[PATCH] imx: hab: add documentation about the required keys/certs
Claudius Heine
ch at denx.de
Thu May 16 13:27:34 CEST 2024
Hi Rasmus,
On 2024-05-16 11:50 am, Rasmus Villemoes wrote:
> On 16/05/2024 10.25, Claudius Heine wrote:
>> Hi Tim and Marek,
>>
>> On 2024-05-16 12:46 am, Tim Harvey wrote:
>>> On Tue, May 14, 2024 at 11:50 AM Tim Harvey <tharvey at gateworks.com>
>>> wrote:
>>>> On Sun, May 12, 2024 at 10:08 PM Marek Vasut <marex at denx.de> wrote:
>>>>> On 5/8/24 9:23 AM, Claudius Heine wrote:
>>>>>> On 2024-05-07 3:28 pm, Marek Vasut wrote:
>>>>>>> It would be good to mention the DT properties which govern the crypto
>>>>>>> material paths -- nxp,srk-table, nxp,csf-crt, nxp,img-crt --
>>>>>>> somewhere
>>>>>>> around this sentence.
>>>>>>
>>>>>> This is something that should be documented with the changes where
>>>>>> that
>>>>>> code was added, IMO. I only documented here what I found out and have
>>>>>> used myself, I haven't used those.
>>>>>>
>>>>>> I would be interested in reading how to best overwrite those paths and
>>>>>> the image structured from board u-boot.dtsi files myself.
>>>>>>
>>>>>> If you want to can pickup my patch and integrate it into your
>>>>>> series and
>>>>>> extend it.
>>>>>
>>>>> I'll keep it in mind for V3.
>>>
>>> Hi Marek,
>>>
>>> The documentation patch here by Claudius does resolve my issues
>>> discussed in the other thread and I can confirm symlinks work fine so
>>> I think something like the following should be added:
>>>
>>> CST_DIR=/usr/src/cst-3.3.2/
>>> ln -s $CST_DIR/crts .
>>> ln -s $CST_DIR/keys .
>>
>> `keys` and `crts` are very short and generic names, and putting them
>> into the build directory might cause issues at some point. But I would
>> not be against putting them into a sub directory (`imx-hab/{keys,crts}`?).
>
> It is probably useful to be aware of the quality of the cst code. For
> reference, I quote get_key_file()
>
> int32_t get_key_file(const char* cert_file, char* key_file)
> {
> /* Algorithm to locate key file from given cert file */
> /* for now just assume the key to present in the */
> /* same folder as cert file. The crt in the name will */
> /* will be replaced with key */
> char * folder;
> int32_t i = strlen(cert_file); /**< Index into key filename,
> initialized
> to filename length */
>
> strcpy(key_file, cert_file);
> key_file[i] = 0;
>
> key_file[i-5] = 'y';
> key_file[i-6] = 'e';
> key_file[i-7] = 'k';
>
> /* Search for folder name "certs" in the file and replace it with
> "keys" */
> /* Keys are found in "keys" folder and certs are in "certs" folder
> */
>
> folder = strstr(key_file, "crts");
> if(folder)
> {
> folder[0] = 'k';
> folder[1] = 'e';
> folder[2] = 'y';
> folder[3] = 's';
> }
> return CAL_SUCCESS;
> }
>
> Ignoring the inconsistencies in the comments, obviously there are a lot
> of implicit assumptions on file names and paths. First, the assumption
> that the filename of they key corresponding to the certificate can be
> obtained by replacing [-7:-5] by "key". Second, and much more egregious,
> is the use of strstr() on key_file searching for "crts", and just
> blindly replacing the first such with "keys", and ignoring it if not
> found. So if that string appears anywhere in the path (say, my homedir
> is /home/dcrts/ and I have the key material somewhere below that) this
> will replace the wrong occurrence (and look in /home/dkeys/ ....).
>
> And of course it was unthinkable that this could have been written using
> the much shorter memcpy(..., "keys", 4) so that one could actually `git
> grep 'keys'` and figure out what was going on.
Exactly. I had the pleasure to read cst code a bit as well to figure out
some issue. This is also a reason I suggested to just set the base path
to the CST/HAB files instead of setting the individual paths to the
keys/certs in the hope that this is a more robust way for cst to find
its implicitly required files.
regards,
Claudius
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch at denx.de
More information about the U-Boot
mailing list