[Buildroot] [PATCH 5/6] wireless-regdb: add explicit signing key config
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Mon Jul 27 20:12:24 UTC 2020
Hello Kurt,
On Thu, 2 Jul 2020 12:36:17 +0200
Kurt Van Dijck <dev.kurt at vandijck-laurijssen.be> wrote:
> +if BR2_WIRELESS_REGDB_REBUILD
> +
> +config BR2_WIRELESS_REGDB_COMMONNAME
> + string "CommonName for x509 cert"
> + default "buildroot"
> +
> +config BR2_WIRELESS_REGDB_PRIVKEY
> + string "private key for signing wireless-regdb"
> + default "~/.buildroot"
> + help
> + Path to file containing private key to sign wireless-regdb.
> + The key should be in .pem format.
> +
> + If the file does not exist, a new key will be generated
Ah, OK, so that's where you handle this. If the user wants to keep
the same private/public key pair across Buildroot rebuilds, they should
place it at the path pointed to by BR2_WIRELESS_REGDB_PRIVKEY ?
Can I suggest that instead we make this option empty by default, and in
this case, a key is generated in $(HOST_DIR) ?
Anyway, the default value of ~/.buildroot is a bit weird. ~/.buildroot
looks like a directory more than a file that contains a key.
> diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk
> index 7c6b140a4a..d60428a8f0 100644
> --- a/package/wireless-regdb/wireless-regdb.mk
> +++ b/package/wireless-regdb/wireless-regdb.mk
> @@ -13,16 +13,34 @@ WIRELESS_REGDB_LICENSE_FILES = LICENSE
>
> ifeq ($(BR2_WIRELESS_REGDB_REBUILD),y)
>
> +WIRELESS_REGDB_PRIVKEY = $(call qstrip,$(BR2_WIRELESS_REGDB_PRIVKEY))
> +WIRELESS_REGDB_PRIVKEYNAME = $(patsubst .%,%,$(notdir $(WIRELESS_REGDB_PRIVKEY)))
I'm not sure what this PRIVKEYNAME is.
> +# make sure PRIVKEYNAME is set
This is not making sure WIRELESS_REGDB_PRIVKEYNAME is set: it is
setting WIRELESS_REGDB_PRIVKEY.
> +ifeq ($(WIRELESS_REGDB_PRIVKEYNAME),)
> +WIRELESS_REGDB_PRIVKEY=~/.buildroot
> +endif
> +
> +ifeq ($(call qstrip,$(BR2_WIRELESS_REGDB_COMMONNAME)),)
> +BR2_WIRELESS_REGDB_COMMONNAME = "buildroot"
> +endif
We normally handle this like that:
WIRELESS_REGDB_COMMONNAME = $(call qstrip,$(BR2_WIRELESS_REGDB_COMMONNAME))
ifeq ($(WIRELESS_REGDB_COMMONNAME),)
$(error "ERROR: BR2_WIRELESS_REGDB_COMMONNAME is empty")
endif
> define WIRELESS_REGDB_PATCH_PYTHON3
> sed -i -e '1 s/python$$/python3/' $(@D)/*.py
> + sed -i -e 's/= sforshee$$/= $(call qstrip,$(BR2_WIRELESS_REGDB_COMMONNAME))/' $(@D)/gen-pubcert.sh
> endef
>
> WIRELESS_REGDB_POST_PATCH_HOOKS += WIRELESS_REGDB_PATCH_PYTHON3
>
> WIRELESS_REGDB_DEPENDENCIES += host-python3-m2crypto
> +
This is kind of a spurious change, not really related to this commit.
> define WIRELESS_REGDB_BUILD_CMDS
> $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
> - REGDB_AUTHOR=buildroot
> + REGDB_PRIVKEY=$(WIRELESS_REGDB_PRIVKEY) \
> + REGDB_PUBKEY=$(WIRELESS_REGDB_PRIVKEYNAME).pub \
> + REGDB_PUBCERT=$(WIRELESS_REGDB_PRIVKEYNAME).x509.pem
I don't quite understand how the private key file name relates to the
public key and public key certificate file names. Could you clarify ?
> + openssl x509 -in $(@D)/$(WIRELESS_REGDB_PRIVKEYNAME).x509.pem \
Use $(HOST_DIR)/bin/openssl here.
> + -outform DER \
> + -out $(@D)/$(WIRELESS_REGDB_PRIVKEYNAME).x509
> endef
> endif
>
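Review bot: The COMMONNAME value is spliced verbatim into a sed program on the `sed -i -e 's/= sforshee$$/= $(call qstrip,$(BR2_WIRELESS_REGDB_COMMONNAME))/' $(@D)/gen-pubcert.sh` line, so a configured CommonName containing `/`, `&`, `\` or `'` either breaks the sed expression or is interpreted by sed instead of being inserted literally. Since this is a free-form user string, it would be safer to pass it to gen-pubcert.sh as an environment or make variable rather than patching the script, or at least to document the character restriction in the Config.in help. If patching the script is kept, the value should be escaped for the sed replacement context before being substituted. The WIRELESS_REGDB_PATCH_PYTHON3 define starts and ends inside the hunk.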
> @@ -32,8 +50,8 @@ define WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS
> $(TARGET_DIR)/usr/lib/crda/regulatory.bin
> $(INSTALL) -m 644 -D -T $(@D)/sforshee.key.pub.pem \
> $(TARGET_DIR)/etc/wireless-regdb/pubkeys/sforshee.key.pub.pem
> - $(INSTALL) -m 644 -D -T ~/.wireless-regdb-buildroot.key.pub.pem \
> - $(TARGET_DIR)/etc/wireless-regdb/pubkeys/buildroot.key.pub.pem
> + $(INSTALL) -m 644 -D -T $(@D)/$(WIRELESS_REGDB_PRIVKEYNAME).pub \
> + $(TARGET_DIR)/etc/wireless-regdb/pubkeys/$(WIRELESS_REGDB_PRIVKEYNAME).pub
> endef
> endif
>
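Review bot: When BR2_WIRELESS_REGDB_PRIVKEY is empty, WIRELESS_REGDB_PRIVKEYNAME stays empty because the fallback earlier in the file assigns only WIRELESS_REGDB_PRIVKEY, so the two `$(INSTALL)` lines of this hunk resolve to `$(@D)/.pub` and `$(TARGET_DIR)/etc/wireless-regdb/pubkeys/.pub`, installing the public key as a hidden file. Deriving the name after the fallback avoids this: `ifeq ($(WIRELESS_REGDB_PRIVKEY),)` / `WIRELESS_REGDB_PRIVKEY = ~/.buildroot` / `endif`, followed by `WIRELESS_REGDB_PRIVKEYNAME = $(patsubst .%,%,$(notdir $(WIRELESS_REGDB_PRIVKEY)))`. The WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS define starts before this hunk.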
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com