mail archive of the rauc mailing list
* Re: [RAUC] pass PEM passphrase in Yocto build
       [not found] <1c731e01b30146c7b24384eacf6954a9@data-modul.com>
@ 2022-03-18 10:38 ` Enrico Jörns
  2022-03-18 10:44 ` Jan Lübbe
  1 sibling, 0 replies; 4+ messages in thread
From: Enrico Jörns @ 2022-03-18 10:38 UTC (permalink / raw)
  To: Yazdani, Reyhaneh, rauc

Hi,

On Friday, 18.03.2022 at 10:32 +0000, Yazdani, Reyhaneh wrote:
> Hi everyone,
>  

Didn't you ask the exact same question on the meta-rauc ML already?
(which also hung briefly in the review queue as you are not registered)
Please be so kind as not to double-post.

If you already found the related issue, is there a specific reason not to pick
this up but scatter information in different MLs instead? Would be easier to
handle this in the Issue.

And I fear nothing about this topic has changed since then.

Best regards

Enrico

> I am getting the below error when I was building the bundle by Yocto with
> encrypted Root CA and ICA certificate.
>  
> ERROR: p118-bundle-1.0-r0 do_bundle: Execution of
> '/build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-
> r0/temp/run.do_bundle.88428' failed with exit code 1
> ERROR: Logfile of failure stored in: /build/tmp/work/imx8mm_p118-poky-
> linux/p118-bundle/1.0-r0/temp/log.do_bundle.88428
> Log data follows:
> | DEBUG: Executing shell function do_bundle
> | rauc-Message: 10:39:18.125: Debug log domains: 'rauc'
> | (rauc:88441): rauc-DEBUG: 10:39:18.126: bundle start
> | (rauc:88441): rauc-DEBUG: 10:39:18.126: system config not found, using
> default values
> | rauc-Message: 10:39:18.126: Failed to resolve realpath for '/dev/disk/by-
> uuid/e9b676c1-a65c-4677-b9df-b4e974452609'
> | (rauc:88441): rauc-DEBUG: 10:39:18.126: input directory:
> /build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-r0/bundle
> | (rauc:88441): rauc-DEBUG: 10:39:18.126: output bundle:
> /build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-r0/build/bundle.raucb
> | (rauc:88441): rauc-DEBUG: 10:39:30.140: Payload size: 497258496 bytes.
> | Creating bundle in 'plain' format
> | Enter PEM pass phrase:
> | Failed to create bundle: failed to sign bundle: failed to parse key file
> '/repo/meta-p118-bsp/conf/keys/ica.key.pem': while reading strings
> | 139843920926528:error:0906406D:PEM routines:PEM_def_callback:problems
> getting password:../openssl-1.1.1l/crypto/pem/pem_lib.c:59:
> | 139843920926528:error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad
> password read:../openssl-1.1.1l/crypto/pem/pem_pkey.c:64:
> | WARNING: exit code 1 from a shell command.
> | ERROR: Execution of '/build/tmp/work/imx8mm_p118-poky-linux/p118-bundle/1.0-
> r0/temp/run.do_bundle.88428' failed with exit code 1
>  
> This is my local.conf:
>  
> RAUC_KEY_FILE ?= "${LAYERDIR}/conf/keys/ica.key.pem"
> RAUC_CERT_FILE ?= "${LAYERDIR}/conf/keys/ica.cert.pem"
> RAUC_KEYRING_FILE ?= "${LAYERDIR}/conf/keys/rauc.cert.pem"
> BUNDLE_ARGS += ' --intermediate="${LAYERDIR}/conf/keys/ica-certificate.pem" '
>  
> During my investigation, I found the below post from 6 months ago:
> https://github.com/rauc/meta-rauc/issues/200
>  
> Based on this post, I cannot use any encrypted keys and Root-CA in building a
> bundle in Yocto. Am I right?
>  
> Best regards,
> Reyhaneh 
>  
> _______________________________________________
> RAUC mailing list

-- 
Pengutronix e.K.                           | Enrico Jörns                |
Embedded Linux Consulting & Support        | https://www.pengutronix.de/ |
Steuerwalder Str. 21                       | Phone: +49-5121-206917-180  |
31137 Hildesheim, Germany                  | Fax:   +49-5121-206917-9    |



* Re: [RAUC] pass PEM passphrase in Yocto build
       [not found] <1c731e01b30146c7b24384eacf6954a9@data-modul.com>
  2022-03-18 10:38 ` [RAUC] pass PEM passphrase in Yocto build Enrico Jörns
@ 2022-03-18 10:44 ` Jan Lübbe
  2022-03-18 11:03   ` Yazdani, Reyhaneh
  1 sibling, 1 reply; 4+ messages in thread
From: Jan Lübbe @ 2022-03-18 10:44 UTC (permalink / raw)
  To: Yazdani, Reyhaneh, rauc

Hi,

On Fri, 2022-03-18 at 10:32 +0000, Yazdani, Reyhaneh wrote:
> Hi everyone,
>  
> I am getting the below error when I was building the bundle by Yocto with
> encrypted Root CA and ICA certificate.
> 
> | 139843920926528:error:0906406D:PEM routines:PEM_def_callback:problems
> getting password:../openssl-1.1.1l/crypto/pem/pem_lib.c:59:
> | 139843920926528:error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad
> password read:../openssl-1.1.1l/crypto/pem/pem_pkey.c:64:
>  
> During my investigation, I found the below post from 6 months ago:
> https://github.com/rauc/meta-rauc/issues/200

My recommendations in
https://github.com/rauc/meta-rauc/issues/200#issuecomment-943085728 still stand.

> Based on this post, I cannot use any encrypted keys and Root-CA in building a
> bundle in Yocto. Am I right?

Yes. So far, nobody has implemented support for passing a private key password
to RAUC, as the security benefits are minimal compared to the effort. 

Regards,
Jan
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



* Re: [RAUC] pass PEM passphrase in Yocto build
  2022-03-18 10:44 ` Jan Lübbe
@ 2022-03-18 11:03   ` Yazdani, Reyhaneh
  2022-03-18 13:22     ` Jan Lübbe
  0 siblings, 1 reply; 4+ messages in thread
From: Yazdani, Reyhaneh @ 2022-03-18 11:03 UTC (permalink / raw)
  To: Jan Lübbe, rauc

Hi Jan,

Thanks for your answer.

> -----Original Message-----
> From: Jan Lübbe <jlu@pengutronix.de>
> Sent: Friday, 18 March 2022 11:44
> To: Yazdani, Reyhaneh <RYazdani@data-modul.com>; rauc@pengutronix.de
> Subject: Re: [RAUC] pass PEM passphrase in Yocto build
> 
> Hi,
> 
> On Fri, 2022-03-18 at 10:32 +0000, Yazdani, Reyhaneh wrote:
> > Hi everyone,
> >
> > I am getting the below error when I was building the bundle by Yocto
> > with encrypted Root CA and ICA certificate.
> >
> …
> > | 139843920926528:error:0906406D:PEM
> > | routines:PEM_def_callback:problems
> > getting password:../openssl-1.1.1l/crypto/pem/pem_lib.c:59:
> > | 139843920926528:error:0907B068:PEM
> > | routines:PEM_read_bio_PrivateKey:bad
> > password read:../openssl-1.1.1l/crypto/pem/pem_pkey.c:64:
> …
> >
> > During my investigation, I found the below post from 6 months ago:
> > https://imsva91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2frauc%2fmeta%2drauc%2fissues%2f200&umid=96BD2BE4-DA7B-D305-B107-4007ED7F68E3&auth=162296ff492f363ddb29ca454338bb84627996db-2ff6ea33cb85b28d75411d2b21402171190c8a2e
> 
> My recommendations in
> https://imsva91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2frauc%2fmeta%2drauc%2fissues%2f200%23issuecomment%2d943085728&umid=96BD2BE4-DA7B-D305-B107-4007ED7F68E3&auth=162296ff492f363ddb29ca454338bb84627996db-cb2252107bcc0c04e1eb222a5f3f56a047114518 still stand.
> 
> > Based on this post, I cannot use any encrypted keys and Root-CA in
> > building a bundle in Yocto. Am I right?
> 
> Yes. So far, nobody has implemented support for passing a private key
> password to RAUC, as the security benefits are minimal compared to the
> effort.
[Reyhaneh] I asked here since I wanted to be sure nothing has changed regarding the implementation in the last six months. It is great that you answered me quickly.

Best regards,
Reyhaneh
> 
> Regards,
> Jan
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [RAUC] pass PEM passphrase in Yocto build
  2022-03-18 11:03   ` Yazdani, Reyhaneh
@ 2022-03-18 13:22     ` Jan Lübbe
  0 siblings, 0 replies; 4+ messages in thread
From: Jan Lübbe @ 2022-03-18 13:22 UTC (permalink / raw)
  To: Yazdani, Reyhaneh, rauc

Hi Reyhaneh,

On Fri, 2022-03-18 at 11:03 +0000, Yazdani, Reyhaneh wrote:
> > Yes. So far, nobody has implemented support for passing a private key
> > password to RAUC, as the security benefits are minimal compared to the
> > effort.
> [Reyhaneh] I asked here, since I wanted to be sure nothing has changed
> regarding implementation since six months. That is great you answered me
> quickly.

Besides the normal maintenance, most of the changes Enrico and I are
contributing are driven by requirements from our customers (see streaming
support, encryption or the upcoming incremental block hash mode).

As we don't see password support as a useful feature (there are better
alternatives available), it's unlikely that Pengutronix will implement this.

Best regards,
Jan
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


