Adding keys to BMC production build

Adding keys to BMC production build

[Patrick Voelker]

[-- Attachment #1: Type: text/plain, Size: 149 bytes --]

Is there a page or document with instructions for adding a custom key for signing the production BMC build?  I haven't had any luck finding it yet.

[-- Attachment #2: Type: text/html, Size: 181 bytes --]

RE: Adding keys to BMC production build

[Troy Lee]

[-- Attachment #1: Type: text/plain, Size: 627 bytes --]

Hi Patrick,

You could assign SIGNING_KEY to your private key for signing image.
If it is not set, meta-phosphor/recipes-phosphor/flash/phosphor-insecure-signing-key-native.bb will be applied.

Thanks,
Troy Lee

From: openbmc <openbmc-bounces+troy_lee=aspeedtech.com@lists.ozlabs.org> On Behalf Of Patrick Voelker
Sent: Thursday, March 11, 2021 10:18 AM
To: OpenBMC (openbmc@lists.ozlabs.org) <openbmc@lists.ozlabs.org>
Subject: Adding keys to BMC production build

Is there a page or document with instructions for adding a custom key for signing the production BMC build? I haven't had any luck finding it yet.

[-- Attachment #2: Type: text/html, Size: 2752 bytes --]

RE: Adding keys to BMC production build

[Bruce Mitchell]

-----"openbmc" <openbmc-bounces+bruce.mitchell=ibm.com@lists.ozlabs.org> wrote: -----

>To: Patrick Voelker <Patrick_Voelker@phoenix.com>, "OpenBMC
>(openbmc@lists.ozlabs.org)" <openbmc@lists.ozlabs.org>
>From: Troy Lee
>Sent by: "openbmc"
>Date: 03/10/2021 18:35
>Subject: [EXTERNAL] RE: Adding keys to BMC production build
>
> Hi Patrick, You could assign SIGNING_KEY
>to your private key for signing image. If it is not set,
>meta-phosphor/recipes-phosphor/flash/phosphor-insecure-signing-key
>-native.bb will be applied. Thanks, ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍
>‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍
>
>
> Hi Patrick,
>  
> You could assign SIGNING_KEY to your private key for signing
>image.
> If it is not set,
>meta-phosphor/recipes-phosphor/flash/phosphor-insecure-signing-key
>-native.bb will be applied.
>  
> Thanks,
> Troy Lee
>  
>
>
> From: openbmc
><openbmc-bounces+troy_lee=aspeedtech.com@lists.ozlabs.org> On
>Behalf Of Patrick Voelker
> Sent: Thursday, March 11, 2021 10:18 AM
> To: OpenBMC (openbmc@lists.ozlabs.org) <openbmc@lists.ozlabs.org>
> Subject: Adding keys to BMC production build
>  
> Is there a page or document with instructions for adding a custom
>key for signing the production BMC build? I haven't had any luck
>finding it yet.
>

Hi Patrick,

Also check with Klaus as well.

--
Bruce

Re: Adding keys to BMC production build

[Joseph Reynolds]

On 3/10/21 8:35 PM, Troy Lee wrote:
> Hi Patrick, You could assign SIGNING_KEY to your private key for 
> signing image. If it is not set, 
> meta-phosphor/recipes-phosphor/flash/phosphor-insecure-signing-key-native.bb 
> will be applied. Thanks, ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ 
> ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ 
>
> Hi Patrick,
>
> You could assign SIGNING_KEY to your private key for signing image.
>
> If it is not set, 
> meta-phosphor/recipes-phosphor/flash/phosphor-insecure-signing-key-native.bb 
> will be applied.
>
> Thanks,
>
> Troy Lee
>
> *From:* openbmc 
> <openbmc-bounces+troy_lee=aspeedtech.com@lists.ozlabs.org> *On Behalf 
> Of *Patrick Voelker
> *Sent:* Thursday, March 11, 2021 10:18 AM
> *To:* OpenBMC (openbmc@lists.ozlabs.org) <openbmc@lists.ozlabs.org>
> *Subject:* Adding keys to BMC production build
>
> Is there a page or document with instructions for adding a custom key 
> for signing the production BMC build? I haven't had any luck finding 
> it yet.
>

Yes, sort of.  The OpenBMC "Configuration Guide" wiki has items like this:
https://github.com/openbmc/openbmc/wiki/Configuration-guide#image-signature

Troy, I've added your info to the wiki.  Thank you!

The OpenBMC security working group has discussed migrating the config 
guide into the docs repo.  Any volunteers?

-Joseph