
[v1,2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR

Message ID 20240718203526.52214-3-javier.tia@linaro.org
State New
Series qemuarm64-secureboot: Enable UEFI Secure Boot

Commit Message

Javier Tia July 18, 2024, 8:35 p.m. UTC
UEFI_SB_KEYS_DIR saves the UEFI keys path.

To avoid security issues, UEFI keys are not provided; they can be
generated by the gen_uefi_keys.sh script.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/layer.conf               |  2 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

Comments

Jon Mason Aug. 1, 2024, 2:36 p.m. UTC | #1
On Thu, Jul 18, 2024 at 02:35:21PM -0600, Javier Tia wrote:
> UEFI_SB_KEYS_DIR saves the UEFI keys path.
> 
> To avoid security issues, UEFI keys are not provided; they can be
> generated by the gen_uefi_keys.sh script.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>

Running CI on this series and seeing failures on all qemuarm64-secureboot machines with:

--- Error summary ---
ERROR: Nothing PROVIDES 'core-image-base'
core-image-base was skipped: Required missing keys: /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/PK.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/KEK.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/dbx.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.key, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.crt.
Run /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/gen_uefi_keys.sh to generate missing keys.

See https://gitlab.com/jonmason00/meta-arm/-/jobs/7473619852


> ---
>  meta-arm/conf/layer.conf               |  2 ++
>  meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
>  2 files changed, 37 insertions(+)
>  create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> 
> diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
> index 9e9c9dbd..2854dd69 100644
> --- a/meta-arm/conf/layer.conf
> +++ b/meta-arm/conf/layer.conf
> @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
>  addpylib ${LAYERDIR}/lib oeqa
>  
>  WARN_QA:append:layer-meta-arm = " patch-status"
> +
> +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
> \ No newline at end of file
> diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> new file mode 100755
> index 00000000..fc7f25c9
> --- /dev/null
> +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> @@ -0,0 +1,35 @@
> +#/bin/sh
> +
> +set -eux
> +
> +#Create PK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
> +
> +#Create KEK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
> +
> +#Create DB
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
> +
> +#Create DBX
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
> +
> +#Sign image
> +#sbsign --key db.key --cert db.crt Image
> +
> +#Digest image
> +#hash-to-efi-sig-list Image db_Image.hash
> +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
> +
> +#Empty cert for testing
> +touch noPK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
> +
> -- 
> 2.45.2
> 
>

Patch

diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
index 9e9c9dbd..2854dd69 100644
--- a/meta-arm/conf/layer.conf
+++ b/meta-arm/conf/layer.conf
@@ -21,3 +21,5 @@  HOSTTOOLS_NONFATAL += "telnet"
 addpylib ${LAYERDIR}/lib oeqa
 
 WARN_QA:append:layer-meta-arm = " patch-status"
+
+UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
\ No newline at end of file
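Review bot: The `??=` default places UEFI_SB_KEYS_DIR inside the layer source tree (`${LAYERDIR}/uefi-sb-keys`), which is also where the new gen_uefi_keys.sh is meant to be run, so a developer who follows the "Run .../gen_uefi_keys.sh to generate missing keys" instruction ends up with unencrypted PK.key, KEK.key, db.key and dbx.key inside a git checkout. A .gitignore in meta-arm/uefi-sb-keys/ covering `*.key`, `*.crt`, `*.esl` and `*.auth`, or a default outside the layer such as `${TOPDIR}/uefi-sb-keys`, would keep the private keys out of commits. Because the keys are intentionally not shipped, an unattended build of this series now stops with `Nothing PROVIDES 'core-image-base'`, as the CI run in the comment above shows; either the series needs a documented key-generation step or CI needs to generate throwaway keys before building. Minor: the hunk leaves layer.conf without a trailing newline (`\ No newline at end of file`).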
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
new file mode 100755
index 00000000..fc7f25c9
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -0,0 +1,35 @@ 
+#/bin/sh
+
+set -eux
+
+#Create PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+#Create KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+#Create DB
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+
+#Create DBX
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
+
+#Sign image
+#sbsign --key db.key --cert db.crt Image
+
+#Digest image
+#hash-to-efi-sig-list Image db_Image.hash
+#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
+
+#Empty cert for testing
+touch noPK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+
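Review bot: The first line of the new script is `#/bin/sh`, missing the `!`, so it is not a shebang at all: execve() on the 100755 file fails with ENOEXEC, and while an interactive bash falls back to running it as a script, anything that execs it directly (a BitBake task, a Makefile, subprocess) fails. It should read `#!/bin/sh`. Further points in this hunk: the script writes all of its output into the current working directory rather than next to itself, so invoking `.../meta-arm/uefi-sb-keys/gen_uefi_keys.sh` from the build directory, as the error message suggests, leaves the keys in the wrong place; a `cd "$(dirname "$0")"` at the top, or an output-directory argument, fixes that. `openssl req ... -nodes` writes unencrypted private keys under the caller's default umask, so a `umask 077` before the first openssl call keeps PK.key, KEK.key, db.key and dbx.key from being world-readable. The owner GUID `11111111-2222-3333-4444-123456789abc` is a placeholder passed to every `cert-to-efi-sig-list -g` call; generating it once with `uuidgen` into a variable, or making it configurable, avoids shipping a fixed made-up GUID. All four certificates use the same `-subj /CN=Linaro_LEDGE/`, so PK, KEK, db and dbx cannot be told apart by subject when the ESLs are read back; distinct CNs (e.g. `/CN=Linaro_LEDGE PK/`) cost nothing. The dbx entry is a freshly generated certificate rather than a hash list, which forbids nothing real and only seeds a non-empty dbx; a comment saying so would stop readers from assuming it revokes something. Finally, `set -eux` will abort on a missing efitools binary with only a "command not found", so a `command -v cert-to-efi-sig-list sign-efi-sig-list >/dev/null` check up front gives a clearer failure.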