From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH 04/12] Rework secure boot key handling and signing recipes
Date: Wed,  4 May 2022 21:45:52 +0200	[thread overview]
Message-ID: <ec0256be52152975c1a9be42ca875059a222cbbc.1651693560.git.jan.kiszka@siemens.com> (raw)
In-Reply-To: <cover.1651693560.git.jan.kiszka@siemens.com>

From: Jan Kiszka <jan.kiszka@siemens.com>

Simplify the signing recipe to a single, generic one. Instead, provide
secure-boot-secrets packages that contain the used image key and
certificate at a well-defined location. This allows for easy reuse in
recipes other than ebg-secure-boot-signer. U-Boot will be one.

Rather than using the OVMF package as build-time source for the snakeoil
keys, we import the two artifacts here. This allows running the required
key removal upfront and simplifies the usage for buster. The certificate
has such a long lifetime that future Debian releases should also use the
same one, thus the snakeoil artifacts of OVMF should stay in sync with our
copy of key and cert. We may revisit this when discontinuing support for
buster, though.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 doc/README.secureboot.md                      | 22 ++++----
 kas/opt/ebg-secure-boot-snakeoil.yml          |  7 +--
 .../ebg-secure-boot-secrets_0.1.bb            | 51 -------------------
 .../ebg-secure-boot-secrets/files/README.md   |  1 -
 .../files/control.tmpl                        | 12 -----
 .../files/sign_secure_image.sh.tmpl           | 22 --------
 .../ebg-secure-boot-signer_0.1.bb             | 26 ++++++++++
 .../files/sign_secure_image.sh                | 33 ++++++++++++
 .../ebg-secure-boot-snakeoil_0.1.bb           | 34 -------------
 .../files/control.tmpl                        | 12 -----
 .../files/sign_secure_image.sh                | 36 -------------
 .../files/PkKek-1-snakeoil.key                | 27 ++++++++++
 .../files/PkKek-1-snakeoil.pem                | 21 ++++++++
 .../secure-boot-key_0.1.bb                    | 14 +++++
 .../secure-boot-secrets.inc                   | 34 +++++++++++++
 .../secure-boot-snakeoil_0.1.bb               | 17 +++++++
 16 files changed, 186 insertions(+), 183 deletions(-)
 delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
 delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
 create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb
 create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
 create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index b2d7be9..c1a0301 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -43,24 +43,22 @@ executable or script with the following interface:
 Supply the script name and path to wic by adding
 `signwith=<path and name of the script to sign>"` to sourceparams of the partition.
 
-### Existing packages to sign an image
+### Existing key packages for signing an image
 
-#### ebg-secure-boot-snakeoil
+#### secure-boot-snakeoil
 
 This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
-backported from Debian bullseye and signs the image.
+backported from Debian bullseye for signing the image.
 
-#### ebg-secure-boot-secrets
-This package takes a user-generated certificate and adds it to the build system.
+#### secure-boot-key
+
+This package takes a user-generated certificate and key adds them to the build system.
 The following variable and steps are necessary to build a secure boot capable image:
 - Set certification information to sign and verify the image with:
-    - SB_CERTDB: The directory containing the certificate database create with certutil
-    - SB_VERIFY_CERT: The certificate to verify the signing process
-    - SB_KEY_NAME: Name of the key in the certificate database
-- if necessary change the script to select the boot partition after an update
-    - recipes-support/initramfs-config/files/initramfs.selectrootfs.script
+    - SB_CERT: The certificate to verify the signing process
+    - SB_KEY: The private key of for the certificate
 
-The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in  `recipes-devtools/ebg-secure-boot-secrets/files/`
+The files referred by SB_CERT and SB_KEY must be store in `recipes-devtools/secure-boot-secrets/files/`.
 
 ## Running in QEMU
 
@@ -96,7 +94,7 @@ scripts/generate-sb-db-from-existing-certificate.sh
 ```
 This will create the directory `SB_KEYDIR` and will store the `${SB_NAME}certdb` with the given name.
 
-Copy the used certificate and database to `recipes-devtools/ebg-secure-boot-secrets/files/`
+Copy the used certificate and private key to `recipes-devtools/secure-boot-secrets/files/`
 
 #### Generate keys
 
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index b329f41..7442eb7 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -28,6 +28,7 @@ local_conf_header:
     INITRAMFS_INSTALL_append = " initramfs-verity-hook"
 
   secure-boot: |
-    # Add snakeoil binaries for qemu
-    IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil"
-    IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
+    IMAGER_INSTALL += "ebg-secure-boot-signer"
+    # Use snakeoil keys
+    PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-snakeoil"
diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
deleted file mode 100644
index 0d57910..0000000
--- a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit dpkg-raw
-
-DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \
-               sign an image with the given keys"
-
-# variables
-SB_CERT_PATH = "/usr/share/ebg-secure-boot"
-SB_CERTDB ??= ""
-SB_VERIFY_CERT ??= ""
-SB_KEY_NAME ??= "demoDB"
-
-# used to sign the image
-DEBIAN_DEPENDS = "pesign, sbsigntool"
-
-# this package cannot be install together with:
-DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"
-
-SRC_URI = " \
-    file://sign_secure_image.sh.tmpl \
-    file://control.tmpl"
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERTDB') if d.getVar('SB_CERTDB') else '' }"
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_VERIFY_CERT') if d.getVar('SB_VERIFY_CERT') else '' }"
-TEMPLATE_FILES = "sign_secure_image.sh.tmpl"
-TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME"
-
-TEMPLATE_FILES += "control.tmpl"
-TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
-
-do_install() {
-    TARGET=${D}${SB_CERT_PATH}
-    install -m 0700 -d ${TARGET}
-    cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}
-    chmod 700 ${TARGET}/${SB_CERTDB}
-    install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT}
-    TARGET=${D}/usr/bin
-    install -d ${TARGET}
-    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
-}
-
-addtask do_install after do_transform_template
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
deleted file mode 100644
index c739c51..0000000
--- a/recipes-devtools/ebg-secure-boot-secrets/files/README.md
+++ /dev/null
@@ -1 +0,0 @@
-For a secure boot image this directory needs to contain the certdb directory and the db.crt file.
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
deleted file mode 100644
index 8361a49..0000000
--- a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
+++ /dev/null
@@ -1,12 +0,0 @@
-Source: ${PN}
-Section: misc
-Priority: optional
-Standards-Version: 3.9.6
-Maintainer: ${MAINTAINER}
-Build-Depends: debhelper (>= 9)
-
-Package: ${PN}
-Architecture: ${DPKG_ARCH}
-Depends: ${DEBIAN_DEPENDS}
-Description: ${DESCRIPTION}
-Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
deleted file mode 100644
index e84fd4c..0000000
--- a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-set -e
-set -x
-signee=$1
-signed=$2
-
-usage(){
-    echo "sign with debian snakeoil"
-    echo "$0 signee signed"
-    echo "signee: path to the image to be signed"
-    echo "signed: path to store the signed image"
-}
-
-
-if [ -z "$signee" ] || [ -z "$signed" ]; then
-    usage
-    exit 1
-fi
-
-pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed
-sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed
-exit 0
diff --git a/recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb b/recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb
new file mode 100644
index 0000000..546fded
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Signing script for EFI Boot Guard setups"
+
+DEPENDS = "secure-boot-secrets"
+DEBIAN_DEPENDS = "sbsigntool, secure-boot-secrets"
+
+SRC_URI = "file://sign_secure_image.sh"
+
+do_install() {
+    TARGET=${D}/usr/bin
+    install -d ${TARGET}
+    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
diff --git a/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
new file mode 100644
index 0000000..0c9b898
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+set -e
+
+signee=$1
+signed=$2
+
+usage(){
+    echo "sign with image keys"
+    echo "$0 signee signed"
+    echo "signee: path to the image to be signed"
+    echo "signed: path to store the signed image"
+}
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+    usage
+    exit 1
+fi
+
+keydir=/usr/share/secure-boot-secrets
+
+sbsign --key ${keydir}/secure-boot.key --cert ${keydir}/secure-boot.pem --output $signed $signee
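Review bot: the sbsign call drops the verification step that both replaced scripts ran after signing (`sbverify --cert ... $signed`). Verifying against the installed certificate catches a mismatched key/cert pair or a corrupted signature at build time instead of at first boot on a Secure Boot enabled machine; consider adding `sbverify --cert ${keydir}/secure-boot.pem "$signed"` after the sbsign line. Also, `$signed` and `$signee` are unquoted, so paths containing whitespace break the call; quote them as the old scripts should have done too.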
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
deleted file mode 100644
index 4975d92..0000000
--- a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit dpkg-raw
-
-DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys"
-# used to sign the image
-DEBIAN_DEPENDS = "pesign,  sbsigntool, ovmf, openssl, libnss3-tools"
-
-
-# this package cannot be install together with:
-DEBIAN_CONFLICTS = "ebg-secure-boot-secrets"
-
-SRC_URI = "file://sign_secure_image.sh \
-           file://control.tmpl"
-
-TEMPLATE_FILES = "control.tmpl"
-TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
-
-do_install() {
-    TARGET=${D}/usr/bin
-    install -d ${TARGET}
-    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
-}
-
-addtask do_install after do_transform_template
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
deleted file mode 100644
index 8361a49..0000000
--- a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
+++ /dev/null
@@ -1,12 +0,0 @@
-Source: ${PN}
-Section: misc
-Priority: optional
-Standards-Version: 3.9.6
-Maintainer: ${MAINTAINER}
-Build-Depends: debhelper (>= 9)
-
-Package: ${PN}
-Architecture: ${DPKG_ARCH}
-Depends: ${DEBIAN_DEPENDS}
-Description: ${DESCRIPTION}
-Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
deleted file mode 100644
index 081dbe9..0000000
--- a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-set -e
-set -x
-signee=$1
-signed=$2
-
-usage(){
-    echo "sign with debian snakeoil"
-    echo "$0 signee signed"
-    echo "signee: path to the image to be signed"
-    echo "signed: path to store the signed image"
-}
-
-
-if [ -z "$signee" ] || [ -z "$signed" ]; then
-    usage
-    exit 1
-fi
-
-name=snakeoil
-keydir=$(mktemp -d)
-inkey=/usr/share/ovmf/PkKek-1-snakeoil.key
-incert=/usr/share/ovmf/PkKek-1-snakeoil.pem
-nick_name=snakeoil
-TMP=$(mktemp -d)
-mkdir -p ${keydir}/${name}certdb
-certutil -N --empty-password -d ${keydir}/${name}certdb
-openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
-pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
-cp $incert ${keydir}/$(basename $incert)
-rm -rf $TMP
-
-pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed
-sbverify --cert $incert $signed
-rm -rf $keydir
-exit 0
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
new file mode 100644
index 0000000..193de62
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
new file mode 100644
index 0000000..dd02a82
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb b/recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb
new file mode 100644
index 0000000..e6ef37c
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb
@@ -0,0 +1,14 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require secure-boot-secrets.inc
+
+DEBIAN_CONFLICTS = "secure-boot-snakeoil"
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
new file mode 100644
index 0000000..f53435a
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+PROVIDES += "secure-boot-secrets"
+
+SB_KEY ??= ""
+SB_CERT ??= ""
+
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEY') if d.getVar('SB_KEY') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERT') if d.getVar('SB_CERT') else '' }"
+
+do_install() {
+    if [ -z ${SB_KEY} ] || [ -z ${SB_CERT} ]; then
+        bbfatal "You must set SB_KEY and SB_CERT and provide the required files as artifacts to this recipe"
+    fi
+    TARGET=${D}/usr/share/secure-boot-secrets
+    install -d -m 0700 ${TARGET}
+    install -m 0700 ${WORKDIR}/${SB_KEY} ${TARGET}/secure-boot.key
+    install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem
+}
+
+do_prepare_build_append() {
+    echo "Provides: secure-boot-secrets" >> ${S}/debian/control
+}
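Review bot: in do_install, `[ -z ${SB_KEY} ]` is unquoted; it only works by accident when the variable is empty (a bare `-z` is a single non-empty argument to test), so it should be `[ -z "${SB_KEY}" ] || [ -z "${SB_CERT}" ]`. The file modes also look off: `install -m 0700` marks both files executable, and secure-boot.pem is the public certificate, which needs no restriction at all. `-m 0600` for the key and `-m 0644` for the certificate (keeping the directory at 0700 is fine) matches the intent better, and a readable certificate also lets consumers such as the U-Boot recipe mentioned in the commit message verify signatures without root.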
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
new file mode 100644
index 0000000..24a5352
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
@@ -0,0 +1,17 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require secure-boot-secrets.inc
+
+SB_KEY = "PkKek-1-snakeoil.key"
+SB_CERT = "PkKek-1-snakeoil.pem"
+
+DEBIAN_CONFLICTS = "secure-boot-key"
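Review bot: this recipe packages a private key that is public by design (the Debian snakeoil key), and nothing in it marks the package as test-only; with `PREFERRED_PROVIDER_secure-boot-secrets` it can be selected as the secure-boot-secrets provider in any build, including a production configuration, where images signed with it gain no protection from Secure Boot. Consider a bbwarn in this recipe, or at least a comment in the kas/opt file next to the "Use snakeoil keys" line, so that the selection does not go unnoticed.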
-- 
2.34.1



Thread overview: 13+ messages
2022-05-04 19:45 [isar-cip-core][PATCH 00/12] Fixes and improvements for SWUpdate images, kernel/config update Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 01/12] initramfs-etc-overlay-hook: Improve error reporting of script Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 02/12] initramfs-etc-overlay-hook: Install overlay module Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 03/12] initramfs-abrootfs-hook: Remove obsolete patch Jan Kiszka
2022-05-04 19:45 ` Jan Kiszka [this message]
2022-05-04 19:45 ` [isar-cip-core][PATCH 05/12] linux-cip: Update cip-kernel-config for QEMU and ipc227e Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 06/12] linux-cip: Update to 4.19.239-cip72 and 5.10.112-cip6 Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 07/12] efibootguard: Update to 0.11 release Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 08/12] efibootguard: Use new unified kernel image generation Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 09/12] efibootguard: Add support for embedding DTBs into unified kernel images Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 10/12] u-boot-qemu-arm64: Add recipe for customized version based on 2022.04 Jan Kiszka
2022-05-04 19:45 ` [isar-cip-core][PATCH 11/12] Enable SWUpdate with and w/o secure boot for QEMU arm64 Jan Kiszka
2022-05-04 19:46 ` [isar-cip-core][PATCH 12/12] start-qemu.sh: Add support for SWUpdate and secure boot mode to arm64 Jan Kiszka
