Message ID | 20240829163209.47945-4-javier.tia@linaro.org |
---|---|
State | New |
Series | qemuarm64-secureboot: Add UEFI Secure Boot |
On Thu, Aug 29, 2024 at 10:31:59AM -0600, Javier Tia wrote: > UEFI_SB_KEYS_DIR saves UEFI keys path. > > To avoid security issues, UEFI keys are not provided and they can be > generated by gen_uefi_keys.sh script. > > Signed-off-by: Javier Tia <javier.tia@linaro.org> > --- > meta-arm/conf/layer.conf | 2 ++ > meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++ > 2 files changed, 37 insertions(+) > create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh > > diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf > index 9e9c9dbd..2854dd69 100644 > --- a/meta-arm/conf/layer.conf > +++ b/meta-arm/conf/layer.conf > @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet" > addpylib ${LAYERDIR}/lib oeqa > > WARN_QA:append:layer-meta-arm = " patch-status" > + > +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys" I'm expecting the keys to be unique for each machine build. If so, shouldn't the keys live in the deploy directory (assuming we want to reference them or reuse them) or the destination/work dir? This would also remove the need to have the gitignore file, which I don't think is correct to have. > \ No newline at end of file > diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh > new file mode 100755 > index 00000000..fc7f25c9 > --- /dev/null > +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
> @@ -0,0 +1,35 @@ > +#/bin/sh > + > +set -eux > + > +#Create PK > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 Here and below, do we want to say these are Linaro keys? I'm not seeing anywhere else that checks (but I don't know this well enough to know if it does somewhere else). If not, should we do something else like "OpenEmbedded"? > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl > +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth > + > +#Create KEK > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl > +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth > + > +#Create DB > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl > +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth > + > +#Create DBX > +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 > +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl > +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth > + > +#Sign image > +#sbsign --key db.key --cert db.crt Image Here and below are commented out. Is this intentional? If so, then why are they being kept in here (e.g., larger comments needed)? > +#Digest image > +#hash-to-efi-sig-list Image db_Image.hash > +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth > + > +#Empty cert for testing > +touch noPK.esl > +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth > + > -- > 2.46.0 > >
diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf index 9e9c9dbd..2854dd69 100644 --- a/meta-arm/conf/layer.conf +++ b/meta-arm/conf/layer.conf @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet" addpylib ${LAYERDIR}/lib oeqa WARN_QA:append:layer-meta-arm = " patch-status" + +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys" \ No newline at end of file diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh new file mode 100755 index 00000000..fc7f25c9 --- /dev/null +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh @@ -0,0 +1,35 @@ +#/bin/sh + +set -eux + +#Create PK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + +#Create KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + +#Create DB +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth + +#Create DBX +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth + +#Sign image +#sbsign --key db.key --cert db.crt Image + +#Digest image +#hash-to-efi-sig-list Image db_Image.hash +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth + +#Empty cert for testing +touch noPK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth +
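Review bot: the `UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"` default added at the end of layer.conf points into the layer's own source tree, the same directory that holds gen_uefi_keys.sh, so private keys generated next to the script end up inside the layer checkout. Consider defaulting to a directory outside the layer so that key material cannot be committed or distributed with the layer by accident. The hunk also carries "\ No newline at end of file"; terminate the file with a newline.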
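Review bot: the first line of gen_uefi_keys.sh is `#/bin/sh`, which lacks the `!` and is therefore an ordinary comment rather than a shebang; it should read `#!/bin/sh`. The script writes every output by relative name into the current directory, including the PK, KEK, db and dbx private keys that `-nodes` leaves unencrypted, and never refers to UEFI_SB_KEYS_DIR; take the output directory as an argument (or change into it explicitly) and document who is expected to protect the `*.key` files. The commented-out `sbsign` and `hash-to-efi-sig-list` lines should either be removed or be given a comment saying when a user is meant to enable them. In the last block, noPK.auth is a PK-signed empty signature list; a comment stating that it exists only to clear the PK during tests and must not be shipped with an image would make that intent explicit.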
UEFI_SB_KEYS_DIR saves UEFI keys path. To avoid security issues, UEFI keys are not provided and they can be generated by gen_uefi_keys.sh script. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- meta-arm/conf/layer.conf | 2 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh