Message ID | 20240829163209.47945-8-javier.tia@linaro.org |
---|---|
State | New |
Series | qemuarm64-secureboot: Add UEFI Secure Boot | expand |
On Thu, Aug 29, 2024 at 10:32:03AM -0600, Javier Tia wrote: > Generate a new set of keys on build time. It avoids to use same keys > which could generate a security issue. Squash with patch #3 and #4 > Signed-off-by: Javier Tia <javier.tia@linaro.org> > --- > meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++ > meta-arm/uefi-sb-keys/.gitignore | 4 ++ > meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 56 +++++++++---------- > 3 files changed, 57 insertions(+), 29 deletions(-) > create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb > create mode 100644 meta-arm/uefi-sb-keys/.gitignore > > diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb > new file mode 100644 > index 00000000..a4ae6d87 > --- /dev/null > +++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb > @@ -0,0 +1,26 @@ > +# SPDX-License-Identifier: MIT > + > +SUMMARY = "Generate UEFI keys for secure boot" > +LICENSE = "MIT" > +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" > + > +DEPENDS += "bash-native" > +DEPENDS += "coreutils-native" > +DEPENDS += "efitools-native" > +DEPENDS += "openssl-native" > + > +SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh" > + > +UNPACKDIR = "${S}" > + > +do_fetch[noexec] = "1" > +do_patch[noexec] = "1" > +do_compile[noexec] = "1" > +do_configure[noexec] = "1" > + > +do_install() { > + ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR} > +} > + > +FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key" > +FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt" > diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore > new file mode 100644 > index 00000000..f8669919 > --- /dev/null > +++ b/meta-arm/uefi-sb-keys/.gitignore > @@ -0,0 +1,4 @@ > +*.auth > +*.crt > +*.esl > +*.key > \ No newline at end of file > diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh > index fc7f25c9..21e65c72 100755 
> --- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh > +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
> @@ -1,35 +1,33 @@ > -#/bin/sh > +#!/bin/bash > +# > +# SPDX-License-Identifier: MIT > +# > > set -eux > > -#Create PK > -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 > -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl > -sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth > +KEYS_PATH=${1:-./} > +SUBJECT="/CN=Linaro_LEDGE/" > +GUID="11111111-2222-3333-4444-123456789abc" > > -#Create KEK > -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 > -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl > -sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth > +openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ > + -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \ > + -nodes -days 3650 > +cert-to-efi-sig-list -g ${GUID} \ > + "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl > +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ > + "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth > > -#Create DB > -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 > -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl > -sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth > - > -#Create DBX > -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 > -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl > -sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth > - > -#Sign image > -#sbsign --key db.key --cert db.crt Image > - > -#Digest image > -#hash-to-efi-sig-list Image db_Image.hash > -#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth > - > -#Empty cert for testing > -touch noPK.esl > -sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth > +for 
key in KEK db dbx; do > + openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ > + -keyout "${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \ > + -nodes -days 3650 > + cert-to-efi-sig-list -g ${GUID} \ > + "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl > + sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ > + "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth > +done > > +# Empty cert for testing > +touch "${KEYS_PATH}"/noPK.esl > +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ > + "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth > -- > 2.46.0 > >
diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
new file mode 100644
index 00000000..a4ae6d87
--- /dev/null
+++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: MIT
+
+SUMMARY = "Generate UEFI keys for secure boot"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+DEPENDS += "bash-native"
+DEPENDS += "coreutils-native"
+DEPENDS += "efitools-native"
+DEPENDS += "openssl-native"
+
+SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh"
+
+UNPACKDIR = "${S}"
+
+do_fetch[noexec] = "1"
+do_patch[noexec] = "1"
+do_compile[noexec] = "1"
+do_configure[noexec] = "1"
+
+do_install() {
+ ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR}
+}
+
+FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key"
+FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt"
diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore
new file mode 100644
index 00000000..f8669919
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/.gitignore
@@ -0,0 +1,4 @@
+*.auth
+*.crt
+*.esl
+*.key
\ No newline at end of file
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
index fc7f25c9..21e65c72 100755
--- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
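Review bot: `FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key"` in gen-uefi-sb-keys.bb lists the private halves of PK, KEK, db and dbx for packaging, and the script creates them unencrypted (`-nodes`), so any image that installs this package would carry the signing keys; a target should need at most the certificates, e.g. `FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.crt"`. Separately, `do_install` passes `${UEFI_SB_KEYS_DIR}` to the script as the output directory rather than a path under `${D}`. That variable is defined outside this patch, but the `.gitignore` added next to the script suggests it is the layer's own `uefi-sb-keys` directory, in which case the task writes key material into the source tree and outside what the build's staging tracks. Consider generating into `${WORKDIR}` or `${D}` and adding a comment that states where the private keys are expected to live and who may read them.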
@@ -1,35 +1,33 @@ -#/bin/sh +#!/bin/bash +# +# SPDX-License-Identifier: MIT +# set -eux -#Create PK -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl -sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth +KEYS_PATH=${1:-./} +SUBJECT="/CN=Linaro_LEDGE/" +GUID="11111111-2222-3333-4444-123456789abc" -#Create KEK -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl -sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth +openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \ + -nodes -days 3650 +cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth -#Create DB -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl -sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth - -#Create DBX -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl -sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth - -#Sign image -#sbsign --key db.key --cert db.crt Image - -#Digest image -#hash-to-efi-sig-list Image db_Image.hash -#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth - -#Empty cert for testing -touch noPK.esl -sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth +for key in KEK db dbx; do + openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout 
"${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \ + -nodes -days 3650 + cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl + sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth +done +# Empty cert for testing +touch "${KEYS_PATH}"/noPK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth
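Review bot: The new loop in gen_uefi_keys.sh signs KEK, db and dbx all with the platform key (`-c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key`), whereas the removed lines signed db.auth and dbx.auth with KEK.crt/KEK.key, and the commit message does not mention this change. If PK-signed db/dbx updates are intended, a comment saying so would help; otherwise the previous chain can be kept inside the loop with `if [ "${key}" = KEK ]; then signer=PK; else signer=KEK; fi` and `-c "${KEYS_PATH}/${signer}.crt" -k "${KEYS_PATH}/${signer}.key"`. Because the private keys are written with `-nodes`, a `umask 077` before the first `openssl req` would keep them from being created readable by other users on the build host, assuming the output directory is not already restricted. `${GUID}` and `${key}` are also left unquoted while the other expansions are quoted.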
Generate a new set of keys at build time. This avoids reusing the same keys, which could create a security issue. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++ meta-arm/uefi-sb-keys/.gitignore | 4 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 56 +++++++++---------- 3 files changed, 57 insertions(+), 29 deletions(-) create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb create mode 100644 meta-arm/uefi-sb-keys/.gitignore