From 1517949f13f8c5e019c94c2e38801cc88945b8b4 Mon Sep 17 00:00:00 2001 From: Benjamin Valentin Date: Fri, 13 Sep 2024 10:57:40 +0200 Subject: [PATCH 1/2] makefiles/suit: drop use of SUIT_SEC_PASSWORD Specifying the password of the SUIT private key on the command line and thereby committing it to shell history is a security issue. Instead ask for the password interactively when an encrypted private key is used.
---
 makefiles/suit.inc.mk | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/makefiles/suit.inc.mk b/makefiles/suit.inc.mk
index 9d59290c6b..1d153906ce 100644
--- a/makefiles/suit.inc.mk
+++ b/makefiles/suit.inc.mk
@@ -32,10 +32,6 @@ SUIT_MANIFEST_SIGNED_LATEST ?= $(BINDIR_SUIT)/$(SUIT_MANIFEST_BASENAME).latest.b
 SUIT_NOTIFY_VERSION ?= latest
 SUIT_NOTIFY_MANIFEST ?= $(SUIT_MANIFEST_BASENAME).$(SUIT_NOTIFY_VERSION).bin
-ifneq (,$(SUIT_SEC_PASSWORD))
- SUIT_TOOL_ARGS += -p $(SUIT_SEC_PASSWORD)
-endif
-
 # Long manifest names require more buffer space when parsing
 export CFLAGS += -DCONFIG_SOCK_URLPATH_MAXLEN=128
 export CFLAGS += -DSUIT_VENDOR_DOMAIN="\"$(SUIT_VENDOR)\""
@@ -58,7 +54,15 @@ $(SUIT_MANIFEST): $(SUIT_MANIFEST_PAYLOADS) $(BINDIR_SUIT)
 $(Q)rm -f $@.tmp
 $(SUIT_MANIFEST_SIGNED): $(SUIT_MANIFEST) $(SUIT_SEC)
- $(Q)$(SUIT_TOOL) sign $(SUIT_TOOL_ARGS) -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@
+ $(Q)( \
+ if grep -q ENCRYPTED $(SUIT_SEC_SIGN); then \
+ printf "Enter encryption for key file $(SUIT_SEC_SIGN): "; \
+ read PASSWORD; \
+ $(SUIT_TOOL) sign -p $$PASSWORD -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@; \
+ else \
+ $(SUIT_TOOL) sign -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@; \
+ fi \
+ )
 $(SUIT_MANIFEST_LATEST): $(SUIT_MANIFEST)
 $(Q)ln -f -s $< $@
From 50e3d6144169f707e28a3fa6928237e176500a8b Mon Sep 17 00:00:00 2001
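Review bot: `read PASSWORD` in the new `$(SUIT_MANIFEST_SIGNED)` recipe leaves terminal echo on, so the key password is displayed while it is typed and stays in scrollback or a recorded session; without `-r`, a backslash in the password is also altered. Switching echo off around the read stays within POSIX sh: `stty -echo; read -r PASSWORD; stty echo; echo; \`. The value is then passed as `-p $$PASSWORD` without quotes, so a password containing spaces or glob characters is split or expanded by the shell; `-p "$$PASSWORD"` avoids that. As an argument to the signing tool it is presumably still visible in the process list while the tool runs; whether the tool can take the password another way cannot be told from this hunk. The prompt reads "Enter encryption for key file", where "encryption password" seems to be meant.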
From: Benjamin Valentin Date: Mon, 30 Sep 2024 13:38:34 +0200 Subject: [PATCH 2/2] makefiles/suit: allow to decrypt signing key with SUIT_SEC_PASSWORD
---
 makefiles/suit.inc.mk | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/makefiles/suit.inc.mk b/makefiles/suit.inc.mk
index 1d153906ce..64f25a0ff7 100644
--- a/makefiles/suit.inc.mk
+++ b/makefiles/suit.inc.mk
@@ -56,9 +56,13 @@ $(SUIT_MANIFEST): $(SUIT_MANIFEST_PAYLOADS) $(BINDIR_SUIT)
 $(SUIT_MANIFEST_SIGNED): $(SUIT_MANIFEST) $(SUIT_SEC)
 $(Q)( \
 if grep -q ENCRYPTED $(SUIT_SEC_SIGN); then \
- printf "Enter encryption for key file $(SUIT_SEC_SIGN): "; \
- read PASSWORD; \
- $(SUIT_TOOL) sign -p $$PASSWORD -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@; \
+ if [ -z "$(SUIT_SEC_PASSWORD)" ]; then \
+ printf "Enter encryption for key file $(SUIT_SEC_SIGN): "; \
+ read PASSWORD; \
+ else \
+ PASSWORD="$(SUIT_SEC_PASSWORD)"; \
+ fi; \
+ $(SUIT_TOOL) sign -p "$$PASSWORD" -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@;\
 else \
 $(SUIT_TOOL) sign -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@; \
 fi \
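Review bot: `PASSWORD="$(SUIT_SEC_PASSWORD)"` and the `[ -z "$(SUIT_SEC_PASSWORD)" ]` test have Make paste the password into the recipe text before the shell parses it, so a `"`, `$`, backquote or backslash in the value is interpreted by the shell instead of being taken literally. The expanded command, password included, is also printed to the build log whenever `$(Q)` expands to nothing (presumably a verbose build). Letting the shell read the variable from its environment avoids both: `if [ -z "$$SUIT_SEC_PASSWORD" ]; then \` and `PASSWORD="$$SUIT_SEC_PASSWORD"; \`. Make passes variables given on its command line or in the environment on to recipe shells, while a value assigned inside a makefile would need `export`. A comment above the rule could state that the variable is meant to be supplied through the environment (e.g. in CI) rather than typed on the command line, which is the exposure the previous commit set out to remove; the recipe's closing `)` lies outside this hunk.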