Message ID | 20240718203526.52214-3-javier.tia@linaro.org |
---|---|
State | New |
Series | qemuarm64-secureboot: Enable UEFI Secure Boot |
On Thu, Jul 18, 2024 at 02:35:21PM -0600, Javier Tia wrote: > UEFI_SB_KEYS_DIR saves UEFI keys path. > > To avoid security issues, UEFI keys are not provided and they can be > generated by gen_uefi_keys.sh script. > > Signed-off-by: Javier Tia <javier.tia@linaro.org> Running CI on this series and seeing failures on all qemuarm64-secureboot machines with: --- Error summary --- ERROR: Nothing PROVIDES 'core-image-base' core-image-base was skipped: Required missing keys: /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/PK.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/KEK.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/dbx.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.key, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.crt. Run /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/gen_uefi_keys.sh to generate missing keys. See https://gitlab.com/jonmason00/meta-arm/-/jobs/7473619852 > --- > meta-arm/conf/layer.conf | 2 ++ > meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++ > 2 files changed, 37 insertions(+) > create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh > > diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf > index 9e9c9dbd..2854dd69 100644 > --- a/meta-arm/conf/layer.conf > +++ b/meta-arm/conf/layer.conf > @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet" > addpylib ${LAYERDIR}/lib oeqa > > WARN_QA:append:layer-meta-arm = " patch-status" > + > +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys" > \ No newline at end of file > diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh > new file mode 100755 > index 00000000..fc7f25c9 > --- /dev/null > +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
> @@ -0,0 +1,35 @@ > +#/bin/sh > + > +set -eux > + > +#Create PK > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl > +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth > + > +#Create KEK > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl > +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth > + > +#Create DB > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl > +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth > + > +#Create DBX > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl > +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth > + > +#Sign image > +#sbsign --key db.key --cert db.crt Image > + > +#Digest image > +#hash-to-efi-sig-list Image db_Image.hash > +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth > + > +#Empty cert for testing > +touch noPK.esl > +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth > + > -- > 2.45.2 > >
diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf index 9e9c9dbd..2854dd69 100644 --- a/meta-arm/conf/layer.conf +++ b/meta-arm/conf/layer.conf @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet" addpylib ${LAYERDIR}/lib oeqa WARN_QA:append:layer-meta-arm = " patch-status" + +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys" \ No newline at end of file diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh new file mode 100755 index 00000000..fc7f25c9 --- /dev/null +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh @@ -0,0 +1,35 @@ +#/bin/sh + +set -eux + +#Create PK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + +#Create KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + +#Create DB +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth + +#Create DBX +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth + +#Sign image +#sbsign --key db.key --cert db.crt Image + +#Digest image +#hash-to-efi-sig-list Image db_Image.hash +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth + +#Empty cert for testing +touch noPK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth +
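Review bot: in the layer.conf hunk, the new `UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"` line lacks a trailing newline (`\ No newline at end of file`), and defaulting the key directory to a path inside the layer tree means a clean checkout cannot build core-image-base until someone has run the generator, which is exactly the CI failure reported above (`Required missing keys: .../meta-arm/uefi-sb-keys/PK.esl, .../KEK.esl, .../dbx.esl, .../db.esl, .../db.key, .../db.crt`). Because that required set includes the unencrypted private key `db.key`, generating into the layer directory also makes it easy to commit key material by accident; consider adding a `.gitignore` covering `*.key`, `*.crt`, `*.esl` and `*.auth` under `meta-arm/uefi-sb-keys/`, or defaulting `UEFI_SB_KEYS_DIR` to a location under `${TOPDIR}` so the build tree, not the layer, holds the generated keys.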
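Review bot: in the gen_uefi_keys.sh hunk, the first line `#/bin/sh` is a plain comment, not a shebang; with mode 100755 the kernel cannot exec the file directly and it only runs because the calling shell falls back to interpreting it itself, so it should read `#!/bin/sh`. Two further points on the same hunk: every `openssl`, `cert-to-efi-sig-list` and `sign-efi-sig-list` call writes relative paths, so invoking the script by absolute path as the build error instructs (`Run .../uefi-sb-keys/gen_uefi_keys.sh to generate missing keys`) leaves the keys in whatever directory the user is in rather than in `UEFI_SB_KEYS_DIR`; a `cd "$(dirname "$0")"` before the first `openssl` line, or an output-directory argument, would fix that. The owner GUID `11111111-2222-3333-4444-123456789abc` is reused for PK, KEK, db and dbx; as a test placeholder that is acceptable, but it deserves a comment saying so, or a `uuidgen` call so each signature list carries a real owner GUID. Finally, `noPK.auth` is an authenticated empty PK signed with `PK.key`; applying it clears the Platform Key and drops the platform back into Setup Mode, so the `#Empty cert for testing` comment should state explicitly that it is a test artefact that must not accompany production keys.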
UEFI_SB_KEYS_DIR saves the UEFI keys path.

To avoid security issues, UEFI keys are not provided; they can be generated by the gen_uefi_keys.sh script.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/layer.conf               |  2 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh