
+	fi
+
 	delta_generator \
-		--public_key_version "${i}" \
+		--public_key_version "${version}" \
 		--public_key "${key}" \
 		--in_file update.signed
 

diff --git a/data/download_payloads b/data/download_payloads
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  echo "Usage: $0 RELEASE_DESCRIPTORS..."
+  echo "Example: $0 alpha:1786.0.0 beta:1781.2.0"
+  echo "Downloads the release update payloads to ARCH-usr/VERSION/ folders."
+  echo "Expected to be run in .../sdk/src/scripts/data/"
+  echo "(usually before entering the chroot and running ./generate_payload data/ARCH-usr/VERSION/ keys/)."
+  exit 1
+fi
+
+if [ "$(basename "${PWD}")" != "data" ] || [ "$(basename "$(readlink -f ..)")" != "scripts" ]; then
+  echo "Expected to be run in .../sdk/src/scripts/data/" >&2
+  exit 1
+fi
+
+# Same as in copy-to-origin.sh and set-symlink.sh
+for TUPLE_COL in "$@"; do
+  IFS=":" read -r -a TUPLE <<< "${TUPLE_COL}"
+  CHANNEL="${TUPLE[0]}"
+  VERSION="${TUPLE[1]}"
+  for ARCH in amd64 arm64; do
+    echo "Downloading ${CHANNEL} ${VERSION} ${ARCH}"
+    rm -rf "${ARCH}-usr/${VERSION}"
+    mkdir -p "${ARCH}-usr/${VERSION}" && cd "${ARCH}-usr/${VERSION}"
+    BASEURL="https://bincache.flatcar-linux.net/images/${ARCH}/${VERSION}/"
+    # Note: Don't replace this with 'mapfile -t array < <(curl)' or 'read -r -a array <<< "$(curl)"' because that has no error checking
+    EXTRA_PAYLOADS=($(curl -H 'Accept: application/json' -fsSL "${BASEURL}" | jq -r ".[].name" | { grep -P '^(oem|flatcar)-.*raw(.sig)?$' || true ; }))
+    wget "${BASEURL}"{flatcar_production_update.bin.bz2,flatcar_production_update.bin.bz2.sig,flatcar_production_image.vmlinuz,flatcar_production_image.vmlinuz.sig}
+    for EXTRA_PAYLOAD in "${EXTRA_PAYLOADS[@]}"; do
+      wget "${BASEURL}${EXTRA_PAYLOAD}"
+    done
+    cd ../..
+  done
+done
+echo "Success"
diff --git a/generate_payload b/generate_payload
diff --git a/...c/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/...c/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@@ -93,8 +93,12 @@ RDEPEND="${RDEPEND}
 
 # Host dependencies that are needed to create and sign images
 # TODO:	sys-apps/mosys
+# app-crypt/ccid is required for pcsc-lite daemon to work.
 RDEPEND="${RDEPEND}
 	sys-fs/squashfs-tools
+	dev-libs/libp11
+	dev-libs/opensc
+	app-crypt/ccid
 	"
 
 # Host dependencies that are needed for delta_generator.

diff --git a/...ps/baselayout/baselayout-3.6.8-r14.ebuild → ...ps/baselayout/baselayout-3.6.8-r15.ebuild b/...ps/baselayout/baselayout-3.6.8-r14.ebuild → ...ps/baselayout/baselayout-3.6.8-r15.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
@@ -9,7 +9,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="a482cb4b69ffa5cf92d9cd719409e7abd7f382a3" # flatcar-master
+	CROS_WORKON_COMMIT="937a45faef0f7fa88d3d2c3f7ba60a7f3e2e82f7" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 
@@ -183,6 +183,12 @@ src_install() {
 	if use arm64; then
 		sed -i -e '/pam_sss.so/d' "${D}"/usr/lib/pam.d/* || die
 	fi
+
+	if use cros_host; then
+		# inject custom SSL configuration required for signing payloads from the SDK container using OpenSSL.
+		insinto "/etc/ssl/"
+		doins "${S}/baselayout/pkcs11.cnf"
+	fi
 }
 
 pkg_postinst() {

diff --git a/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild
@@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=46
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild
@@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=47
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild
@@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=85
diff --git a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild
@@ -0,0 +1,13 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-user
+
+DESCRIPTION="A user for pcsc-lite"
+ACCT_USER_ID=47
+ACCT_USER_GROUPS=( pcscd openct usb )
+ACCT_USER_GROUPS=( pcscd openct )
+
+acct-user_add_deps
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest
@@ -0,0 +1 @@
+DIST ccid-1.5.1.tar.bz2 702586 BLAKE2B 7b9e3c6daf03c186f34ac9b13bd960293a6481f9237ee52937ece1040bd3a79b7dab318e1244205a7feae992261ab5e82292d80ae023a4f621e0e7af7cdb9df5 SHA512 492bde96f5752e2a5316693c44e35e2d041785a00d15e094905c0aafad392f5329009d12801899367276328a582936ee53a1c5239c1813c4536001cb8a608f2e
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit udev
+
+DESCRIPTION="CCID free software driver"
+HOMEPAGE="https://ccid.apdu.fr https://github.com/LudovicRousseau/CCID"
+SRC_URI="https://ccid.apdu.fr/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ppc ppc64 ~riscv ~sparc x86"
+IUSE="twinserial +usb"
+
+RDEPEND="
+	>=sys-apps/pcsc-lite-1.8.3
+	twinserial? ( dev-lang/perl )
+	usb? ( virtual/libusb:1 )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+src_configure() {
+	econf \
+		LEX=: \
+		$(use_enable twinserial) \
+		$(use_enable usb libusb)
+}
+
+src_install() {
+	default
+	udev_newrules src/92_pcscd_ccid.rules 92-pcsc-ccid.rules
+}
+
+pkg_postinst() {
+	udev_reload
+	einfo "Check https://github.com/LudovicRousseau/CCID/blob/master/INSTALL"
+	einfo "for more info about how to configure and use ccid"
+}
+
+pkg_postrm() {
+	udev_reload
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+	<use>
+		<flag name="twinserial">Enable twinserial reader</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">LudovicRousseau/CCID</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest
@@ -0,0 +1 @@
+DIST libp11-0.4.12.tar.gz 516414 BLAKE2B a816749984753a1916dd58860c51b49d316946b59eb3bc839f6a21dcff14de48d7a4937f55fc7ad96a26b914591854d5cf11a1fbac2d5f2f5e04c833973c0e42 SHA512 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc
diff --git a/...iner/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch b/...iner/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch
@@ -0,0 +1,50 @@
+https://github.com/OpenSC/libp11/pull/503
+https://bugs.gentoo.org/910203
+
+From 580c12b78b63d88010a6178d7c4c58186938c479 Mon Sep 17 00:00:00 2001
+From: Dominique Leuenberger <[email protected]>
+Date: Tue, 6 Jun 2023 14:27:46 +0200
+Subject: [PATCH] Detect openSSL 3.1; compatible to openSSL 3.0
+
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index d6b0ee91..b96979d9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
+ # issues with applications linking to new openssl, old libp11, and vice versa
+ case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
+ 	$PKG_CONFIG --modversion openssl`" in
+-	3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
++	3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
+ 	    LIBP11_LT_OLDEST="3"
+ 	    debian_ssl_prefix="openssl-3.0.0";;
+ 	1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
+From 0697773b403efb8e7fa9f0c0fddcb499fb9b6337 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <[email protected]>
+Date: Thu, 13 Jul 2023 13:52:54 -0400
+Subject: [PATCH] configure: treat all openssl-3.x releases the same
+
+OpenSSL's soversion will not change for any 3.x minor release.
+
+https://www.openssl.org/policies/general/versioning-policy.html
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index b96979d9..c344e84a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
+ # issues with applications linking to new openssl, old libp11, and vice versa
+ case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
+ 	$PKG_CONFIG --modversion openssl`" in
+-	3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
++	3.*) # Predicted engines directory prefix for OpenSSL 3.x
+ 	    LIBP11_LT_OLDEST="3"
+ 	    debian_ssl_prefix="openssl-3.0.0";;
+ 	1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild
@@ -0,0 +1,31 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Abstraction layer to simplify PKCS#11 API"
+HOMEPAGE="https://github.com/opensc/libp11/wiki"
+SRC_URI="https://github.com/OpenSC/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="doc static-libs"
+
+RDEPEND="dev-libs/openssl:=[bindist(+)]"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig
+	doc? ( app-doc/doxygen )"
+
+src_configure() {
+	econf \
+		--enable-shared \
+		$(use_enable static-libs static) \
+		$(use_enable doc api-doc)
+}
+
+src_install() {
+	default
+
+	find "${ED}" -name '*.la' -delete || die
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		DIST ccid-1.5.1.tar.bz2 702586 BLAKE2B 7b9e3c6daf03c186f34ac9b13bd960293a6481f9237ee52937ece1040bd3a79b7dab318e1244205a7feae992261ab5e82292d80ae023a4f621e0e7af7cdb9df5 SHA512 492bde96f5752e2a5316693c44e35e2d041785a00d15e094905c0aafad392f5329009d12801899367276328a582936ee53a1c5239c1813c4536001cb8a608f2e
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		DIST libp11-0.4.12.tar.gz 516414 BLAKE2B a816749984753a1916dd58860c51b49d316946b59eb3bc839f6a21dcff14de48d7a4937f55fc7ad96a26b914591854d5cf11a1fbac2d5f2f5e04c833973c0e42 SHA512 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc