Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

core_sign_update: use pkcs11 openssl engine #1149

Merged
merged 9 commits into from
Jan 23, 2024
Merged

core_sign_update: use pkcs11 openssl engine #1149

merged 9 commits into from
Jan 23, 2024

Conversation

tormath1
Copy link
Contributor

@tormath1 tormath1 commented Sep 18, 2023

To be tested with an actual payload.
SDK: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/1275/cldsv/

TODO:

The workflow would be the follow: (see: https://github.com/flatcar/flatcar-maintainer-private/pull/9)

  • start the SDK
  • start the pcscd daemon
  • plug the device
  • ./generate_payloads alpha:3815.0.0 ...

core_sign_update Outdated Show resolved Hide resolved
@pothos
Copy link
Member

pothos commented Dec 14, 2023

+1 for adding download_payloads/generate_payload to this repo. (What I don't like is making it mandatory to run inside the SDK because of of common.sh)

Copy link

github-actions bot commented Dec 14, 2023

@pothos
Copy link
Member

pothos commented Dec 14, 2023

start the pcscd daemon

Inside the SDK or can I use the one from the host? Would it conflict with the one from the host? That was the case before and one had to manually stop it for successful signing.

@pothos
Copy link
Member

pothos commented Dec 14, 2023

  • ./download_payloads alpha:3815.0.0 ...

  • ./generate_payloads ./data/ keys (with a for loop on the releases in ./data/)

In the end a big wrapper would be nice that downloads and uploads.

@tormath1
Copy link
Contributor Author

start the pcscd daemon

Inside the SDK or can I use the one from the host? Would it conflict with the one from the host? That was the case before and one had to manually stop it for successful signing.

@pothos I just checked, it conflicts indeed:

00000000 [140694532543296] ccid_usb.c:683:OpenUSBByName() Can't claim interface 1/9: LIBUSB_ERROR_BUSY

For this to work, one has to use the daemon from the SDK (and not from the host). That's also the idea behind: no need to pull dependencies on your own machine.

Copy link
Member

@pothos pothos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@pothos
Copy link
Member

pothos commented Jan 17, 2024

Let's merge and then remove the scripts from flatcar-build-scripts, otherwise things can get out of sync

Copy link
Member

@krnowak krnowak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume that the scripts work. The changes in portage-stable and coreos-overlay look good. The baselayout will need to have its commit ID updated, of course.

One question though: why putting download_payloads script in the data subdirectory? The generate payload scripts could just create the directory and call download_payloads from there.

this is the pkcs11 engine for OpenSSL

Signed-off-by: Mathieu Tortuyaux <[email protected]>
it's used to interact with the HSM device.

Signed-off-by: Mathieu Tortuyaux <[email protected]>
required for pcsc-lite daemon to work

Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
directly from the flatcar-build-scripts (no modification)

Signed-off-by: Mathieu Tortuyaux <[email protected]>
@tormath1
Copy link
Contributor Author

I assume that the scripts work. The changes in portage-stable and coreos-overlay look good. The baselayout will need to have its commit ID updated, of course.

One question though: why putting download_payloads script in the data subdirectory? The generate payload scripts could just create the directory and call download_payloads from there.

It's because the download_payloads can be used separately from the generate_payload to previously download the payloads if you work in air gapped environment (as recommended when generating the release payloads).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants