[v1,2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR

Message ID	20240718203526.52214-3-javier.tia@linaro.org
State	New
Headers	show Return-Path: <javier.tia@linaro.org> ip: 209.85.128.171, mailfrom: javier.tia@linaro.org) From: Javier Tia <javier.tia@linaro.org> To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli <mikko.rapeli@linaro.org>, Ross Burton <Ross.Burton@arm.com>, Javier Tia <javier.tia@linaro.org> Subject: [PATCH v1 2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR Date: Thu, 18 Jul 2024 14:35:21 -0600 Message-ID: <20240718203526.52214-3-javier.tia@linaro.org> In-Reply-To: <20240718203526.52214-1-javier.tia@linaro.org> References: <20240718203526.52214-1-javier.tia@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	qemuarm64-secureboot: Enable UEFI Secure Boot \| expand [v1,0/7] qemuarm64-secureboot: Enable UEFI Secure Boot [v1,1/7] qemuarm64-secureboot: Add poky machine UEFI settings [v1,2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR [v1,3/7] qemuarm64-secureboot: Validate UEFI keys exist [v1,4/7] qemuarm64-secureboot: Setup UEFI and Secure Boot in u-boot [v1,5/7] qemuarm64-secureboot: Setup UEFI grub and sign EFI grub binary [v1,6/7] qemuarm64-secureboot: Setup UEFI linux-yocto and sign kernel image [v1,7/7] qemuarm64-secureboot: Add UEFI systemd support

Message ID

20240718203526.52214-3-javier.tia@linaro.org

State

New

Headers

From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v1 2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR
Date: Thu, 18 Jul 2024 14:35:21 -0600
Message-ID: <20240718203526.52214-3-javier.tia@linaro.org>
In-Reply-To: <20240718203526.52214-1-javier.tia@linaro.org>
References: <20240718203526.52214-1-javier.tia@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

qemuarm64-secureboot: Enable UEFI Secure Boot | expand

Commit Message

Javier Tia July 18, 2024, 8:35 p.m. UTC

UEFI_SB_KEYS_DIR saves UEFI keys path.

To avoid security issues, UEFI keys are not provided and they can be
generated by gen_uefi_keys.sh script.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/layer.conf               |  2 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

Comments

Jon Mason Aug. 1, 2024, 2:36 p.m. UTC | #1

On Thu, Jul 18, 2024 at 02:35:21PM -0600, Javier Tia wrote:
> UEFI_SB_KEYS_DIR saves UEFI keys path.
> 
> To avoid security issues, UEFI keys are not provided and they can be
> generated by gen_uefi_keys.sh script.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>

Running CI on this series and seeing failures on all qemuarm64-secureboot machines with:

--- Error summary ---
ERROR: Nothing PROVIDES 'core-image-base'
core-image-base was skipped: Required missing keys: /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/PK.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/KEK.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/dbx.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.key, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.crt.
Run /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/gen_uefi_keys.sh to generate missing keys.

See https://gitlab.com/jonmason00/meta-arm/-/jobs/7473619852


> ---
>  meta-arm/conf/layer.conf               |  2 ++
>  meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
>  2 files changed, 37 insertions(+)
>  create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> 
> diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
> index 9e9c9dbd..2854dd69 100644
> --- a/meta-arm/conf/layer.conf
> +++ b/meta-arm/conf/layer.conf
> @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
>  addpylib ${LAYERDIR}/lib oeqa
>  
>  WARN_QA:append:layer-meta-arm = " patch-status"
> +
> +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
> \ No newline at end of file
> diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> new file mode 100755
> index 00000000..fc7f25c9
> --- /dev/null
> +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> @@ -0,0 +1,35 @@
> +#/bin/sh
> +
> +set -eux
> +
> +#Create PK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
> +
> +#Create KEK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
> +
> +#Create DB
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
> +
> +#Create DBX
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
> +
> +#Sign image
> +#sbsign --key db.key --cert db.crt Image
> +
> +#Digest image
> +#hash-to-efi-sig-list Image db_Image.hash
> +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
> +
> +#Empty cert for testing
> +touch noPK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
> +
> -- 
> 2.45.2
> 
>

diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
index 9e9c9dbd..2854dd69 100644
--- a/meta-arm/conf/layer.conf
+++ b/meta-arm/conf/layer.conf
@@ -21,3 +21,5 @@  HOSTTOOLS_NONFATAL += "telnet"
 addpylib ${LAYERDIR}/lib oeqa
 
 WARN_QA:append:layer-meta-arm = " patch-status"
+
+UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
\ No newline at end of file
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
new file mode 100755
index 00000000..fc7f25c9
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -0,0 +1,35 @@ 
+#/bin/sh
+
+set -eux
+
+#Create PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+#Create KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+#Create DB
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+
+#Create DBX
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
+
+#Sign image
+#sbsign --key db.key --cert db.crt Image
+
+#Digest image
+#hash-to-efi-sig-list Image db_Image.hash
+#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
+
+#Empty cert for testing
+touch noPK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+

[v1,2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR

Commit Message

Comments

Patch