Add meta-parsec layer into meta-security.

The layer contains recipes for Parsec service version 0.7.0 and parsec-tool version 0.3.0. The Parsec service is built with all supported providers and deployed with the MbedCrypto provider enabled. Both systemd and sysv-init are supported. Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Anton Antonov <anton.antonov@arm.com> 2021-04-09 12:14:07 +0100
committer: Armin Kuster <akuster808@gmail.com> 2021-04-12 07:06:46 -0700
commit: 409a8d4276efd9bf8c06a7ccf6ea85fb6e83b04a (patch)
tree: 3e5f053f021cf8f1154d16bc65f40ee9969142d0 /meta-parsec/README.md
parent: 6ad6bb0141defbcf25828e39314145eb43dea06b (diff)
download: meta-security-409a8d4276efd9bf8c06a7ccf6ea85fb6e83b04a.tar.gz
1 files changed, 186 insertions, 0 deletions
diff --git a/meta-parsec/README.md b/meta-parsec/README.md
new file mode 100644
index 0000000..a2736b6
--- /dev/null
+++ b/meta-parsec/README.md
@@ -0,0 +1,186 @@
+meta-parsec layer
+==============
+This layer contains recipes for the Parsec service with Mbed-Crypto,
+Pkcs11 and TPM providers and parsec tools.
+Dependencies
+============
+This layer depends on:
+    URI: git://git.openembedded.org/meta-openembedded
+    branch: master
+    revision: HEAD
+    prio: default
+    URI git://git.yoctoproject.org/meta-security
+    branch: master
+    revision: HEAD
+    prio: default
+    URI https://github.com/meta-rust/meta-rust.git
+    branch: master
+    revision: HEAD
+    prio: default
+    URI https://github.com/kraj/meta-clang.git
+    branch: master
+    revision: HEAD
+    prio: default
+Adding the meta-parsec layer to your build
+==========================================
+In order to use this layer, you need to make the build system aware of it.
+You can add it to the build system by adding the
+location of the meta-parsec layer to bblayers.conf, along with any
+other layers needed. e.g.:
+    BBLAYERS ?= " \
+      /path/to/yocto/meta \
+      /path/to/yocto/meta-yocto \
+      /path/to/yocto/meta-yocto-bsp \
+      /path/to/meta-openembedded/meta-oe \
+      /path/to/meta-openembedded/meta-python \
+      /path/to/meta-rust \
+      /path/to/meta-clang \
+      /path/to/meta-security/meta-tpm \
+      /path/to/meta-security/meta-parsec \
+      "
+To include the Parsec service into your image add following into the
+local.conf:
+    IMAGE_INSTALL_append = " parsec-service"
+  The Parsec service will be deployed into the image built with all the supported
+providers and with the default config file from the Parsec repository:
+https://github.com/parallaxsecond/parsec/blob/main/config.toml
+  The default Parsec service config file contains the MbedCrypto provider
+enabled. The config file needs to be updated to use the Parsec service
+with other providers like TPM or PKCS11. The required procedures are
+covered in Parsec documentation.
+https://parallaxsecond.github.io/parsec-book/
+Updating recipes
+================
+  The parsec-service and parsec-tool recipes use include files with lists
+of all rust crates required. This allows bitbake to fetch all the necessary
+dependent crates, as well as a pegged version of the crates.io index,
+to ensure maximum reproducibility.
+  It's recommended to use cargo-bitbake to generate include files for new
+versions of parsec recipes.
+https://github.com/meta-rust/cargo-bitbake
+  When you have crago-bitbake built:
+1. Checkout the required version of parsec repository.
+2. Run cargo-bitbake inside the repository. It will produce a BB file.
+3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file.
+Manual testing with runqemu
+===========================
+  This layer also contains a recipe for pasec-tool which can be used for
+manual testing of the Parsec service:
+    IMAGE_INSTALL_append += " parsec-tools"
+  There are a series of Parsec Demo videos showing how to use parsec-tool
+to test the Parsec service base functionality:
+https://www.youtube.com/watch?v=ido0CyUdMHM&list=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg&index=4
+  You can use runqemu to start a VM with a built image file and run
+manual tests with parsec-tool.
+1. MbedCrypto provider
+  The default Parsec service config file contains the MbedCrypto provider
+enabled. No changes required for manual testing.
+2. PKCS11 provider
+  The Software HSM can be used for manual testing of the provider by
+including it into your test image:
+    IMAGE_INSTALL_append += " softhsm"
+Inside the running VM:
+- Stop Parsec
+```bash
+systemctl stop parsec
+```
+- Initialise a token and notice the result slot number
+```bash
+softhsm2-util --init-token --slot 0 --label "Parsec Service" --pin 123456 --so-pin 123456
+```
+- Change the token ownership:
+```bash
+for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done
+```
+- Enable the PKCS11 provider and update its parameters in the Parsec config file
+/etc/parsec/config.toml
+```
+library_path = "/usr/lib/softhsm/libsofthsm2.so"
+slot_number = <slot number>
+user_pin = "123456"
+```
+- Start Parsec
+```bash
+systemctl start parsec
+```
+3. TPM provider
+  The IBM Software TPM service can be used for manual testing of the provider by
+including it into your test image:
+    IMAGE_INSTALL_append += " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
+Inside the running VM:
+- Stop Parsec
+```bash
+systemctl stop parsec
+```
+- Start and configure the Software TPM server
+```bash
+   /usr/bin/tpm_server &
+   sleep 5
+   /usr/bin/tpm2_startup -c -T mssim
+   /usr/bin/tpm2_changeauth -c owner tpm_pass
+```
+- Enable the TPM provider and update its parameters in the Parsec config file
+/etc/parsec/config.toml
+```
+tcti = "mssim"
+owner_hierarchy_auth = "hex:74706d5f70617373"
+```
+- Start Parsec
+```bash
+systemctl start parsec
+```
+Maintenance
+-----------
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-parsec][PATCH'
+These values can be set as defaults for this repository:
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-parsec][PATCH
+Now you can just do 'git send-email origin/master' to send all local patches.
+Maintainers:    Anton Antonov <Anton.Antonov@arm.com>
+                Armin Kuster <akuster808@gmail.com>
+License
+=======
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
author	Anton Antonov <anton.antonov@arm.com>	2021-04-09 12:14:07 +0100
committer	Armin Kuster <akuster808@gmail.com>	2021-04-12 07:06:46 -0700
commit	409a8d4276efd9bf8c06a7ccf6ea85fb6e83b04a (patch)
tree	3e5f053f021cf8f1154d16bc65f40ee9969142d0 /meta-parsec/README.md
parent	6ad6bb0141defbcf25828e39314145eb43dea06b (diff)
download	meta-security-409a8d4276efd9bf8c06a7ccf6ea85fb6e83b04a.tar.gz

diff --git a/meta-parsec/README.md b/meta-parsec/README.md new file mode 100644 index 0000000..a2736b6 --- /dev/null +++ b/meta-parsec/README.md
@@ -0,0 +1,186 @@
	1	meta-parsec layer
	2	==============
	3
	4	This layer contains recipes for the Parsec service with Mbed-Crypto,
	5	Pkcs11 and TPM providers and parsec tools.
	6
	7	Dependencies
	8	============
	9
	10	This layer depends on:
	11
	12	URI: git://git.openembedded.org/meta-openembedded
	13	branch: master
	14	revision: HEAD
	15	prio: default
	16
	17	URI git://git.yoctoproject.org/meta-security
	18	branch: master
	19	revision: HEAD
	20	prio: default
	21
	22	URI https://github.com/meta-rust/meta-rust.git
	23	branch: master
	24	revision: HEAD
	25	prio: default
	26
	27	URI https://github.com/kraj/meta-clang.git
	28	branch: master
	29	revision: HEAD
	30	prio: default
	31
	32	Adding the meta-parsec layer to your build
	33	==========================================
	34
	35	In order to use this layer, you need to make the build system aware of it.
	36
	37	You can add it to the build system by adding the
	38	location of the meta-parsec layer to bblayers.conf, along with any
	39	other layers needed. e.g.:
	40
	41	BBLAYERS ?= " \
	42	/path/to/yocto/meta \
	43	/path/to/yocto/meta-yocto \
	44	/path/to/yocto/meta-yocto-bsp \
	45	/path/to/meta-openembedded/meta-oe \
	46	/path/to/meta-openembedded/meta-python \
	47	/path/to/meta-rust \
	48	/path/to/meta-clang \
	49	/path/to/meta-security/meta-tpm \
	50	/path/to/meta-security/meta-parsec \
	51	"
	52
	53	To include the Parsec service into your image add following into the
	54	local.conf:
	55
	56	IMAGE_INSTALL_append = " parsec-service"
	57
	58	The Parsec service will be deployed into the image built with all the supported
	59	providers and with the default config file from the Parsec repository:
	60	https://github.com/parallaxsecond/parsec/blob/main/config.toml
	61	The default Parsec service config file contains the MbedCrypto provider
	62	enabled. The config file needs to be updated to use the Parsec service
	63	with other providers like TPM or PKCS11. The required procedures are
	64	covered in Parsec documentation.
	65	https://parallaxsecond.github.io/parsec-book/
	66
	67	Updating recipes
	68	================
	69
	70	The parsec-service and parsec-tool recipes use include files with lists
	71	of all rust crates required. This allows bitbake to fetch all the necessary
	72	dependent crates, as well as a pegged version of the crates.io index,
	73	to ensure maximum reproducibility.
	74	It's recommended to use cargo-bitbake to generate include files for new
	75	versions of parsec recipes.
	76	https://github.com/meta-rust/cargo-bitbake
	77
	78	When you have crago-bitbake built:
	79	1. Checkout the required version of parsec repository.
	80	2. Run cargo-bitbake inside the repository. It will produce a BB file.
	81	3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file.
	82
	83	Manual testing with runqemu
	84	===========================
	85
	86	This layer also contains a recipe for pasec-tool which can be used for
	87	manual testing of the Parsec service:
	88
	89	IMAGE_INSTALL_append += " parsec-tools"
	90
	91	There are a series of Parsec Demo videos showing how to use parsec-tool
	92	to test the Parsec service base functionality:
	93	https://www.youtube.com/watch?v=ido0CyUdMHM&list=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg&index=4
	94
	95	You can use runqemu to start a VM with a built image file and run
	96	manual tests with parsec-tool.
	97
	98	1. MbedCrypto provider
	99	The default Parsec service config file contains the MbedCrypto provider
	100	enabled. No changes required for manual testing.
	101
	102	2. PKCS11 provider
	103	The Software HSM can be used for manual testing of the provider by
	104	including it into your test image:
	105
	106	IMAGE_INSTALL_append += " softhsm"
	107
	108	Inside the running VM:
	109	- Stop Parsec
	110	```bash
	111	systemctl stop parsec
	112	```
	113	- Initialise a token and notice the result slot number
	114	```bash
	115	softhsm2-util --init-token --slot 0 --label "Parsec Service" --pin 123456 --so-pin 123456
	116	```
	117	- Change the token ownership:
	118	```bash
	119	for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done
	120	```
	121	- Enable the PKCS11 provider and update its parameters in the Parsec config file
	122	/etc/parsec/config.toml
	123	```
	124	library_path = "/usr/lib/softhsm/libsofthsm2.so"
	125	slot_number = <slot number>
	126	user_pin = "123456"
	127	```
	128	- Start Parsec
	129	```bash
	130	systemctl start parsec
	131	```
	132
	133	3. TPM provider
	134	The IBM Software TPM service can be used for manual testing of the provider by
	135	including it into your test image:
	136
	137	IMAGE_INSTALL_append += " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
	138
	139	Inside the running VM:
	140	- Stop Parsec
	141	```bash
	142	systemctl stop parsec
	143	```
	144	- Start and configure the Software TPM server
	145	```bash
	146	/usr/bin/tpm_server &
	147	sleep 5
	148	/usr/bin/tpm2_startup -c -T mssim
	149	/usr/bin/tpm2_changeauth -c owner tpm_pass
	150	```
	151	- Enable the TPM provider and update its parameters in the Parsec config file
	152	/etc/parsec/config.toml
	153	```
	154	tcti = "mssim"
	155	owner_hierarchy_auth = "hex:74706d5f70617373"
	156	```
	157	- Start Parsec
	158	```bash
	159	systemctl start parsec
	160	```
	161
	162	Maintenance
	163	-----------
	164
	165	Send pull requests, patches, comments or questions to yocto@yoctoproject.org
	166
	167	When sending single patches, please using something like:
	168	'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-parsec][PATCH'
	169
	170	These values can be set as defaults for this repository:
	171
	172	$ git config sendemail.to yocto@yoctoproject.org
	173	$ git config format.subjectPrefix meta-parsec][PATCH
	174
	175	Now you can just do 'git send-email origin/master' to send all local patches.
	176
	177	Maintainers: Anton Antonov <Anton.Antonov@arm.com>
	178	Armin Kuster <akuster808@gmail.com>
	179
	180
	181	License
	182	=======
	183
	184	All metadata is MIT licensed unless otherwise stated. Source code included
	185	in tree for individual recipes is under the LICENSE stated in each recipe
	186	(.bb file) unless otherwise stated.