
[v4,03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR

Message ID 20240829163209.47945-4-javier.tia@linaro.org
State New
Series qemuarm64-secureboot: Add UEFI Secure Boot

Commit Message

Javier Tia Aug. 29, 2024, 4:31 p.m. UTC
UEFI_SB_KEYS_DIR saves the UEFI keys path.

To avoid security issues, UEFI keys are not provided; they can be
generated by the gen_uefi_keys.sh script.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/layer.conf               |  2 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

Comments

Jon Mason Aug. 30, 2024, 2 p.m. UTC | #1
On Thu, Aug 29, 2024 at 10:31:59AM -0600, Javier Tia wrote:
> UEFI_SB_KEYS_DIR saves UEFI keys path.
> 
> To avoid security issues, UEFI keys are not provided and they can be
> generated by gen_uefi_keys.sh script.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/conf/layer.conf               |  2 ++
>  meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
>  2 files changed, 37 insertions(+)
>  create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> 
> diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
> index 9e9c9dbd..2854dd69 100644
> --- a/meta-arm/conf/layer.conf
> +++ b/meta-arm/conf/layer.conf
> @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
>  addpylib ${LAYERDIR}/lib oeqa
>  
>  WARN_QA:append:layer-meta-arm = " patch-status"
> +
> +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"

I'm expecting the keys to be unique for each machine build.  If so,
shouldn't the keys live in the deploy directory (assuming we want to
reference them or reuse them) or the destination/work dir?  This would
also remove the need to have the gitignore file, which I don't think
is correct to have.

> \ No newline at end of file
> diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> new file mode 100755
> index 00000000..fc7f25c9
> --- /dev/null
> +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> @@ -0,0 +1,35 @@
> +#/bin/sh
> +
> +set -eux
> +
> +#Create PK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650

Here and below, do we want to say these are Linaro keys?  I'm not
seeing anywhere else that checks (but I don't know this well enough to
know if it does somewhere else).  If not, should we do something else
like "OpenEmbedded"?

> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
> +
> +#Create KEK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
> +
> +#Create DB
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
> +
> +#Create DBX
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
> +
> +#Sign image
> +#sbsign --key db.key --cert db.crt Image

Here and below are commented out.  Is this intentional?  If so, then
why are they being kept in here (e.g., larger comments needed)?

> +#Digest image
> +#hash-to-efi-sig-list Image db_Image.hash
> +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
> +
> +#Empty cert for testing
> +touch noPK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
> +
> -- 
> 2.46.0
> 
>

Patch

diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
index 9e9c9dbd..2854dd69 100644
--- a/meta-arm/conf/layer.conf
+++ b/meta-arm/conf/layer.conf
@@ -21,3 +21,5 @@  HOSTTOOLS_NONFATAL += "telnet"
 addpylib ${LAYERDIR}/lib oeqa
 
 WARN_QA:append:layer-meta-arm = " patch-status"
+
+UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
\ No newline at end of file
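Review bot: the default `UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"` places the key directory inside the layer's source checkout, so the private keys that gen_uefi_keys.sh writes (PK.key, KEK.key, db.key, dbx.key) land next to the recipes, one `git add` away from being committed, which is the concern behind Jon's .gitignore remark; a default under the build output, such as the deploy directory Jon suggests (for example below `${DEPLOY_DIR}`), keeps generated key material out of the tree and makes per-machine keys the natural case. Also, the `\ No newline at end of file` marker shows the new last line is unterminated; terminate it so the next line appended to layer.conf is not glued onto this assignment.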
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
new file mode 100755
index 00000000..fc7f25c9
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -0,0 +1,35 @@ 
+#/bin/sh
+
+set -eux
+
+#Create PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+#Create KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+#Create DB
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+
+#Create DBX
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
+
+#Sign image
+#sbsign --key db.key --cert db.crt Image
+
+#Digest image
+#hash-to-efi-sig-list Image db_Image.hash
+#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
+
+#Empty cert for testing
+touch noPK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+
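Review bot: the first line `#/bin/sh` is missing the `!`, so it is an ordinary comment rather than a shebang; the file is added with mode 100755, so it is meant to be executed directly, and without `#!/bin/sh` it will only work as `sh gen_uefi_keys.sh` or under whatever shell the caller happens to use. The script also writes every key, .esl and .auth file into the current working directory and never references the UEFI_SB_KEYS_DIR just introduced in layer.conf, so running it from anywhere else scatters the output; take the output directory as an argument (or `cd "$(dirname "$0")"`), create it with restrictive permissions, and note that `-nodes` leaves the four private keys unencrypted on disk. The owner GUID `11111111-2222-3333-4444-123456789abc` is reused for PK, KEK, db and dbx; if it is a placeholder, generate one (`uuidgen`) or document that it is the signature-owner identifier, which is the same question Jon raises about the `/CN=Linaro_LEDGE/` subject. The `#Create DBX` block mints a fresh certificate that signs nothing and enrolls it as the forbidden list; unless there is something to revoke, an empty dbx (the same `touch` pattern already used for noPK.esl) states the intent more clearly. Finally, `set -eux` will abort when `cert-to-efi-sig-list` or `sign-efi-sig-list` (efitools) is not installed, but a `command -v` check up front would give a readable error instead of a bare command-not-found.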